refactor: accessToken 재발급을 refreshToken 쿠키를 통해 하도록 (#452)

* feat: 리프레시 토큰 추출 구현

* test: 중복 사용되는 변수를 상수로 추출

* test: 리프레시 토큰 추출 테스트

* refactor: 쿠키의 리프레시 토큰으로 액세스 토큰 재발급하도록

* chore: 사용하지 않는 요청 Dto 제거

* refactor: auth 토큰에 SiteUser가 사용됨을 명시, 중복코드 제거

- AS-IS: long으로 SiteUser를 조회, SiteUser를 Subject로 만들어 authTokenProvider의 함수에 넘겨줬다.
- TO-BS: authToken에는 어차피 '의미상' SiteUser라는 개념이 사용될 수 밖에 없다. 따라서 관련 로직을 함수 내부로 옮긴다. 이로 인해서 중복 코드를 줄일수도 있다.

* test: 테스트 코드에 반영

* refactor: 리프레시 토큰 값이 비어있는 경우도 예외 처리

* test: 비어있는 리프레시 토큰 테스트 케이스 추가

* style: style 적용 안된 채로 rebase한 것들 reformat

Author: nayonsoso

src/main/java/com/example/solidconnection/auth/controller/AuthController.java

@@ -3,7 +3,6 @@
 import com.example.solidconnection.auth.dto.EmailSignInRequest;
 import com.example.solidconnection.auth.dto.EmailSignUpTokenRequest;
 import com.example.solidconnection.auth.dto.EmailSignUpTokenResponse;
-import com.example.solidconnection.auth.dto.ReissueRequest;
 import com.example.solidconnection.auth.dto.ReissueResponse;
 import com.example.solidconnection.auth.dto.SignInResponse;
 import com.example.solidconnection.auth.dto.SignUpRequest;
@@ -19,6 +18,7 @@
 import com.example.solidconnection.common.exception.ErrorCode;
 import com.example.solidconnection.common.resolver.AuthorizedUser;
 import com.example.solidconnection.siteuser.domain.AuthType;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
@@ -118,10 +118,10 @@ public ResponseEntity<Void> quit(
 
     @PostMapping("/reissue")
     public ResponseEntity<ReissueResponse> reissueToken(
-            @AuthorizedUser long siteUserId,
-            @Valid @RequestBody ReissueRequest reissueRequest
+            HttpServletRequest request
     ) {
-        ReissueResponse reissueResponse = authService.reissue(siteUserId, reissueRequest);
+        String refreshToken = refreshTokenCookieManager.getRefreshToken(request);
+        ReissueResponse reissueResponse = authService.reissue(refreshToken);
         return ResponseEntity.ok(reissueResponse);
     }
 

src/main/java/com/example/solidconnection/auth/controller/RefreshTokenCookieManager.java

@@ -1,8 +1,14 @@
 package com.example.solidconnection.auth.controller;
 
+import static com.example.solidconnection.common.exception.ErrorCode.REFRESH_TOKEN_NOT_EXISTS;
+
 import com.example.solidconnection.auth.controller.config.RefreshTokenCookieProperties;
 import com.example.solidconnection.auth.domain.TokenType;
+import com.example.solidconnection.common.exception.CustomException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.util.Arrays;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseCookie;
@@ -44,4 +50,26 @@ private void setRefreshTokenCookie(
                 .build();
         response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
     }
+
+    public String getRefreshToken(HttpServletRequest request) {
+        // 쿠키가 없거나 비어있는 경우 예외 발생
+        Cookie[] cookies = request.getCookies();
+        if (cookies == null || cookies.length == 0) {
+            throw new CustomException(REFRESH_TOKEN_NOT_EXISTS);
+        }
+
+        // refreshToken 쿠키가 없는 경우 예외 발생
+        Cookie refreshTokenCookie = Arrays.stream(cookies)
+                .filter(cookie -> COOKIE_NAME.equals(cookie.getName()))
+                .findFirst()
+                .orElseThrow(() -> new CustomException(REFRESH_TOKEN_NOT_EXISTS));
+
+        // 쿠키 값이 비어있는 경우 예외 발생
+        String refreshToken = refreshTokenCookie.getValue();
+        if (refreshToken == null || refreshToken.isBlank()) {
+            throw new CustomException(REFRESH_TOKEN_NOT_EXISTS);
+        }
+        return refreshToken;
+    }
 }
+

src/main/java/com/example/solidconnection/auth/dto/ReissueRequest.java

@@ -3,7 +3,6 @@
 import static com.example.solidconnection.common.exception.ErrorCode.REFRESH_TOKEN_EXPIRED;
 import static com.example.solidconnection.common.exception.ErrorCode.USER_NOT_FOUND;
 
-import com.example.solidconnection.auth.dto.ReissueRequest;
 import com.example.solidconnection.auth.dto.ReissueResponse;
 import com.example.solidconnection.auth.token.TokenBlackListService;
 import com.example.solidconnection.common.exception.CustomException;
@@ -28,12 +27,8 @@ public class AuthService {
      * - 리프레시 토큰을 삭제한다.
      * */
     public void signOut(String token) {
-        Subject subject = authTokenProvider.parseSubject(token);
-        long siteUserId = Long.parseLong(subject.value());
-        SiteUser siteUser = siteUserRepository.findById(siteUserId)
-                .orElseThrow(() -> new CustomException(USER_NOT_FOUND));
-
-        AccessToken accessToken = authTokenProvider.generateAccessToken(subject, siteUser.getRole());
+        SiteUser siteUser = authTokenProvider.parseSiteUser(token);
+        AccessToken accessToken = authTokenProvider.generateAccessToken(siteUser);
         authTokenProvider.deleteRefreshTokenByAccessToken(accessToken);
         tokenBlackListService.addToBlacklist(accessToken);
     }
@@ -58,17 +53,14 @@ public void quit(long siteUserId, String token) {
      * - 유효한 리프레시토큰이면, 액세스 토큰을 재발급한다.
      * - 그렇지 않으면 예외를 발생시킨다.
      * */
-    public ReissueResponse reissue(long siteUserId, ReissueRequest reissueRequest) {
+    public ReissueResponse reissue(String requestedRefreshToken) {
         // 리프레시 토큰 확인
-        String requestedRefreshToken = reissueRequest.refreshToken();
         if (!authTokenProvider.isValidRefreshToken(requestedRefreshToken)) {
             throw new CustomException(REFRESH_TOKEN_EXPIRED);
         }
         // 액세스 토큰 재발급
-        SiteUser siteUser = siteUserRepository.findById(siteUserId)
-                .orElseThrow(() -> new CustomException(USER_NOT_FOUND));
-        Subject subject = authTokenProvider.parseSubject(requestedRefreshToken);
-        AccessToken newAccessToken = authTokenProvider.generateAccessToken(subject, siteUser.getRole());
+        SiteUser siteUser = authTokenProvider.parseSiteUser(requestedRefreshToken);
+        AccessToken newAccessToken = authTokenProvider.generateAccessToken(siteUser);
         return ReissueResponse.from(newAccessToken);
     }
 }

src/main/java/com/example/solidconnection/auth/service/AuthService.java

@@ -1,8 +1,12 @@
 package com.example.solidconnection.auth.service;
 
+import static com.example.solidconnection.common.exception.ErrorCode.USER_NOT_FOUND;
+
 import com.example.solidconnection.auth.domain.TokenType;
+import com.example.solidconnection.common.exception.CustomException;
 import com.example.solidconnection.siteuser.domain.Role;
 import com.example.solidconnection.siteuser.domain.SiteUser;
+import com.example.solidconnection.siteuser.repository.SiteUserRepository;
 import java.util.Map;
 import java.util.Objects;
 import lombok.RequiredArgsConstructor;
@@ -17,15 +21,21 @@ public class AuthTokenProvider {
 
     private final RedisTemplate<String, String> redisTemplate;
     private final TokenProvider tokenProvider;
+    private final SiteUserRepository siteUserRepository;
 
-    public AccessToken generateAccessToken(Subject subject, Role role) {
+    public AccessToken generateAccessToken(SiteUser siteUser) {
+        Subject subject = toSubject(siteUser);
+        Role role = siteUser.getRole();
         String token = tokenProvider.generateToken(
-                subject.value(), Map.of(ROLE_CLAIM_KEY, role.name()), TokenType.ACCESS
+                subject.value(),
+                Map.of(ROLE_CLAIM_KEY, role.name()),
+                TokenType.ACCESS
         );
         return new AccessToken(subject, role, token);
     }
 
-    public RefreshToken generateAndSaveRefreshToken(Subject subject) {
+    public RefreshToken generateAndSaveRefreshToken(SiteUser siteUser) {
+        Subject subject = toSubject(siteUser);
         String token = tokenProvider.generateToken(subject.value(), TokenType.REFRESH);
         tokenProvider.saveToken(token, TokenType.REFRESH);
         return new RefreshToken(subject, token);
@@ -49,9 +59,11 @@ public void deleteRefreshTokenByAccessToken(AccessToken accessToken) {
         redisTemplate.delete(refreshTokenKey);
     }
 
-    public Subject parseSubject(String token) {
+    public SiteUser parseSiteUser(String token) {
         String subject = tokenProvider.parseSubject(token);
-        return new Subject(subject);
+        long siteUserId = Long.parseLong(subject);
+        return siteUserRepository.findById(siteUserId)
+                .orElseThrow(() -> new CustomException(USER_NOT_FOUND));
     }
 
     public Subject toSubject(SiteUser siteUser) {

src/main/java/com/example/solidconnection/auth/service/AuthTokenProvider.java

@@ -15,9 +15,8 @@ public class SignInService {
     @Transactional
     public SignInResponse signIn(SiteUser siteUser) {
         resetQuitedAt(siteUser);
-        Subject subject = authTokenProvider.toSubject(siteUser);
-        AccessToken accessToken = authTokenProvider.generateAccessToken(subject, siteUser.getRole());
-        RefreshToken refreshToken = authTokenProvider.generateAndSaveRefreshToken(subject);
+        AccessToken accessToken = authTokenProvider.generateAccessToken(siteUser);
+        RefreshToken refreshToken = authTokenProvider.generateAndSaveRefreshToken(siteUser);
         return SignInResponse.of(accessToken, refreshToken);
     }
 

src/main/java/com/example/solidconnection/auth/service/SignInService.java

@@ -56,6 +56,7 @@ public enum ErrorCode {
     ACCESS_TOKEN_EXPIRED(HttpStatus.UNAUTHORIZED.value(), "액세스 토큰이 만료되었습니다. 재발급 api를 호출해주세요."),
     REFRESH_TOKEN_EXPIRED(HttpStatus.UNAUTHORIZED.value(), "리프레시 토큰이 만료되었습니다. 다시 로그인을 진행해주세요."),
     ACCESS_DENIED(HttpStatus.FORBIDDEN.value(), "접근 권한이 없습니다."),
+    REFRESH_TOKEN_NOT_EXISTS(HttpStatus.BAD_REQUEST.value(), "리프레시 토큰이 존재하지 않습니다."),
     PASSWORD_MISMATCH(HttpStatus.BAD_REQUEST.value(), "비밀번호가 일치하지 않습니다."),
     PASSWORD_NOT_CHANGED(HttpStatus.BAD_REQUEST.value(), "현재 비밀번호와 새 비밀번호가 동일합니다."),
     PASSWORD_NOT_CONFIRMED(HttpStatus.BAD_REQUEST.value(), "새 비밀번호가 일치하지 않습니다."),

src/main/java/com/example/solidconnection/common/exception/ErrorCode.java

@@ -1,23 +1,33 @@
 package com.example.solidconnection.auth.controller;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.junit.jupiter.api.Assertions.assertAll;
 import static org.mockito.BDDMockito.given;
 
 import com.example.solidconnection.auth.controller.config.RefreshTokenCookieProperties;
 import com.example.solidconnection.auth.domain.TokenType;
+import com.example.solidconnection.common.exception.CustomException;
+import com.example.solidconnection.common.exception.ErrorCode;
 import com.example.solidconnection.support.TestContainerSpringBootTest;
+import jakarta.servlet.http.Cookie;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 
 @DisplayName("리프레시 토큰 쿠키 매니저 테스트")
 @TestContainerSpringBootTest
 class RefreshTokenCookieManagerTest {
 
+    private static final String REFRESH_TOKEN_COOKIE_NAME = "refreshToken";
+
     @Autowired
     private RefreshTokenCookieManager cookieManager;
 
@@ -46,7 +56,7 @@ void setUp() {
         String header = response.getHeader("Set-Cookie");
         assertAll(
                 () -> assertThat(header).isNotNull(),
-                () -> assertThat(header).contains("refreshToken=" + refreshToken),
+                () -> assertThat(header).contains(REFRESH_TOKEN_COOKIE_NAME + "=" + refreshToken),
                 () -> assertThat(header).contains("HttpOnly"),
                 () -> assertThat(header).contains("Secure"),
                 () -> assertThat(header).contains("Path=/"),
@@ -68,14 +78,67 @@ void setUp() {
         String header = response.getHeader("Set-Cookie");
         assertAll(
                 () -> assertThat(header).isNotNull(),
-                () -> assertThat(header).contains("refreshToken="),
+                () -> assertThat(header).contains(REFRESH_TOKEN_COOKIE_NAME + "="),
                 () -> assertThat(header).contains("HttpOnly"),
                 () -> assertThat(header).contains("Secure"),
                 () -> assertThat(header).contains("Path=/"),
                 () -> assertThat(header).contains("Max-Age=0"),
-                () -> assertThat(header).contains("SameSite=Strict"),
                 () -> assertThat(header).contains("Domain=" + domain),
                 () -> assertThat(header).contains("SameSite=" + sameSite)
         );
     }
+
+    @Nested
+    class 쿠키에서_리프레시_토큰을_추출한다 {
+
+        @Test
+        void 리프레시_토큰이_있으면_정상_반환한다() {
+            // given
+            MockHttpServletRequest request = new MockHttpServletRequest();
+            String refreshToken = "test-refresh-token";
+            request.setCookies(new Cookie(REFRESH_TOKEN_COOKIE_NAME, refreshToken));
+
+            // when
+            String retrievedToken = cookieManager.getRefreshToken(request);
+
+            // then
+            assertThat(retrievedToken).isEqualTo(refreshToken);
+        }
+
+        @Test
+        void 쿠키가_없으면_예외가_발생한다() {
+            // given
+            MockHttpServletRequest request = new MockHttpServletRequest();
+
+            // when & then
+            assertThatCode(() -> cookieManager.getRefreshToken(request))
+                    .isInstanceOf(CustomException.class)
+                    .hasMessageContaining(ErrorCode.REFRESH_TOKEN_NOT_EXISTS.getMessage());
+        }
+
+        @Test
+        void 리프레시_토큰_쿠키가_없으면_예외가_발생한다() {
+            // given
+            MockHttpServletRequest request = new MockHttpServletRequest();
+            request.setCookies(new Cookie("otherCookie", "some-value"));
+
+            // when & then
+            assertThatCode(() -> cookieManager.getRefreshToken(request))
+                    .isInstanceOf(CustomException.class)
+                    .hasMessageContaining(ErrorCode.REFRESH_TOKEN_NOT_EXISTS.getMessage());
+        }
+
+        @ParameterizedTest
+        @ValueSource(strings = {"", " "})
+        void 리프레시_토큰_쿠키가_비어있으면_예외가_발생한다(String token) {
+            // given
+            MockHttpServletRequest request = new MockHttpServletRequest();
+            request.setCookies(new Cookie(REFRESH_TOKEN_COOKIE_NAME, token));
+
+            // when & then
+            assertThatCode(() -> cookieManager.getRefreshToken(request))
+                    .isInstanceOf(CustomException.class)
+                    .hasMessageContaining(ErrorCode.REFRESH_TOKEN_NOT_EXISTS.getMessage());
+        }
+    }
 }

src/test/java/com/example/solidconnection/auth/controller/RefreshTokenCookieManagerTest.java

@@ -6,7 +6,6 @@
 import static org.junit.jupiter.api.Assertions.assertAll;
 
 import com.example.solidconnection.auth.domain.TokenType;
-import com.example.solidconnection.auth.dto.ReissueRequest;
 import com.example.solidconnection.auth.dto.ReissueResponse;
 import com.example.solidconnection.auth.token.TokenBlackListService;
 import com.example.solidconnection.common.exception.CustomException;
@@ -45,14 +44,12 @@ class AuthServiceTest {
     private SiteUserRepository siteUserRepository;
 
     private SiteUser siteUser;
-    private Subject subject;
     private AccessToken accessToken;
 
     @BeforeEach
     void setUp() {
         siteUser = siteUserFixture.사용자();
-        subject = authTokenProvider.toSubject(siteUser);
-        accessToken = authTokenProvider.generateAccessToken(subject, siteUser.getRole());
+        accessToken = authTokenProvider.generateAccessToken(siteUser);
     }
 
     @Test
@@ -61,7 +58,7 @@ void setUp() {
         authService.signOut(accessToken.token());
 
         // then
-        String refreshTokenKey = TokenType.REFRESH.addPrefix(subject.value());
+        String refreshTokenKey = TokenType.REFRESH.addPrefix(accessToken.subject().value());
         assertAll(
                 () -> assertThat(redisTemplate.opsForValue().get(refreshTokenKey)).isNull(),
                 () -> assertThat(tokenBlackListService.isTokenBlacklisted(accessToken.token())).isTrue()
@@ -75,7 +72,7 @@ void setUp() {
 
         // then
         LocalDate tomorrow = LocalDate.now().plusDays(1);
-        String refreshTokenKey = TokenType.REFRESH.addPrefix(subject.value());
+        String refreshTokenKey = TokenType.REFRESH.addPrefix(accessToken.subject().value());
         SiteUser actualSitUser = siteUserRepository.findById(siteUser.getId()).orElseThrow();
         assertAll(
                 () -> assertThat(actualSitUser.getQuitedAt()).isEqualTo(tomorrow),
@@ -90,26 +87,24 @@ class 토큰을_재발급한다 {
         @Test
         void 요청의_리프레시_토큰이_저장되어_있으면_액세스_토큰을_재발급한다() {
             // given
-            RefreshToken refreshToken = authTokenProvider.generateAndSaveRefreshToken(new Subject("subject"));
-            ReissueRequest reissueRequest = new ReissueRequest(refreshToken.token());
+            RefreshToken refreshToken = authTokenProvider.generateAndSaveRefreshToken(siteUser);
 
             // when
-            ReissueResponse reissuedAccessToken = authService.reissue(siteUser.getId(), reissueRequest);
+            ReissueResponse reissuedAccessToken = authService.reissue(refreshToken.token());
 
-            // then - 요청의 리프레시 토큰과 재발급한 액세스 토큰의 subject 가 동일해야 한다.
-            Subject expectedSubject = authTokenProvider.parseSubject(refreshToken.token());
-            Subject actualSubject = authTokenProvider.parseSubject(reissuedAccessToken.accessToken());
-            assertThat(actualSubject).isEqualTo(expectedSubject);
+            // then - 요청의 리프레시 토큰과 재발급한 액세스 토큰의 주체가 동일해야 한다.
+            SiteUser actualSiteUser = authTokenProvider.parseSiteUser(refreshToken.token());
+            SiteUser expectedSiteUser = authTokenProvider.parseSiteUser(reissuedAccessToken.accessToken());
+            assertThat(actualSiteUser.getId()).isEqualTo(expectedSiteUser.getId());
         }
 
         @Test
         void 요청의_리프레시_토큰이_저장되어있지_않다면_예외가_발생한다() {
             // given
             String invalidRefreshToken = accessToken.token();
-            ReissueRequest reissueRequest = new ReissueRequest(invalidRefreshToken);
 
             // when, then
-            assertThatCode(() -> authService.reissue(siteUser.getId(), reissueRequest))
+            assertThatCode(() -> authService.reissue(invalidRefreshToken))
                     .isInstanceOf(CustomException.class)
                     .hasMessage(REFRESH_TOKEN_EXPIRED.getMessage());
         }