태그를 관리용/일반용으로 분리하고 관리자 드래그 정렬을 추가.

댓글/회원/관리자 인증·프로필 흐름 보완과 관련 마이그레이션 및 문서를 함께 반영해 운영 동선을 안정화.

Co-authored-by: Cursor <cursoragent@cursor.com>

server/api/auth/bootstrap-status.get.js

@@ -0,0 +1,7 @@
+import { getMemberBootstrapState } from '../../repositories/member-repository'
+
+/**
+ * 최초 관리자 등록 필요 여부를 조회한다.
+ * @returns {Promise<{ hasUsers: boolean, needsAdminSetup: boolean }>} 부트스트랩 상태
+ */
+export default defineEventHandler(async () => getMemberBootstrapState())

server/api/auth/signup.post.js

@@ -3,6 +3,7 @@ import { z } from 'zod'
 import { createError, getRequestIP, readBody } from 'h3'
 import { createUser, getUserByEmail, isUsernameTaken, touchUserActivity } from '../../repositories/member-repository'
 import { setMemberSession } from '../../utils/member-auth'
+import { setAdminSession } from '../../utils/admin-auth'
 
 const signupSchema = z.object({
   username: z.string().trim().min(1),
@@ -13,7 +14,7 @@ const signupSchema = z.object({
 /**
  * 회원 가입 API
  * @param {import('h3').H3Event} event - 요청 이벤트
- * @returns {Promise<{ id: string, username: string, email: string }>} 회원 정보
+ * @returns {Promise<{ id: string, username: string, email: string, avatarUrl: string, isAdmin: boolean }>} 회원 정보
  */
 export default defineEventHandler(async (event) => {
   const parsedBody = signupSchema.safeParse(await readBody(event))
@@ -54,6 +55,12 @@ export default defineEventHandler(async (event) => {
   })
 
   setMemberSession(event, { userId: created.id, email: created.email })
+  if (created.isAdmin) {
+    setAdminSession(event, {
+      userId: created.id,
+      email: created.email
+    })
+  }
   await touchUserActivity({
     userId: created.id,
     ip: String(getRequestIP(event) || '')
@@ -63,7 +70,8 @@ export default defineEventHandler(async (event) => {
     id: created.id,
     username: created.username,
     email: created.email,
-    avatarUrl: created.avatarUrl || ''
+    avatarUrl: created.avatarUrl || '',
+    isAdmin: Boolean(created.isAdmin)
   }
 })
 

server/api/posts/[slug]/comments.get.js

@@ -1,4 +1,5 @@
 import { listPostCommentsBySlug } from '../../../repositories/comment-repository'
+import { getMemberSession } from '../../../utils/member-auth'
 
 /**
  * 게시물 댓글 목록 조회 API
@@ -7,7 +8,8 @@ import { listPostCommentsBySlug } from '../../../repositories/comment-repository
  */
 export default defineEventHandler(async (event) => {
   const slug = String(getRouterParam(event, 'slug') || '')
-  const comments = await listPostCommentsBySlug(slug)
+  const session = getMemberSession(event)
+  const comments = await listPostCommentsBySlug(slug, session?.userId || null)
 
   return {
     comments

server/api/posts/[slug]/comments/[commentId]/like.post.js

@@ -0,0 +1,28 @@
+import { getRequestIP } from 'h3'
+import { toggleCommentLike } from '../../../../../repositories/comment-repository'
+import { touchUserActivity } from '../../../../../repositories/member-repository'
+import { requireMemberSession } from '../../../../../utils/member-auth'
+
+/**
+ * 댓글 좋아요 토글 API
+ * @param {import('h3').H3Event} event - 요청 이벤트
+ * @returns {Promise<{ liked: boolean, likeCount: number }>} 좋아요 상태
+ */
+export default defineEventHandler(async (event) => {
+  const session = requireMemberSession(event)
+  const slug = String(getRouterParam(event, 'slug') || '')
+  const commentId = String(getRouterParam(event, 'commentId') || '')
+
+  const result = await toggleCommentLike({
+    slug,
+    commentId,
+    userId: session.userId
+  })
+
+  await touchUserActivity({
+    userId: session.userId,
+    ip: String(getRequestIP(event) || '')
+  })
+
+  return result
+})

server/api/tags.get.js

@@ -4,4 +4,4 @@ import { listTags } from '../repositories/content-repository'
  * 공개 태그 목록 API
  * @returns {Array} 태그 목록
  */
-export default defineEventHandler(() => listTags())
+export default defineEventHandler(() => listTags({ tagType: 'managed' }))

server/repositories/comment-repository.js

@@ -10,7 +10,9 @@ import { getPostgresClient } from './postgres-client'
  * @property {string} status - 댓글 상태
  * @property {string} createdAt - 생성 시각
  * @property {string} updatedAt - 수정 시각
- * @property {{ id: string, username: string }} user - 작성자 정보
+ * @property {number} likeCount - 좋아요 수
+ * @property {boolean} likedByMe - 현재 회원 좋아요 여부
+ * @property {{ id: string, username: string, avatarUrl: string }} user - 작성자 정보
  */
 
 /**
@@ -19,6 +21,13 @@ import { getPostgresClient } from './postgres-client'
  */
 const getSql = () => getPostgresClient()
 
+/**
+ * Postgres undefined table 에러 여부 확인
+ * @param {unknown} error - 에러 객체
+ * @returns {boolean} undefined table 여부
+ */
+const isUndefinedTableError = (error) => String(error?.code || '') === '42P01'
+
 /**
  * 게시물 ID 조회
  * @param {ReturnType<typeof import('postgres').default>} sql - postgres 클라이언트
@@ -46,7 +55,7 @@ const findPublishedPostIdBySlug = async (sql, slug) => {
  * @param {string} slug - 게시물 슬러그
  * @returns {Promise<Array<PostComment>>} 댓글 목록
  */
-export const listPostCommentsBySlug = async (slug) => {
+export const listPostCommentsBySlug = async (slug, viewerUserId = null) => {
   const sql = getSql()
 
   if (!sql) {
@@ -61,23 +70,64 @@ export const listPostCommentsBySlug = async (slug) => {
     })
   }
 
-  const rows = await sql`
-    SELECT
-      comments.id,
-      comments.post_id AS "postId",
-      comments.parent_id AS "parentId",
-      comments.body,
-      comments.status,
-      comments.created_at AS "createdAt",
-      comments.updated_at AS "updatedAt",
-      users.id AS "userId",
-      users.username AS "username"
-    FROM comments
-    INNER JOIN users ON users.id = comments.user_id
-    WHERE comments.post_id = ${postId}
-      AND comments.status = 'published'
-    ORDER BY comments.created_at ASC
-  `
+  let rows = []
+
+  try {
+    rows = await sql`
+      SELECT
+        comments.id,
+        comments.post_id AS "postId",
+        comments.parent_id AS "parentId",
+        comments.body,
+        comments.status,
+        comments.created_at AS "createdAt",
+        comments.updated_at AS "updatedAt",
+        users.id AS "userId",
+        users.username AS "username",
+        users.avatar_url AS "avatarUrl",
+        COALESCE(comment_like_counts.like_count, 0) AS "likeCount",
+        CASE
+          WHEN viewer_comment_likes.user_id IS NULL THEN false
+          ELSE true
+        END AS "likedByMe"
+      FROM comments
+      INNER JOIN users ON users.id = comments.user_id
+      LEFT JOIN (
+        SELECT comment_id, COUNT(*)::INT AS like_count
+        FROM comment_likes
+        GROUP BY comment_id
+      ) AS comment_like_counts ON comment_like_counts.comment_id = comments.id
+      LEFT JOIN comment_likes AS viewer_comment_likes
+        ON viewer_comment_likes.comment_id = comments.id
+        AND viewer_comment_likes.user_id = ${viewerUserId}
+      WHERE comments.post_id = ${postId}
+        AND comments.status = 'published'
+      ORDER BY comments.created_at ASC
+    `
+  } catch (error) {
+    if (!isUndefinedTableError(error)) {
+      throw error
+    }
+
+    rows = await sql`
+      SELECT
+        comments.id,
+        comments.post_id AS "postId",
+        comments.parent_id AS "parentId",
+        comments.body,
+        comments.status,
+        comments.created_at AS "createdAt",
+        comments.updated_at AS "updatedAt",
+        users.id AS "userId",
+        users.username AS "username",
+        users.avatar_url AS "avatarUrl"
+      FROM comments
+      INNER JOIN users ON users.id = comments.user_id
+      WHERE comments.post_id = ${postId}
+        AND comments.status = 'published'
+      ORDER BY comments.created_at ASC
+    `
+  }
 
   return rows.map((row) => ({
     id: row.id,
@@ -87,9 +137,12 @@ export const listPostCommentsBySlug = async (slug) => {
     status: row.status,
     createdAt: row.createdAt.toISOString(),
     updatedAt: row.updatedAt.toISOString(),
+    likeCount: Number(row.likeCount || 0),
+    likedByMe: Boolean(row.likedByMe),
     user: {
       id: row.userId,
-      username: row.username
+      username: row.username,
+      avatarUrl: row.avatarUrl || ''
     }
   }))
 }
@@ -165,7 +218,7 @@ export const createComment = async (input) => {
   }
 
   const userRows = await sql`
-    SELECT id, username
+    SELECT id, username, avatar_url
     FROM users
     WHERE id = ${input.userId}
     LIMIT 1
@@ -189,8 +242,84 @@ export const createComment = async (input) => {
     updatedAt: created.updatedAt.toISOString(),
     user: {
       id: user.id,
-      username: user.username
+      username: user.username,
+      avatarUrl: user.avatar_url || ''
     }
   }
 }
 
+/**
+ * 댓글 좋아요를 토글한다.
+ * @param {{ slug: string, commentId: string, userId: string }} input - 좋아요 입력값
+ * @returns {Promise<{ liked: boolean, likeCount: number }>} 좋아요 결과
+ */
+export const toggleCommentLike = async (input) => {
+  const sql = getSql()
+
+  if (!sql) {
+    throw createError({
+      statusCode: 500,
+      message: '데이터베이스 설정이 필요합니다.'
+    })
+  }
+
+  const postId = await findPublishedPostIdBySlug(sql, input.slug)
+  if (!postId) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: '게시물을 찾을 수 없습니다'
+    })
+  }
+
+  const commentRows = await sql`
+    SELECT id
+    FROM comments
+    WHERE id = ${input.commentId}
+      AND post_id = ${postId}
+      AND status = 'published'
+    LIMIT 1
+  `
+  const comment = commentRows?.[0]
+
+  if (!comment) {
+    throw createError({
+      statusCode: 404,
+      message: '댓글을 찾을 수 없습니다.'
+    })
+  }
+
+  const likedRows = await sql`
+    SELECT 1
+    FROM comment_likes
+    WHERE comment_id = ${input.commentId}
+      AND user_id = ${input.userId}
+    LIMIT 1
+  `
+  const alreadyLiked = Boolean(likedRows?.[0])
+
+  if (alreadyLiked) {
+    await sql`
+      DELETE FROM comment_likes
+      WHERE comment_id = ${input.commentId}
+        AND user_id = ${input.userId}
+    `
+  } else {
+    await sql`
+      INSERT INTO comment_likes (comment_id, user_id)
+      VALUES (${input.commentId}, ${input.userId})
+      ON CONFLICT (comment_id, user_id) DO NOTHING
+    `
+  }
+
+  const countRows = await sql`
+    SELECT COUNT(*)::INT AS like_count
+    FROM comment_likes
+    WHERE comment_id = ${input.commentId}
+  `
+
+  return {
+    liked: !alreadyLiked,
+    likeCount: Number(countRows?.[0]?.like_count || 0)
+  }
+}
+

server/repositories/content-repository.js

@@ -59,7 +59,8 @@ const mapTagRow = (row) => ({
   slug: row.slug,
   description: row.description,
   sortOrder: row.sort_order,
-  color: row.color
+  color: row.color,
+  tagType: row.tag_type || 'managed'
 })
 
 /**
@@ -532,22 +533,45 @@ export const getPageBySlug = async (slug) => {
  * 공개 태그 목록 조회
  * @returns {Promise<Array>} 태그 목록
  */
-export const listTags = async () => {
+export const listTags = async ({ tagType } = {}) => {
   const sql = getPostgresClient()
 
   if (!sql) {
-    return getSampleTags()
+    const sampleTags = getSampleTags().map((tag) => ({
+      ...tag,
+      tagType: 'managed'
+    }))
+    if (!tagType) {
+      return sampleTags
+    }
+    return sampleTags.filter((tag) => tag.tagType === tagType)
   }
 
-  const rows = await sql`
-    SELECT *
-    FROM tags
-    ORDER BY sort_order ASC, name ASC
-  `
+  const rows = tagType
+    ? await sql`
+      SELECT *
+      FROM tags
+      WHERE tag_type = ${tagType}
+      ORDER BY sort_order ASC, name ASC
+    `
+    : await sql`
+      SELECT *
+      FROM tags
+      ORDER BY
+        CASE tag_type WHEN 'managed' THEN 0 ELSE 1 END ASC,
+        sort_order ASC,
+        name ASC
+    `
 
   return rows.map(mapTagRow)
 }
 
+/**
+ * 관리자 태그 목록 조회
+ * @returns {Promise<Array>} 관리자 태그 목록
+ */
+export const listAdminTags = async () => listTags()
+
 const SEARCH_TAG_LIMIT = 12
 const SEARCH_POST_LIMIT = 12
 const SEARCH_POST_CANDIDATE_LIMIT = 48
@@ -823,8 +847,8 @@ export const createAdminTag = async (input) => {
   }
 
   const rows = await sql`
-    INSERT INTO tags (name, slug, description, sort_order, color)
-    VALUES (${input.name}, ${input.slug}, ${input.description}, ${input.sortOrder}, ${input.color})
+    INSERT INTO tags (name, slug, description, sort_order, color, tag_type)
+    VALUES (${input.name}, ${input.slug}, ${input.description}, ${input.sortOrder}, ${input.color}, ${input.tagType})
     RETURNING *
   `
 
@@ -852,6 +876,7 @@ export const updateAdminTag = async (id, input) => {
       description = ${input.description},
       sort_order = ${input.sortOrder},
       color = ${input.color},
+      tag_type = ${input.tagType},
       updated_at = now()
     WHERE id = ${id}
     RETURNING *
@@ -860,6 +885,35 @@ export const updateAdminTag = async (id, input) => {
   return rows[0] ? mapTagRow(rows[0]) : null
 }
 
+/**
+ * 관리자 관리용 태그 순서를 일괄 갱신
+ * @param {Array<string>} tagIds - 정렬된 태그 ID 목록
+ * @returns {Promise<Array>} 갱신된 태그 목록
+ */
+export const reorderManagedTags = async (tagIds) => {
+  const sql = getPostgresClient()
+
+  if (!sql) {
+    throw new Error('DATABASE_REQUIRED')
+  }
+
+  await sql.begin(async (transaction) => {
+    for (let index = 0; index < tagIds.length; index += 1) {
+      const tagId = tagIds[index]
+      await transaction`
+        UPDATE tags
+        SET
+          sort_order = ${(index + 1) * 10},
+          updated_at = now()
+        WHERE id = ${tagId}
+          AND tag_type = 'managed'
+      `
+    }
+  })
+
+  return listTags({ tagType: 'managed' })
+}
+
 /**
  * 관리자 태그 삭제
  * @param {string} id - 태그 ID

server/repositories/member-repository.js

@@ -1,6 +1,14 @@
 import { createError } from 'h3'
 import { getPostgresClient } from './postgres-client'
 
+export const MEMBER_ROLE = {
+  OWNER: 'owner',
+  ADMIN: 'admin',
+  MEMBER: 'member'
+}
+
+const PRIVILEGED_ROLES = [MEMBER_ROLE.OWNER, MEMBER_ROLE.ADMIN]
+
 /**
  * @typedef {Object} MemberUser
  * @property {string} id - 사용자 ID
@@ -8,6 +16,8 @@ import { getPostgresClient } from './postgres-client'
  * @property {string} email - 이메일
  * @property {string} passwordHash - 비밀번호 해시
  * @property {string} avatarUrl - 아바타 URL
+ * @property {boolean} isAdmin - 관리자 여부
+ * @property {'owner' | 'admin' | 'member'} role - 권한 코드
  * @property {string} createdAt - 생성 시각(ISO)
  * @property {string} updatedAt - 수정 시각(ISO)
  * @property {string | null} lastSeenAt - 최근 접속 시각(ISO)
@@ -43,6 +53,8 @@ export const getUserByEmail = async (email) => {
       email,
       password_hash AS "passwordHash",
       avatar_url AS "avatarUrl",
+      is_admin AS "isAdmin",
+      user_role AS "role",
       created_at AS "createdAt",
       updated_at AS "updatedAt",
       last_seen_at AS "lastSeenAt",
@@ -68,6 +80,8 @@ export const getUserById = async (id) => {
       username,
       email,
       avatar_url AS "avatarUrl",
+      is_admin AS "isAdmin",
+      user_role AS "role",
       created_at AS "createdAt",
       updated_at AS "updatedAt",
       last_seen_at AS "lastSeenAt",
@@ -94,6 +108,8 @@ export const getUserByIdWithPassword = async (id) => {
       email,
       password_hash AS "passwordHash",
       avatar_url AS "avatarUrl",
+      is_admin AS "isAdmin",
+      user_role AS "role",
       created_at AS "createdAt",
       updated_at AS "updatedAt",
       last_seen_at AS "lastSeenAt",
@@ -115,13 +131,25 @@ export const createUser = async (input) => {
   const sql = requireSql()
 
   const rows = await sql`
-    INSERT INTO users (username, email, password_hash, avatar_url)
-    VALUES (${input.username}, ${input.email}, ${input.passwordHash}, '')
+    INSERT INTO users (username, email, password_hash, avatar_url, is_admin, user_role)
+    VALUES (
+      ${input.username},
+      ${input.email},
+      ${input.passwordHash},
+      '',
+      NOT EXISTS (SELECT 1 FROM users),
+      CASE
+        WHEN NOT EXISTS (SELECT 1 FROM users) THEN ${MEMBER_ROLE.OWNER}
+        ELSE ${MEMBER_ROLE.MEMBER}
+      END
+    )
     RETURNING
       id,
       username,
       email,
       avatar_url AS "avatarUrl",
+      is_admin AS "isAdmin",
+      user_role AS "role",
       created_at AS "createdAt",
       updated_at AS "updatedAt",
       last_seen_at AS "lastSeenAt",
@@ -175,6 +203,8 @@ export const updateMemberProfile = async (input) => {
       username,
       email,
       avatar_url AS "avatarUrl",
+      is_admin AS "isAdmin",
+      user_role AS "role",
       created_at AS "createdAt",
       updated_at AS "updatedAt",
       last_seen_at AS "lastSeenAt",
@@ -240,7 +270,7 @@ export const isUsernameTaken = async (input) => {
 
 /**
  * 관리자용 회원 목록 조회(댓글 활동 포함)
- * @returns {Promise<Array<{ id: string, username: string, email: string, avatarUrl: string, createdAt: string, updatedAt: string, lastSeenAt: string | null, lastSeenIp: string, commentCount: number, activityStatus: string }>>} 회원 목록
+ * @returns {Promise<Array<{ id: string, username: string, email: string, avatarUrl: string, isAdmin: boolean, roleCode: string, createdAt: string, updatedAt: string, lastSeenAt: string | null, lastSeenIp: string, commentCount: number, activityStatus: string, role: string }>>} 회원 목록
  */
 export const listMembersForAdmin = async () => {
   const sql = requireSql()
@@ -250,6 +280,8 @@ export const listMembersForAdmin = async () => {
       users.username,
       users.email,
       users.avatar_url AS "avatarUrl",
+      users.is_admin AS "isAdmin",
+      users.user_role AS "roleCode",
       users.created_at AS "createdAt",
       users.updated_at AS "updatedAt",
       users.last_seen_at AS "lastSeenAt",
@@ -272,13 +304,181 @@ export const listMembersForAdmin = async () => {
       username: row.username,
       email: row.email,
       avatarUrl: row.avatarUrl || '',
+      isAdmin: Boolean(row.isAdmin),
+      roleCode: String(row.roleCode || MEMBER_ROLE.MEMBER),
       createdAt: row.createdAt.toISOString(),
       updatedAt: row.updatedAt.toISOString(),
       lastSeenAt,
       lastSeenIp: row.lastSeenIp || '',
       commentCount: Number(row.commentCount || 0),
-      activityStatus: isActive ? '활성' : '비활성'
+      activityStatus: isActive ? '활성' : '비활성',
+      role: row.roleCode === MEMBER_ROLE.OWNER
+        ? '소유자'
+        : row.roleCode === MEMBER_ROLE.ADMIN
+          ? '관리자'
+          : '멤버'
     }
   })
 }
 
+/**
+ * 이메일 기준 관리자 회원 조회
+ * @param {string} email - 이메일
+ * @returns {Promise<MemberUser | null>} 관리자 회원
+ */
+export const getAdminUserByEmail = async (email) => {
+  const sql = requireSql()
+  const rows = await sql`
+    SELECT
+      id,
+      username,
+      email,
+      password_hash AS "passwordHash",
+      avatar_url AS "avatarUrl",
+      is_admin AS "isAdmin",
+      user_role AS "role",
+      created_at AS "createdAt",
+      updated_at AS "updatedAt",
+      last_seen_at AS "lastSeenAt",
+      last_seen_ip AS "lastSeenIp"
+    FROM users
+    WHERE lower(email) = lower(${email})
+      AND user_role = ANY(${PRIVILEGED_ROLES})
+    LIMIT 1
+  `
+
+  return rows?.[0] || null
+}
+
+/**
+ * 최초 관리자 등록 필요 여부를 확인한다.
+ * @returns {Promise<{ hasUsers: boolean, needsAdminSetup: boolean }>} 부트스트랩 상태
+ */
+export const getMemberBootstrapState = async () => {
+  const sql = requireSql()
+  const rows = await sql`
+    SELECT COUNT(*)::int AS "userCount"
+    FROM users
+  `
+
+  const userCount = Number(rows?.[0]?.userCount || 0)
+
+  return {
+    hasUsers: userCount > 0,
+    needsAdminSetup: userCount === 0
+  }
+}
+
+/**
+ * 관리자 권한을 가진 회원 여부를 확인한다.
+ * @param {string} userId - 사용자 ID
+ * @returns {Promise<boolean>} 관리자 권한 여부
+ */
+export const isPrivilegedMember = async (userId) => {
+  const sql = requireSql()
+  const rows = await sql`
+    SELECT id
+    FROM users
+    WHERE id = ${userId}
+      AND user_role = ANY(${PRIVILEGED_ROLES})
+    LIMIT 1
+  `
+
+  return Boolean(rows?.[0])
+}
+
+/**
+ * 관리자 화면에서 회원 권한을 변경한다.
+ * @param {{ actorUserId: string, targetUserId: string, role: 'owner' | 'admin' | 'member' }} input - 변경 정보
+ * @returns {Promise<{ id: string, roleCode: string, role: string, isAdmin: boolean }>} 변경 결과
+ */
+export const updateMemberRoleByAdmin = async (input) => {
+  const sql = requireSql()
+  const normalizedRole = String(input.role || '').trim()
+  const allowedRoles = [MEMBER_ROLE.OWNER, MEMBER_ROLE.ADMIN, MEMBER_ROLE.MEMBER]
+
+  if (!allowedRoles.includes(normalizedRole)) {
+    throw createError({
+      statusCode: 400,
+      message: '유효하지 않은 권한 값입니다.'
+    })
+  }
+
+  const actorCanManage = await isPrivilegedMember(input.actorUserId)
+  if (!actorCanManage) {
+    throw createError({
+      statusCode: 403,
+      message: '권한 변경 권한이 없습니다.'
+    })
+  }
+
+  const targetRows = await sql`
+    SELECT id, user_role AS "roleCode"
+    FROM users
+    WHERE id = ${input.targetUserId}
+    LIMIT 1
+  `
+
+  const target = targetRows?.[0]
+  if (!target) {
+    throw createError({
+      statusCode: 404,
+      message: '대상 회원을 찾을 수 없습니다.'
+    })
+  }
+
+  if (target.id === input.actorUserId && normalizedRole === MEMBER_ROLE.MEMBER) {
+    throw createError({
+      statusCode: 400,
+      message: '본인 계정을 멤버로 변경할 수 없습니다.'
+    })
+  }
+
+  if (target.roleCode === MEMBER_ROLE.OWNER && normalizedRole !== MEMBER_ROLE.OWNER) {
+    const ownerRows = await sql`
+      SELECT COUNT(*)::int AS "ownerCount"
+      FROM users
+      WHERE user_role = ${MEMBER_ROLE.OWNER}
+    `
+
+    if (Number(ownerRows?.[0]?.ownerCount || 0) <= 1) {
+      throw createError({
+        statusCode: 400,
+        message: '최소 1명의 소유자 권한은 유지되어야 합니다.'
+      })
+    }
+  }
+
+  const updatedRows = await sql`
+    UPDATE users
+    SET
+      user_role = ${normalizedRole},
+      is_admin = ${normalizedRole === MEMBER_ROLE.OWNER || normalizedRole === MEMBER_ROLE.ADMIN},
+      updated_at = now()
+    WHERE id = ${input.targetUserId}
+    RETURNING
+      id,
+      user_role AS "roleCode",
+      is_admin AS "isAdmin"
+  `
+
+  const updated = updatedRows?.[0]
+  if (!updated) {
+    throw createError({
+      statusCode: 500,
+      message: '권한 변경에 실패했습니다.'
+    })
+  }
+
+  return {
+    id: updated.id,
+    roleCode: updated.roleCode,
+    role: updated.roleCode === MEMBER_ROLE.OWNER
+      ? '소유자'
+      : updated.roleCode === MEMBER_ROLE.ADMIN
+        ? '관리자'
+        : '멤버',
+    isAdmin: Boolean(updated.isAdmin)
+  }
+}
+

server/routes/admin/api/auth/login.post.js

@@ -1,6 +1,9 @@
 import { z } from 'zod'
 import { createError, readBody } from 'h3'
-import { safeCompare, setAdminSession } from '../../../../utils/admin-auth'
+import bcrypt from 'bcrypt'
+import { setAdminSession } from '../../../../utils/admin-auth'
+import { getAdminUserByEmail } from '../../../../repositories/member-repository'
+import { setMemberSession } from '../../../../utils/member-auth'
 
 const loginSchema = z.object({
   email: z.string().email(),
@@ -14,7 +17,6 @@ const loginSchema = z.object({
  */
 export default defineEventHandler(async (event) => {
   const parsedBody = loginSchema.safeParse(await readBody(event))
-  const config = useRuntimeConfig()
 
   if (!parsedBody.success) {
     throw createError({
@@ -25,19 +27,30 @@ export default defineEventHandler(async (event) => {
 
   const body = parsedBody.data
 
-  if (
-    !safeCompare(body.email, config.adminEmail) ||
-    !safeCompare(body.password, config.adminPassword)
-  ) {
+  const adminUser = await getAdminUserByEmail(body.email)
+  const passwordMatched = adminUser
+    ? await bcrypt.compare(body.password, adminUser.passwordHash)
+    : false
+
+  if (!adminUser || !passwordMatched) {
     throw createError({
       statusCode: 401,
       message: '이메일 또는 비밀번호가 올바르지 않습니다.'
     })
   }
 
-  setAdminSession(event, body.email)
+  setAdminSession(event, {
+    userId: adminUser.id,
+    email: adminUser.email
+  })
+  setMemberSession(event, {
+    userId: adminUser.id,
+    email: adminUser.email
+  })
 
   return {
-    email: body.email
+    userId: adminUser.id,
+    email: adminUser.email,
+    username: adminUser.username
   }
 })

server/routes/admin/api/auth/logout.post.js

@@ -1,4 +1,5 @@
 import { clearAdminSession } from '../../../../utils/admin-auth'
+import { clearMemberSession } from '../../../../utils/member-auth'
 
 /**
  * 관리자 로그아웃 API
@@ -7,6 +8,7 @@ import { clearAdminSession } from '../../../../utils/admin-auth'
  */
 export default defineEventHandler((event) => {
   clearAdminSession(event)
+  clearMemberSession(event)
 
   return {
     ok: true

server/routes/admin/api/auth/me.get.js

@@ -3,6 +3,6 @@ import { requireAdminSession } from '../../../../utils/admin-auth'
 /**
  * 관리자 세션 조회 API
  * @param {import('h3').H3Event} event - 요청 이벤트
- * @returns {{ email: string }} 관리자 세션 정보
+ * @returns {{ userId: string, email: string, role: 'admin' }} 관리자 세션 정보
  */
 export default defineEventHandler((event) => requireAdminSession(event))

server/routes/admin/api/members/[id]/role.put.js

@@ -0,0 +1,39 @@
+import { createError, getRouterParam, readBody } from 'h3'
+import { z } from 'zod'
+import { requireAdminSession } from '../../../../../utils/admin-auth'
+import { updateMemberRoleByAdmin } from '../../../../../repositories/member-repository'
+
+const roleSchema = z.object({
+  role: z.enum(['owner', 'admin', 'member'])
+})
+
+/**
+ * 관리자 회원 권한 변경 API
+ * @param {import('h3').H3Event} event - 요청 이벤트
+ * @returns {Promise<{ id: string, roleCode: string, role: string, isAdmin: boolean }>} 변경 결과
+ */
+export default defineEventHandler(async (event) => {
+  const session = requireAdminSession(event)
+  const memberId = String(getRouterParam(event, 'id') || '')
+  const parsedBody = roleSchema.safeParse(await readBody(event))
+
+  if (!memberId) {
+    throw createError({
+      statusCode: 400,
+      message: '대상 회원 ID가 필요합니다.'
+    })
+  }
+
+  if (!parsedBody.success) {
+    throw createError({
+      statusCode: 400,
+      message: '권한 변경 요청 형식이 올바르지 않습니다.'
+    })
+  }
+
+  return updateMemberRoleByAdmin({
+    actorUserId: session.userId,
+    targetUserId: memberId,
+    role: parsedBody.data.role
+  })
+})

server/routes/admin/api/tags.get.js

@@ -1,5 +1,5 @@
 import { requireAdminSession } from '../../../utils/admin-auth'
-import { listTags } from '../../../repositories/content-repository'
+import { listAdminTags } from '../../../repositories/content-repository'
 
 /**
  * 관리자 태그 목록 API
@@ -9,5 +9,5 @@ import { listTags } from '../../../repositories/content-repository'
 export default defineEventHandler((event) => {
   requireAdminSession(event)
 
-  return listTags()
+  return listAdminTags()
 })

server/routes/admin/api/tags/reorder.put.js

@@ -0,0 +1,27 @@
+import { createError, readBody } from 'h3'
+import { z } from 'zod'
+import { requireAdminSession } from '../../../../utils/admin-auth'
+import { reorderManagedTags } from '../../../../repositories/content-repository'
+
+const reorderSchema = z.object({
+  tagIds: z.array(z.string().uuid()).min(1)
+})
+
+/**
+ * 관리자 관리용 태그 순서 일괄 저장 API
+ * @param {import('h3').H3Event} event - 요청 이벤트
+ * @returns {Promise<Array>} 정렬 저장 후 태그 목록
+ */
+export default defineEventHandler(async (event) => {
+  requireAdminSession(event)
+  const parsedBody = reorderSchema.safeParse(await readBody(event))
+
+  if (!parsedBody.success) {
+    throw createError({
+      statusCode: 400,
+      message: '정렬 저장 요청 형식이 올바르지 않습니다.'
+    })
+  }
+
+  return reorderManagedTags(parsedBody.data.tagIds)
+})

server/utils/admin-auth.js

@@ -49,12 +49,14 @@ const signPayload = (payload) => createHmac('sha256', getSessionSecret())
 
 /**
  * 관리자 세션 토큰 생성
- * @param {string} email - 관리자 이메일
+ * @param {{ userId: string, email: string }} adminUser - 관리자 사용자 정보
  * @returns {string} 세션 토큰
  */
-export const createAdminSessionToken = (email) => {
+export const createAdminSessionToken = (adminUser) => {
   const payload = Buffer.from(JSON.stringify({
-    email,
+    userId: adminUser.userId,
+    email: adminUser.email,
+    role: 'admin',
     expiresAt: Date.now() + sessionMaxAge * 1000
   })).toString('base64url')
 
@@ -64,7 +66,7 @@ export const createAdminSessionToken = (email) => {
 /**
  * 관리자 세션 토큰 검증
  * @param {string | undefined} token - 세션 토큰
- * @returns {{ email: string } | null} 세션 정보
+ * @returns {{ userId: string, email: string, role: 'admin' } | null} 세션 정보
  */
 export const verifyAdminSessionToken = (token) => {
   if (!token) {
@@ -85,23 +87,25 @@ export const verifyAdminSessionToken = (token) => {
     return null
   }
 
-  if (!session.email || !session.expiresAt || session.expiresAt < Date.now()) {
+  if (!session.userId || !session.email || session.role !== 'admin' || !session.expiresAt || session.expiresAt < Date.now()) {
     return null
   }
 
   return {
-    email: session.email
+    userId: session.userId,
+    email: session.email,
+    role: 'admin'
   }
 }
 
 /**
  * 관리자 세션 쿠키 설정
  * @param {import('h3').H3Event} event - 요청 이벤트
- * @param {string} email - 관리자 이메일
+ * @param {{ userId: string, email: string }} adminUser - 관리자 사용자 정보
  * @returns {void}
  */
-export const setAdminSession = (event, email) => {
-  setCookie(event, adminSessionCookieName, createAdminSessionToken(email), {
+export const setAdminSession = (event, adminUser) => {
+  setCookie(event, adminSessionCookieName, createAdminSessionToken(adminUser), {
     httpOnly: true,
     sameSite: 'lax',
     secure: process.env.NODE_ENV === 'production',
@@ -124,14 +128,14 @@ export const clearAdminSession = (event) => {
 /**
  * 관리자 세션 조회
  * @param {import('h3').H3Event} event - 요청 이벤트
- * @returns {{ email: string } | null} 세션 정보
+ * @returns {{ userId: string, email: string, role: 'admin' } | null} 세션 정보
  */
 export const getAdminSession = (event) => verifyAdminSessionToken(getCookie(event, adminSessionCookieName))
 
 /**
  * 관리자 세션 필수 확인
  * @param {import('h3').H3Event} event - 요청 이벤트
- * @returns {{ email: string }} 세션 정보
+ * @returns {{ userId: string, email: string, role: 'admin' }} 세션 정보
  */
 export const requireAdminSession = (event) => {
   const session = getAdminSession(event)

server/utils/admin-tag-input.js

@@ -5,7 +5,8 @@ export const adminTagInputSchema = z.object({
   slug: z.string().trim().min(1).regex(/^[a-z0-9가-힣]+(?:-[a-z0-9가-힣]+)*$/),
   description: z.string().default(''),
   sortOrder: z.number().int().min(0).default(0),
-  color: z.string().trim().regex(/^#[0-9a-fA-F]{6}$/).default('#15171a')
+  color: z.string().trim().regex(/^#[0-9a-fA-F]{6}$/).default('#15171a'),
+  tagType: z.enum(['managed', 'general']).default('managed')
 })
 
 /**