[FEAT] Docs 작업(Swagger, Security, Cors) (#77)

* 📝docs: Swagger 작업 진행

* ✨feat: 인증/인가 추가 작업

* ✨feat: cors 작업

* 🐛fix: 코드 리뷰 피드백 반영

Author: Be-HinD

build.gradle

@@ -45,6 +45,8 @@ dependencies {
     developmentOnly 'com.h2database:h2'
     testImplementation 'com.h2database:h2'
 
+    //Swagger
+    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.7.0'
 
 }
 

src/main/java/team/wego/wegobackend/auth/application/AuthService.java

@@ -71,10 +71,10 @@ public LoginResponse login(LoginRequest request) {
             throw new DeletedUserException();
         }
 
-        String accessToken = jwtTokenProvider.createAccessToken(user.getEmail(),
+        String accessToken = jwtTokenProvider.createAccessToken(user.getId(), user.getEmail(),
             user.getRole().name());
 
-        String refreshToken = jwtTokenProvider.createRefreshToken(user.getEmail());
+        String refreshToken = jwtTokenProvider.createRefreshToken(user.getId(), user.getEmail());
 
         Long expiresIn = jwtTokenProvider.getAccessTokenExpiresIn();
 
@@ -99,10 +99,8 @@ public RefreshResponse refresh(String refreshToken) {
             throw new DeletedUserException();
         }
 
-        String newAccessToken = jwtTokenProvider.createAccessToken(
-            user.getEmail(),
-            user.getRole().name()
-        );
+        String newAccessToken = jwtTokenProvider.createAccessToken(user.getId(), user.getEmail(),
+            user.getRole().name());
 
         Long expiresIn = jwtTokenProvider.getAccessTokenExpiresIn();
 

src/main/java/team/wego/wegobackend/auth/presentation/AuthController.java

@@ -25,7 +25,7 @@
 @RestController
 @RequiredArgsConstructor
 @RequestMapping("/api/v1/auth")
-public class AuthController {
+public class AuthController implements AuthControllerDocs {
 
     private final AuthService authService;
 

src/main/java/team/wego/wegobackend/auth/presentation/AuthControllerDocs.java

@@ -0,0 +1,36 @@
+package team.wego.wegobackend.auth.presentation;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.validation.Valid;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.RequestBody;
+import team.wego.wegobackend.auth.application.dto.request.LoginRequest;
+import team.wego.wegobackend.auth.application.dto.request.SignupRequest;
+import team.wego.wegobackend.auth.application.dto.response.LoginResponse;
+import team.wego.wegobackend.auth.application.dto.response.RefreshResponse;
+import team.wego.wegobackend.auth.application.dto.response.SignupResponse;
+import team.wego.wegobackend.common.response.ApiResponse;
+
+@Tag(name = "인증/인가 API", description = "인증 및 인가에 대한 API 리스트 \uD83D\uDC08")
+public interface AuthControllerDocs {
+
+    @Operation(summary = "회원가입", description = "회원가입을 위한 엔드포인트")
+    ResponseEntity<ApiResponse<SignupResponse>> signup(
+        @Valid @RequestBody SignupRequest request);
+
+    @Operation(summary = "로그인", description = "로그인을 위한 엔드포인트")
+    ResponseEntity<ApiResponse<LoginResponse>> login(
+        @Valid @RequestBody LoginRequest request,
+        HttpServletResponse response);
+
+    @Operation(summary = "로그아웃", description = "리프레시 토큰 쿠키만 삭제합니다.")
+    ResponseEntity<ApiResponse<Void>> logout(HttpServletResponse response);
+
+    @Operation(summary = "액세스 토큰 재발급", description = "리프레시 토큰 만료가 안되었을 경우 액세스 토큰을 재발급합니다.")
+    ResponseEntity<ApiResponse<RefreshResponse>> refresh(
+        @CookieValue(name = "refreshToken", required = false) String refreshToken);
+    
+}

src/main/java/team/wego/wegobackend/common/config/CorsConfig.java

@@ -0,0 +1,27 @@
+package team.wego.wegobackend.common.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class CorsConfig {
+    @Bean
+    public WebMvcConfigurer corsConfigurer() {
+        return new WebMvcConfigurer() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                registry.addMapping("/**")
+                    .allowedOrigins(
+                        "http://localhost:3000",
+                        "https://wego.monster"
+                    )
+                    .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
+                    .allowedHeaders("*")
+                    .allowCredentials(true)
+                    .maxAge(3600);
+            }
+        };
+    }
+}

src/main/java/team/wego/wegobackend/common/config/SwaggerConfig.java

@@ -0,0 +1,40 @@
+package team.wego.wegobackend.common.config;
+
+import io.swagger.v3.oas.models.Components;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import java.util.List;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class SwaggerConfig {
+
+    @Bean
+    public OpenAPI openAPI() {
+        SecurityScheme securityScheme = new SecurityScheme()
+            .type(SecurityScheme.Type.HTTP)
+            .scheme("bearer")
+            .bearerFormat("JWT")
+            .in(SecurityScheme.In.HEADER)
+            .name("Authorization");
+
+        SecurityRequirement securityRequirement = new SecurityRequirement()
+            .addList("bearerAuth");
+
+        return new OpenAPI()
+            .components(new Components()
+                .addSecuritySchemes("bearerAuth", securityScheme))
+            .security(List.of(securityRequirement))
+            .info(apiInfo());
+    }
+
+    private Info apiInfo() {
+        return new Info()
+            .title("WeGo-API Documentation")
+            .description("Welcome To WeGo-API Documentation \uD83D\uDE0A")
+            .version("1.0.0");
+    }
+}

src/main/java/team/wego/wegobackend/common/security/JwtAuthenticationFilter.java

@@ -2,7 +2,6 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -12,11 +11,11 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.stereotype.Component;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.StringUtils;
+import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 import team.wego.wegobackend.auth.exception.UserNotFoundException;
 import team.wego.wegobackend.common.response.ErrorResponse;
@@ -53,7 +52,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 
                 String email = jwtTokenProvider.getEmailFromToken(jwt);
 
-                UserDetails userDetails = userDetailsService.loadUserByUsername(email);
+                CustomUserDetails userDetails = (CustomUserDetails) userDetailsService.loadUserByUsername(email);
 
                 UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                     userDetails, null, userDetails.getAuthorities());
@@ -66,11 +65,16 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 
                 log.debug("JWT 인증 성공: {}", email);
 
-                filterChain.doFilter(request, response);
-                return;
             }
+            else {
+                if(!isPublicEndpoint(request)) {
+                    sendJsonError(response, "토큰을 찾을 수 없습니다.");
+                    return;
+                }
+            }
+
+            filterChain.doFilter(request, response);
 
-            sendJsonError(response, "토큰을 찾을 수 없습니다.");
 
         } catch (ExpiredTokenException | InvalidTokenException |UserNotFoundException e) {
             sendJsonError(response, e.getMessage());
@@ -107,4 +111,25 @@ private void sendJsonError(HttpServletResponse response, String message) throws
 
         objectMapper.writeValue(response.getWriter(), errorResponse);
     }
+
+    /**
+     * Public 엔드포인트 확인
+     */
+    private boolean isPublicEndpoint(HttpServletRequest request) {
+        String path = request.getRequestURI();
+        String method = request.getMethod();
+
+        if (CorsUtils.isPreFlightRequest(request)) {
+            return true;
+        }
+
+        //TODO : PUBLIC_PATTERNS 관리 포인트 개선 필요 (메서드까지 관리 확장)
+        if ("GET".equals(method) && pathMatcher.match("/api/v1/users/*", path)) {
+            return true;
+        }
+
+        // SecurityEndpoints.PUBLIC_PATTERNS 체크
+        return Arrays.stream(SecurityEndpoints.PUBLIC_PATTERNS)
+            .anyMatch(pattern -> pathMatcher.match(pattern, path));
+    }
 }

src/main/java/team/wego/wegobackend/common/security/SecurityConfig.java

@@ -3,6 +3,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig;
@@ -29,6 +30,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
         http
             .authorizeHttpRequests((auth) -> auth
+                .requestMatchers(HttpMethod.GET, "/api/v1/users/*").permitAll()
                 .requestMatchers(SecurityEndpoints.PUBLIC_PATTERNS).permitAll()
                 .anyRequest().authenticated()
             );

src/main/java/team/wego/wegobackend/common/security/SecurityEndpoints.java

@@ -4,9 +4,15 @@ public class SecurityEndpoints {
 
     public static final String[] PUBLIC_PATTERNS = {
         "/api/v*/auth/**",
-        "/api/v*/docs/**",
         "/api/v*/health",
         "/h2-console/**",
-        "/error"
+        "/error",
+
+        //SpringDoc
+        "/swagger-ui/**",
+        "/swagger-ui.html",
+        "/api-docs/**",
+        "/v*/api-docs/**",
     };
+
 }

src/main/java/team/wego/wegobackend/common/security/jwt/JwtTokenProvider.java

@@ -46,20 +46,21 @@ protected void init() {
     /**
      * JWT 토큰 생성
      */
-    public String createAccessToken(String email, String role) {
-        return createToken(email, role, accessTokenExpiration, "access");
+    public String createAccessToken(Long userId, String email, String role) {
+        return createToken(userId, email, role, accessTokenExpiration, "access");
     }
 
-    public String createRefreshToken(String email) {
-        return createToken(email, null, refreshTokenExpiration, "refresh");
+    public String createRefreshToken(Long userId, String email) {
+        return createToken(userId, email, null, refreshTokenExpiration, "refresh");
     }
 
-    private String createToken(String email, String role, long expiration, String type) {
+    private String createToken(Long userId, String email, String role, long expiration, String type) {
         Date now = new Date();
         Date expiryDate = new Date(now.getTime() + expiration);
 
         JwtBuilder builder = Jwts.builder()
             .subject(email)
+            .claim("userId", userId)
             .claim("type", type)
             .issuedAt(now)
             .expiration(expiryDate);
@@ -71,12 +72,16 @@ private String createToken(String email, String role, long expiration, String ty
         return builder.signWith(secretKey, Jwts.SIG.HS256).compact();
     }
 
+    public String getTokenUserId(String token) {
+        return getClaims(token).get("userId", String.class);
+    }
+
     public String getEmailFromToken(String token) {
         return getClaims(token).getSubject();
     }
 
-    public String getRoleFromToken(String token) {
-        return getClaims(token).get("role", String.class);
+    public Long getRoleFromToken(String token) {
+        return getClaims(token).get("role", Long.class);
     }
 
     public String getTokenType(String token) {