nonce check

oidc flow인지 check하고, nonce 유무를 체크한다
2025-05-24 14:25:44 +09:00 · 2025-05-24 14:25:44 +09:00 · c355038288
commit c355038288
parent f901464c3a
2 changed files with 75 additions and 0 deletions
--- a/packages/backend/src/controller/nonceCheck.ts
+++ b/packages/backend/src/controller/nonceCheck.ts
@ -0,0 +1,33 @@
+import type { Request } from "caido:utils";
+import { TokenLeakCheck } from "./tokenLeakCheck";
+
+export class NonceCheckController{
+    /**
+     * 응답이 OIDC(OpenID Connect) 플로우인지 확인하는 메서드
+     */
+    
+    public static isOidcFlow(req: Request): boolean {
+        if(TokenLeakCheck.extractIdToken(req)) {
+            return true;
+        }
+        return false;
+    }
+
+  
+    public static isNonceCheckRequest(req: Request): boolean {
+        const id_token = decodeIdToken(req);
+
+        // 1. nonce 파라미터가 포함된 요청인지 확인
+        if (id_token.includes("nonce=")) {
+            return true;
+        }
+
+        return false;
+    }
+}
+
+function decodeIdToken(req: Request): string {
+    // Implement actual decoding logic here. For now, return an empty string or mock value.
+    return "";
+}
+
--- a/packages/backend/src/controller/tokenLeakCheck.ts
+++ b/packages/backend/src/controller/tokenLeakCheck.ts
@ -0,0 +1,42 @@
+import type { Request } from "caido:utils";
+import jwt from "jsonwebtoken";
+
+export class TokenLeakCheck {
+  public static extractIdToken(req: Request): string | null {
+    // 1. Authorization 헤더 확인\\
+    const header = req.getHeaders() as Record<string, string | string[] | undefined>;
+    const authHeader = header["authorization"] || header["Authorization"];
+    if (typeof authHeader === "string" && authHeader.startsWith("Bearer ")) {
+      return authHeader.slice(7).trim();
+    }
+
+    // 2. 쿼리 파라미터
+    const query = req.getQuery();
+    if (query && typeof query === "object" && "id_token" in query) {
+      return (query as Record<string, any>).id_token;
+    }
+
+    // 3. POST 바디 안에 id_token이 있을 경우
+    const rawBody = req.getRaw();
+    const body = rawBody ? rawBody.toString() : "";
+    const match = body.match(/id_token=([^&\s]+)/);
+    if (match && typeof match[1] === "string") {
+      return decodeURIComponent(match[1]);
+    }
+
+    return null;
+  }
+
+  public static decodeIdToken(req: Request): Record<string, any> | null {
+    const token = this.extractIdToken(req);
+    if (!token) return null;
+
+    const decoded = jwt.decode(token, { complete: true });
+    if (!decoded || typeof decoded !== "object") return null;
+
+    return {
+      header: decoded.header,
+      payload: decoded.payload,
+    };
+  }
+}