-
Notifications
You must be signed in to change notification settings - Fork 0
feat(auth): REST Body class-validator DTO 도입 (Auth 3종) #97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| import 'reflect-metadata'; | ||
|
|
||
| import { plainToInstance } from 'class-transformer'; | ||
| import { validate } from 'class-validator'; | ||
|
|
||
| import { IsStrongPassword } from '@/common/validators/strong-password.validator'; | ||
|
|
||
| class Sample { | ||
| @IsStrongPassword() | ||
| password!: string; | ||
| } | ||
|
|
||
| function build(plain: object): Sample { | ||
| return plainToInstance(Sample, plain); | ||
| } | ||
|
|
||
| describe('IsStrongPassword', () => { | ||
| it.each([ | ||
| ['8자 + 4종', 'Aa1!aaaa'], | ||
| ['긴 비밀번호', 'My!Sup3rL0ngPassword#WithSymbols'], | ||
| [ | ||
| '64자 경계', | ||
| 'A'.repeat(15) + 'a'.repeat(15) + '0'.repeat(15) + '!'.repeat(19), | ||
| ], // 64 | ||
| ])('허용: %s', async (_label, value) => { | ||
| const dto = build({ password: value }); | ||
| expect(await validate(dto)).toHaveLength(0); | ||
| }); | ||
|
|
||
| it.each([ | ||
| ['7자', 'Aa1!aaa'], | ||
| ['65자', 'Aa1!' + 'b'.repeat(61)], | ||
| ['소문자 누락', 'AAAA1111!!!!'], | ||
| ['대문자 누락', 'aaaa1111!!!!'], | ||
| ['숫자 누락', 'AAaa!!@@##'], | ||
| ['특수문자 누락', 'AAaa1122334'], | ||
| ])('거절: %s', async (_label, value) => { | ||
| const dto = build({ password: value }); | ||
| const errors = await validate(dto); | ||
| expect(errors).toHaveLength(1); | ||
| expect(errors[0].property).toBe('password'); | ||
| }); | ||
|
|
||
| it('trim 후 길이 판정: 앞뒤 공백만으로 길이 채울 수 없음', async () => { | ||
| const dto = build({ password: ' Aa1!aa ' }); // 12 chars raw, 7 trimmed | ||
| const errors = await validate(dto); | ||
| expect(errors).toHaveLength(1); | ||
| }); | ||
|
|
||
| it('문자열이 아닌 값은 거절한다', async () => { | ||
| const dto = build({ password: 12345678 }); | ||
| const errors = await validate(dto); | ||
| expect(errors).toHaveLength(1); | ||
| }); | ||
| }); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| import type { | ||
| ValidationArguments, | ||
| ValidationOptions, | ||
| ValidatorConstraintInterface, | ||
| } from 'class-validator'; | ||
| import { Validate, ValidatorConstraint } from 'class-validator'; | ||
|
|
||
| /** | ||
| * 강력한 비밀번호 정책 검증. | ||
| * | ||
| * 왜: 판매자 비밀번호 변경 등에서 길이 8~64 + 소문자/대문자/숫자/특수문자 | ||
| * 4종 포함을 요구한다. 기존 auth.service.assertStrongPassword 의 로직을 | ||
| * 그대로 옮겨와 DTO 레이어에서 일원화. | ||
| * | ||
| * 길이 판정은 trim 후 기준 (기존 동작 호환). | ||
| */ | ||
| @ValidatorConstraint({ name: 'IsStrongPassword', async: false }) | ||
| export class IsStrongPasswordConstraint implements ValidatorConstraintInterface { | ||
| validate(value: unknown): boolean { | ||
| if (typeof value !== 'string') return false; | ||
| const pw = value.trim(); | ||
| if (pw.length < 8 || pw.length > 64) return false; | ||
| return ( | ||
| /[a-z]/.test(pw) && | ||
| /[A-Z]/.test(pw) && | ||
| /[0-9]/.test(pw) && | ||
| /[^A-Za-z0-9]/.test(pw) | ||
| ); | ||
| } | ||
|
|
||
| defaultMessage(args: ValidationArguments): string { | ||
| return `${args.property} must be 8~64 characters and include lower/upper case, number, and special character.`; | ||
| } | ||
| } | ||
|
|
||
| export function IsStrongPassword( | ||
| validationOptions?: ValidationOptions, | ||
| ): PropertyDecorator { | ||
| return Validate(IsStrongPasswordConstraint, [], validationOptions); | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
49 changes: 49 additions & 0 deletions
49
src/features/auth/dto/inputs/dev-issue-token.input.spec.ts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| import 'reflect-metadata'; | ||
|
|
||
| import { plainToInstance } from 'class-transformer'; | ||
| import { validate } from 'class-validator'; | ||
|
|
||
| import { DevIssueTokenInput } from '@/features/auth/dto/inputs/dev-issue-token.input'; | ||
|
|
||
| function build(plain: object): DevIssueTokenInput { | ||
| return plainToInstance(DevIssueTokenInput, plain); | ||
| } | ||
|
|
||
| describe('DevIssueTokenInput', () => { | ||
| it.each([ | ||
| ['1', '1'], | ||
| ['123', '123'], | ||
| ['0', '0'], | ||
| ['999999999999999999', '999999999999999999'], // BigInt 범위 | ||
| ])('허용: %s', async (_label, value) => { | ||
| const dto = build({ accountId: value }); | ||
| expect(await validate(dto)).toHaveLength(0); | ||
| }); | ||
|
|
||
| it.each([ | ||
| ['빈 문자열', ''], | ||
| ['음수', '-1'], | ||
| ['소수', '1.5'], | ||
| ['알파벳 혼재', 'abc'], | ||
| ['공백 포함', ' 1'], | ||
| ['끝 공백', '1 '], | ||
| ])('거절: %s ("%s")', async (_label, value) => { | ||
| const dto = build({ accountId: value }); | ||
| const errors = await validate(dto); | ||
| expect(errors).toHaveLength(1); | ||
| expect(errors[0].property).toBe('accountId'); | ||
| }); | ||
|
|
||
| it('accountId 누락 거절', async () => { | ||
| const dto = build({}); | ||
| const errors = await validate(dto); | ||
| expect(errors).toHaveLength(1); | ||
| expect(errors[0].property).toBe('accountId'); | ||
| }); | ||
|
|
||
| it('숫자 타입은 거절한다', async () => { | ||
| const dto = build({ accountId: 123 }); | ||
| const errors = await validate(dto); | ||
| expect(errors).toHaveLength(1); | ||
| }); | ||
| }); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| import { IsString, Matches } from 'class-validator'; | ||
|
|
||
| /** | ||
| * POST /auth/dev/issue-token Body (개발 환경 한정). | ||
| * | ||
| * accountId 는 BigInt 호환 숫자 문자열. 부호/소수 불허. | ||
| */ | ||
| export class DevIssueTokenInput { | ||
| @IsString() | ||
| @Matches(/^\d+$/, { message: 'accountId must be a numeric string.' }) | ||
| accountId!: string; | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Switching this parameter to a validated DTO makes malformed requests fail in the global
ValidationPipebeforedevIssueToken()reaches itsNODE_ENV==='production'guard, so production can now return400instead of the documented/previous403for this endpoint. I checkedsrc/main.tsand the app uses a globalValidationPipe, which runs before handler logic; this changes behavior specifically for invalid bodies in production and can break callers/tests that rely on a consistent Forbidden response for all production access attempts.Useful? React with 👍 / 👎.