Feat/#8

build.gradle

@@ -31,6 +31,9 @@ dependencies {
 
 	// Security
 	implementation 'org.springframework.boot:spring-boot-starter-security'
+	implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
+	runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5'
+	runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.11.5'
 
 	// Database & Cache
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'

src/main/java/com/whereyouad/WhereYouAd/domains/user/application/dto/request/LoginRequest.java

@@ -0,0 +1,12 @@
+package com.whereyouad.WhereYouAd.domains.user.application.dto.request;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+
+public record LoginRequest(
+        @NotBlank(message = "이메일은 필수입니다.")
+        @Email(message = "이메일 형식이 올바르지 않습니다.")
+        String email,
+        @NotBlank(message = "비밀번호는 필수입니다.")
+        String password
+) {}

src/main/java/com/whereyouad/WhereYouAd/domains/user/domain/service/AuthService.java

@@ -0,0 +1,86 @@
+package com.whereyouad.WhereYouAd.domains.user.domain.service;
+
+import com.whereyouad.WhereYouAd.domains.user.application.dto.request.LoginRequest;
+import com.whereyouad.WhereYouAd.domains.user.exception.code.AuthErrorCode;
+import com.whereyouad.WhereYouAd.domains.user.persistence.entity.RefreshToken;
+import com.whereyouad.WhereYouAd.domains.user.persistence.repository.RefreshTokenRepository;
+import com.whereyouad.WhereYouAd.global.exception.AppException;
+import com.whereyouad.WhereYouAd.global.security.jwt.CustomUserDetailsService;
+import com.whereyouad.WhereYouAd.global.security.jwt.JwtTokenProvider;
+import com.whereyouad.WhereYouAd.global.security.jwt.dto.TokenResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+@RequiredArgsConstructor
+public class AuthService {
+
+    private final AuthenticationManagerBuilder authenticationManagerBuilder;
+    private final JwtTokenProvider jwtTokenProvider;
+    private final RefreshTokenRepository refreshTokenRepository;
+    private final CustomUserDetailsService customUserDetailsService;
+
+    //최초 로그인을 통해 AccessToken 과 RefreshToken 발급 받는 메서드
+    @Transactional
+    public TokenResponse login(LoginRequest request) {
+        //email, password 기반 Spring Security가 사용할 인증 객체(AuthenticationToken) 생성
+        UsernamePasswordAuthenticationToken authenticationToken =
+                new UsernamePasswordAuthenticationToken(request.email(), request.password());
+
+        //실제 password 검증
+        // authenticate()가 실행되면 CustomUserDetailsService.loadUserByUsername이 호출되어 DB의 유저 정보와 비교합니다.
+        Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
+
+        //인증 정보 기반 JWT 토큰(Access & Refresh) 생성
+        TokenResponse tokenResponse = jwtTokenProvider.generateToken(authentication);
+
+        //RefreshToken 저장 -> 없으면 생성, 이미 있으면 update
+        RefreshToken refreshToken = refreshTokenRepository.findByKeyId(request.email())
+                .map(entity -> entity.updateValue(tokenResponse.refreshToken()))
+                .orElse(RefreshToken.builder()
+                        .keyId(request.email())
+                        .value(tokenResponse.refreshToken()).
+                        build());
+
+        refreshTokenRepository.save(refreshToken);
+
+        return tokenResponse;
+    }
+
+    //기존 AccessToken 만료 시 RefreshToken을 통해 AccessToken & RefreshToken 을 재발급 받는 메서드
+    @Transactional
+    public TokenResponse reIssue(String refreshToken) {
+        jwtTokenProvider.validateToken(refreshToken); //refreshToken 자체에 문제가 있을 시 해당 부분에서 예외 발생
+
+        String email = jwtTokenProvider.getSubject(refreshToken); //refreshToken 에서 사용자 email 값 추출
+
+        //기존에 해당 email의 RefreshToken 이 있는지 조회
+        RefreshToken savedRefreshToken = refreshTokenRepository.findByKeyId(email)
+                .orElseThrow(() -> new AppException(AuthErrorCode.TOKEN_EXPIRED));
+
+        //해당 저장된 RefreshToken 과 입력받은 RefreshToken 이 동일한지 확인
+        if (!savedRefreshToken.getValue().equals(refreshToken)) {
+            throw new AppException(AuthErrorCode.INVALID_TOKEN_FORMAT);
+        }
+
+        //새로운 토큰 생성을 위해 유저 최신 정보 조회
+        UserDetails userDetails = customUserDetailsService.loadUserByUsername(email);
+
+        // Spring Security 인증 객체 생성
+        UsernamePasswordAuthenticationToken authentication =
+                new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
+
+        //새로운 Access & RefreshToken 생성 및 저장
+        TokenResponse tokenResponse = jwtTokenProvider.generateToken(authentication);
+        savedRefreshToken.updateValue(tokenResponse.refreshToken());
+        refreshTokenRepository.save(savedRefreshToken);
+
+        //새로운 Access & RefreshToken 반환
+        return tokenResponse;
+    }
+}

src/main/java/com/whereyouad/WhereYouAd/domains/user/exception/code/AuthErrorCode.java

@@ -0,0 +1,24 @@
+package com.whereyouad.WhereYouAd.domains.user.exception.code;
+
+import com.whereyouad.WhereYouAd.global.exception.BaseErrorCode;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import org.springframework.http.HttpStatus;
+
+@Getter
+@AllArgsConstructor
+public enum AuthErrorCode implements BaseErrorCode {
+    //토큰 관련
+    TOKEN_EXPIRED(HttpStatus.UNAUTHORIZED, "AUTH_401_2", "토큰이 만료되었습니다."),
+    INVALID_TOKEN_FORMAT(HttpStatus.UNAUTHORIZED, "AUTH_401_3", "잘못된 토큰 형식입니다."),
+
+    // 로그인 실패 (비밀번호 틀림 or 계정 없음)
+    LOGIN_FAILED(HttpStatus.UNAUTHORIZED, "AUTH_401_1", "아이디 또는 비밀번호가 일치하지 않습니다."),
+
+    USER_NOT_FOUND(HttpStatus.NOT_FOUND, "AUTH_401_4", "해당 이메일의 회원이 존재하지 않습니다.")
+    ;
+
+    private final HttpStatus httpStatus;
+    private final String code;
+    private final String message;
+}

src/main/java/com/whereyouad/WhereYouAd/domains/user/persistence/entity/RefreshToken.java

@@ -0,0 +1,29 @@
+package com.whereyouad.WhereYouAd.domains.user.persistence.entity;
+
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+
+@Entity
+@Table(name = "refresh_tokens")
+@Getter
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class RefreshToken {
+
+    @Id
+    private String keyId; //유저의 이메일(Key)
+
+    private String value; //Refresh Token 값(Value)
+
+    //토큰 갱신 메서드
+    public RefreshToken updateValue(String token) {
+        this.value = token;
+        return this;
+    }
+}

src/main/java/com/whereyouad/WhereYouAd/domains/user/persistence/repository/RefreshTokenRepository.java

@@ -0,0 +1,13 @@
+package com.whereyouad.WhereYouAd.domains.user.persistence.repository;
+
+import com.whereyouad.WhereYouAd.domains.user.persistence.entity.RefreshToken;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+
+import java.util.Optional;
+
+public interface RefreshTokenRepository extends JpaRepository<RefreshToken, String> {
+    @Query("select r from RefreshToken r where r.keyId = :keyId")
+    Optional<RefreshToken> findByKeyId(@Param("keyId") String keyId);
+}

src/main/java/com/whereyouad/WhereYouAd/domains/user/presentation/AuthController.java

@@ -0,0 +1,64 @@
+package com.whereyouad.WhereYouAd.domains.user.presentation;
+
+import com.whereyouad.WhereYouAd.domains.user.application.dto.request.LoginRequest;
+import com.whereyouad.WhereYouAd.domains.user.domain.service.AuthService;
+import com.whereyouad.WhereYouAd.domains.user.presentation.docs.AuthControllerDocs;
+import com.whereyouad.WhereYouAd.global.response.DataResponse;
+import com.whereyouad.WhereYouAd.global.security.jwt.dto.TokenResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseCookie;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/auth")
+@RequiredArgsConstructor
+public class AuthController implements AuthControllerDocs {
+
+    private final AuthService authService;
+
+    @PostMapping("/login")
+    public ResponseEntity<DataResponse<TokenResponse>> login(@RequestBody LoginRequest request) {
+
+        TokenResponse tokenResponse = authService.login(request);
+
+        ResponseCookie httpOnlyCookie = ResponseCookie.from("refresh_token", tokenResponse.refreshToken())
+                .httpOnly(true)
+//                .secure(true) //<-- HTTPS 에서만 쿠키 전송하도록 설정
+                .secure(false) //<-- Postman 테스트 용이를 위해 false
+                .path("/")
+                .maxAge(60 * 60 * 24 * 7) // 7일
+//                .sameSite("None") //<-- 크로스 사이트 전송 정책, 프론트와 연동시 해당 코드 활성화
+                .sameSite("Strict") //<-- 개발 or 테스트 or Postman 을 위해 임시 Strict
+                .build();
+
+        return ResponseEntity.ok()
+                .header(HttpHeaders.SET_COOKIE, httpOnlyCookie.toString()) //생성한 RefreshToken 쿠키를 헤더에 설정
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + tokenResponse.accessToken()) //AccessToken 을 Authorization 헤더에도 추가(편의사항)
+                .body(DataResponse.from(tokenResponse));
+    }
+
+    @PostMapping("/reissue")
+    public ResponseEntity<DataResponse<TokenResponse>> reIssue(
+            @CookieValue(name = "refresh_token") String refreshToken
+    )
+    {
+        TokenResponse tokenResponse = authService.reIssue(refreshToken);
+
+        ResponseCookie httpOnlyCookie = ResponseCookie.from("refresh_token", tokenResponse.refreshToken())
+                .httpOnly(true)
+//                .secure(true)
+                .secure(false)
+                .path("/")
+                .maxAge(60 * 60 * 24 * 7) // 7일
+//                .sameSite("None")
+                .sameSite("Strict")
+                .build();
+
+        return ResponseEntity.ok()
+                .header(HttpHeaders.SET_COOKIE, httpOnlyCookie.toString()) //생성한 RefreshToken 쿠키를 헤더에 설정
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + tokenResponse.accessToken()) //AccessToken 을 Authorization 헤더에도 추가(편의사항)
+                .body(DataResponse.from(tokenResponse));
+    }
+}

src/main/java/com/whereyouad/WhereYouAd/domains/user/presentation/docs/AuthControllerDocs.java

@@ -0,0 +1,34 @@
+package com.whereyouad.WhereYouAd.domains.user.presentation.docs;
+
+import com.whereyouad.WhereYouAd.domains.user.application.dto.request.LoginRequest;
+import com.whereyouad.WhereYouAd.global.response.DataResponse;
+import com.whereyouad.WhereYouAd.global.security.jwt.dto.TokenResponse;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.responses.ApiResponses;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.RequestBody;
+
+public interface AuthControllerDocs {
+    @Operation(
+            summary = "로그인 API",
+            description = "이메일, 비밀번호를 입력받아 로그인 진행, AccessToken 을 body 로 반환 & RefreshToken 은 쿠키로 반환"
+    )
+    @ApiResponses({
+            @ApiResponse(responseCode = "200", description = "성공"),
+            @ApiResponse(responseCode = "401_1", description = "실패")
+    })
+    public ResponseEntity<DataResponse<TokenResponse>> login(@RequestBody LoginRequest request);
+
+    @Operation(
+            summary = "AccessToken 재발급 API",
+            description = "AccessToken 만료 시 쿠키에 있는 RefreshToken 을 사용해 AccessToken & RefreshToken 을 재발급"
+    )
+    @ApiResponses({
+            @ApiResponse(responseCode = "200", description = "성공"),
+            @ApiResponse(responseCode = "401_2", description = "실패(RefreshToken 만료, 재로그인 필요)"),
+            @ApiResponse(responseCode = "401_3", description = "실패(RefreshToken 옳지 않은 값)")
+    })
+    public ResponseEntity<DataResponse<TokenResponse>> reIssue(@CookieValue(name = "refresh_token") String refreshToken);
+}

src/main/java/com/whereyouad/WhereYouAd/global/exception/GlobalExceptionHandler.java

@@ -1,8 +1,12 @@
 package com.whereyouad.WhereYouAd.global.exception;
 
+import com.whereyouad.WhereYouAd.domains.user.exception.code.AuthErrorCode;
 import com.whereyouad.WhereYouAd.global.response.ErrorResponse;
+import io.jsonwebtoken.JwtException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.InternalAuthenticationServiceException;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
@@ -62,4 +66,42 @@ public ResponseEntity<ErrorResponse> handleNotValidException(MethodArgumentNotVa
                 .status(HttpStatus.BAD_REQUEST)
                 .body(errorResponse);
     }
+
+    /**
+     * 로그인 실패 처리 (비밀번호 틀림, 이메일 없음 등)
+     * Spring Security에서 발생하는 BadCredentialsException을 잡아서
+     * AUTH_401_3 에러 코드로 반환
+     */
+    @ExceptionHandler({BadCredentialsException.class, InternalAuthenticationServiceException.class})
+    public ResponseEntity<ErrorResponse> handleLoginException(Exception e, HttpServletRequest request) {
+        log.error("로그인 실패: {}", e.getMessage());
+
+        ErrorResponse errorResponse = ErrorResponse.of(
+                AuthErrorCode.LOGIN_FAILED,
+                request
+        );
+
+        return ResponseEntity
+                .status(AuthErrorCode.LOGIN_FAILED.getHttpStatus())
+                .body(errorResponse);
+    }
+
+    /**
+     * JWT 토큰 유효성 검사 실패 처리 (reissue 과정에서 조작된 토큰 등)
+     * SignatureException, MalformedJwtException, UnsupportedJwtException 등을
+     * JwtTokenProvider에서 catch하여 JwtException("Invalid Token")으로 던지고 있음
+     */
+    @ExceptionHandler({JwtException.class, IllegalArgumentException.class})
+    public ResponseEntity<ErrorResponse> handleJwtException(Exception e, HttpServletRequest request) {
+        log.warn("유효하지 않은 JWT 토큰입니다: {}", e.getMessage());
+
+        ErrorResponse errorResponse = ErrorResponse.of(
+                AuthErrorCode.INVALID_TOKEN_FORMAT,
+                request
+        );
+
+        return ResponseEntity
+                .status(AuthErrorCode.INVALID_TOKEN_FORMAT.getHttpStatus())
+                .body(errorResponse);
+    }
 }

src/main/java/com/whereyouad/WhereYouAd/global/security/SecurityConfig.java

@@ -1,22 +1,45 @@
 package com.whereyouad.WhereYouAd.global.security;
 
+import com.whereyouad.WhereYouAd.global.security.jwt.*;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
+@RequiredArgsConstructor
+@EnableWebSecurity
 public class SecurityConfig {
 
+    private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
+    private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
                 .csrf(csrf -> csrf.disable()) //CSRF 보호 비활성화
+                .sessionManagement(session -> session
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS) //세션 관리 정책을 STATELESS -> JWT 사용하므로
+                )
+                .exceptionHandling(exception -> exception //예외 처리
+                        .authenticationEntryPoint(jwtAuthenticationEntryPoint) //인증 실패 시(로그인 미진행, 토큰 만료 등)
+                        .accessDeniedHandler(jwtAccessDeniedHandler) //인가 실패 시(권한 부족등)(현재 로직에서는 동작 X -> 모두 ROLE_USER 이므로)
+                )
                 .authorizeHttpRequests(auth -> auth
-                        .anyRequest().permitAll() //우선 모든 접근 허용 -> 추후 로그인 구현 이후 접근 제한 예정
-                );
+                        .requestMatchers("/swagger-ui/**", "/v3/api-docs/**", "/swagger-ui.html").permitAll() //swagger 접근 허용
+                        .requestMatchers("/api/users/signup", "/api/auth/**").permitAll() //로그인, 회원가입 접근 허용
+                        .anyRequest().authenticated() //이외 접근은 인증 필요
+                )
+                //Spring Security 의 기본 UsernamePasswordAuthenticationFilter 앞에 JwtAuthenticationFilter 등록
+                //Spring Security 가 기본 로그인을 수행하기 전에, JWT 토큰을 먼저 검사해서 유효하면 바로 인증 처리 하기 위해
+                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }