feat(auth): dev 전용 access token 발급 endpoint 추가

[chanwoo7]

Summary

FE 개발자가 시드(yarn prisma:seed) 데이터의 accountId 로 OIDC 흐름을 거치지 않고
GraphQL Playground에서 곧장 마이페이지 API를 시험할 수 있도록 dev 전용 헬퍼 추가.

본 PR은 마이페이지 FE 온보딩 작업 플랜의 Stage A-4.

변경 사항

Service: AuthService.issueDevAccessToken(accountId)

• repo.findAccountForJwt로 활성 USER 검증
  • 없으면 NotFoundException
  • status !== ACTIVE면 ForbiddenException
• 기존 signAccessToken을 그대로 재사용해 access token 생성
• 응답: { accessToken, tokenType: 'Bearer', expiresInSeconds }

Controller: POST /auth/dev/issue-token

• NODE_ENV=production이면 즉시 ForbiddenException으로 차단 (운영 안전망)
• body.accountId 누락/형식 오류 시 BadRequestException
• service 위임 후 200 응답
• Swagger 데코레이터 ([DEV ONLY] 라벨)

사용 예시

curl -s -X POST http://localhost:4000/auth/dev/issue-token \\
  -H 'Content-Type: application/json' \\
  -d '{"accountId":"1"}'

응답의 accessToken을 GraphQL Playground Headers에 입력:

{ "Authorization": "Bearer <accessToken>" }

회귀 테스트

• auth.service.spec.ts: 정상 / NotFound / Forbidden 3건
• auth.controller.spec.ts: production 차단 / 누락 / 형식오류 / 정상 4건

Breaking 여부

• ❌ Breaking 아님. 운영 영향 없음 (production에서 자동 차단)
• 새 endpoint 추가, 기존 endpoint 변경 없음

Test plan

• 로컬 yarn test:cov 통과 (875 tests, +7)
• CI check 통과
• CI coverage-report 통과
• CodeQL 통과

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 442c0732-2952-4c04-968f-19f209a92f61

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/fe-onboarding-dev-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟢	Statements	96.71%	2912/3011
🟢	Branches	86.52%	1656/1914
🟢	Functions	93.35%	618/662
🟢	Lines	97.04%	2656/2737

Test suite run success

875 tests passing in 77 suites.

Report generated by 🧪jest coverage report action from fe6b876

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe6b876070

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reject non-USER accounts when issuing dev token

issueDevAccessToken only verifies account.status and then signs an access token, so /auth/dev/issue-token will also mint tokens for active SELLER/ADMIN IDs if provided. Because JwtBearerStrategy.validate propagates the real account_type into req.user and seller authorization relies on that type, this allows bypassing the seller credential flow in non-production environments by guessing a seller accountId. If this endpoint is intended for FE mypage testing, it should explicitly enforce account.account_type === USER before signing.

Useful? React with 👍 / 👎.

[codecov]

Codecov Report

❌ Patch coverage is 94.73684% with 1 line in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/features/auth/controllers/auth.controller.ts	91.66%	0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!