Fix: 삭제된 사용자 재가입 허용 및 로그인 차단

- 소프트 삭제된 사용자도 재가입 가능하도록 수정 - 재가입 시 기존 삭제된 사용자 데이터 완전 삭제 - 삭제된/비활성화된 사용자 로그인 차단 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-01 17:40:47 +09:00
parent 1818f0229c
commit de06404d0f
1 changed files with 37 additions and 1 deletions
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -97,10 +97,30 @@ def register(user_data: UserCreate, db: Session = Depends(get_db)):
    from ..models.user import VerificationCode
    from datetime import datetime

-    existing = db.query(User).filter(User.email == user_data.email).first()
+    # 활성 사용자만 체크 (삭제된 사용자는 재가입 허용)
+    existing = db.query(User).filter(
+        User.email == user_data.email,
+        User.deleted_at.is_(None)  # 삭제되지 않은 사용자만
+    ).first()
    if existing:
        raise HTTPException(status_code=400, detail="Email already registered")

+    # 삭제된 사용자가 있다면 완전히 제거 (동일 이메일 재가입 허용)
+    deleted_user = db.query(User).filter(
+        User.email == user_data.email,
+        User.deleted_at.isnot(None)
+    ).first()
+    if deleted_user:
+        # 관련 데이터 삭제
+        from ..models import CarView, PerformanceCheckView, ChargeHistory, Inquiry, Notification
+        db.query(CarView).filter(CarView.user_id == deleted_user.id).delete()
+        db.query(PerformanceCheckView).filter(PerformanceCheckView.user_id == deleted_user.id).delete()
+        db.query(ChargeHistory).filter(ChargeHistory.user_id == deleted_user.id).delete()
+        db.query(Inquiry).filter(Inquiry.user_id == deleted_user.id).delete()
+        db.query(Notification).filter(Notification.user_id == deleted_user.id).delete()
+        db.delete(deleted_user)
+        db.commit()
+
    # Check if email was verified (pre-registration verification)
    email_verified = False
    verification = db.query(VerificationCode).filter(
@@ -148,6 +168,22 @@ def login(
            headers={"WWW-Authenticate": "Bearer"},
        )

+    # 삭제된 사용자 체크
+    if user.deleted_at:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="This account has been deleted",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # 비활성화된 사용자 체크
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="This account has been deactivated",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
    access_token = create_access_token(data={"sub": user.email})
    return Token(access_token=access_token)