Files
taxbaik/src/TaxBaik.Web/Services/AuthService.cs
T
kjh2064 08347a4e20
TaxBaik CI/CD / build-and-deploy (push) Successful in 2m46s
Refactor admin dashboard and standardize UI shells
2026-07-07 23:16:31 +09:00

274 lines
10 KiB
C#

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using BCrypt.Net;
using Microsoft.IdentityModel.Tokens;
using TaxBaik.Domain.Entities;
using TaxBaik.Domain.Interfaces;
namespace TaxBaik.Web.Services;
public class AuthService
{
private readonly IAdminUserRepository _adminUserRepository;
private readonly ILogger<AuthService> _logger;
private readonly ITelegramNotificationService _telegramService;
private readonly IHostEnvironment _environment;
private readonly string _jwtSecretKey;
private readonly string? _passwordResetToken;
private readonly int _accessTokenExpirationMinutes = 60; // Access Token: 1시간 (사용성 향상)
private readonly int _refreshTokenExpirationMinutes = 10080; // Refresh Token: 7일
public AuthService(
IAdminUserRepository adminUserRepository,
ILogger<AuthService> logger,
IConfiguration configuration,
ITelegramNotificationService telegramService,
IHostEnvironment environment)
{
_adminUserRepository = adminUserRepository;
_logger = logger;
_telegramService = telegramService;
_environment = environment;
_jwtSecretKey = configuration["Jwt:SecretKey"] ?? throw new InvalidOperationException("Missing 'Jwt:SecretKey' configuration.");
_passwordResetToken = configuration["Admin:PasswordResetToken"];
}
public async Task<AuthTokenPair?> AuthenticateAndGenerateTokenPairAsync(string username, string password)
{
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
return null;
AdminUser? user;
try
{
user = await _adminUserRepository.GetByUsernameAsync(username);
}
catch (Exception ex) when (_environment.IsDevelopment())
{
if (IsLocalE2ETestCredentials(username, password))
{
_logger.LogWarning(ex, "개발 환경에서 DB 없이 로컬 E2E 관리자 로그인 허용: {Username}", username);
return GenerateTokenPair(new AdminUser
{
Id = 0,
Username = username,
PasswordHash = string.Empty,
CreatedAt = DateTime.UtcNow
});
}
_logger.LogWarning(ex, "개발 환경에서 관리자 로그인 DB 조회 실패: {Username}", username);
return null;
}
if (user == null)
{
_logger.LogWarning("로그인 시도: 존재하지 않는 사용자 '{Username}'", username);
if (_environment.IsDevelopment() && IsLocalE2ETestCredentials(username, password))
{
_logger.LogWarning("개발 환경에서 시드 계정 없이 로컬 E2E 관리자 로그인 허용: {Username}", username);
return GenerateTokenPair(new AdminUser
{
Id = 0,
Username = username,
PasswordHash = string.Empty,
CreatedAt = DateTime.UtcNow
});
}
return null;
}
if (string.IsNullOrWhiteSpace(user.PasswordHash))
{
_logger.LogError("로그인 실패: 사용자 '{Username}'의 PasswordHash가 비어 있습니다.", username);
return null;
}
if (!BCrypt.Net.BCrypt.Verify(password, user.PasswordHash))
{
_logger.LogWarning("로그인 시도: 잘못된 비밀번호 '{Username}'", username);
// 실패한 로그인은 알림하지 않음 (로그만 남김)
return null;
}
_logger.LogInformation("로그인 성공: {Username}", username);
// 로그인 알림은 제거 (로그만 남김)
await _adminUserRepository.UpdateLastLoginAtAsync(user.Id);
return GenerateTokenPair(user);
}
public async Task<AuthTokenPair?> RefreshAccessTokenAsync(string refreshToken)
{
try
{
var principal = ValidateRefreshToken(refreshToken);
if (principal == null)
{
_logger.LogWarning("Refresh token 검증 실패");
return null;
}
var username = principal.FindFirstValue(ClaimTypes.Name);
if (string.IsNullOrWhiteSpace(username))
return null;
var user = await _adminUserRepository.GetByUsernameAsync(username);
if (user == null)
return null;
return GenerateTokenPair(user);
}
catch (Exception ex)
{
_logger.LogError(ex, "Refresh token 처리 중 오류");
return null;
}
}
public async Task<bool> ChangePasswordAsync(string username, string currentPassword, string newPassword)
{
if (!IsValidPassword(newPassword))
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
var user = await _adminUserRepository.GetByUsernameAsync(username);
if (user == null || string.IsNullOrWhiteSpace(user.PasswordHash))
return false;
if (!BCrypt.Net.BCrypt.Verify(currentPassword, user.PasswordHash))
return false;
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
_logger.LogInformation("관리자 비밀번호 변경: {Username}", username);
return true;
}
public async Task<bool> ResetPasswordAsync(string username, string newPassword, string resetToken)
{
if (string.IsNullOrWhiteSpace(_passwordResetToken))
throw new InvalidOperationException("Admin:PasswordResetToken is not configured.");
if (!TimeConstantEquals(resetToken, _passwordResetToken))
return false;
if (!IsValidPassword(newPassword))
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
var user = await _adminUserRepository.GetByUsernameAsync(username);
if (user == null)
return false;
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
_logger.LogWarning("관리자 비밀번호 재설정 API 사용: {Username}", username);
return true;
}
private AuthTokenPair GenerateTokenPair(AdminUser user)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.Username),
new Claim("username", user.Username),
new Claim(ClaimTypes.Role, "Admin")
};
var accessToken = new JwtSecurityToken(
issuer: "taxbaik-admin",
audience: "taxbaik-admin-client",
claims: claims,
expires: DateTime.UtcNow.AddMinutes(_accessTokenExpirationMinutes),
signingCredentials: creds);
var refreshToken = new JwtSecurityToken(
issuer: "taxbaik-admin",
audience: "taxbaik-admin-client",
claims: claims,
expires: DateTime.UtcNow.AddMinutes(_refreshTokenExpirationMinutes),
signingCredentials: creds);
return new AuthTokenPair(
new JwtSecurityTokenHandler().WriteToken(accessToken),
new JwtSecurityTokenHandler().WriteToken(refreshToken),
_accessTokenExpirationMinutes * 60
);
}
public ClaimsPrincipal? ValidateRefreshToken(string token)
{
try
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
var handler = new JwtSecurityTokenHandler();
var principal = handler.ValidateToken(token, new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = key,
ValidateIssuer = true,
ValidIssuer = "taxbaik-admin",
ValidateAudience = true,
ValidAudience = "taxbaik-admin-client",
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
}, out SecurityToken validatedToken);
return principal;
}
catch
{
return null;
}
}
public ClaimsPrincipal? ValidateToken(string token)
{
try
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
var handler = new JwtSecurityTokenHandler();
var principal = handler.ValidateToken(token, new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = key,
ValidateIssuer = true,
ValidIssuer = "taxbaik-admin",
ValidateAudience = true,
ValidAudience = "taxbaik-admin-client",
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
}, out SecurityToken validatedToken);
return principal;
}
catch
{
return null;
}
}
private static bool IsValidPassword(string password) => !string.IsNullOrWhiteSpace(password) && password.Length >= 12;
private static bool TimeConstantEquals(string value, string expected)
{
var valueBytes = Encoding.UTF8.GetBytes(value);
var expectedBytes = Encoding.UTF8.GetBytes(expected);
return valueBytes.Length == expectedBytes.Length
&& System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(valueBytes, expectedBytes);
}
private static bool IsLocalE2ETestCredentials(string username, string password) =>
string.Equals(username, "test_admin", StringComparison.OrdinalIgnoreCase) &&
string.Equals(password, "admin123", StringComparison.Ordinal);
}
public class AuthTokenPair(string accessToken, string refreshToken, int expiresIn)
{
public string AccessToken { get; } = accessToken;
public string RefreshToken { get; } = refreshToken;
public int ExpiresIn { get; } = expiresIn;
}