♻️ CORS 설정 리팩토링 및 OAuth2 콜백 로그 추가

- CORS 허용 도메인 설정을 properties 배열로 변경하여 List 형태로 주입
- CORS maxAge를 상수(1시간)로 처리
- OAuth2 콜백 컨트롤러에 디버깅용 로그 추가
- 변경된 CORS 설정에 맞춰 Spring Security config 수정

ref: #145

Author: cheshireHYUN

src/main/java/com/boggle_boggle/bbegok/config/properties/CorsProperties.java

@@ -4,13 +4,15 @@
 import lombok.Setter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
+import java.util.List;
+
 @Getter
 @Setter
 @ConfigurationProperties(prefix = "cors")
 public class CorsProperties {
-    private String allowedOrigins;
-    private String allowedMethods;
+    private List<String> allowedOrigins;
+    private List<String> allowedMethods;
     private String allowedHeaders;
     private Boolean allowCredentials;
-    private Long maxAge;
+    private Long maxAge = 3600L; // 기본 1시간
 }

src/main/java/com/boggle_boggle/bbegok/config/security/SecurityConfig.java

@@ -85,10 +85,10 @@ public UrlBasedCorsConfigurationSource corsConfigurationSource() {
         UrlBasedCorsConfigurationSource corsConfigSource = new UrlBasedCorsConfigurationSource();
 
         CorsConfiguration corsConfig = new CorsConfiguration();
+        corsConfig.setAllowCredentials(Boolean.TRUE.equals(corsProperties.getAllowCredentials()));
+        corsConfig.setAllowedOrigins(corsProperties.getAllowedOrigins());
+        corsConfig.setAllowedMethods(corsProperties.getAllowedMethods());
         corsConfig.setAllowedHeaders(Arrays.asList(corsProperties.getAllowedHeaders().split(",")));
-        corsConfig.setAllowedMethods(Arrays.asList(corsProperties.getAllowedMethods().split(",")));
-        corsConfig.setAllowedOrigins(Arrays.asList(corsProperties.getAllowedOrigins().split(",")));
-        corsConfig.setAllowCredentials(corsProperties.getAllowCredentials());
         corsConfig.setMaxAge(corsConfig.getMaxAge());
 
         corsConfigSource.registerCorsConfiguration("/**", corsConfig);

src/main/java/com/boggle_boggle/bbegok/controller/OAuth2AuthController.java

@@ -28,6 +28,7 @@
 import jakarta.servlet.http.HttpSession;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -44,6 +45,7 @@
 @RestController
 @RequestMapping("/auth")
 @RequiredArgsConstructor
+@Slf4j
 public class OAuth2AuthController {
     private static final String preSignupIdCookieName = "pre_signup_id";
     private final OAuth2LoginService oauth2LoginService;
@@ -91,10 +93,7 @@ public DataResponseDto<Void> signup(@Valid @RequestBody SignupRequest signupRequ
     public void authorize(@RequestParam("provider") ProviderType providerType,
                           @RequestParam("redirect") String redirectFront, HttpSession session,
                                                           HttpServletResponse response) throws IOException {
-        List<String> origins = Arrays.stream(corsProperties.getAllowedOrigins().split(","))
-                .map(String::trim)
-                .filter(s -> !s.isBlank())
-                .toList();
+        List<String> origins = corsProperties.getAllowedOrigins();
 
         if (origins.stream().noneMatch(redirectFront::startsWith)) {
             response.sendError(400, "invalid front url");
@@ -121,6 +120,8 @@ public void oauth2Callback(
         OauthValidateUtil.validateState(request, state);
         OAuthLoginResponse oauthLoginResponse = oauth2LoginService.processOAuth2Callback(providerType, code, state);
 
+        log.info("[OAuth Controller] Callback Service 정상 실행 - status: {}", oauthLoginResponse.getStatus());
+
         if(oauthLoginResponse.getStatus() == SignStatus.EXISTING_USER) { //기존유저 - RefreshToken 및 DiviceId만 쿠키에 포함해서 리다이렉트
             queryService.setLoginCookie(request, response, oauthLoginResponse);
         } else if(oauthLoginResponse.getStatus() == SignStatus.SIGNUP_REQUIRED) { //신규유저 - preSignupUd를 쿠키에 포함해서 리다이렉트
@@ -129,14 +130,24 @@ public void oauth2Callback(
             throw new GeneralException(Code.BAD_REQUEST);
         }
 
+        log.info("[OAuth Controller] 쿠키 셋팅 완료");
+
         //https://{프론트}/auth?status={}'으로 redirect
         HttpSession session = request.getSession();
         String redirectFront = (String) session.getAttribute("redirect_front");
-        if (redirectFront == null || corsProperties.getAllowedOrigins().lines().noneMatch(redirectFront::startsWith)) {
+        log.info("[OAuth Controller] redirectFront : {}", redirectFront);
+        log.info("Allowed origins list:");
+        List<String> origins = corsProperties.getAllowedOrigins();
+        for(String str : origins) log.info("-> {}",str);
+
+        log.info("true or false : {}, {}",redirectFront == null, !origins.contains(redirectFront));
+        if (redirectFront == null || !origins.contains(redirectFront)) {
             response.sendError(400, "invalid redirect front url");
             return;
         }
 
+        log.info("[OAuth Controller] 리다이렉트 셋팅하기");
+
         session.removeAttribute("redirect_front");
         session.removeAttribute("oauth2_state");
 
@@ -147,6 +158,7 @@ public void oauth2Callback(
                 .build()
                 .toUriString();
 
+        log.info("[OAuth Controller] 리다이렉트 꼬");
         response.sendRedirect(frontUrl);
     }
 

src/main/resources/application.properties

@@ -23,8 +23,16 @@ logging.level.com.boggle_boggle.bbegok=INFO
 bbaegok.root-domain=${ROOT_DOMAIN_NAME}
 
 # cors
-cors.allowed-origins=https://localhost:5173,https://${ROOT_DOMAIN_NAME},https://${FRONT_DEV_DOMAIN_NAME},https://appleid.apple.com
-cors.allowed-methods=GET,POST,PUT,PATCH,DELETE,OPTIONS
+cors.allowed-origins[0]=https://localhost:5173
+cors.allowed-origins[1]=https://${ROOT_DOMAIN_NAME}
+cors.allowed-origins[2]=https://${FRONT_DEV_DOMAIN_NAME}
+cors.allowed-origins[3]=https://appleid.apple.com
+cors.allowed-methods[0]=GET
+cors.allowed-methods[1]=POST
+cors.allowed-methods[2]=PUT
+cors.allowed-methods[3]=PATCH
+cors.allowed-methods[4]=DELETE
+cors.allowed-methods[5]=OPTIONS
 cors.allowed-headers=*
 cors.allow-credentials=true