
[FEAT] Improve authentication flow and admin permission handling #143

Merged: gudals2040 merged 1 commit into dev from feat/142-auth-admin-access on Mar 12, 2026
Conversation

sableye9 (Collaborator) commented Mar 11, 2026

Related issue

Work done

  • Added request/response DTOs for standard login
  • Cleaned up JWT generation and authentication filter logic
  • Clarified the criterion used to look up users
  • Improved OAuth login success handling
  • Cleaned up permission handling in SecurityConfig
  • Added CORS configuration

Checklist

  • Followed the PR title convention
  • Linked the related issue
  • Wrote the description clearly
  • Verified correct operation in a local environment

sableye9 self-assigned this Mar 11, 2026
gemini-code-assist bot (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving the application's overall authentication flow and the way user permissions are handled. For both standard login and OAuth2 login it strengthens email-based authentication, and it explicitly includes the user's role in the JWT so that permissions can be managed at a finer grain. It also modularizes the security configuration and manages the CORS policy separately, improving the system's flexibility and maintainability.

Highlights

  • Authentication flow: Added request/response DTOs for standard login; at login the user is now looked up by email, and Access and Refresh Tokens carrying the role are issued.
  • Stronger JWT management: The user's role is included as a claim when the JWT is created, and new methods extract the email and role from a token, making the token more flexible and secure.
  • Unified user lookup: Users are authenticated and looked up by email instead of nickname, for consistency.
  • OAuth2 login handling: On OAuth2 login success the user is looked up or newly created, and JWT Access/Refresh Tokens containing the role are issued and handed to the front end.
  • Security configuration and CORS split: The CORS settings were moved into a separate CorsConfig class, and SecurityConfig gained permit-all paths for static resources, making the security configuration clearer.
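The token provider the summary describes (role carried as a claim, email and role read back out of the token, and a refresh that needs no database lookup), as an added example rather than the PR's own code. It assumes jjwt 0.12.x and an HMAC secret of at least 32 bytes. The `typ` claim that stops a refresh token from being accepted as an access token, the method names, and the omission of the Redis write the PR performs in createRefreshToken are my choices, not the project's.

```java
package com.example.auth; // hypothetical package, not the PR's

import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.Optional;

import javax.crypto.SecretKey;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

public class JwtTokenProvider {

    private static final String ROLE_CLAIM = "role";
    private static final String TYPE_CLAIM = "typ"; // "access" or "refresh"; my addition, not in the PR

    private final SecretKey key;
    private final Duration accessTtl;
    private final Duration refreshTtl;

    public JwtTokenProvider(String secret, Duration accessTtl, Duration refreshTtl) {
        // HS256 needs a key of at least 256 bits; hmacShaKeyFor throws on anything shorter.
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
        this.accessTtl = accessTtl;
        this.refreshTtl = refreshTtl;
    }

    public String createAccessToken(String email, String role) {
        return build(email, role, "access", accessTtl);
    }

    // The PR also stores the refresh token in Redis here; that side effect is left out.
    public String createRefreshToken(String email, String role) {
        return build(email, role, "refresh", refreshTtl);
    }

    private String build(String email, String role, String type, Duration ttl) {
        Instant now = Instant.now();
        return Jwts.builder()
                .subject(email)              // the lookup key, matching the PR's email-based lookup
                .claim(ROLE_CLAIM, role)     // e.g. "ROLE_ADMIN"; the auth filter maps it to an authority
                .claim(TYPE_CLAIM, type)
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plus(ttl)))
                .signWith(key)
                .compact();
    }

    // Verifies signature and expiry and checks the token type; empty on any failure.
    private Optional<Claims> parse(String token, String expectedType) {
        try {
            Claims claims = Jwts.parser()
                    .verifyWith(key)
                    .build()
                    .parseSignedClaims(token)
                    .getPayload();
            return expectedType.equals(claims.get(TYPE_CLAIM, String.class))
                    ? Optional.of(claims)
                    : Optional.empty();      // a refresh token must not pass as an access token
        } catch (JwtException | IllegalArgumentException e) {
            return Optional.empty();         // expired, tampered, malformed or empty
        }
    }

    public Optional<String> getEmail(String accessToken) {
        return parse(accessToken, "access").map(Claims::getSubject);
    }

    public Optional<String> getRole(String accessToken) {
        return parse(accessToken, "access").map(c -> c.get(ROLE_CLAIM, String.class));
    }

    // Refresh flow: email and role come from the verified refresh token, so no DB lookup is needed.
    // In the PR's design, also confirm the token is still present in Redis before issuing a new one.
    public Optional<String> refreshAccessToken(String refreshToken) {
        return parse(refreshToken, "refresh")
                .map(c -> createAccessToken(c.getSubject(), c.get(ROLE_CLAIM, String.class)));
    }

    public static void main(String[] args) {
        // Constructed demo secret (>= 32 bytes); in the project it would come from configuration.
        JwtTokenProvider provider = new JwtTokenProvider(
                "change-me-this-is-a-32-byte-demo-secret!!", Duration.ofMinutes(30), Duration.ofDays(7));
        String access = provider.createAccessToken("alice@example.com", "ROLE_ADMIN");
        String refresh = provider.createRefreshToken("alice@example.com", "ROLE_ADMIN");

        System.out.println("role from access token:   " + provider.getRole(access));
        System.out.println("refresh used as access:   " + provider.getRole(refresh)); // rejected: wrong type
        System.out.println("refreshed access present: " + provider.refreshAccessToken(refresh).isPresent());
    }
}
```

Keeping the role in the token means a role change (for example revoking admin) only takes effect when the access token expires or the refresh token is removed from Redis; short access-token lifetimes keep that window small.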

gemini-code-assist bot (Contributor) left a comment

Code Review

This PR includes important changes to improve authentication and authorization logic. Overall, the changes are positive, such as using DTOs and cleaning up the logic. However, some security and performance issues were found. In particular, passing tokens as URL parameters after OAuth2 login is a significant security risk and must be corrected. Also, there are opportunities to improve performance by removing duplicate database queries and Redis storage logic. Finally, the compilation error caused by separating the CORS configuration into CorsConfig must also be fixed. Please refer to the individual code review comments for details.

I am having trouble creating individual review comments. My feedback follows.

src/main/java/com/aibe/team2/domain/auth/util/OAuth2SuccessHandler.java (51-56)

critical

Passing JWT tokens in URL query parameters is a significant security vulnerability. URLs can be exposed in server logs, browser history, etc., which can lead to token theft. It is recommended to use the previous implementation of transmitting tokens via secure HttpOnly cookies.

Also, the redirect URL is hardcoded. It is better to manage this value in a configuration file such as application.properties for maintainability.

        org.springframework.http.ResponseCookie accessTokenCookie = org.springframework.http.ResponseCookie.from("accessToken", accessToken)
                .path("/")
                .httpOnly(true)
                .secure(true)
                .sameSite("Lax")
                .maxAge(3600) // 1 hour; recommended to manage this as a configuration value.
                .build();

        org.springframework.http.ResponseCookie refreshTokenCookie = org.springframework.http.ResponseCookie.from("refreshToken", refreshToken)
                .path("/")
                .httpOnly(true)
                .secure(true)
                .sameSite("Lax")
                .maxAge(604800) // 7 days; recommended to manage this as a configuration value.
                .build();

        response.addHeader(org.springframework.http.HttpHeaders.SET_COOKIE, accessTokenCookie.toString());
        response.addHeader(org.springframework.http.HttpHeaders.SET_COOKIE, refreshTokenCookie.toString());

        // TODO: manage targetUrl in the configuration file
        String targetUrl = "http://localhost:5173/AIBE4_FinalProject_Team2_FE/oauth/callback";
References
  1. To prevent token theft, do not pass JWT tokens in URL query parameters. Instead, transmit them using secure, HTTP-only cookies.

src/main/java/com/aibe/team2/global/config/SecurityConfig.java (105-117)

critical

After moving the corsConfigurationSource Bean to CorsConfig, the corsConfigurationSource() method call on line 50 of SecurityConfig was not updated. This will cause a compilation error. You should inject CorsConfigurationSource as a dependency into SecurityConfig and use it.

src/main/java/com/aibe/team2/domain/auth/controller/AuthController.java (49-55)

medium

The Authentication object returned by authenticationManager.authenticate() already contains user information. Utilizing this information can reduce unnecessary database calls to retrieve the user. You can obtain the Member object by retrieving CustomUserDetails via authentication.getPrincipal().

            Authentication authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(email, password)
            );

            // 2. Look up the user
            com.aibe.team2.domain.auth.dto.CustomUserDetails userDetails = (com.aibe.team2.domain.auth.dto.CustomUserDetails) authentication.getPrincipal();
            Member member = userDetails.getMember();

src/main/java/com/aibe/team2/domain/auth/controller/AuthController.java (61-64)

medium

The jwtTokenProvider.createRefreshToken() method already saves the refresh token to Redis. Therefore, there is no need to save it again here. This code should be removed.

src/main/java/com/aibe/team2/domain/auth/controller/AuthController.java (134-137)

medium

There is no need to make an additional database call to retrieve the Member object. You can directly extract the role information from the refresh token. This reduces unnecessary database queries and improves performance.

        String role = jwtTokenProvider.getRole(refreshToken);
        String newAccessToken = jwtTokenProvider.createAccessToken(email, role);

src/main/java/com/aibe/team2/global/config/CorsConfig.java (18-20)

medium

The allowed Origin is hardcoded. Considering deployment to various environments such as development, staging, and production, it is recommended to configure this value in the application.properties file and inject it using the @Value annotation.
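The cookie-based success handler the critical finding asks for, with the redirect target read from configuration instead of hardcoded, as an added example and not the PR's code. JwtTokenProvider (createAccessToken/createRefreshToken taking email and role), MemberRepository.findByEmail, Member.getRole() returning an enum, the Member.fromOAuth factory, the property names, and the /api/auth/refresh path are all assumptions.

```java
package com.example.auth; // hypothetical package, not the PR's

import java.io.IOException;
import java.time.Duration;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class CookieOAuth2SuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private final JwtTokenProvider jwtTokenProvider; // assumed: createAccessToken/createRefreshToken(email, role)
    private final MemberRepository memberRepository; // assumed: findByEmail(String) -> Optional<Member>
    private final String redirectUri;
    private final Duration accessTtl;
    private final Duration refreshTtl;
    private final boolean secureCookie;

    public CookieOAuth2SuccessHandler(JwtTokenProvider jwtTokenProvider,
                                      MemberRepository memberRepository,
                                      // e.g. app.oauth2.redirect-uri=http://localhost:5173/.../oauth/callback
                                      @Value("${app.oauth2.redirect-uri}") String redirectUri,
                                      @Value("${app.jwt.access-ttl-seconds:3600}") long accessTtlSeconds,
                                      @Value("${app.jwt.refresh-ttl-seconds:604800}") long refreshTtlSeconds,
                                      @Value("${app.cookie.secure:true}") boolean secureCookie) {
        this.jwtTokenProvider = jwtTokenProvider;
        this.memberRepository = memberRepository;
        this.redirectUri = redirectUri;
        this.accessTtl = Duration.ofSeconds(accessTtlSeconds);
        this.refreshTtl = Duration.ofSeconds(refreshTtlSeconds);
        this.secureCookie = secureCookie; // set false only for plain-http local development
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        OAuth2User oauthUser = (OAuth2User) authentication.getPrincipal();
        String email = oauthUser.getAttribute("email"); // attribute name depends on the provider
        Member member = memberRepository.findByEmail(email)
                .orElseGet(() -> memberRepository.save(Member.fromOAuth(email))); // assumed factory method
        String role = member.getRole().name();

        String accessToken = jwtTokenProvider.createAccessToken(email, role);
        String refreshToken = jwtTokenProvider.createRefreshToken(email, role);

        response.addHeader(HttpHeaders.SET_COOKIE, cookie("accessToken", accessToken, "/", accessTtl));
        // Scope the refresh cookie to the refresh endpoint so it is not sent with every API call.
        response.addHeader(HttpHeaders.SET_COOKIE,
                cookie("refreshToken", refreshToken, "/api/auth/refresh", refreshTtl));

        clearAuthenticationAttributes(request);
        // The redirect carries no token: nothing sensitive lands in logs, history or the Referer header.
        getRedirectStrategy().sendRedirect(request, response, redirectUri);
    }

    private String cookie(String name, String value, String path, Duration maxAge) {
        return ResponseCookie.from(name, value)
                .httpOnly(true)        // not readable from JavaScript
                .secure(secureCookie)  // only sent over TLS
                .sameSite("Lax")       // not attached to cross-site POSTs; see the note below
                .path(path)
                .maxAge(maxAge)
                .build()
                .toString();
    }
}
```

Two consequences of moving the tokens into cookies: if the front end is served from a different site than the API (a different registrable domain, not just a different port), SameSite=Lax cookies are not attached to its fetch calls and SameSite=None together with Secure is required; and because the browser now attaches the token on its own, state-changing endpoints need CSRF protection (a CSRF token or a required custom header) rather than the csrf().disable() that is typical of bearer-token APIs.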
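The CorsConfig/SecurityConfig wiring the two remaining findings ask for (allowed origins from properties, the CorsConfigurationSource bean injected into SecurityConfig rather than called as a local method), plus the admin-role gate the PR title refers to, as an added example and not the project's code. The property names, path patterns and the ADMIN role name are assumptions.

```java
package com.example.config; // hypothetical package, not the PR's

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsConfig {

    @Bean
    public CorsConfigurationSource corsConfigurationSource(
            // e.g. app.cors.allowed-origins=http://localhost:5173,https://app.example.com
            @Value("${app.cors.allowed-origins}") List<String> allowedOrigins) {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(allowedOrigins); // explicit origins; "*" is rejected once credentials are allowed
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Content-Type", "Authorization"));
        cfg.setAllowCredentials(true);         // without this the browser will not send auth cookies cross-origin
        cfg.setMaxAge(3600L);                  // cache the preflight for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }
}

@Configuration
class SecurityConfig {

    private final CorsConfigurationSource corsConfigurationSource;

    // The bean now lives in CorsConfig, so it is injected instead of called as corsConfigurationSource().
    SecurityConfig(CorsConfigurationSource corsConfigurationSource) {
        this.corsConfigurationSource = corsConfigurationSource;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors(cors -> cors.configurationSource(corsConfigurationSource))
            .authorizeHttpRequests(auth -> auth
                // static resources and the login/OAuth endpoints stay public
                .requestMatchers("/", "/favicon.ico", "/css/**", "/js/**", "/images/**").permitAll()
                .requestMatchers("/oauth2/**", "/login/**", "/api/auth/**").permitAll()
                // hasRole("ADMIN") expects the authority "ROLE_ADMIN", which the JWT filter must
                // build from the role claim carried in the token
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Keep the origin list per environment (local, staging, production) in the corresponding properties file rather than widening it; an over-broad origin combined with allowCredentials(true) lets any listed site call the API with the user's cookies.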


Development

Successfully merging this pull request may close these issues.

[FEAT] Improve authentication flow and admin permission handling
