ERP-node/.cursor/rules/security-guide.mdc

---
description:
globs:
alwaysApply: true
---

# 보안 가이드

## 인증 및 인가

### JWT 기반 인증
현재 시스템은 JWT 토큰 기반 인증을 사용합니다:

```typescript
// 토큰 생성 (로그인 시)
const token = jwt.sign(
  { userId, companyCode, role },
  process.env.JWT_SECRET,
  { expiresIn: process.env.JWT_EXPIRES_IN || '24h' }
);

// 토큰 검증 (미들웨어)
const decoded = jwt.verify(token, process.env.JWT_SECRET);
req.user = decoded;
```

### 권한 관리 구조
- **auth_group**: 권한 그룹 정의
- **menu_auth_group**: 메뉴별 권한 그룹 매핑
- **user_auth**: 사용자별 권한 할당

### 인증 미들웨어
`backend-node/src/middleware/authMiddleware.ts` 참조

## 데이터 보안

### SQL 인젝션 방지
**올바른 방법** - 파라미터 바인딩 사용:
```typescript
const result = await pool.query(
  'SELECT * FROM user_info WHERE user_id = $1',
  [userId]
);
```

**위험한 방법** - 직접 문자열 삽입:
```typescript
const result = await pool.query(
  `SELECT * FROM user_info WHERE user_id = '${userId}'`
);
```

### 패스워드 보안
```typescript
import bcrypt from 'bcryptjs';

// 해싱
const hashedPassword = await bcrypt.hash(plainPassword, 10);

// 검증
const isValid = await bcrypt.compare(plainPassword, hashedPassword);
```

### 입력값 검증
```typescript
import Joi from 'joi';

const schema = Joi.object({
  userId: Joi.string().required().max(50),
  email: Joi.string().email().required(),
});

const { error, value } = schema.validate(req.body);
if (error) {
  return res.status(400).json({ success: false, message: error.message });
}
```

## 보안 미들웨어

### Helmet (보안 헤더)
```typescript
import helmet from 'helmet';
app.use(helmet());
```

### Rate Limiting
```typescript
import rateLimit from 'express-rate-limit';
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
});
app.use('/api/', limiter);
```

### CORS 설정
```typescript
import cors from 'cors';
app.use(cors({
  origin: process.env.CORS_ORIGIN,
  credentials: true,
}));
```

## 보안 체크리스트

### 코드 레벨
- [ ] SQL 인젝션 방지 ($1 파라미터 바인딩 사용)
- [ ] XSS 방지 (React 자동 이스케이프 활용)
- [ ] 입력값 검증 (Joi 스키마)
- [ ] 패스워드 bcrypt 해싱
- [ ] JWT 토큰 만료 설정

### 설정 레벨
- [ ] Helmet 보안 헤더
- [ ] Rate Limiting 적용
- [ ] CORS 적절한 설정
- [ ] HTTPS 사용 (운영 환경)
- [ ] 환경 변수로 시크릿 관리

### 운영 레벨
- [ ] winston 로깅 모니터링
- [ ] 권한 정기 검토
- [ ] 패스워드 정책 적용
- [ ] 백업 데이터 암호화
최초커밋 2025-08-21 09:41:46 +09:00			`---`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`description:`
			`globs:`
최초커밋 2025-08-21 09:41:46 +09:00			`alwaysApply: true`
			`---`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00
최초커밋 2025-08-21 09:41:46 +09:00			`# 보안 가이드`

			`## 인증 및 인가`

chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`### JWT 기반 인증`
			`현재 시스템은 JWT 토큰 기반 인증을 사용합니다:`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			```typescript
			`// 토큰 생성 (로그인 시)`
			`const token = jwt.sign(`
			`{ userId, companyCode, role },`
			`process.env.JWT_SECRET,`
			`{ expiresIn: process.env.JWT_EXPIRES_IN \|\| '24h' }`
			`);`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`// 토큰 검증 (미들웨어)`
			`const decoded = jwt.verify(token, process.env.JWT_SECRET);`
			`req.user = decoded;`
최초커밋 2025-08-21 09:41:46 +09:00			```

			`### 권한 관리 구조`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`- auth_group: 권한 그룹 정의`
			`- menu_auth_group: 메뉴별 권한 그룹 매핑`
			`- user_auth: 사용자별 권한 할당`

			`### 인증 미들웨어`
			`backend-node/src/middleware/authMiddleware.ts` 참조
최초커밋 2025-08-21 09:41:46 +09:00
			`## 데이터 보안`

			`### SQL 인젝션 방지`
			`올바른 방법 - 파라미터 바인딩 사용:`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			```typescript
			`const result = await pool.query(`
			`'SELECT * FROM user_info WHERE user_id = $1',`
			`[userId]`
			`);`
최초커밋 2025-08-21 09:41:46 +09:00			```

chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`위험한 방법 - 직접 문자열 삽입:`
			```typescript
			`const result = await pool.query(`
			`SELECT * FROM user_info WHERE user_id = '${userId}'`
			`);`
최초커밋 2025-08-21 09:41:46 +09:00			```

			`### 패스워드 보안`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			```typescript
			`import bcrypt from 'bcryptjs';`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`// 해싱`
			`const hashedPassword = await bcrypt.hash(plainPassword, 10);`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`// 검증`
			`const isValid = await bcrypt.compare(plainPassword, hashedPassword);`
최초커밋 2025-08-21 09:41:46 +09:00			```

chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`### 입력값 검증`
			```typescript
			`import Joi from 'joi';`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`const schema = Joi.object({`
			`userId: Joi.string().required().max(50),`
			`email: Joi.string().email().required(),`
			`});`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`const { error, value } = schema.validate(req.body);`
			`if (error) {`
			`return res.status(400).json({ success: false, message: error.message });`
최초커밋 2025-08-21 09:41:46 +09:00			`}`
			```

chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`## 보안 미들웨어`
최초커밋 2025-08-21 09:41:46 +09:00
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`### Helmet (보안 헤더)`
			```typescript
			`import helmet from 'helmet';`
			`app.use(helmet());`
최초커밋 2025-08-21 09:41:46 +09:00			```

chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`### Rate Limiting`
			```typescript
			`import rateLimit from 'express-rate-limit';`
			`const limiter = rateLimit({`
			`windowMs: 15 * 60 * 1000,`
			`max: 100,`
			`});`
			`app.use('/api/', limiter);`
최초커밋 2025-08-21 09:41:46 +09:00			```

chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`### CORS 설정`
			```typescript
			`import cors from 'cors';`
			`app.use(cors({`
			`origin: process.env.CORS_ORIGIN,`
			`credentials: true,`
			`}));`
최초커밋 2025-08-21 09:41:46 +09:00			```

			`## 보안 체크리스트`

			`### 코드 레벨`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`- [ ] SQL 인젝션 방지 ($1 파라미터 바인딩 사용)`
			`- [ ] XSS 방지 (React 자동 이스케이프 활용)`
			`- [ ] 입력값 검증 (Joi 스키마)`
			`- [ ] 패스워드 bcrypt 해싱`
			`- [ ] JWT 토큰 만료 설정`
최초커밋 2025-08-21 09:41:46 +09:00
			`### 설정 레벨`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`- [ ] Helmet 보안 헤더`
			`- [ ] Rate Limiting 적용`
			`- [ ] CORS 적절한 설정`
최초커밋 2025-08-21 09:41:46 +09:00			`- [ ] HTTPS 사용 (운영 환경)`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`- [ ] 환경 변수로 시크릿 관리`
최초커밋 2025-08-21 09:41:46 +09:00
			`### 운영 레벨`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`- [ ] winston 로깅 모니터링`
최초커밋 2025-08-21 09:41:46 +09:00			`- [ ] 권한 정기 검토`
			`- [ ] 패스워드 정책 적용`
chore: Remove obsolete .classpath file - Deleted the .classpath file as it is no longer needed in the project structure. - This cleanup helps maintain a tidy codebase by removing unnecessary files that may cause confusion or clutter. 2026-03-04 15:31:45 +09:00			`- [ ] 백업 데이터 암호화`