feat: HR Portal - Complete Multi-Tenant System with Redis Session Storage

Major Features: - ✅ Multi-tenant architecture (tenant isolation) - ✅ Employee CRUD with lifecycle management (onboarding/offboarding) - ✅ Department tree structure with email domain management - ✅ Company info management (single-record editing) - ✅ System functions CRUD (permission management) - ✅ Email account management (multi-account per employee) - ✅ Keycloak SSO integration (auth.lab.taipei) - ✅ Redis session storage (10.1.0.254:6379) - Solves Cookie 4KB limitation - Cross-system session sharing - Sliding expiration (8 hours) - Automatic token refresh Technical Stack: Backend: - FastAPI + SQLAlchemy - PostgreSQL 16 (10.1.0.20:5433) - Keycloak Admin API integration - Docker Mailserver integration (SSH) - Alembic migrations Frontend: - Next.js 14 (App Router) - NextAuth 4 with Keycloak Provider - Redis session storage (ioredis) - Tailwind CSS Infrastructure: - Redis 7 (10.1.0.254:6379) - Session + Cache - Keycloak 26.1.0 (auth.lab.taipei) - Docker Mailserver (10.1.0.254) Architecture Highlights: - Session管理由 Keycloak + Redis 統一控制 - 支援多系統 (HR/WebMail/Calendar/Drive/Office) 共享 session - Token 自動刷新,異質服務整合 - 未來可無縫遷移到雲端 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-23 20:12:43 +08:00
commit 360533393f
386 changed files with 70353 additions and 0 deletions
--- a/check_keycloak_clients.md
+++ b/check_keycloak_clients.md
@@ -0,0 +1,57 @@
+# HR Portal Keycloak 整合檢查
+
+## Keycloak 資訊
+- **URL**: https://auth.ease.taipei
+- **Realm**: porscheworld
+- **管理員**: admin
+
+## 需要的 Clients
+
+### 1. hr-portal-web (前端)
+- **Client ID**: hr-portal-web
+- **Client Type**: Public (SPA)
+- **Valid Redirect URIs**:
+  - http://localhost:10180/* (開發環境)
+  - http://10.1.0.245:10180/* (開發環境 - IP)
+  - https://hr.ease.taipei/* (測試/正式環境)
+- **Web Origins**: 同上
+- **Client Secret**: HdQMzecymLixWDJ1dgdH0Ql5rEVU1S5S (已在 frontend/.env.local)
+
+### 2. hr-backend (後端)
+- **Client ID**: hr-backend
+- **Client Type**: Confidential
+- **Service Account Enabled**: Yes
+- **Valid Redirect URIs**:
+  - http://localhost:10181/* (開發環境)
+  - https://hr-api.ease.taipei/* (測試/正式環境)
+- **Client Secret**: ddyW9zuy7sHDMF8HRh60gEoiGBh698Ew6XHKenwp2c0 (已在 backend/.env)
+
+## 檢查步驟
+
+1. 登入 Keycloak Admin Console: https://auth.ease.taipei/admin
+2. 選擇 Realm: porscheworld
+3. 進入 Clients 頁面
+4. 檢查是否存在:
+   - [ ] hr-portal-web
+   - [ ] hr-backend
+
+## 如果 Clients 不存在
+
+需要創建這兩個 Clients,參考 Gitea 的整合方式:
+- Gitea Client ID: gitea
+- 可以參考 Gitea 的配置來設定 HR Portal
+
+## 測試用戶
+
+建議在 Keycloak 中創建測試用戶:
+- Username: hr-test
+- Email: hr-test@lab.taipei
+- Password: (設定測試密碼)
+- 用於開發和測試 HR Portal 功能
+
+## 當前環境說明
+
+- **開發環境**: 10.1.0.245 (Windows) - 前端 10180 / 後端 10181
+- **測試環境**: 透過 Traefik 反向代理 - https://hr.ease.taipei
+- **SSO**: 共用 10.1.0.254 的 Keycloak (auth.ease.taipei)
+- **資料庫**: 10.1.0.20:5433 (PostgreSQL 16, admin 用戶)