배치 수정 페이지 버그 수정 및 멀티테넌시 보안 강화

backend-node/src/controllers/batchManagementController.ts

@@ -438,12 +438,29 @@ export class BatchManagementController {
       // 토큰 결정: authServiceName이 있으면 DB에서 조회, 없으면 apiKey 사용
       let finalApiKey = apiKey || "";
       if (authServiceName) {
-        // DB에서 토큰 조회
+        const companyCode = req.user?.companyCode;
+
+        // DB에서 토큰 조회 (멀티테넌시: company_code 필터링)
+        let tokenQuery: string;
+        let tokenParams: any[];
+
+        if (companyCode === "*") {
+          // 최고 관리자: 모든 회사 토큰 조회 가능
+          tokenQuery = `SELECT access_token FROM auth_tokens 
+                        WHERE service_name = $1 
+                        ORDER BY created_date DESC LIMIT 1`;
+          tokenParams = [authServiceName];
+        } else {
+          // 일반 회사: 자신의 회사 토큰만 조회
+          tokenQuery = `SELECT access_token FROM auth_tokens 
+                        WHERE service_name = $1 AND company_code = $2
+                        ORDER BY created_date DESC LIMIT 1`;
+          tokenParams = [authServiceName, companyCode];
+        }
+
         const tokenResult = await query<{ access_token: string }>(
-          `SELECT access_token FROM auth_tokens 
-           WHERE service_name = $1 
-           ORDER BY created_date DESC LIMIT 1`,
-          [authServiceName]
+          tokenQuery,
+          tokenParams
         );
         if (tokenResult.length > 0 && tokenResult[0].access_token) {
           finalApiKey = tokenResult[0].access_token;
@@ -708,13 +725,33 @@ export class BatchManagementController {
   /**
    * 인증 토큰 서비스명 목록 조회
    */
-  static async getAuthServiceNames(req: Request, res: Response) {
+  static async getAuthServiceNames(req: AuthenticatedRequest, res: Response) {
     try {
+      const companyCode = req.user?.companyCode;
+
+      // 멀티테넌시: company_code 필터링
+      let queryText: string;
+      let queryParams: any[] = [];
+
+      if (companyCode === "*") {
+        // 최고 관리자: 모든 서비스 조회
+        queryText = `SELECT DISTINCT service_name 
+                     FROM auth_tokens 
+                     WHERE service_name IS NOT NULL 
+                     ORDER BY service_name`;
+      } else {
+        // 일반 회사: 자신의 회사 서비스만 조회
+        queryText = `SELECT DISTINCT service_name 
+                     FROM auth_tokens 
+                     WHERE service_name IS NOT NULL 
+                       AND company_code = $1
+                     ORDER BY service_name`;
+        queryParams = [companyCode];
+      }
+
       const result = await query<{ service_name: string }>(
-        `SELECT DISTINCT service_name 
-         FROM auth_tokens 
-         WHERE service_name IS NOT NULL 
-         ORDER BY service_name`
+        queryText,
+        queryParams
       );
 
       const serviceNames = result.map((row) => row.service_name);