packages/backend/src/controller/accessTokenDetector.ts

@@ -19,7 +19,7 @@ export class AccessTokenLeakController {
         title: result.title,
         description: result.description,
         request,
-        reporter: "AccessTokenLeak",
+        reporter: "",
       });
     }
   }
@@ -31,7 +31,7 @@ export class AccessTokenLeakController {
         title: result.title,
         description: result.description,
         request,
-        reporter: "AccessTokenLeak",
+        reporter: "",
       });
     }
   }
@@ -132,53 +132,34 @@ export class AccessTokenLeakController {
    * @param text - 검사할 텍스트
    * @returns 토큰 값이 있으면 해당 값, 없으면 null
    */
-  private extractTokenFromText(text: string): string | null {
+private extractTokenFromText(text: string): string | null {
      // 토큰 관련 키워드 리스트
     const tokenKeys = [
-      'access_token',
-      'accesstoken',
-      'Access-Token',
-      'Refresh_Token',
-      'Refresh-Token',
-      'RefreshToken',
-      'Secret_Token',
-      'Secret-Token',
-      'SecretToken',
-      'SSO_Auth',
-      'SSO-Auth',
-      'SSOAuth',
-      'auth_token',
-      'session_token'
-    ];
+        'access_token',
+        'accesstoken',
+        'Access-Token',
+        'Refresh_Token',
+        'Refresh-Token',
+        'RefreshToken',
+        'Secret_Token',
+        'Secret-Token',
+        'SecretToken',
+        'SSO_Auth',
+        'SSO-Auth',
+        'SSOAuth',
+        'auth_token',
+        'session_token'
+     ];
 
-    const tokenTypeKeys = [
-      'token_type',
-      'tokenType'
-    ];
-
-     // 정규표현식 토큰 타입 유무 패턴 리스트 생성
-    const tokenTypeRegexes: RegExp[] = [];
-    for (const key of tokenTypeKeys) {
-      // JSON 형식: "token_type": "Bearer"
-      tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i'));
-      // 일반 key=value 형식: token_type=Bearer
-      tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i'));
-      // 공백 있는 형식: token_type : Bearer
-      tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i'));
-    }
-
-    // token_type=bearer 형태 중 하나라도 포함되는지 확인
-    const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text));
-
-    // 정규표현식 토큰 유무 패턴 리스트 생성
+  // 정규표현식 패턴 리스트 생성
     const tokenPatterns: RegExp[] = [];
 
     for (const key of tokenKeys) {
-      // 1. key=token 또는 key: token
-      tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i'));
+        // 1. key=token 또는 key: token
+        tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i'));
 
-      // 2. JSON 형태의 "key": "token"
-      tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i'));
+        // 2. JSON 형태의 "key": "token"
+        tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i'));
     }
 
     // 3. Authorization: Bearer <token> 형태
@@ -186,14 +167,12 @@ export class AccessTokenLeakController {
 
     // 모든 패턴에 대해 검사
     for (const pattern of tokenPatterns) {
-      const match = pattern.exec(text);
-      if (match && match[1]) {
-        if(hasTokenTypeBearer){
-          return match[1];
+        const match = pattern.exec(text);
+        if (match && match[1]) {
+        return match[1];
         }
-      }
     }
 
     return null;
-  }
+    }
 }

packages/backend/src/index.ts

@@ -22,6 +22,7 @@ export function init(sdk: SDK<API>) {
   sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
     await csrfCheck.checker(sdk, req, res);
     //await pkceCheckController.test(sdk, req);
+    await tokenCheck.testReq(sdk, req);
     await tokenCheck.testResp(sdk, res, req);
     await ScopeDetectionController.scan(sdk, req.getUrl());
     await redirectBypassController.testAsync(sdk, req, res);
@@ -37,7 +38,6 @@ export function init(sdk: SDK<API>) {
   });
 
   sdk.events.onInterceptRequest(async (sdk, req: Request) => {
-    await tokenCheck.testReq(sdk, req);
     await pkceCheckController.test(sdk, req);
   });
   /*