[BE] 기존 jwt 토큰 응답 방식을 쿠키로 변경하고 path 및 보안 설정 #131
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,9 @@ | ||
| package kr.momo.controller.auth; | ||
|
|
||
| import jakarta.servlet.http.Cookie; | ||
| import jakarta.servlet.http.HttpServletRequest; | ||
| import java.util.Arrays; | ||
| import java.util.Optional; | ||
| import kr.momo.service.auth.JwtManager; | ||
| import lombok.NonNull; | ||
| import lombok.RequiredArgsConstructor; | ||
|
|
@@ -16,8 +18,7 @@ | |
| @RequiredArgsConstructor | ||
| public class AuthArgumentResolver implements HandlerMethodArgumentResolver { | ||
|
|
||
| private static final String ACCESS_TOKEN = "ACCESS_TOKEN"; | ||
|
|
||
| private final JwtManager jwtManager; | ||
|
|
||
|
|
@@ -34,15 +35,21 @@ public Long resolveArgument( | |
| @NonNull NativeWebRequest webRequest, | ||
| WebDataBinderFactory binderFactory | ||
| ) { | ||
| HttpServletRequest request = (HttpServletRequest) webRequest.getNativeRequest(); | ||
| Cookie[] cookies = request.getCookies(); | ||
| String token = getCookieValue(cookies).orElse(""); | ||
|
|
||
| return jwtManager.extract(token); | ||
| } | ||
|
|
||
| private Optional<String> getCookieValue(Cookie[] cookies) { | ||
| if (cookies == null) { | ||
| return Optional.empty(); | ||
| } | ||
|
|
||
| return Arrays.stream(cookies) | ||
| .filter(cookie -> ACCESS_TOKEN.equals(cookie.getName())) | ||
| .map(Cookie::getValue) | ||
| .findFirst(); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,6 @@ | |
| import kr.momo.exception.MomoException; | ||
| import kr.momo.exception.code.MeetingErrorCode; | ||
| import kr.momo.service.attendee.dto.AttendeeLoginRequest; | ||
| import kr.momo.service.auth.JwtManager; | ||
| import lombok.RequiredArgsConstructor; | ||
| import org.springframework.stereotype.Service; | ||
|
|
@@ -25,7 +24,7 @@ public class AttendeeService { | |
| private final JwtManager jwtManager; | ||
|
|
||
| @Transactional | ||
| public String login(String uuid, AttendeeLoginRequest request) { | ||
| Meeting meeting = meetingRepository.findByUuid(uuid) | ||
| .orElseThrow(() -> new MomoException(MeetingErrorCode.INVALID_UUID)); | ||
|
|
||
|
|
@@ -37,14 +36,14 @@ public TokenResponse login(String uuid, AttendeeLoginRequest request) { | |
| .orElseGet(() -> signup(meeting, name, password)); | ||
| } | ||
|
|
||
| private String verifyPassword(Attendee attendee, AttendeePassword password) { | ||
| attendee.verifyPassword(password); | ||
| return jwtManager.generate(attendee.getId()); | ||
| } | ||
|
|
||
| private String signup(Meeting meeting, AttendeeName name, AttendeePassword password) { | ||
| Attendee attendee = new Attendee(meeting, name, password, Role.GUEST); | ||
| attendeeRepository.save(attendee); | ||
| return jwtManager.generate(attendee.getId()); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,17 @@ | ||
| package kr.momo.controller.attendee; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; | ||
|
|
||
| import io.restassured.RestAssured; | ||
| import io.restassured.http.ContentType; | ||
| import kr.momo.domain.attendee.Attendee; | ||
| import kr.momo.domain.attendee.AttendeeRepository; | ||
| import kr.momo.domain.meeting.Meeting; | ||
| import kr.momo.domain.meeting.MeetingRepository; | ||
| import kr.momo.fixture.AttendeeFixture; | ||
| import kr.momo.fixture.MeetingFixture; | ||
| import kr.momo.service.attendee.dto.AttendeeLoginRequest; | ||
| import kr.momo.service.auth.JwtManager; | ||
| import kr.momo.support.IsolateDatabase; | ||
| import org.junit.jupiter.api.BeforeEach; | ||
| import org.junit.jupiter.api.DisplayName; | ||
|
|
@@ -33,6 +35,9 @@ class AttendeeControllerTest { | |
| @Autowired | ||
| private MeetingRepository meetingRepository; | ||
|
|
||
| @Autowired | ||
| private JwtManager jwtManager; | ||
|
|
||
| @BeforeEach | ||
| void setUp() { | ||
| RestAssured.port = port; | ||
|
|
@@ -42,16 +47,18 @@ void setUp() { | |
| @Test | ||
| void login() { | ||
| Meeting meeting = meetingRepository.save(MeetingFixture.COFFEE.create()); | ||
| Attendee attendee = attendeeRepository.save(AttendeeFixture.HOST_JAZZ.create(meeting)); | ||
|
|
||
| AttendeeLoginRequest request = new AttendeeLoginRequest(attendee.name(), attendee.password()); | ||
|
|
||
| String token = RestAssured.given().log().all() | ||
| .contentType(ContentType.JSON) | ||
| .body(request) | ||
| .when().post("/api/v1/meetings/{uuid}/login", meeting.getUuid()) | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.OK.value()) | ||
| .extract().cookie("ACCESS_TOKEN"); | ||
|
|
||
| assertThat(jwtManager.extract(token)).isEqualTo(attendee.getId()); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -153,9 +153,9 @@ void lock() { | |
| String token = getToken(attendee, meeting); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
|
|
||
| .contentType(ContentType.JSON) | ||
| .pathParam("uuid", meeting.getUuid()) | ||
| .when().patch("/api/v1/meetings/{uuid}/lock") | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.OK.value()); | ||
|
|
@@ -170,9 +170,9 @@ void lockWithInvalidUUID() { | |
| String token = getToken(attendee, meeting); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .contentType(ContentType.JSON) | ||
| .pathParam("uuid", invalidUUID) | ||
| .when().patch("/api/v1/meetings/{uuid}/lock") | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.NOT_FOUND.value()); | ||
|
|
@@ -186,9 +186,9 @@ void lockWithNoPermission() { | |
| String token = getToken(attendee, meeting); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .contentType(ContentType.JSON) | ||
| .pathParam("uuid", meeting.getUuid()) | ||
| .when().patch("/api/v1/meetings/{uuid}/lock") | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.FORBIDDEN.value()); | ||
|
|
@@ -202,9 +202,9 @@ void unlock() { | |
| String token = getToken(attendee, meeting); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .contentType(ContentType.JSON) | ||
| .pathParam("uuid", meeting.getUuid()) | ||
| .when().patch("/api/v1/meetings/{uuid}/unlock") | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.OK.value()); | ||
|
|
@@ -219,9 +219,9 @@ void unlockWithInvalidUUID() { | |
| String token = getToken(attendee, meeting); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .contentType(ContentType.JSON) | ||
| .pathParam("uuid", invalidUUID) | ||
| .when().patch("/api/v1/meetings/{uuid}/unlock") | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.BAD_REQUEST.value()); | ||
|
|
@@ -235,9 +235,9 @@ void unlockWithNoPermission() { | |
| String token = getToken(attendee, meeting); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .contentType(ContentType.JSON) | ||
| .pathParam("uuid", meeting.getUuid()) | ||
| .when().patch("/api/v1/meetings/{uuid}/unlock") | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.FORBIDDEN.value()); | ||
|
|
@@ -252,6 +252,6 @@ private String getToken(Attendee attendee, Meeting meeting) { | |
| .when().post("/api/v1/meetings/{uuid}/login", meeting.getUuid()) | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.OK.value()) | ||
| .extract().cookie("ACCESS_TOKEN"); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -74,7 +74,7 @@ void create() { | |
| .when().post("/api/v1/meetings/{uuid}/login", meeting.getUuid()) | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.OK.value()) | ||
| .extract().cookie("ACCESS_TOKEN"); | ||
|
|
||
| List<LocalTime> times = List.of(Timeslot.TIME_0100.getLocalTime(), Timeslot.TIME_0130.getLocalTime()); | ||
| List<DateTimesCreateRequest> dateTimes = List.of( | ||
|
|
@@ -85,7 +85,7 @@ void create() { | |
| ScheduleCreateRequest scheduleCreateRequest = new ScheduleCreateRequest(attendee.name(), dateTimes); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .pathParam("uuid", meeting.getUuid()) | ||
| .contentType(ContentType.JSON) | ||
| .body(scheduleCreateRequest) | ||
|
|
@@ -130,10 +130,10 @@ void findMySchedule() { | |
| .when().post("/api/v1/meetings/{uuid}/login", meeting.getUuid()) | ||
| .then().log().all() | ||
| .statusCode(HttpStatus.OK.value()) | ||
| .extract().cookie("ACCESS_TOKEN"); | ||
|
|
||
| RestAssured.given().log().all() | ||
| .cookie("ACCESS_TOKEN", token) | ||
| .pathParam("uuid", meeting.getUuid()) | ||
| .contentType(ContentType.JSON) | ||
| .when().get("/api/v1/meetings/{uuid}/attendees/me/schedules") | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,6 +12,9 @@ | |
| import kr.momo.fixture.MeetingFixture; | ||
| import org.junit.jupiter.api.DisplayName; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.junit.jupiter.params.ParameterizedTest; | ||
| import org.junit.jupiter.params.provider.NullAndEmptySource; | ||
| import org.junit.jupiter.params.provider.ValueSource; | ||
|
|
||
| class JwtManagerTest { | ||
|
|
||
|
|
@@ -30,11 +33,11 @@ void generate() { | |
| assertThat(attendeeId).isEqualTo(attendee.getId()); | ||
| } | ||
|
|
||
| @DisplayName("토큰이 null이거나 올바르지 않을 경우 예외를 발생시킨다.") | ||
| @ParameterizedTest | ||
| @NullAndEmptySource | ||
| @ValueSource(strings = {"invalidToken"}) | ||
| void throwExceptionForInvalidToken(String token) { | ||
| assertThatThrownBy(() -> jwtManager.extract(token)) | ||
| .isInstanceOf(MomoException.class) | ||
| .hasMessage(AuthErrorCode.INVALID_TOKEN.message()); | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
궁금해서 SET-COOKIE 에 들어갈 key-value 이름 컨벤션도 찾아봤는데 역시나 이상없네요 👍