Commit Graph

7 Commits

Author SHA1 Message Date
kjh2064 54c179b1eb revert: rollback Fluent UI and Blazor homepage to last successful state (3be3794) 2026-06-30 20:29:42 +09:00
kjh2064 1b173376ee refactor: admin ui를 fluent v5와 html 기반으로 전환
TaxBaik CI/CD / build-and-deploy (push) Failing after 1m53s
2026-06-29 22:37:40 +09:00
kjh2064 917600a793 fix: 인증 로컬스토리지 복구 흐름에서 TokenStore 적재가 보장되지 않은 상태로 인증 통과 처리되는 보안 누수 현상 수정 (401 오류 원천 차단)
TaxBaik CI/CD / build-and-deploy (push) Successful in 54s
2026-06-29 15:35:32 +09:00
kjh2064 804725a785 fix: prevent admin authentication timeout during session
TaxBaik CI/CD / build-and-deploy (push) Successful in 48s
**Issues Resolved:**
1. Access Token lifetime extended 15m → 1h (better UX)
   - Users can browse admin pages for 1 hour without re-login
   - Reasonable balance between security and usability

2. Automatic pre-expiry token refresh
   - GetAuthenticationStateAsync() now checks if token expires in <5min
   - Automatically refreshes before expiry when user is still active
   - Prevents sudden logout during admin work

**Implementation:**
- Added ShouldRefreshToken() to detect imminent expiry (300s window)
- On auth state check, if token expiring soon: trigger refresh via AuthService
- Refresh happens transparently, no user interaction needed
- Maintains 7-day Refresh Token TTL for security

**Behavior:**
- User logs in with 1-hour session
- Every page load/navigation checks token status
- If <5min remaining: auto-refresh (user doesn't notice)
- If refresh fails: graceful logout with warning
- Refresh Token (7 days) allows re-login without password

This provides better UX while maintaining security through
shorter-lived access tokens and automatic renewal.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-28 12:56:44 +09:00
kjh2064 08e9e07458 fix: Critical runtime bug - TokenRefreshHandler JS interop in Blazor Server
TaxBaik CI/CD / build-and-deploy (push) Successful in 47s
**Problem:**
TokenRefreshHandler (DelegatingHandler) runs on a non-circuit thread.
ILocalStorageService (JS interop) only works during component render.
Production: 401 response → token refresh → JS interop fails silently.

**Solution:**
1. ITokenStore - Scoped in-memory token store (no JS interop)
   - Properties: AccessToken, RefreshToken, TokenExpiryTicks
   - Method: IsAccessTokenExpired()

2. TokenStore implementation
   - Replaces localStorage as primary token source
   - DelegatingHandler reads/writes only to TokenStore
   - Pages reload → GetAuthenticationStateAsync restores from localStorage

3. CustomAuthenticationStateProvider
   - Accepts ITokenStore injection
   - LoginAsync: Write to both TokenStore + localStorage
   - LogoutAsync: Clear both
   - GetAuthenticationStateAsync: Read from TokenStore first, fallback to localStorage

4. AdminDashboardClient BaseAddress fix
   - Was: new Uri("/taxbaik/api/") - relative URI (runtime error)
   - Now: Configured in Program.cs as absolute URI
   - Program.cs: AddHttpClient(..., client => client.BaseAddress = new Uri("http://localhost:5001/taxbaik/api/"))

**Architecture:**
- TokenStore: Scoped in-memory (DelegatingHandler use)
- localStorage: Persistent (page reload recovery)
- Pattern: Server-side token management without JS interop

This fixes the cascading failure that would occur on any 401 in production.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-28 10:54:11 +09:00
kjh2064 58edbd9c8f refactor: Phase 5 - JWT token lifecycle (Access + Refresh + Auto-refresh)
TaxBaik CI/CD / build-and-deploy (push) Successful in 48s
**Implementation:**
- AuthService: Split token generation
  * AccessToken: 15 minutes
  * RefreshToken: 7 days (10080 minutes)
  * New: GenerateTokenPair() method
  * New: RefreshAccessTokenAsync() method

- AuthTokenPair: New record (accessToken, refreshToken, expiresIn)

- AuthController: New /api/auth/refresh endpoint
  * POST /api/auth/refresh?refreshToken=...
  * Response: { accessToken, refreshToken, expiresIn }
  * RefreshTokenRequest DTO

- TokenRefreshHandler: New DelegatingHandler
  * Automatic Bearer token injection
  * 401 response handling
  * Auto-refresh with retry
  * localStorage sync (accessToken, refreshToken, tokenExpiry)

- CustomAuthenticationStateProvider: Token storage split
  * Before: auth_token (single)
  * After: accessToken, refreshToken, tokenExpiry
  * LoginAsync signature updated

- Login.razor: Handle token pair
  * LoginResponse: { accessToken, refreshToken, expiresIn }
  * Call new LoginAsync(accessToken, refreshToken, expiresIn)

- Program.cs: TokenRefreshHandler registration
  * AddScoped<TokenRefreshHandler>()
  * AdminDashboardClient pipeline: .AddHttpMessageHandler<TokenRefreshHandler>()

**SOLID Principles:**
✓ S (Single Responsibility): TokenRefreshHandler handles only token refresh
✓ D (Dependency Inversion): DelegatingHandler abstracts HTTP concerns
✓ O (Open/Closed): Token lifetime extension without code changes

**Security Pattern:**
- Short-lived access tokens (15min) reduce theft window
- Refresh tokens (7d) enable persistence without storing secrets
- Automatic refresh is transparent to components

**Flow:**
Blazor → AdminDashboardClient → TokenRefreshHandler (auto-add Bearer)
  → 401 → RefreshTokenAsync() → POST /api/auth/refresh
  → Store new pair → Retry original request

Status: Token lifecycle complete, ready for SignalR integration (Phase 6)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-28 10:51:24 +09:00
kjh2064 57269e281d refactor: Web과 Admin 통합 - 단일 포트 5001로 운영
TaxBaik CI/CD / build-and-deploy (push) Failing after 36s
분리의 단점을 제거하고 단일 앱으로 통합:

구조 변경:
- TaxBaik.Admin → TaxBaik.Web/Components/Admin/
- Admin Services → TaxBaik.Web/Services/
- 포트: 5001 (기존 5002 제거)

경로:
- 홈페이지: http://localhost:5001/taxbaik
- 관리자: http://localhost:5001/taxbaik/admin

기술:
- Razor Pages (Web) + Blazor Server (Admin) 통합
- 단일 Program.cs로 양쪽 모두 지원
- JWT 인증 유지
- MudBlazor UI 유지

장점:
- 개발 복잡도 감소 (터미널 1개)
- 배포 단순화 (앱 1개)
- DB 마이그레이션 1회 실행

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-06-26 22:35:21 +09:00