#37 - Feat: JWT AccessToken 화이트 리스트 방식 적용(2차 화이트리스트 검증)

likelion-backendschool · Nov 9, 2022 · 9ea8927 · 9ea8927
1 parent 7b5090d
commit 9ea8927
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 7 deletions.
diff --git a/4Week_Mission/mutbooks/src/main/java/com/example/mutbooks/app/member/entity/Member.java b/4Week_Mission/mutbooks/src/main/java/com/example/mutbooks/app/member/entity/Member.java
@@ -35,6 +35,10 @@ public class Member extends BaseEntity {
 
     private int restCash;      // 예치금
 
+    // accessToken
+    @Column(columnDefinition = "TEXT")
+    private String accessToken;
+
     // Member 의 memberExtra 에 값이 저장될 때, MemberExtra 도 같이 저장되도록
     @OneToOne(mappedBy = "member", cascade = CascadeType.ALL)
     private MemberExtra memberExtra;

diff --git a/...Mission/mutbooks/src/main/java/com/example/mutbooks/app/member/service/MemberService.java b/...Mission/mutbooks/src/main/java/com/example/mutbooks/app/member/service/MemberService.java
@@ -1,6 +1,5 @@
 package com.example.mutbooks.app.member.service;
 
-import com.example.mutbooks.app.security.dto.MemberContext;
 import com.example.mutbooks.app.cash.entity.CashLog;
 import com.example.mutbooks.app.cash.service.CashService;
 import com.example.mutbooks.app.mail.service.MailService;
@@ -13,6 +12,7 @@
 import com.example.mutbooks.app.member.form.PwdModifyForm;
 import com.example.mutbooks.app.member.form.WithdrawAccountForm;
 import com.example.mutbooks.app.member.repository.MemberRepository;
+import com.example.mutbooks.app.security.dto.MemberContext;
 import com.example.mutbooks.app.security.jwt.JwtProvider;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -21,6 +21,7 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.util.StringUtils;
 
 import java.util.Map;
 import java.util.UUID;
@@ -161,10 +162,24 @@ public void createBankInfo(Member member, WithdrawAccountForm withDrawAccountFor
         //forceAuthentication(member);
     }
 
+    // AccessToken 발급(발급된게 있으면 바로 리턴)
+    @Transactional
     public String genAccessToken(Member member) {
-        Map<String, Object> claims = member.getAccessTokenClaims();
-        String accessToken = jwtProvider.generateAccessToken(claims, 60 * 60 * 24 * 90);  // 유효기간 90일
+        // 1. DB에서 AccessToken 조회
+        String accessToken = member.getAccessToken();
+        // 2. 만료시, 토큰 새로 발급
+        if (StringUtils.hasLength(accessToken) == false) {
+            // 지금으로부터 100년간의 유효기간을 가지는 토큰을 생성, DB에 토큰 저장
+            Map<String, Object> claims = member.getAccessTokenClaims();
+            accessToken = jwtProvider.generateAccessToken(claims, 60L * 60 * 24 * 365 * 100);
+            member.setAccessToken(accessToken);
+        }
 
         return accessToken;
     }
+
+    // 해당 토큰이 화이트 리스트에 있는지 검증
+    public boolean verifyWithWhiteList(Member member, String token) {
+        return member.getAccessToken().equals(token);
+    }
 }
diff --git a/...tbooks/src/main/java/com/example/mutbooks/app/security/filter/JwtAuthorizationFilter.java b/...tbooks/src/main/java/com/example/mutbooks/app/security/filter/JwtAuthorizationFilter.java
@@ -35,16 +35,19 @@ public class JwtAuthorizationFilter extends OncePerRequestFilter {
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
         String barerToken = request.getHeader("Authorization");
-        // 토큰 유효성 검증
+        // 1. 1차 체크(정보가 변조되지 않았는지 검증)
         if(barerToken != null) {
-            String token = barerToken.substring("Barer ".length());
+            // accessToken에서 회원 정보 가져오려면 Authentication에서 Bearer 제거 필요
+            String token = barerToken.substring("Bearer ".length());
             // 토큰이 유효하면 회원 정보 얻어서 강제 로그인 처리
             if(jwtProvider.verify(token)) {
                 Map<String, Object> claims = jwtProvider.getClaims(token);
                 String username = (String) claims.get("username");
                 Member member = memberService.findByUsername(username);
 
-                if(member != null) {
+                // 2. 2차 체크(해당 엑세스 토큰이 화이트 리스트에 포함되는지 검증)
+                if (memberService.verifyWithWhiteList(member, token)) {
+                    // 강제 로그인 처리
                     forceAuthentication(member);
                 }
             }

diff --git a/4Week_Mission/mutbooks/src/main/java/com/example/mutbooks/app/security/jwt/JwtProvider.java b/4Week_Mission/mutbooks/src/main/java/com/example/mutbooks/app/security/jwt/JwtProvider.java
@@ -25,7 +25,7 @@ private SecretKey getSecretKey() {
     }
 
     // JWT Access Token 발급
-    public String generateAccessToken(Map<String, Object> claims, int seconds) {
+    public String generateAccessToken(Map<String, Object> claims, long seconds) {
         long now = new Date().getTime();
         Date accessTokenExpiresIn = new Date(now + 1000L * seconds);