refactor(security): JWT/Principal에 team 노출 및 권한 체크 개선

Author: CSE-Shaco

src/main/java/inha/gdgoc/domain/auth/controller/AuthController.java

@@ -14,6 +14,7 @@
 import inha.gdgoc.domain.auth.service.MailService;
 import inha.gdgoc.domain.auth.service.RefreshTokenService;
 import inha.gdgoc.domain.user.entity.User;
+import inha.gdgoc.domain.user.enums.TeamType;
 import inha.gdgoc.domain.user.enums.UserRole;
 import inha.gdgoc.domain.user.repository.UserRepository;
 import inha.gdgoc.global.config.jwt.TokenProvider;
@@ -165,15 +166,30 @@ public ResponseEntity<ApiResponse<Void, Void>> resetPassword(@RequestBody Passwo
      * 예) /api/v1/auth/LEAD, /api/v1/auth/ORGANIZER, /api/v1/auth/ADMIN
      */
     @GetMapping("/{role}")
-    public ResponseEntity<ApiResponse<Void, ?>> checkRole(@AuthenticationPrincipal TokenProvider.CustomUserDetails me, @PathVariable UserRole role) {
+    public ResponseEntity<ApiResponse<Void, ?>> checkRoleOrTeam(@AuthenticationPrincipal TokenProvider.CustomUserDetails me, @PathVariable UserRole role, @RequestParam(value = "team", required = false) TeamType requiredTeam) {
+        // 1) 인증 체크
         if (me == null) {
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                     .body(ApiResponse.error(GlobalErrorCode.UNAUTHORIZED_USER.getStatus()
                             .value(), GlobalErrorCode.UNAUTHORIZED_USER.getMessage(), null));
         }
 
-        if (UserRole.hasAtLeast(me.getRole(), role)) {
-            return ResponseEntity.ok(ApiResponse.ok("ROLE_CHECK_PASSED", null));
+        // 2) role check
+        final boolean roleOk = UserRole.hasAtLeast(me.getRole(), role);
+
+        // 3) team check if team parameter exists
+        boolean teamOk = false;
+        if (requiredTeam != null) {
+            if (UserRole.hasAtLeast(me.getRole(), UserRole.ORGANIZER)) {
+                teamOk = true;
+            } else {
+                teamOk = (me.getTeam() != null && me.getTeam() == requiredTeam);
+            }
+        }
+
+        // 4) OR 조건으로 최종 판정
+        if (roleOk || teamOk) {
+            return ResponseEntity.ok(ApiResponse.ok("ROLE_OR_TEAM_CHECK_PASSED", null));
         }
 
         return ResponseEntity.status(HttpStatus.FORBIDDEN)

src/main/java/inha/gdgoc/global/config/jwt/TokenProvider.java

@@ -1,19 +1,11 @@
 package inha.gdgoc.global.config.jwt;
 
-import static inha.gdgoc.global.exception.GlobalErrorCode.INVALID_JWT_REQUEST;
-
 import inha.gdgoc.domain.auth.enums.LoginType;
 import inha.gdgoc.domain.user.entity.User;
 import inha.gdgoc.domain.user.enums.TeamType;
 import inha.gdgoc.domain.user.enums.UserRole;
 import inha.gdgoc.global.exception.BusinessException;
 import io.jsonwebtoken.*;
-import java.time.Duration;
-import java.util.Base64;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Set;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -22,9 +14,15 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.stereotype.Service;
 
+import java.time.Duration;
+import java.util.*;
+
+import static inha.gdgoc.global.exception.GlobalErrorCode.INVALID_JWT_REQUEST;
+
 @RequiredArgsConstructor
 @Service
 public class TokenProvider {
+
     private final JwtProperties jwtProperties;
 
     // 자체 로그인용 토큰 생성
@@ -44,8 +42,7 @@ public String generateRefreshToken(User user, Duration expiredAt, LoginType logi
         return makeToken(new Date(now.getTime() + expiredAt.toMillis()), user, loginType);
     }
 
-    public Claims validToken(String token) throws ExpiredJwtException, UnsupportedJwtException,
-            MalformedJwtException, SignatureException, IllegalArgumentException {
+    public Claims validToken(String token) throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
         return getClaims(token);
     }
 
@@ -62,32 +59,31 @@ public Authentication getAuthentication(String token) {
         String roleStr = claims.get("role", String.class);
         if (roleStr == null) throw new BusinessException(INVALID_JWT_REQUEST);
         UserRole userRole = UserRole.valueOf(roleStr);
-        String roleName = "ROLE_" + userRole.name();
-        Set<SimpleGrantedAuthority> authorities =
-                Collections.singleton(new SimpleGrantedAuthority(roleName));
 
-        // team (선택) - 토큰에는 enum name(String)으로 저장됨. null/오타는 무시.
+        // 권한 세트 구성
+        Set<SimpleGrantedAuthority> authorities = new HashSet<>();
+        // 1) 역할 권한
+        authorities.add(new SimpleGrantedAuthority("ROLE_" + userRole.name()));
+
+        // 2) 팀 권한 (선택)
         TeamType team = null;
         String teamStr = claims.get("team", String.class);
         if (teamStr != null && !teamStr.isBlank()) {
             try {
                 team = TeamType.valueOf(teamStr);
+                authorities.add(new SimpleGrantedAuthority("TEAM_" + team.name()));
             } catch (IllegalArgumentException ignored) {
-                // 구버전 토큰 또는 잘못된 값이면 null 유지
             }
         }
 
-        CustomUserDetails userDetails =
-                new CustomUserDetails(userId, username, "", authorities, userRole, team);
+        CustomUserDetails userDetails = new CustomUserDetails(userId, username, "", authorities, userRole, team);
 
         return new UsernamePasswordAuthenticationToken(userDetails, null, authorities);
     }
 
     private String makeToken(Date expiry, User user, LoginType loginType) {
         Date now = new Date();
-        String issuer = (loginType == LoginType.SELF_SIGNUP)
-                ? jwtProperties.getSelfIssuer()
-                : jwtProperties.getGoogleIssuer();
+        String issuer = (loginType == LoginType.SELF_SIGNUP) ? jwtProperties.getSelfIssuer() : jwtProperties.getGoogleIssuer();
 
         // team: enum name 저장(예: "PR_DESIGN"), 없으면 null
         String teamEnumName = (user.getTeam() == null) ? null : user.getTeam().name();
@@ -102,8 +98,8 @@ private String makeToken(Date expiry, User user, LoginType loginType) {
                 .claim("loginType", loginType.name())
                 .claim("role", user.getUserRole().name())
                 .claim("team", teamEnumName)
-                .signWith(SignatureAlgorithm.HS256,
-                        Base64.getEncoder().encodeToString(jwtProperties.getSecretKey().getBytes()))
+                .signWith(SignatureAlgorithm.HS256, Base64.getEncoder()
+                        .encodeToString(jwtProperties.getSecretKey().getBytes()))
                 .compact();
     }
 
@@ -116,16 +112,12 @@ private Claims getClaims(String token) {
 
     @Getter
     public static class CustomUserDetails extends org.springframework.security.core.userdetails.User {
+
         private final Long userId;
         private final UserRole role;
         private final TeamType team;
 
-        public CustomUserDetails(Long userId,
-                                 String username,
-                                 String password,
-                                 Collection<? extends GrantedAuthority> authorities,
-                                 UserRole role,
-                                 TeamType team) {
+        public CustomUserDetails(Long userId, String username, String password, Collection<? extends GrantedAuthority> authorities, UserRole role, TeamType team) {
             super(username, password, authorities);
             this.userId = userId;
             this.role = role;

src/main/java/inha/gdgoc/global/exception/BusinessException.java

@@ -12,4 +12,8 @@ public BusinessException(ErrorCode errorCode) {
         this.errorCode = errorCode;
     }
 
+    public BusinessException(ErrorCode errorCode, String message) {
+        super(message);
+        this.errorCode = errorCode;
+    }
 }