Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] 로그아웃, 토큰 재발급 #14

Merged
merged 4 commits into from
Sep 26, 2024
Merged

[Feature] 로그아웃, 토큰 재발급 #14

merged 4 commits into from
Sep 26, 2024

Conversation

heejjinkim
Copy link
Collaborator

✏️ Description

  • 로그아웃:
    • security 로그아웃
    • 리프레시 토큰 삭제
  • 토큰 재발급:
    • refresh token 유효성 확인
    • access token 만료 여부 확인
    • access, refresh token 모두 재발급

🙏🏻 To Reviewers

  • Messages to the Reviewers

💡 Issue Number

@heejjinkim
feature: 로그아웃 구현
74afe97 
security 기본 로그아웃 사용
저장된 refresh token 삭제하는 핸들러 추가

related to: #11
@heejjinkim
feature: 토큰 재발급 구현
b96fba0 
related to: #11
@minje0204 minje0204 changed the base branch from develop to ci-cd September 24, 2024 12:42
@minje0204 minje0204 changed the base branch from ci-cd to develop September 24, 2024 12:42
minje0204
minje0204 approved these changes Sep 24, 2024
View reviewed changes
Copy link
Collaborator

@minje0204 minje0204 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

수고하셨습니다~!

src/main/java/com/_119/wepro/member/service/ReissueService.java Outdated
refreshToken = extractToken(refreshToken);
accessToken = extractToken(accessToken);

validateAccessTokenExpired(accessToken);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AccessToken 유효성검사를 하는 메서드로 보이는데 맞을까요?

아니면 Access token이 진짜 만료되었는지 체크하는껄까요?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Access Token이 진짜 만료되었는지 체크하는 메서드입니다. Refresh Token을 얻은 공격자가 재발급을 통해 Access Token을 탈취하는 것을 방지하고자 넣은 로직입니다.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

이해했습니다 그렇게 악용될 수 도 있겠네요!

src/main/java/com/_119/wepro/member/service/ReissueService.java Outdated

public void reissue(String refreshToken, String accessToken, HttpServletResponse response) {
refreshToken = extractToken(refreshToken);
accessToken = extractToken(accessToken);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

매개변수에 재할당보다는 새롭게 변수를 만들어주는게 좋을 것 같아요!

src/main/java/com/_119/wepro/member/service/ReissueService.java Outdated
validateAccessTokenExpired(accessToken);
String providerId = jwtTokenProvider.parseExpiredToken(accessToken).getSubject();

validateRefreshToken(refreshToken, providerId);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[OPTIONAL]
Token이라는 도메인 class를 만든다면 validate 하는 부분을 도메인 class에 넣어서 캡슐화시킬 수도 있을 것 같네요

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

원래 토큰 담당자가 JwtTokenProvider인데, 여기에다가 validate 하도록 수정할까요?

@minje0204
Copy link
Collaborator

충돌나는 부분 수정해두었습니답

@heejjinkim heejjinkim merged commit 14fef5e into develop Sep 26, 2024
@heejjinkim heejjinkim self-assigned this Oct 11, 2024
@heejjinkim heejjinkim added the ✨ feature New feature or request label Oct 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@minje0204 minje0204 minje0204 approved these changes

Assignees

@heejjinkim heejjinkim

Labels
✨ feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@heejjinkim @minje0204