릴리스: v1.3.25 관리자 게임 선택 UX와 세션 보안 보강

backend/src/routes/auth.js

@@ -26,6 +26,20 @@ const profileSchema = z.object({
   removeAvatar: z.union([z.string(), z.undefined()]).optional(),
 })
 
+function establishSession(req, user) {
+  return new Promise((resolve, reject) => {
+    req.session.regenerate((regenerateError) => {
+      if (regenerateError) return reject(regenerateError)
+      req.session.userId = user.id
+      req.session.isAdmin = !!user.isAdmin
+      req.session.save((saveError) => {
+        if (saveError) return reject(saveError)
+        resolve()
+      })
+    })
+  })
+}
+
 async function serializeUser(user) {
   if (!user) return null
   const primaryAdmin = await findPrimaryAdminUser()
@@ -56,12 +70,12 @@ router.post('/signup', async (req, res) => {
   const isAdmin = (await countUsers()) === 0
   const user = await createUser({ id: nanoid(), email, nickname: '', passwordHash, isAdmin })
 
-  req.session.userId = user.id
-  req.session.isAdmin = !!user.isAdmin
-  req.session.save(async (err) => {
-    if (err) return res.status(500).json({ error: 'session_save_failed' })
+  try {
+    await establishSession(req, user)
     res.json(await serializeUser(user))
-  })
+  } catch (err) {
+    return res.status(500).json({ error: 'session_save_failed' })
+  }
 })
 
 router.post('/login', async (req, res) => {
@@ -75,12 +89,12 @@ router.post('/login', async (req, res) => {
   const ok = await bcrypt.compare(password, user.passwordHash)
   if (!ok) return res.status(401).json({ error: 'invalid_credentials' })
 
-  req.session.userId = user.id
-  req.session.isAdmin = !!user.isAdmin
-  req.session.save(async (err) => {
-    if (err) return res.status(500).json({ error: 'session_save_failed' })
+  try {
+    await establishSession(req, user)
     res.json(await serializeUser(user))
-  })
+  } catch (err) {
+    return res.status(500).json({ error: 'session_save_failed' })
+  }
 })
 
 router.post('/logout', async (req, res) => {