Merge pull request #23 from SW-rocket-dan/3-유저

[#21] [#22] 사용자는 로그아웃, 자동 로그인을 할 수 있다.

docs/README.md

@@ -47,7 +47,14 @@ grant_type=authorization_code&code=AUTH_CODE&redirect_uri=YOUR_REDIRECT_URI&clie
 - [X] API는 Swagger에서 확인 가능하다.
   - [X] http://localhost:8080/swagger-ui.html
 
-- 유저는 자동 로그인을 할 수 있다.
-- 유저는 로그아웃을 할 수 있다.
+- [X] 유저는 자동 로그인을 할 수 있다.
+  - [X] refresh token을 발급할 수 있다.
+  - [X] refresh token을 통해 access token을 재발급 받는다.
+  - [X] 프론트에서 access token 보낼 때 401 => refresh token 안보냄(사용자가 직접 로그아웃/블랙리스트 등)
+  - [X] 프론트에서 access token 보낼 때 403 => refresh token이 있으면 보내주세욥(모종의 이유로 토큰이 올바르지 않음. 재인증 필요)
+
+- [X] 유저는 로그아웃을 할 수 있다.
 - 유저는 회원탈퇴를 할 수 있다.
 - (유저는 회원정보를 수정할 수 있다.)
+
+- 블랙리스트를 직접 등록하여 차단할 수 있다.

src/main/java/app/cardcapture/auth/google/controller/GoogleAuthController.java

@@ -4,21 +4,30 @@
 import app.cardcapture.auth.google.dto.GoogleLoginRequestDto;
 import app.cardcapture.auth.google.dto.GoogleTokenResponseDto;
 import app.cardcapture.auth.google.service.GoogleAuthService;
-import app.cardcapture.auth.jwt.dto.JwtDto;
+import app.cardcapture.auth.jwt.domain.Claims;
+import app.cardcapture.auth.jwt.dto.JwtResponseDto;
+import app.cardcapture.auth.jwt.dto.RefreshTokenRequestDto;
 import app.cardcapture.auth.jwt.service.JwtComponent;
 import app.cardcapture.common.dto.SuccessResponseDto;
+import app.cardcapture.common.utils.TimeUtils;
 import app.cardcapture.user.domain.entity.User;
 import app.cardcapture.user.dto.UserDto;
 import app.cardcapture.user.service.UserService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.transaction.Transactional;
+import jakarta.validation.Valid;
 import lombok.AllArgsConstructor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.time.ZoneId;
+import java.util.Date;
 import java.util.Optional;
 
 @RestController
@@ -42,34 +51,54 @@ public ResponseEntity<SuccessResponseDto<GoogleLoginRequestDto>> getGoogleLoginD
                 .responseType(googleAuthConfig.getResponseType())
                 .clientId(googleAuthConfig.getClientId())
                 .build();
-
         SuccessResponseDto responseDto = SuccessResponseDto.create(googleLoginRequestDto);
 
         return ResponseEntity.ok(responseDto);
-    } // TODO: 쿠키에 넣어주면 프론트가 편할 수 있다 고려해볼 것
+    }
 
-    @GetMapping("/redirect") // TODO: 만약 access token이 만료됐으면, 프론트에서 refreshtoken이 있으면 보내달라는 의미로 에러코드를 다른 걸로 보내줘야함(상황에 따라 프론트에서 기대되는 동작이 다르기 때문에 이를 사전에 정해놓는 것 필요)
-    // 지금은 다 403보내고있는데, 이를 구분해주기위한 용도로 에러코드를 이용할 수 있다.
+    @GetMapping("/redirect")
     @Operation(summary = "구글 리다이렉트 엔드포인트", description = "구글 리다이렉트를 통해 받은 auth code를 받습니다. auth code를 이용하여 유저 정보를 가져올 것입니다.")
-    public ResponseEntity<SuccessResponseDto<JwtDto>> getGoogleRedirect(@RequestParam(name = "code") String authCode)
-        {
-            // TODO: Service로 좀 감추기 (테스트 관점에서도 복잡도 감소 가능)
-            GoogleTokenResponseDto googleTokenResponseDto = googleAuthService.getGoogleToken(authCode);
-            UserDto userDto = googleAuthService.getUserInfo(googleTokenResponseDto.getAccessToken());
+    @Transactional
+    public ResponseEntity<SuccessResponseDto<JwtResponseDto>> getGoogleRedirect(
+            @RequestParam(name = "code") String authCode
+    ) {
+        GoogleTokenResponseDto googleTokenResponseDto = googleAuthService.getGoogleToken(authCode);
+        UserDto userDto = googleAuthService.getUserInfo(googleTokenResponseDto.getAccessToken());
+
+        Optional<User> existingUserOpt = userService.findByGoogleId(userDto.getGoogleId());
+
+        User user = existingUserOpt.orElseGet(() -> {
+            return userService.save(userDto);
+        });
+
+        String jwt = jwtComponent.createAccessToken(user.getId(), "ROLE_USER", Date.from(user.getCreatedAt().atZone(ZoneId.systemDefault()).toInstant()));
+        String refreshToken = jwtComponent.createRefreshToken(user.getId());
+        JwtResponseDto jwtResponseDto = new JwtResponseDto(jwt, refreshToken);
 
+        SuccessResponseDto responseDto = SuccessResponseDto.create(jwtResponseDto);
 
-            Optional<User> existingUserOpt = userService.findByGoogleId(userDto.getGoogleId());
+        return ResponseEntity.ok(responseDto);
+    }
+
+    @PostMapping("/refresh")
+    @Operation(summary = "JWT 갱신", description = "리프레시 토큰을 이용하여 새로운 JWT를 반환합니다.")
+    public ResponseEntity<SuccessResponseDto<JwtResponseDto>> refreshJwt(
+            @RequestBody @Valid RefreshTokenRequestDto refreshTokenRequest
+    ) {
+        String refreshToken = refreshTokenRequest.refreshToken();
 
-            User user = existingUserOpt.orElseGet(() -> {
-                // 신규 유저라면 저장
-                return userService.save(userDto);
-            });
+        Claims claims = jwtComponent.verifyRefreshToken(refreshToken);
 
-            String jwt = jwtComponent.create(user.getId(), "ROLE_USER");
-            JwtDto jwtDto = new JwtDto(jwt);
+        Long userId = claims.getId();
+        UserDto userDto = userService.findUserById(userId);
 
-            SuccessResponseDto responseDto = SuccessResponseDto.create(jwtDto);
+        Date userCreatedAt = TimeUtils.toDate(userDto.getCreatedAt());
+        String newJwt = jwtComponent.createAccessToken(userId, "ROLE_USER", userCreatedAt);
+        String newRefreshToken = jwtComponent.createRefreshToken(userId);
 
-            return ResponseEntity.ok(responseDto);
+        JwtResponseDto jwtResponseDto = new JwtResponseDto(newJwt, newRefreshToken);
+        SuccessResponseDto responseDto = SuccessResponseDto.create(jwtResponseDto);
+
+        return ResponseEntity.ok(responseDto);
     }
-}
+}

src/main/java/app/cardcapture/auth/jwt/config/JwtConfig.java

@@ -7,6 +7,7 @@
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 
+import java.time.LocalDateTime;
 import java.util.Date;
 
 @Configuration
@@ -17,13 +18,22 @@
 public class JwtConfig {
     private String issuer;
     private String secret;
-    private Long expirationInSeconds;
+    private Long accessExpirationInSeconds;
+    private Long refreshExpirationInSeconds;
 
-    public long getExpirationMillis(long current) {
-        return current + expirationInSeconds * 1000L;
+    public long getAccessExpirationMillis(long current) {
+        return current + accessExpirationInSeconds * 1000L;
     }
 
-    public Date getExpirationDate(Date current) {
-        return new Date(getExpirationMillis(current.getTime()));
+    public Date getAccessExpirationDate(Date current) {
+        return new Date(getAccessExpirationMillis(current.getTime()));
+    }
+
+    public LocalDateTime getAccessExpirationDate(LocalDateTime current) {
+        return current.plusSeconds(accessExpirationInSeconds.intValue());
+    }
+
+    public Date getRefreshExpirationDate(Date current) {
+        return new Date(current.getTime() + refreshExpirationInSeconds * 1000L);
     }
 }

src/main/java/app/cardcapture/auth/jwt/controller/TokenController.java

@@ -0,0 +1,30 @@
+package app.cardcapture.auth.jwt.controller;
+
+import app.cardcapture.auth.jwt.service.TokenBlacklistService;
+import app.cardcapture.common.dto.SuccessResponseDto;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import lombok.AllArgsConstructor;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@Tag(name = "token", description = "The token API")
+@RequestMapping("/api/v1/token")
+@AllArgsConstructor
+public class TokenController {
+
+    private final TokenBlacklistService tokenBlacklistService;
+
+    @GetMapping("/logout")
+    @Operation(summary = "로그아웃", description = "JWT 토큰을 블랙리스트에 추가하여 로그아웃 처리합니다.")
+    public ResponseEntity<SuccessResponseDto<String>> logout(
+            @RequestHeader("Authorization") String authHeader
+    ) {
+        tokenBlacklistService.addToBlacklist(authHeader);
+        return ResponseEntity.ok(SuccessResponseDto.create("로그아웃 성공"));
+    }
+}

src/main/java/app/cardcapture/auth/jwt/domain/Claims.java

@@ -1,17 +1,20 @@
 package app.cardcapture.auth.jwt.domain;
 
+import app.cardcapture.common.utils.TimeUtils;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import lombok.Getter;
 
+import java.time.LocalDateTime;
 import java.util.Date;
 
 @Getter
-public class Claims {
+public class Claims { //TODO: Access Token, Refresh Token 용 Claims 구분하기(NullpointerException 방지)
     private Long id;
     private String[] roles;
     private Date issuedAt;
     private Date expiresAt;
     private String issuer;
+    private Date createdAt;
 
     private Claims() {}
 
@@ -21,17 +24,23 @@ public Claims(DecodedJWT decodedJWT) {
         this.issuedAt = decodedJWT.getIssuedAt();
         this.expiresAt = decodedJWT.getExpiresAt();
         this.issuer = decodedJWT.getIssuer();
+        this.createdAt = decodedJWT.getClaim("created_at").asDate();
     }
 
-    public static Claims of(Long id, String role, String issuer) {
+    public static Claims of(Long id, String role, String issuer, Date createdAt) {
         Claims claims = new Claims();
 
         claims.id = id;
         claims.roles = new String[]{role};
         claims.issuedAt = new Date();
         claims.expiresAt = null;
         claims.issuer = issuer;
+        claims.createdAt = createdAt;
 
         return claims;
     }
+
+    public LocalDateTime getLoalDateCreatedAt() {
+        return TimeUtils.toLocalDateTime(createdAt);
+    }
 }

src/main/java/app/cardcapture/auth/jwt/domain/entity/TokenBlacklist.java

@@ -0,0 +1,41 @@
+package app.cardcapture.auth.jwt.domain.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EntityListeners;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
+import jakarta.validation.constraints.NotBlank;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import org.springframework.data.annotation.CreatedDate;
+import org.springframework.data.jpa.domain.support.AuditingEntityListener;
+
+import java.time.LocalDateTime;
+
+@Entity
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@Table(name = "token_blacklist")
+@EntityListeners(AuditingEntityListener.class)
+public class TokenBlacklist {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(nullable = false, unique = true)
+    private String token;
+
+    @Column(nullable = false)
+    @CreatedDate
+    private LocalDateTime createdAt;
+
+    @Column(nullable = false)
+    private LocalDateTime expiryDate;
+} // TODO: 배치로 만료된 토큰 삭제하기

src/main/java/app/cardcapture/auth/jwt/dto/JwtAuthorizationDto.java

@@ -1,12 +1,8 @@
 package app.cardcapture.auth.jwt.dto;
 
 import jakarta.validation.constraints.NotBlank;
-import lombok.AllArgsConstructor;
-import lombok.Getter;
 
-@Getter
-@AllArgsConstructor
-public class JwtAuthorizationDto {
-    @NotBlank
-    private String aceessToken;
-}
+public record JwtAuthorizationDto(
+        @NotBlank String aceessToken
+) {
+}

src/main/java/app/cardcapture/auth/jwt/dto/JwtResponseDto.java

@@ -0,0 +1,9 @@
+package app.cardcapture.auth.jwt.dto;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record JwtResponseDto(
+        @NotBlank String accessToken,
+        @NotBlank String refreshToken
+) {
+}

src/main/java/app/cardcapture/auth/jwt/dto/RefreshTokenRequestDto.java

@@ -0,0 +1,8 @@
+package app.cardcapture.auth.jwt.dto;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record RefreshTokenRequestDto(
+        @NotBlank String refreshToken
+) {
+}

src/main/java/app/cardcapture/auth/jwt/exception/InvalidTokenException.java

@@ -0,0 +1,11 @@
+package app.cardcapture.auth.jwt.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.FORBIDDEN)
+public class InvalidTokenException extends RuntimeException {
+    public InvalidTokenException(String message) {
+        super(message);
+    }
+}

src/main/java/app/cardcapture/auth/jwt/exception/TokenBlacklistedException.java

@@ -0,0 +1,11 @@
+package app.cardcapture.auth.jwt.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.UNAUTHORIZED)
+public class TokenBlacklistedException extends RuntimeException {
+    public TokenBlacklistedException(String message) {
+        super(message);
+    }
+}

src/main/java/app/cardcapture/auth/jwt/filter/JwtAuthenticationTokenFilter.java

@@ -36,7 +36,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
                 authHeader = authHeader.substring(7);
             }
             String authToken = authHeader;
-            Claims claims = jwtComponent.verify(authToken);
+            Claims claims = jwtComponent.verifyAccessToken(authToken);
             if (claims != null) {
                 Long userId = claims.getId();
                 if (userId != null) {

src/main/java/app/cardcapture/auth/jwt/repository/TokenBlacklistRepository.java

@@ -0,0 +1,10 @@
+package app.cardcapture.auth.jwt.repository;
+
+import app.cardcapture.auth.jwt.domain.entity.TokenBlacklist;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface TokenBlacklistRepository extends JpaRepository<TokenBlacklist, Long> {
+    boolean existsByToken(String token);
+}