[feat] 6주차 과제

practice/build.gradle

@@ -22,14 +22,34 @@ repositories {
 }
 
 dependencies {
+	//Web
 	implementation 'org.springframework.boot:spring-boot-starter-web'
+
+	//Lombok
 	compileOnly 'org.projectlombok:lombok'
 	annotationProcessor 'org.projectlombok:lombok'
+
+	//Test
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'io.rest-assured:rest-assured'
+
+	//Database
 	implementation 'org.postgresql:postgresql'
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+
+	//Validation
 	implementation 'org.springframework.boot:spring-boot-starter-validation'
-	testImplementation 'io.rest-assured:rest-assured'
+
+	//Jwt
+	implementation group: 'io.jsonwebtoken', name: 'jjwt-api', version: '0.11.5'
+	implementation group: 'io.jsonwebtoken', name: 'jjwt-impl', version: '0.11.5'
+	implementation group: 'io.jsonwebtoken', name: 'jjwt-jackson', version: '0.11.5'
+
+	//Security
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+
+	//Redis
+	implementation 'org.springframework.boot:spring-boot-starter-data-redis'
 }
 
 tasks.named('test') {

practice/src/main/java/org/sopt/practice/auth/PrincipalHandler.java

@@ -0,0 +1,26 @@
+package org.sopt.practice.auth;
+
+import org.sopt.practice.common.dto.ErrorMessage;
+import org.sopt.practice.exception.UnauthorizedException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class PrincipalHandler {
+
+    private static final String ANONYMOUS_USER = "anonymousUser";
+
+    public Long getUserIdFromPrincipal() {
+        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        isPrincipalNull(principal);
+        return Long.valueOf(principal.toString());
+    }
+
+    public void isPrincipalNull(
+            final Object principal
+    ) {
+        if (principal.toString().equals(ANONYMOUS_USER)) {
+            throw new UnauthorizedException(ErrorMessage.JWT_UNAUTHORIZED);
+        }
+    }
+}

practice/src/main/java/org/sopt/practice/auth/UserAuthentication.java

@@ -0,0 +1,17 @@
+package org.sopt.practice.auth;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+
+public class UserAuthentication extends UsernamePasswordAuthenticationToken {
+
+    public UserAuthentication(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
+        super(principal, credentials, authorities);
+    }
+
+    public static UserAuthentication createUserAuthentication(Long userId) {
+        return new UserAuthentication(userId, null, null);
+    }
+}

practice/src/main/java/org/sopt/practice/auth/config/SecurityConfig.java

@@ -0,0 +1,48 @@
+package org.sopt.practice.auth.config;
+
+import lombok.RequiredArgsConstructor;
+import org.sopt.practice.auth.filter.JwtAuthenticationFilter;
+import org.sopt.practice.auth.handler.CustomAccessDeniedHandler;
+import org.sopt.practice.auth.handler.CustomJwtAuthenticationEntryPoint;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
+
+@Configuration
+@RequiredArgsConstructor
+@EnableWebSecurity //web Security를 사용할 수 있게
+public class SecurityConfig {
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
+    private final CustomJwtAuthenticationEntryPoint customJwtAuthenticationEntryPoint;
+    private final CustomAccessDeniedHandler customAccessDeniedHandler;
+
+
+    private static final String[] AUTH_WHITE_LIST = {"/api/v1/login", "/api/v1/reissue"};
+
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http.csrf(AbstractHttpConfigurer::disable)
+                .formLogin(AbstractHttpConfigurer::disable)
+                .requestCache(RequestCacheConfigurer::disable)
+                .httpBasic(AbstractHttpConfigurer::disable)
+                .exceptionHandling(exception ->
+                {
+                    exception.authenticationEntryPoint(customJwtAuthenticationEntryPoint);
+                    exception.accessDeniedHandler(customAccessDeniedHandler);
+                });
+
+
+        http.authorizeHttpRequests(auth -> {
+                    auth.requestMatchers(AUTH_WHITE_LIST).permitAll();
+                    auth.anyRequest().authenticated();
+                })
+                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+}

practice/src/main/java/org/sopt/practice/auth/filter/JwtAuthenticationFilter.java

@@ -0,0 +1,59 @@
+package org.sopt.practice.auth.filter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.sopt.practice.auth.UserAuthentication;
+import org.sopt.practice.service.jwt.JwtTokenProvider;
+import org.sopt.practice.exception.BusinessException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+import static org.sopt.practice.service.jwt.JwtValidationType.VALID_ACCESS;
+
+@Component
+@RequiredArgsConstructor
+@Slf4j
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+
+    private final JwtTokenProvider jwtTokenProvider;
+
+    @Override
+    protected void doFilterInternal(@NonNull HttpServletRequest request,
+                                    @NonNull HttpServletResponse response,
+                                    @NonNull FilterChain filterChain) throws ServletException, IOException {
+
+
+        final String token = getJwtFromRequest(request);
+
+        try {
+            if (jwtTokenProvider.validateToken(token) == VALID_ACCESS) {//유효하다면 authentication 등록
+                Long memberId = jwtTokenProvider.getUserFromJwt(token);
+                UserAuthentication authentication = UserAuthentication.createUserAuthentication(memberId);
+                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+                SecurityContextHolder.getContext().setAuthentication(authentication);
+            }
+        } catch (BusinessException e) {
+            request.setAttribute("errorMessage", e.getErrorMessage());
+        }
+
+        filterChain.doFilter(request, response);
+    }
+
+    private String getJwtFromRequest(HttpServletRequest request) {
+        String bearerToken = request.getHeader("Authorization");
+        if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
+            return bearerToken.substring("Bearer ".length());
+        }
+        return null;
+    }
+}

practice/src/main/java/org/sopt/practice/auth/handler/CustomAccessDeniedHandler.java

@@ -0,0 +1,23 @@
+package org.sopt.practice.auth.handler;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        setResponse(response);
+    }
+
+    private void setResponse(HttpServletResponse response) {
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+    }
+}
+

practice/src/main/java/org/sopt/practice/auth/handler/CustomJwtAuthenticationEntryPoint.java

@@ -0,0 +1,37 @@
+package org.sopt.practice.auth.handler;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.sopt.practice.common.dto.ErrorMessage;
+import org.sopt.practice.common.dto.ErrorResponse;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component
+@RequiredArgsConstructor
+@Slf4j
+public class CustomJwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+    private final ObjectMapper objectMapper;
+
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
+        log.error("Unauthorized error: {}", authException.getMessage());
+        ErrorMessage errorMessage = (ErrorMessage) request.getAttribute("errorMessage");
+        setResponse(response, errorMessage);
+    }
+
+    private void setResponse(HttpServletResponse response, ErrorMessage errorMessage) throws IOException {
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        response.setStatus(errorMessage.getStatus());
+
+        response.getWriter().write(objectMapper.writeValueAsString(ErrorResponse.of(errorMessage)));
+    }
+}

practice/src/main/java/org/sopt/practice/auth/redis/RefreshTokenService.java

@@ -0,0 +1,35 @@
+package org.sopt.practice.auth.redis;
+
+import lombok.RequiredArgsConstructor;
+import org.sopt.practice.auth.redis.domain.Token;
+import org.sopt.practice.auth.redis.repository.TokenRepository;
+import org.sopt.practice.common.dto.ErrorMessage;
+import org.sopt.practice.exception.NotFoundException;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+@RequiredArgsConstructor
+public class RefreshTokenService {
+
+    private final RedisTemplate<String, Object> redisTemplate;
+    private final TokenRepository tokenRepository;
+
+    @Transactional
+    public void saveRefreshToken(final Long userId, final String refreshToken) {
+        tokenRepository.save(Token.of(userId, refreshToken));
+    }
+
+    public Long findUserIdByRefreshToken(final String refreshToken) {
+        Token token = tokenRepository.findByRefreshToken(refreshToken)
+                .orElseThrow(() -> new NotFoundException(ErrorMessage.REFRESHTOKEN_NOT_FOUND));
+        return token.getId();
+    }
+
+    @Transactional
+    public void deleteRefreshToken(final Long userId) {
+        Token token = tokenRepository.findById(userId).orElseThrow(() -> new NotFoundException(ErrorMessage.REFRESHTOKEN_NOT_FOUND));
+        tokenRepository.delete(token);
+    }
+}

practice/src/main/java/org/sopt/practice/auth/redis/config/RedisConfig.java

@@ -0,0 +1,32 @@
+package org.sopt.practice.auth.redis.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.serializer.StringRedisSerializer;
+
+@Configuration
+public class RedisConfig {
+
+    @Value("${spring.data.redis.host}")
+    private String host;
+
+    @Value("${spring.data.redis.port}")
+    private int port;
+
+    @Bean
+    public RedisConnectionFactory redisConnectionFactory() {
+        return new LettuceConnectionFactory(host, port);
+    }
+    @Bean
+    public RedisTemplate<String, Object> redisTemplate() {
+        RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
+        redisTemplate.setConnectionFactory(redisConnectionFactory());
+        redisTemplate.setKeySerializer(new StringRedisSerializer());
+        redisTemplate.setValueSerializer(new StringRedisSerializer());
+        return redisTemplate;
+    }
+}

practice/src/main/java/org/sopt/practice/auth/redis/domain/Token.java

@@ -0,0 +1,28 @@
+package org.sopt.practice.auth.redis.domain;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import org.springframework.data.annotation.Id;
+import org.springframework.data.redis.core.RedisHash;
+import org.springframework.data.redis.core.index.Indexed;
+
+@RedisHash(value = "", timeToLive = 24 * 60 * 60 * 1000L * 1)//value = key에 붙을 prefix
+@AllArgsConstructor
+@Getter
+@Builder
+public class Token {
+
+    @Id//키는 prefix:id로 저장됨
+    private Long id;
+
+    @Indexed//해당 어노테이션 사용시 이 값으로 객ㄱ체 값을 찾을 수 있음
+    private String refreshToken;
+
+    public static Token of(final Long id, final String refreshToken) {
+        return Token.builder()
+                .id(id)
+                .refreshToken(refreshToken)
+                .build();
+    }
+}

practice/src/main/java/org/sopt/practice/auth/redis/repository/TokenRepository.java

@@ -0,0 +1,12 @@
+package org.sopt.practice.auth.redis.repository;
+
+import org.sopt.practice.auth.redis.domain.Token;
+import org.springframework.data.repository.CrudRepository;
+
+import java.util.Optional;
+
+public interface TokenRepository extends CrudRepository<Token, Long> {
+    Optional<Token> findByRefreshToken(final String refreshToken);
+    Optional<Token> findById(final Long id);
+
+}

practice/src/main/java/org/sopt/practice/common/dto/GlobalExceptionHandler.java → practice/src/main/java/org/sopt/practice/common/GlobalExceptionHandler.java

@@ -1,7 +1,10 @@
-package org.sopt.practice.common.dto;
+package org.sopt.practice.common;
 
+import lombok.extern.slf4j.Slf4j;
+import org.sopt.practice.common.dto.ErrorResponse;
 import org.sopt.practice.exception.ForbiddenException;
 import org.sopt.practice.exception.NotFoundException;
+import org.sopt.practice.exception.UnauthorizedException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.MethodArgumentNotValidException;
@@ -13,6 +16,11 @@
 @RestControllerAdvice
 public class GlobalExceptionHandler {
 
+    @ExceptionHandler(UnauthorizedException.class)
+    public ResponseEntity<ErrorResponse> handleUnauthorizedException(final UnauthorizedException e) {
+        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(ErrorResponse.of(e.getErrorMessage()));
+    }
+
     @ExceptionHandler(MethodArgumentNotValidException.class)
     public ResponseEntity<ErrorResponse> handleMethodArgumentNotValidException(final MethodArgumentNotValidException e) {
         return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(ErrorResponse.of(HttpStatus.BAD_REQUEST.value(), Objects.requireNonNull(e.getBindingResult().getFieldError().getDefaultMessage())));