[Refactor] 내부 자동화를 위한 관리자용 로그인 API 추가 (장기 refresh 토큰 기반)

src/main/java/com/kuit/findyou/domain/auth/controller/AuthController.java

@@ -3,21 +3,22 @@
 import com.kuit.findyou.domain.auth.dto.ReissueTokenRequest;
 import com.kuit.findyou.domain.auth.dto.ReissueTokenResponse;
 import com.kuit.findyou.domain.auth.dto.request.GuestLoginRequest;
+import com.kuit.findyou.domain.auth.dto.response.AdminLoginResponse;
 import com.kuit.findyou.domain.auth.dto.response.GuestLoginResponse;
 import com.kuit.findyou.domain.auth.dto.request.KakaoLoginRequest;
 import com.kuit.findyou.domain.auth.dto.response.KakaoLoginResponse;
 import com.kuit.findyou.domain.auth.service.AuthServiceFacade;
 import com.kuit.findyou.global.common.annotation.CustomExceptionDescription;
+import com.kuit.findyou.global.common.exception.CustomException;
 import com.kuit.findyou.global.common.response.BaseResponse;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.*;
 
+import static com.kuit.findyou.global.common.response.status.BaseExceptionResponseStatus.UNAUTHORIZED;
 import static com.kuit.findyou.global.common.swagger.SwaggerResponseDescription.*;
 
 @Tag(name = "Login", description = "로그인 관련 API")
@@ -28,6 +29,9 @@
 public class AuthController {
     private final AuthServiceFacade authServiceFacade;
 
+    @Value("${admin.api.key}")
+    private String adminApiKey;
+
     @Operation(
             summary = "카카오 로그인 API",
             description = "카카오 사용자 식별자를 이용해서 유저 정보와 엑세스 토큰을 얻을 수 있습니다. 가입된 회원인지 여부를 반환합니다."
@@ -58,4 +62,18 @@ public BaseResponse<GuestLoginResponse> guestLogin(@RequestBody GuestLoginReques
     public BaseResponse<ReissueTokenResponse> reissueToken(@RequestBody ReissueTokenRequest request){
         return BaseResponse.ok(authServiceFacade.reissueToken(request));
     }
+
+    @Operation(
+            summary = "서비스 계정 로그인 API (내부 자동화용)",
+            description = "내부 자동화/관리용 서비스 계정 토큰을 발급합니다. X-ADMIN-KEY 헤더가 필요합니다."
+    )
+    @PostMapping("/login/admin")
+    public BaseResponse<AdminLoginResponse> adminLogin(
+            @RequestHeader(value = "X-ADMIN-KEY", required = false) String adminKey
+    ) {
+        if (adminKey == null || adminKey.isBlank() || !adminApiKey.equals(adminKey)) {
+            throw new CustomException(UNAUTHORIZED);
+        }
+        return BaseResponse.ok(authServiceFacade.adminLogin());
+    }
 }

src/main/java/com/kuit/findyou/domain/auth/dto/response/AdminLoginResponse.java

@@ -0,0 +1,12 @@
+package com.kuit.findyou.domain.auth.dto.response;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+
+@Schema(description = "관리자 로그인 응답 DTO")
+public record AdminLoginResponse(
+        @Schema(description = "관리자 유저 식별자")
+        Long userId,
+        @Schema(description = "엑세스 토큰")
+        String accessToken
+) {
+}

src/main/java/com/kuit/findyou/domain/auth/service/AdminLoginService.java

@@ -0,0 +1,7 @@
+package com.kuit.findyou.domain.auth.service;
+
+import com.kuit.findyou.domain.auth.dto.response.AdminLoginResponse;
+
+public interface AdminLoginService {
+    AdminLoginResponse adminLogin();
+}

src/main/java/com/kuit/findyou/domain/auth/service/AdminLoginServiceImpl.java

@@ -0,0 +1,36 @@
+package com.kuit.findyou.domain.auth.service;
+
+import com.kuit.findyou.domain.auth.dto.response.AdminLoginResponse;
+import com.kuit.findyou.domain.user.model.Role;
+import com.kuit.findyou.domain.user.model.User;
+import com.kuit.findyou.domain.user.repository.UserRepository;
+import com.kuit.findyou.global.common.exception.CustomException;
+import com.kuit.findyou.global.jwt.util.JwtUtil;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Service;
+
+import static com.kuit.findyou.global.common.response.status.BaseExceptionResponseStatus.USER_NOT_FOUND;
+
+@RequiredArgsConstructor
+@Service
+public class AdminLoginServiceImpl implements AdminLoginService{
+    private final JwtUtil jwtUtil;
+    private final UserRepository userRepository;
+
+    @Value("${admin.admin-user-id}")
+    private Long adminUserId;
+
+    @Value("${admin.access-ttl-ms}")
+    private Long adminAccessTtlMs;
+
+    @Override
+    public AdminLoginResponse adminLogin() {
+        User user = userRepository.findById(adminUserId)
+                .orElseThrow(() -> new CustomException(USER_NOT_FOUND));
+
+        String accessToken = jwtUtil.createAccessJwt(user.getId(), Role.ADMIN, adminAccessTtlMs);
+
+        return new AdminLoginResponse(user.getId(), accessToken);
+    }
+}

src/main/java/com/kuit/findyou/domain/auth/service/AuthServiceFacade.java

@@ -4,6 +4,7 @@
 import com.kuit.findyou.domain.auth.dto.ReissueTokenResponse;
 import com.kuit.findyou.domain.auth.dto.request.GuestLoginRequest;
 import com.kuit.findyou.domain.auth.dto.request.KakaoLoginRequest;
+import com.kuit.findyou.domain.auth.dto.response.AdminLoginResponse;
 import com.kuit.findyou.domain.auth.dto.response.GuestLoginResponse;
 import com.kuit.findyou.domain.auth.dto.response.KakaoLoginResponse;
 import lombok.RequiredArgsConstructor;
@@ -14,6 +15,7 @@
 public class AuthServiceFacade {
     private final LoginService loginService;
     private final ReissueTokenService reissueTokenService;
+    private final AdminLoginService adminLoginService;
 
     public KakaoLoginResponse kakaoLogin(KakaoLoginRequest request) {
         return loginService.kakaoLogin(request);
@@ -26,4 +28,8 @@ public GuestLoginResponse guestLogin(GuestLoginRequest request) {
     public ReissueTokenResponse reissueToken(ReissueTokenRequest request) {
         return reissueTokenService.reissueToken(request);
     }
+
+    public AdminLoginResponse adminLogin() {
+        return adminLoginService.adminLogin();
+    }
 }

src/main/java/com/kuit/findyou/domain/image/controller/ImageController.java

@@ -29,7 +29,7 @@ public class ImageController {
 
     @Operation(summary = "신고글 이미지 업로드 API", description = "멀티파트 이미지 업로드 후 CDN URL 리스트 반환")
     @CustomExceptionDescription(IMAGE_UPLOAD)
-    @PreAuthorize("hasRole('ROLE_USER')")
+    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
     @PostMapping(value = "/upload", consumes = MULTIPART_FORM_DATA_VALUE)
     public BaseResponse<ReportImageResponse> uploadImages(@RequestPart(value = "files", required = false) List<MultipartFile> files, @LoginUserId Long userId) {
         List<String> urls = imageUploadService.uploadImages(files);

src/main/java/com/kuit/findyou/domain/user/model/Role.java

@@ -5,7 +5,7 @@
 @Getter
 public enum Role {
 
-    USER("회원"), GUEST("비회원");
+    USER("회원"), GUEST("비회원"), ADMIN("관리자");
 
     private final String value;
 

src/main/java/com/kuit/findyou/global/jwt/filter/AdminAllowlistFilter.java

@@ -0,0 +1,70 @@
+package com.kuit.findyou.global.jwt.filter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.List;
+
+@Component
+@RequiredArgsConstructor
+public class AdminAllowlistFilter extends OncePerRequestFilter {
+
+    private final AntPathMatcher matcher = new AntPathMatcher();
+
+    // ADMIN에게 허용되는 API
+    private static final List<Allow> ADMIN_ALLOWLIST = List.of(
+            new Allow(HttpMethod.GET.name(), "/api/v2/reports/protecting-reports/random-s3"),
+            new Allow(HttpMethod.GET.name(), "/api/v2/reports/missing-reports/random-s3"),
+            new Allow(HttpMethod.POST.name(), "/api/v2/images/upload")
+    );
+
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+
+        if (auth != null && auth.isAuthenticated()) {
+            boolean isAdmin = auth.getAuthorities().stream()
+                    .anyMatch(a -> a.getAuthority().equals("ROLE_ADMIN"));
+
+            if (isAdmin) {
+                String method = request.getMethod();
+                String path = request.getRequestURI();
+
+                boolean allowed = ADMIN_ALLOWLIST.stream()
+                        .anyMatch(a -> a.method.equals(method) && matcher.match(a.pathPattern, path));
+
+                if (!allowed) {
+                    throw new AccessDeniedException("ADMIN은 허용된 API만 호출할 수 있습니다.");
+                }
+            }
+        }
+
+        filterChain.doFilter(request, response);
+    }
+
+    private static class Allow {
+        final String method;
+        final String pathPattern;
+
+        private Allow(String method, String pathPattern) {
+            this.method = method;
+            this.pathPattern = pathPattern;
+        }
+    }
+}

src/main/java/com/kuit/findyou/global/jwt/security/CustomAccessDeniedHandler.java

@@ -21,7 +21,10 @@ public class CustomAccessDeniedHandler implements AccessDeniedHandler {
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException {
-        BaseErrorResponse body =  new BaseErrorResponse(FORBIDDEN);
+        String message = accessDeniedException.getMessage();
+        BaseErrorResponse body = (message == null || message.isBlank())
+                ? new BaseErrorResponse(FORBIDDEN)
+                : new BaseErrorResponse(FORBIDDEN, message);
         String json = objectMapper.writeValueAsString(body);
 
         response.setStatus(FORBIDDEN.getCode());

src/main/java/com/kuit/findyou/global/jwt/util/JwtUtil.java

@@ -61,6 +61,17 @@ public String createAccessJwt(Long userId, Role role) {
                 .compact();
     }
 
+    public String createAccessJwt(Long userId, Role role, long expireMs) {
+        return Jwts.builder()
+                .claim(JwtClaimKey.USER_ID.getKey(), userId)
+                .claim(JwtClaimKey.ROLE.getKey(), role.name())
+                .claim(JwtClaimKey.TOKEN_TYPE.getKey(), JwtTokenType.ACCESS_TOKEN)
+                .issuedAt(new Date(System.currentTimeMillis()))
+                .expiration(new Date(System.currentTimeMillis() + expireMs))
+                .signWith(secretKey)
+                .compact();
+    }
+
     public String createRefreshJwt(Long userId) {
         return Jwts.builder()
                 .id(UUID.randomUUID().toString())

src/main/resources/application.yml

@@ -193,3 +193,9 @@ management:
       exposure:
         include: health, info, prometheus
 
+
+admin:
+  admin-user-id: ${ADMIN_USER_ID}
+  access-ttl-ms: ${ADMIN_ACCESS_TTL_MS}
+  api:
+    key: ${ADMIN_API_KEY}