[FIX] SMS 인증 API 보안 개선

src/main/java/com/teambiund/bander/auth_server/auth/controller/PhoneNumberController.java

@@ -0,0 +1,55 @@
+package com.teambiund.bander.auth_server.auth.controller;
+
+import com.teambiund.bander.auth_server.auth.service.auth_service.AuthService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.Parameter;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.ExampleObject;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.responses.ApiResponses;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@Tag(name = "휴대폰 번호 확인", description = "휴대폰 번호 인증 여부 확인 API")
+@RestController
+@RequiredArgsConstructor
+@Slf4j
+@RequestMapping("/api/v1/phone-number")
+public class PhoneNumberController {
+
+  private final AuthService authService;
+
+  @Operation(
+      summary = "휴대폰 번호 등록 여부 확인",
+      description =
+          "사용자 ID로 휴대폰 번호가 등록되어 있는지 확인합니다. "
+              + "휴대폰 인증이 완료된 사용자는 true, 아직 인증하지 않은 사용자는 false를 반환합니다.")
+  @ApiResponses(
+      value = {
+        @ApiResponse(
+            responseCode = "200",
+            description = "조회 성공",
+            content =
+                @Content(
+                    mediaType = "application/json",
+                    schema = @Schema(implementation = Boolean.class),
+                    examples = {
+                      @ExampleObject(name = "인증 완료", value = "true"),
+                      @ExampleObject(name = "인증 미완료", value = "false")
+                    }))
+      })
+  @GetMapping("/{userId}")
+  public ResponseEntity<Boolean> hasPhoneNumber(
+      @Parameter(description = "확인할 사용자 ID", required = true, example = "12345")
+          @PathVariable(name = "userId")
+          String userId) {
+    return ResponseEntity.ok(authService.hasPhoneNumber(userId));
+  }
+}

src/main/java/com/teambiund/bander/auth_server/auth/controller/SmsConfirmController.java

@@ -1,14 +1,16 @@
 package com.teambiund.bander.auth_server.auth.controller;
 
+import com.teambiund.bander.auth_server.auth.dto.request.SmsCodeRequest;
+import com.teambiund.bander.auth_server.auth.dto.request.SmsVerifyRequest;
 import com.teambiund.bander.auth_server.auth.service.update.SmsConfirmService;
 import io.swagger.v3.oas.annotations.Operation;
-import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.ExampleObject;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 
@@ -26,18 +28,22 @@ public class SmsConfirmController {
         @ApiResponse(responseCode = "200", description = "인증 코드 발급 성공"),
         @ApiResponse(
             responseCode = "400",
-            description = "이미 발급된 인증 코드가 있음",
+            description = "이미 발급된 인증 코드가 있음 또는 잘못된 요청",
             content = @Content(mediaType = "application/json"))
       })
-  @PostMapping("/{userId}/{phoneNumber}")
-  public void generateCode(
-      @Parameter(description = "사용자 ID", required = true, example = "user-id-123")
-          @PathVariable(name = "userId")
-          String userId,
-      @Parameter(description = "전화번호", required = true, example = "01012345678")
-          @PathVariable(name = "phoneNumber")
-          String phoneNumber) {
-    smsConfirmService.generateCode(userId, phoneNumber);
+  @io.swagger.v3.oas.annotations.parameters.RequestBody(
+      description = "SMS 인증 코드 발급 요청",
+      required = true,
+      content =
+          @Content(
+              mediaType = "application/json",
+              schema = @Schema(implementation = SmsCodeRequest.class),
+              examples =
+                  @ExampleObject(
+                      value = "{\"userId\": \"user-id-123\", \"phoneNumber\": \"01012345678\"}")))
+  @PostMapping("/request")
+  public void generateCode(@Valid @RequestBody SmsCodeRequest request) {
+    smsConfirmService.generateCode(request.getUserId(), request.getPhoneNumber());
   }
 
   @Operation(
@@ -55,20 +61,24 @@ public void generateCode(
                     examples = @ExampleObject(value = "true"))),
         @ApiResponse(
             responseCode = "400",
-            description = "잘못된 인증 코드",
+            description = "잘못된 인증 코드 또는 잘못된 요청",
             content = @Content(mediaType = "application/json"))
       })
-  @GetMapping("/{userId}/{phoneNumber}")
-  public boolean confirmSms(
-      @Parameter(description = "인증 코드", required = true, example = "123456") @RequestParam
-          String code,
-      @Parameter(description = "사용자 ID", required = true, example = "user-id-123")
-          @PathVariable(name = "userId")
-          String userId,
-      @Parameter(description = "전화번호", required = true, example = "01012345678")
-          @PathVariable(name = "phoneNumber")
-          String phoneNumber) {
-    return smsConfirmService.confirmSms(userId, phoneNumber, code);
+  @io.swagger.v3.oas.annotations.parameters.RequestBody(
+      description = "SMS 인증 확인 요청",
+      required = true,
+      content =
+          @Content(
+              mediaType = "application/json",
+              schema = @Schema(implementation = SmsVerifyRequest.class),
+              examples =
+                  @ExampleObject(
+                      value =
+                          "{\"userId\": \"user-id-123\", \"phoneNumber\": \"01012345678\", \"code\": \"123456\"}")))
+  @PostMapping("/verify")
+  public boolean confirmSms(@Valid @RequestBody SmsVerifyRequest request) {
+    return smsConfirmService.confirmSms(
+        request.getUserId(), request.getPhoneNumber(), request.getCode());
   }
 
   @Operation(summary = "SMS 인증 코드 재발신", description = "SMS 인증 코드를 재발신합니다.")
@@ -81,16 +91,24 @@ public boolean confirmSms(
                 @Content(
                     mediaType = "application/json",
                     schema = @Schema(implementation = Boolean.class),
-                    examples = @ExampleObject(value = "true")))
+                    examples = @ExampleObject(value = "true"))),
+        @ApiResponse(
+            responseCode = "400",
+            description = "잘못된 요청",
+            content = @Content(mediaType = "application/json"))
       })
-  @PutMapping("/{userId}/{phoneNumber}")
-  public boolean resendSms(
-      @Parameter(description = "사용자 ID", required = true, example = "user-id-123")
-          @PathVariable(name = "userId")
-          String userId,
-      @Parameter(description = "전화번호", required = true, example = "01012345678")
-          @PathVariable(name = "phoneNumber")
-          String phoneNumber) {
-    return smsConfirmService.resendSms(userId, phoneNumber);
+  @io.swagger.v3.oas.annotations.parameters.RequestBody(
+      description = "SMS 인증 코드 재발신 요청",
+      required = true,
+      content =
+          @Content(
+              mediaType = "application/json",
+              schema = @Schema(implementation = SmsCodeRequest.class),
+              examples =
+                  @ExampleObject(
+                      value = "{\"userId\": \"user-id-123\", \"phoneNumber\": \"01012345678\"}")))
+  @PostMapping("/resend")
+  public boolean resendSms(@Valid @RequestBody SmsCodeRequest request) {
+    return smsConfirmService.resendSms(request.getUserId(), request.getPhoneNumber());
   }
-}
+}

src/main/java/com/teambiund/bander/auth_server/auth/dto/request/SmsCodeRequest.java

@@ -0,0 +1,15 @@
+package com.teambiund.bander.auth_server.auth.dto.request;
+
+import com.teambiund.bander.auth_server.auth.validation.PhoneNumber;
+import jakarta.validation.constraints.NotBlank;
+import lombok.Data;
+
+@Data
+public class SmsCodeRequest {
+  @NotBlank(message = "사용자 ID는 필수 입력 항목입니다")
+  private String userId;
+
+  @NotBlank(message = "전화번호는 필수 입력 항목입니다")
+  @PhoneNumber
+  private String phoneNumber;
+}

src/main/java/com/teambiund/bander/auth_server/auth/dto/request/SmsVerifyRequest.java

@@ -0,0 +1,20 @@
+package com.teambiund.bander.auth_server.auth.dto.request;
+
+import com.teambiund.bander.auth_server.auth.validation.PhoneNumber;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
+import lombok.Data;
+
+@Data
+public class SmsVerifyRequest {
+  @NotBlank(message = "사용자 ID는 필수 입력 항목입니다")
+  private String userId;
+
+  @NotBlank(message = "전화번호는 필수 입력 항목입니다")
+  @PhoneNumber
+  private String phoneNumber;
+
+  @NotBlank(message = "인증 코드는 필수 입력 항목입니다")
+  @Size(min = 6, max = 6, message = "인증 코드는 6자리여야 합니다")
+  private String code;
+}

src/main/java/com/teambiund/bander/auth_server/auth/service/auth_service/AuthService.java

@@ -23,4 +23,12 @@ public SimpleAuthResponse getAuth(String userId) throws CustomException {
         .map(SimpleAuthResponse::from)
         .orElseThrow(() -> new CustomException(AuthErrorCode.USER_NOT_FOUND));
   }
+
+  @Transactional(readOnly = true)
+  public boolean hasPhoneNumber(String userId) {
+    return authRepository
+        .findById(userId)
+        .map(auth -> auth.getPhoneNumber() != null && !auth.getPhoneNumber().isBlank())
+        .orElse(false);
+  }
 }