[BACKEND] 토큰 권한 수정 및 관리자 용 로그인 추가 (#84)

ddoed · web-flow · commit 981572adff4a · 2025-11-11T15:16:43.000+09:00
## 📝작업 내용

- 이메일, 비밀번호 입력으로 로그인
- ADMIN 권한 추가 및 jwt 권한 세부 설정
- POST users/login: 관리자용 로그인(이메일, 비밀번호로 로그인 가능)
- DELETE users/all: 관리자만 삭제 가능하도록 변경, 관리자 제외 삭제
- data.sql 테스트 용 기본 유저 추가
diff --git a/backend/src/main/java/com/cmg/comtogether/common/config/SwaggerConfig.java b/backend/src/main/java/com/cmg/comtogether/common/config/SwaggerConfig.java
@@ -36,7 +36,7 @@ public OpenAPI openAPI() {
     @Bean
     public OpenApiCustomizer oauthSecurityIgnoreCustomizer() {
         return openApi -> openApi.getPaths().forEach((path, pathItem) -> {
-            if (path.startsWith("/oauth") || path.startsWith("/refresh") || path.startsWith("/users/all")) {
+            if (path.startsWith("/users/login") || path.startsWith("/oauth") || path.startsWith("/refresh")) {
                 pathItem.readOperations().forEach(operation -> operation.setSecurity(Collections.emptyList()));
             }
         });
diff --git a/backend/src/main/java/com/cmg/comtogether/common/exception/ErrorCode.java b/backend/src/main/java/com/cmg/comtogether/common/exception/ErrorCode.java
@@ -20,6 +20,7 @@ public enum ErrorCode {
     TOKEN_EXPIRED(401, "AUTH-002", "토큰이 만료되었습니다."),
     INVALID_TOKEN(401, "AUTH-003", "유효하지 않은 토큰입니다."),
     FORBIDDEN(403, "AUTH-004", "접근 권한이 없습니다."),
+    INVALID_PASSWORD(401, "AUTH-005", "비밀번호가 일치하지 않습니다."),
 
     // 카카오 API
     OAUTH_INVALID_CODE(400, "OAUTH-000", "유효하지 않은 인가 코드입니다."),
diff --git a/backend/src/main/java/com/cmg/comtogether/common/security/CustomUserDetails.java b/backend/src/main/java/com/cmg/comtogether/common/security/CustomUserDetails.java
@@ -19,18 +19,17 @@ public CustomUserDetails(User user) {
 
     @Override
     public Collection<? extends GrantedAuthority> getAuthorities() {
-        // Role 기반 권한
-        return Collections.singleton(() -> "ROLE_USER");
+        return Collections.singleton(() -> "ROLE_" + user.getRole().name());
     }
 
     @Override
     public String getPassword() {
-        return null;
+        return user.getPassword();
     }
 
     @Override
     public String getUsername() {
-        return String.valueOf(user.getUserId());
+        return user.getEmail();
     }
 
     @Override
diff --git a/backend/src/main/java/com/cmg/comtogether/common/security/CustomUserDetailsService.java b/backend/src/main/java/com/cmg/comtogether/common/security/CustomUserDetailsService.java
@@ -16,8 +16,14 @@ public class CustomUserDetailsService implements UserDetailsService {
     private final UserRepository userRepository;
 
     @Override
-    public UserDetails loadUserByUsername(String userId) throws UsernameNotFoundException {
-        User user = userRepository.findById(Long.valueOf(userId))
+    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
+        User user = userRepository.findByEmail(email)
+                .orElseThrow(() -> new UsernameNotFoundException(ErrorCode.USER_NOT_FOUND.getMessage()));
+        return new CustomUserDetails(user);
+    }
+
+    public UserDetails loadUserById(Long userId) {
+        User user = userRepository.findById(userId)
                 .orElseThrow(() -> new UsernameNotFoundException(ErrorCode.USER_NOT_FOUND.getMessage()));
         return new CustomUserDetails(user);
     }
diff --git a/backend/src/main/java/com/cmg/comtogether/common/security/config/SecurityConfig.java b/backend/src/main/java/com/cmg/comtogether/common/security/config/SecurityConfig.java
@@ -41,9 +41,12 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, CorsConfigurat
                                 "/v3/api-docs/**",
                                 "/products/**",
                                 "/guide/**",
-                                "/users/all",
-                                "/glossary/**"
+                                "/glossary/**",
+                                "/users/login"
                         ).permitAll()
+                        .requestMatchers(
+                                "/users/all"
+                        ).hasRole("ADMIN")
                         .anyRequest().authenticated()
                 )
                 .exceptionHandling(ex -> ex
diff --git a/backend/src/main/java/com/cmg/comtogether/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/com/cmg/comtogether/jwt/filter/JwtAuthenticationFilter.java
@@ -10,14 +10,12 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
-import java.util.List;
 
 @Slf4j
 @Component
@@ -43,19 +41,14 @@ protected void doFilterInternal(HttpServletRequest request,
         try {
             if (token != null) {
                 jwtTokenProvider.validateToken(token);
-
                 Long userId = jwtTokenProvider.getUserId(token);
-                String role = "ROLE_USER";
-
-                UserDetails userDetails =
-                        customUserDetailsService.loadUserByUsername(String.valueOf(userId));
+                UserDetails userDetails = customUserDetailsService.loadUserById(userId);
 
                 UsernamePasswordAuthenticationToken authentication =
                         new UsernamePasswordAuthenticationToken(
                                 userDetails,
                                 null,
-                                List.of(new SimpleGrantedAuthority(role))
-                        );
+                                userDetails.getAuthorities());
 
                 SecurityContextHolder.getContext().setAuthentication(authentication);
             }
diff --git a/backend/src/main/java/com/cmg/comtogether/jwt/service/JwtService.java b/backend/src/main/java/com/cmg/comtogether/jwt/service/JwtService.java
@@ -7,19 +7,23 @@
 import com.cmg.comtogether.jwt.util.JwtTokenProvider;
 import com.cmg.comtogether.jwt.dto.TokenDto;
 import com.cmg.comtogether.user.entity.User;
+import com.cmg.comtogether.user.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
 
 @Service
 @RequiredArgsConstructor
 public class JwtService {
 
     private final JwtTokenProvider jwtTokenProvider;
     private final RefreshTokenRepository refreshTokenRepository;
+    private final UserRepository userRepository;
 
+    @Transactional
     public TokenDto generateToken(User user) {
-        String accessToken = jwtTokenProvider.createAccessToken(user.getUserId());
-        String refreshToken = jwtTokenProvider.createRefreshToken(user.getUserId());
+        String accessToken = jwtTokenProvider.createAccessToken(user);
+        String refreshToken = jwtTokenProvider.createRefreshToken(user);
 
         refreshTokenRepository.findByUserId(user.getUserId())
                 .ifPresentOrElse(
@@ -33,14 +37,16 @@ public TokenDto generateToken(User user) {
                 .build();
     }
 
+    @Transactional
     public TokenDto refreshAccessToken(String refreshToken) {
         jwtTokenProvider.validateToken(refreshToken);
         RefreshToken stored = refreshTokenRepository.findByRefreshToken(refreshToken)
                 .orElseThrow(() -> new BusinessException(ErrorCode.UNAUTHORIZED));
 
         Long userId = jwtTokenProvider.getUserId(refreshToken);
-        String newAccessToken = jwtTokenProvider.createAccessToken(userId);
-        String newRefreshToken = jwtTokenProvider.createRefreshToken(userId);
+        User user = userRepository.findById(userId).orElseThrow(() -> new BusinessException(ErrorCode.USER_NOT_FOUND));
+        String newAccessToken = jwtTokenProvider.createAccessToken(user);
+        String newRefreshToken = jwtTokenProvider.createRefreshToken(user);
 
         stored.updateToken(newRefreshToken);
         refreshTokenRepository.save(stored);
diff --git a/backend/src/main/java/com/cmg/comtogether/jwt/util/JwtTokenProvider.java b/backend/src/main/java/com/cmg/comtogether/jwt/util/JwtTokenProvider.java
@@ -2,6 +2,7 @@
 
 import com.cmg.comtogether.common.exception.BusinessException;
 import com.cmg.comtogether.common.exception.ErrorCode;
+import com.cmg.comtogether.user.entity.User;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.MalformedJwtException;
@@ -25,21 +26,21 @@ public class JwtTokenProvider {
     @Value("${jwt.refresh-token-expire-time}")
     private long refreshTokenExpireTime;
 
-    public String createAccessToken(Long userId) {
-        return createToken(userId, accessTokenExpireTime);
+    public String createAccessToken(User user) {
+        return createToken(user, accessTokenExpireTime);
     }
 
-    public String createRefreshToken(Long userId) {
-        return createToken(userId, refreshTokenExpireTime);
+    public String createRefreshToken(User user) {
+        return createToken(user, refreshTokenExpireTime);
     }
 
-    private String createToken(Long userId, long validity) {
+    private String createToken(User user, long validity) {
         Date now = new Date();
         Date expiry = new Date(now.getTime() + validity);
 
         return Jwts.builder()
-                .setSubject(String.valueOf(userId))
-                .claim("auth", "ROLE_USER")
+                .setSubject(String.valueOf(user.getUserId()))
+                .claim("auth", user.getRole())
                 .claim("jti", UUID.randomUUID().toString())
                 .setIssuedAt(now)
                 .setExpiration(expiry)
diff --git a/backend/src/main/java/com/cmg/comtogether/user/controller/UserController.java b/backend/src/main/java/com/cmg/comtogether/user/controller/UserController.java
@@ -2,6 +2,8 @@
 
 import com.cmg.comtogether.common.response.ApiResponse;
 import com.cmg.comtogether.common.security.CustomUserDetails;
+import com.cmg.comtogether.jwt.dto.TokenDto;
+import com.cmg.comtogether.user.dto.LoginRequestDto;
 import com.cmg.comtogether.user.dto.UserInitializeRequestDto;
 import com.cmg.comtogether.user.dto.UserResponseDto;
 import com.cmg.comtogether.user.entity.User;
@@ -21,6 +23,13 @@ public class UserController {
 
     private final UserService userService;
 
+    @PostMapping("/login")
+    public ResponseEntity<ApiResponse<TokenDto>> login(
+            @Valid @RequestBody LoginRequestDto loginRequestDto) {
+        TokenDto tokenDto = userService.login(loginRequestDto.getEmail(), loginRequestDto.getPassword());
+        return ResponseEntity.ok(ApiResponse.success(tokenDto));
+    }
+
     @PostMapping("/logout")
     public ResponseEntity<ApiResponse<Void>> logout(@AuthenticationPrincipal CustomUserDetails userDetails) {
         userService.logout(userDetails.getUser().getUserId());
diff --git a/backend/src/main/java/com/cmg/comtogether/user/dto/LoginRequestDto.java b/backend/src/main/java/com/cmg/comtogether/user/dto/LoginRequestDto.java
@@ -0,0 +1,20 @@
+package com.cmg.comtogether.user.dto;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+
+@Getter
+@Builder
+@AllArgsConstructor
+public class LoginRequestDto {
+
+    @Email
+    @NotBlank(message = "이메일은 필수 값 입니다.")
+    private String email;
+
+    @NotBlank(message = "비밀번호는 필수 값 입니다.")
+    private String password;
+}
diff --git a/backend/src/main/java/com/cmg/comtogether/user/entity/Role.java b/backend/src/main/java/com/cmg/comtogether/user/entity/Role.java
@@ -1,5 +1,5 @@
 package com.cmg.comtogether.user.entity;
 
 public enum Role {
-    BEGINNER, EXPERT
+    BEGINNER, EXPERT, ADMIN
 }
diff --git a/backend/src/main/java/com/cmg/comtogether/user/entity/User.java b/backend/src/main/java/com/cmg/comtogether/user/entity/User.java
@@ -24,15 +24,18 @@ public class User {
     @Column(nullable = false, unique = true)
     private String email;
 
+    @Column
+    private String password;
+
     @Enumerated(EnumType.STRING)
     @Column(nullable = false)
     private Role role = Role.BEGINNER;
 
     @Enumerated(EnumType.STRING)
-    @Column(nullable = false)
+    @Column
     private SocialType socialType;
 
-    @Column(nullable = false, unique = true)
+    @Column(unique = true)
     private String socialId;
 
     @Builder.Default
diff --git a/backend/src/main/java/com/cmg/comtogether/user/repository/UserRepository.java b/backend/src/main/java/com/cmg/comtogether/user/repository/UserRepository.java
@@ -1,5 +1,6 @@
 package com.cmg.comtogether.user.repository;
 
+import com.cmg.comtogether.user.entity.Role;
 import com.cmg.comtogether.user.entity.User;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
@@ -17,4 +18,8 @@ public interface UserRepository extends JpaRepository<User, Long> {
             "left join fetch ui.interest i " +
             "where u.userId = :userId")
     Optional<User> findByIdWithInterests(@Param("userId") Long userId);
+
+    Optional<User> findByEmail(String email);
+
+    void deleteAllByRoleNot(Role role);
 }
diff --git a/backend/src/main/java/com/cmg/comtogether/user/service/UserService.java b/backend/src/main/java/com/cmg/comtogether/user/service/UserService.java
@@ -4,14 +4,17 @@
 import com.cmg.comtogether.common.exception.ErrorCode;
 import com.cmg.comtogether.interest.entity.Interest;
 import com.cmg.comtogether.interest.service.InterestService;
+import com.cmg.comtogether.jwt.dto.TokenDto;
 import com.cmg.comtogether.jwt.service.JwtService;
 import com.cmg.comtogether.user.dto.UserInitializeRequestDto;
 import com.cmg.comtogether.user.dto.UserResponseDto;
+import com.cmg.comtogether.user.entity.Role;
 import com.cmg.comtogether.user.entity.User;
 import com.cmg.comtogether.user.mapper.UserMapper;
 import com.cmg.comtogether.user.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -28,6 +31,7 @@ public class UserService {
     private final UserRepository userRepository;
     private final InterestService interestService;
     private final JwtService jwtService;
+    private final PasswordEncoder passwordEncoder;
 
     public void logout(Long userId) {
         if (!userRepository.existsById(userId)) {
@@ -74,7 +78,19 @@ public void deleteUser(User user) {
         userRepository.delete(deleteUser.get());
     }
 
+    @Transactional
     public void deleteAllUsers() {
-        userRepository.deleteAll();
+        userRepository.deleteAllByRoleNot(Role.ADMIN);
+    }
+
+    public TokenDto login(String email, String password) {
+        User user = userRepository.findByEmail(email)
+                .orElseThrow(() -> new BusinessException(ErrorCode.USER_NOT_FOUND));
+
+        if (!passwordEncoder.matches(password, user.getPassword())) {
+            throw new BusinessException(ErrorCode.INVALID_PASSWORD);
+        }
+
+        return jwtService.generateToken(user);
     }
 }
diff --git a/backend/src/main/resources/data.sql b/backend/src/main/resources/data.sql
@@ -3,6 +3,13 @@ INSERT INTO interest (name, is_custom) VALUES ('디자인', false);
 INSERT INTO interest (name, is_custom) VALUES ('게임', false);
 INSERT INTO interest (name, is_custom) VALUES ('커스텀', true);
 
+INSERT INTO user (name, email, password, role, social_type, social_id, point, profile_image_url, initialized)
+VALUES ('admin01', 'admin01@comtogether.com','$2a$10$bfTyi9V6o3kaOJnehJufCeLinAOXzkZrqdLOmMV9rFWj.SmHCo3Vy', 'ADMIN', NULL, NULL, 0, NULL,TRUE);
+INSERT INTO user (name, email, password, role, social_type, social_id, point, profile_image_url, initialized)
+VALUES ('expert01', 'expert01@comtogether.com', '$2a$10$aBLIdWBNt5te1Rf57lh/b.XYs9pshgW9xj.E3JI5w.BGg8x8j/N8O', 'EXPERT', NULL, NULL, 0, NULL, TRUE);
+INSERT INTO user (name, email, password, role, social_type, social_id, point, profile_image_url, initialized)
+VALUES ('beginner01', 'beginner01@comtogether.com', '$2a$10$q2cPZqXqu04FzPBV7Np94OtEi9M1P3q7/keSVGwPVZSonutRdWggm', 'BEGINNER', NULL, NULL, 0, NULL, TRUE);
+
 -- Guide 테이블 샘플 데이터
 INSERT INTO guide (category, intro, detail, caution, beginner) VALUES
     ('cpu',

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public OpenAPI openAPI() {`
`36`	`36`	`@Bean`
`37`	`37`	`public OpenApiCustomizer oauthSecurityIgnoreCustomizer() {`
`38`	`38`	`return openApi -> openApi.getPaths().forEach((path, pathItem) -> {`
`39`		`- if (path.startsWith("/oauth") \|\| path.startsWith("/refresh") \|\| path.startsWith("/users/all")) {`
	`39`	`+ if (path.startsWith("/users/login") \|\| path.startsWith("/oauth") \|\| path.startsWith("/refresh")) {`
`40`	`40`	`pathItem.readOperations().forEach(operation -> operation.setSecurity(Collections.emptyList()));`
`41`	`41`	`}`
`42`	`42`	`});`
Original file line number	Diff line number	Diff line change
`@@ -19,18 +19,17 @@ public CustomUserDetails(User user) {`
`19`	`19`
`20`	`20`	`@Override`
`21`	`21`	`public Collection<? extends GrantedAuthority> getAuthorities() {`
`22`		`- // Role 기반 권한`
`23`		`- return Collections.singleton(() -> "ROLE_USER");`
	`22`	`+ return Collections.singleton(() -> "ROLE_" + user.getRole().name());`
`24`	`23`	`}`
`25`	`24`
`26`	`25`	`@Override`
`27`	`26`	`public String getPassword() {`
`28`		`- return null;`
	`27`	`+ return user.getPassword();`
`29`	`28`	`}`
`30`	`29`
`31`	`30`	`@Override`
`32`	`31`	`public String getUsername() {`
`33`		`- return String.valueOf(user.getUserId());`
	`32`	`+ return user.getEmail();`
`34`	`33`	`}`
`35`	`34`
`36`	`35`	`@Override`