YAPP-Github · devmizz · Jul 20, 2024 · Jul 10, 2024 · Jul 18, 2024 · Jul 18, 2024
diff --git a/app/api/build.gradle b/app/api/build.gradle
@@ -15,6 +15,7 @@ allprojects {
  implementation 'nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.3.0'
 
  implementation "org.springframework.boot:spring-boot-starter-web"
+ implementation 'org.springframework.boot:spring-boot-starter-security'
  implementation 'org.springframework.boot:spring-boot-starter-validation'
  testImplementation "org.springframework.boot:spring-boot-starter-test"
  }

diff --git a/app/api/common-api/build.gradle b/app/api/common-api/build.gradle
@@ -1,9 +1,6 @@
 dependencies {
  implementation project(":app:domain:user-domain")
 
- // spring-security
- implementation 'org.springframework.boot:spring-boot-starter-security'
-
  // jwt
  implementation 'io.jsonwebtoken:jjwt-api:0.12.5'
  runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.12.5'

diff --git a/app/api/common-api/src/main/java/org/example/config/SecurityConfig.java b/app/api/common-api/src/main/java/org/example/config/SecurityConfig.java
@@ -81,8 +81,10 @@ private RequestMatcher getMatcherForUserAndAdmin() {
  return RequestMatchers.anyOf(
  antMatcher(HttpMethod.GET, "/api/v1/shows/interests"),
  antMatcher(HttpMethod.POST, "/api/v1/users/logout"),
+ antMatcher(HttpMethod.POST, "/api/v1/users/withdrawal"),
  antMatcher(HttpMethod.POST, "/api/v1/shows/**/interest"),
- antMatcher(HttpMethod.POST, "/api/v1/shows/**/alert")
+ antMatcher(HttpMethod.POST, "/api/v1/shows/**/alert"),
+ antMatcher(HttpMethod.POST, "/api/v1/genres/**")
  );
  }
 }
diff --git a/app/api/common-api/src/main/java/org/example/filter/JWTFilter.java b/app/api/common-api/src/main/java/org/example/filter/JWTFilter.java
@@ -8,14 +8,12 @@
 import java.io.IOException;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
-import org.example.exception.BusinessException;
 import org.example.repository.TokenRepository;
 import org.example.security.dto.AuthenticatedUser;
 import org.example.security.dto.TokenParam;
 import org.example.security.dto.UserParam;
 import org.example.security.token.JWTHandler;
-import org.example.security.token.RefreshTokenProcessor;
-import org.example.security.vo.TokenError;
+import org.example.security.token.TokenProcessor;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -27,7 +25,7 @@
 public class JWTFilter extends OncePerRequestFilter {
 
  private final JWTHandler jwtHandler;
- private final RefreshTokenProcessor refreshTokenProcessor;
+ private final TokenProcessor tokenProcessor;
  private final TokenRepository tokenRepository;
 
  @Override
@@ -37,7 +35,7 @@ protected void doFilterInternal(
  FilterChain filterChain
  ) throws ServletException, IOException {
  if (request.getHeader("Refresh") != null) {
- TokenParam token = refreshTokenProcessor.reissueToken(request);
+ TokenParam token = tokenProcessor.reissueToken(request);
  response.getWriter().write(new ObjectMapper().writeValueAsString(token));
  return;
  }
@@ -52,16 +50,10 @@ protected void doFilterInternal(
  private void handleAccessToken(HttpServletRequest request) {
  String accessToken = jwtHandler.extractAccessToken(request);
  UserParam userParam = jwtHandler.extractUserFrom(accessToken);
- verifyLogoutAccessToken(userParam);
+ tokenProcessor.verifyAccessTokenBlacklist(userParam, accessToken);
  saveOnSecurityContextHolder(userParam);
  }
 
- public void verifyLogoutAccessToken(UserParam userParam) {
- if (tokenRepository.existAccessToken(userParam.userId().toString())) {
- throw new BusinessException(TokenError.INVALID_TOKEN);
- }
- }
-
  private void saveOnSecurityContextHolder(UserParam userParam) {
  AuthenticatedUser authenticatedUser = AuthenticatedUser.builder()
  .userId(userParam.userId())

diff --git a/app/api/common-api/src/main/java/org/example/repository/TokenRepository.java b/app/api/common-api/src/main/java/org/example/repository/TokenRepository.java
@@ -1,14 +1,19 @@
 package org.example.repository;
 
 import java.util.Optional;
+import java.util.UUID;
 import org.springframework.stereotype.Component;
 
 @Component
 public interface TokenRepository {
 
- void save(String userId, String refreshToken);
+ void saveBlacklistAccessToken(UUID userId, String accessToken);
+
+ void saveRefreshToken(UUID userId, String refreshToken);
 
  Optional<String> getExistRefreshToken(String userId);
 
- Boolean existAccessToken(String userId);
+ boolean existAccessTokenInBlacklist(UUID userId, String accessToken);
+
+ void deleteRefreshToken(UUID userId);
 }
diff --git a/app/api/common-api/src/main/java/org/example/security/dto/UserParam.java b/app/api/common-api/src/main/java/org/example/security/dto/UserParam.java
@@ -3,6 +3,7 @@
 import java.util.Map;
 import java.util.UUID;
 import lombok.Builder;
+import org.example.entity.User;
 import org.example.vo.UserRoleApiType;
 
 @Builder
@@ -11,13 +12,6 @@ public record UserParam(
  UserRoleApiType role
 ) {
 
- public Map<String, String> getTokenClaim() {
- return Map.of(
- "userId", userId.toString(),
- "role", role.name()
- );
- }
-
  public static UserParam fromPayload(Object payload) {
  Map<String, String> claim = (Map<String, String>) payload;
 
@@ -26,4 +20,18 @@ public static UserParam fromPayload(Object payload) {
  .role(UserRoleApiType.valueOf(claim.get("role")))
  .build();
  }
+
+ public static UserParam from(User user) {
+ return UserParam.builder()
+ .userId(user.getId())
+ .role(UserRoleApiType.from(user.getUserRole()))
+ .build();
+ }
+
+ public Map<String, String> getTokenClaim() {
+ return Map.of(
+ "userId", userId.toString(),
+ "role", role.name()
+ );
+ }
 }
diff --git a/...a/org/example/security/vo/TokenError.java → ...rg/example/security/error/TokenError.java b/...a/org/example/security/vo/TokenError.java → ...rg/example/security/error/TokenError.java
@@ -1,4 +1,4 @@
-package org.example.security.vo;
+package org.example.security.error;
 
 import org.example.exception.BusinessError;
 
@@ -78,7 +78,7 @@ public int getHttpStatus() {
 
  @Override
  public String getErrorCode() {
- return "TKN-003";
+ return "TKN-004";
  }
 
  @Override
@@ -100,7 +100,7 @@ public int getHttpStatus() {
 
  @Override
  public String getErrorCode() {
- return "TKN-004";
+ return "TKN-005";
  }
 
  @Override
@@ -112,5 +112,27 @@ public String getClientMessage() {
  public String getLogMessage() {
  return "만료되지 않은 토큰에 대해, 만료 상황에 대한 로직이 시행되었습니다.";
  }
+ },
+
+ BLACKLIST_ACCESS_TOKEN {
+ @Override
+ public int getHttpStatus() {
+ return 401;
+ }
+
+ @Override
+ public String getErrorCode() {
+ return "TKN-006";
+ }
+
+ @Override
+ public String getClientMessage() {
+ return "유효하지 않은 토큰입니다.";
+ }
+
+ @Override
+ public String getLogMessage() {
+ return "블랙리스트에 등록된 토큰입니다.";
+ }
  }
 }
diff --git a/app/api/common-api/src/main/java/org/example/security/token/JWTGenerator.java b/app/api/common-api/src/main/java/org/example/security/token/JWTGenerator.java
@@ -3,12 +3,10 @@
 import io.jsonwebtoken.Jwts;
 import java.util.Date;
 import lombok.RequiredArgsConstructor;
-import org.example.exception.BusinessException;
 import org.example.property.TokenProperty;
 import org.example.repository.TokenRepository;
 import org.example.security.dto.TokenParam;
 import org.example.security.dto.UserParam;
-import org.example.security.vo.TokenError;
 import org.springframework.stereotype.Component;
 
 @Component
@@ -24,7 +22,7 @@ public TokenParam generate(UserParam userParam, Date from) {
  .refreshToken(createRefreshToken(userParam, from))
  .build();
 
- tokenRepository.save(userParam.userId().toString(), tokenParam.refreshToken());
+ tokenRepository.saveRefreshToken(userParam.userId(), tokenParam.refreshToken());
  return tokenParam;
  }
 
@@ -49,10 +47,4 @@ private String createRefreshToken(UserParam userParam, Date from) {
  .signWith(tokenProperty.getBase64URLSecretKey())
  .compact();
  }
-
- public String getExistRefreshToken(UserParam userParam) {
- return tokenRepository.getExistRefreshToken(userParam.userId().toString())
- .orElseThrow(() -> new BusinessException(TokenError.WRONG_HEADER));
- }
-
 }
diff --git a/app/api/common-api/src/main/java/org/example/security/token/JWTHandler.java b/app/api/common-api/src/main/java/org/example/security/token/JWTHandler.java
@@ -9,7 +9,7 @@
 import org.example.exception.BusinessException;
 import org.example.property.TokenProperty;
 import org.example.security.dto.UserParam;
-import org.example.security.vo.TokenError;
+import org.example.security.error.TokenError;
 import org.springframework.stereotype.Component;
 
 @Component

diff --git a/app/api/common-api/src/main/java/org/example/security/token/RefreshTokenProcessor.java b/app/api/common-api/src/main/java/org/example/security/token/RefreshTokenProcessor.java
diff --git a/app/api/common-api/src/main/java/org/example/security/token/TokenProcessor.java b/app/api/common-api/src/main/java/org/example/security/token/TokenProcessor.java
@@ -0,0 +1,52 @@
+package org.example.security.token;
+
+import jakarta.servlet.http.HttpServletRequest;
+import java.util.Date;
+import java.util.UUID;
+import lombok.RequiredArgsConstructor;
+import org.example.exception.BusinessException;
+import org.example.repository.TokenRepository;
+import org.example.security.dto.TokenParam;
+import org.example.security.dto.UserParam;
+import org.example.security.error.TokenError;
+import org.springframework.stereotype.Component;
+
+@Component
+@RequiredArgsConstructor
+public class TokenProcessor {
+
+ private final JWTHandler jwtHandler;
+ private final JWTGenerator jwtGenerator;
+ private final TokenRepository tokenRepository;
+
+ public TokenParam reissueToken(HttpServletRequest request) {
+ String refreshToken = jwtHandler.extractRefreshToken(request);
+ UserParam userParam = jwtHandler.extractUserFrom(refreshToken);
+
+ String oldRefreshToken = getExistRefreshToken(userParam);
+ if (!refreshToken.equals(oldRefreshToken)) {
+ throw new BusinessException(TokenError.INVALID_TOKEN);
+ }
+
+ return jwtGenerator.generate(userParam, new Date());
+ }
+
+ public void verifyAccessTokenBlacklist(UserParam userParam, String accessKey) {
+ if (tokenRepository.existAccessTokenInBlacklist(userParam.userId(), accessKey)) {
+ throw new BusinessException(TokenError.BLACKLIST_ACCESS_TOKEN);
+ }
+ }
+
+ public void makeAccessTokenBlacklistAndDeleteRefreshToken(
+ String accessToken,
+ UUID userId
+ ) {
+ tokenRepository.saveBlacklistAccessToken(userId, accessToken);
+ tokenRepository.deleteRefreshToken(userId);
+ }
+
+ private String getExistRefreshToken(UserParam userParam) {
+ return tokenRepository.getExistRefreshToken(userParam.userId().toString())
+ .orElseThrow(() -> new BusinessException(TokenError.WRONG_HEADER));
+ }
+}
diff --git a/app/api/common-api/src/test/java/org/example/security/token/JWTHandlerTest.java b/app/api/common-api/src/test/java/org/example/security/token/JWTHandlerTest.java
@@ -11,7 +11,7 @@
 import org.example.repository.TokenRepository;
 import org.example.security.dto.TokenParam;
 import org.example.security.dto.UserParam;
-import org.example.security.vo.TokenError;
+import org.example.security.error.TokenError;
 import org.example.vo.UserRoleApiType;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;

diff --git a/app/api/user-api/src/main/java/org/example/controller/UserController.java b/app/api/user-api/src/main/java/org/example/controller/UserController.java
@@ -6,9 +6,13 @@
 import lombok.RequiredArgsConstructor;
 import org.example.controller.dto.request.LoginApiRequest;
 import org.example.controller.dto.request.LogoutApiRequest;
+import org.example.controller.dto.request.WithdrawalApiRequest;
 import org.example.controller.dto.response.LoginApiResponse;
+import org.example.security.dto.AuthenticatedUser;
+import org.example.security.dto.TokenParam;
 import org.example.service.UserService;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -25,14 +29,33 @@ public class UserController {
  @PostMapping("/login")
  @Operation(summary = "로그인", description = "회원가입 / 로그인")
  public ResponseEntity<LoginApiResponse> signUp(@Valid @RequestBody LoginApiRequest request) {
- return ResponseEntity.ok(new LoginApiResponse(
- "accessToken", "refreshToken"
- ));
+ TokenParam token = userService.login(request.toServiceType());
+
+ return ResponseEntity.ok(
+ LoginApiResponse.builder()
+ .accessToken(token.accessToken())
+ .refreshToken(token.refreshToken())
+ .build()
+ );
  }
 
  @PostMapping("/logout")
  @Operation(summary = "로그아웃")
- public ResponseEntity<Void> logout(@Valid @RequestBody LogoutApiRequest request) {
+ public ResponseEntity<Void> logout(
+ @AuthenticationPrincipal AuthenticatedUser user,
+ @RequestBody LogoutApiRequest request
+ ) {
+ userService.logout(request.toServiceRequest(user.userId()));
+ return ResponseEntity.noContent().build();
+ }
+
+ @PostMapping("/withdrawal")
+ @Operation(summary = "회원탈퇴")
+ public ResponseEntity<Void> withdraw(
+ @AuthenticationPrincipal AuthenticatedUser user,
+ @RequestBody WithdrawalApiRequest request
+ ) {
+ userService.withdraw(request.toServiceRequest(user.userId()));
  return ResponseEntity.noContent().build();
  }
 }