v0.1.62 - 운영 인증 링크 노출 제한

2026-04-23 18:01:48 +09:00
parent d59795b089
commit 54f4b34e5e
4 changed files with 20 additions and 9 deletions
--- a/backend/src/config.js
+++ b/backend/src/config.js
@@ -17,6 +17,7 @@ const envSchema = z.object({
  RESEND_API_KEY: z.string().optional(),
  MAIL_FROM_EMAIL: z.string().email().default('planner@sori.studio'),
  MAIL_FROM_NAME: z.string().default('10 Minute Planner'),
+  AUTH_PREVIEW_LINKS: z.coerce.boolean().default(false),
  ADMIN_ACCOUNT_ID: z.string().min(1),
  ADMIN_ACCOUNT_PASSWORD: z.string().min(12),
  ADMIN_ACCOUNT_EMAIL: z.string().email(),
--- a/backend/src/routes/auth.js
+++ b/backend/src/routes/auth.js
@@ -109,6 +109,17 @@ function sanitizeUser(user) {
  }
 }

+function withPreviewUrl(payload, key, previewUrl) {
+  if (!env.AUTH_PREVIEW_LINKS) {
+    return payload
+  }
+
+  return {
+    ...payload,
+    [key]: previewUrl,
+  }
+}
+
 async function findUserByNickname(nickname) {
  const [user] = await db
    .select()
@@ -177,12 +188,11 @@ export async function registerAuthRoutes(app) {
      linkUrl: verification.previewUrl,
    })

-    return reply.code(201).send({
+    return reply.code(201).send(withPreviewUrl({
      message: '회원가입이 완료되었습니다.',
      token,
      user: sanitizeUser(user),
-      verificationPreviewUrl: verification.previewUrl,
-    })
+    }, 'verificationPreviewUrl', verification.previewUrl))
  })

  app.post('/api/auth/login', async (request, reply) => {
@@ -397,10 +407,9 @@ export async function registerAuthRoutes(app) {
      linkUrl: verification.previewUrl,
    })

-    return {
+    return withPreviewUrl({
      message: '이메일 인증 링크를 준비했습니다.',
-      verificationPreviewUrl: verification.previewUrl,
-    }
+    }, 'verificationPreviewUrl', verification.previewUrl)
  })

  app.post('/api/auth/verification/confirm', async (request, reply) => {
@@ -485,10 +494,9 @@ export async function registerAuthRoutes(app) {
      linkUrl: reset.previewUrl,
    })

-    return {
+    return withPreviewUrl({
      message: '비밀번호 재설정 링크를 준비했습니다.',
-      resetPreviewUrl: reset.previewUrl,
-    }
+    }, 'resetPreviewUrl', reset.previewUrl)
  })

  app.post('/api/auth/password-reset/confirm', async (request, reply) => {