Merge pull request #78 from Geumpumta/feat/block-multi-device-login

feat: 중복 로그인 차단 정책 추가

Author: kon28289

src/main/java/com/gpt/geumpumtabackend/global/oauth/handler/OAuth2AuthenticationSuccessHandler.java

@@ -1,9 +1,7 @@
 package com.gpt.geumpumtabackend.global.oauth.handler;
 
-
-
-import com.gpt.geumpumtabackend.global.jwt.JwtHandler;
 import com.gpt.geumpumtabackend.global.jwt.JwtUserClaim;
+import com.gpt.geumpumtabackend.global.oauth.service.OAuthLoginPolicyService;
 import com.gpt.geumpumtabackend.global.oauth.service.OAuth2UserPrincipal;
 import com.gpt.geumpumtabackend.global.oauth.util.RedirectUrlValidator;
 import com.gpt.geumpumtabackend.global.oauth.util.StateUtil;
@@ -20,13 +18,14 @@
 import org.springframework.web.util.UriComponentsBuilder;
 
 import java.io.IOException;
+import java.util.Optional;
 
 @Component
 @RequiredArgsConstructor
 @Slf4j
 public class OAuth2AuthenticationSuccessHandler implements AuthenticationSuccessHandler {
 
-    private final JwtHandler jwtHandler;
+    private final OAuthLoginPolicyService oAuthLoginPolicyService;
 
     @Override
     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
@@ -45,15 +44,22 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
         Boolean isWithdrawn = principal.getUser().getDeletedAt() != null;
 
         JwtUserClaim jwtUserClaim = new JwtUserClaim(userId, role, isWithdrawn);
-        Token token = jwtHandler.createTokens(jwtUserClaim);
+        Optional<Token> token = oAuthLoginPolicyService.issueTokenIfNoActiveSession(jwtUserClaim);
+        if (token.isEmpty()) {
+            String blockedUrl = UriComponentsBuilder.fromUriString(redirectUri)
+                    .queryParam("error", "already_logged_in")
+                    .build().toUriString();
+            response.sendRedirect(blockedUrl);
+            return;
+        }
+        Token issuedToken = token.get();
 
         // 토큰 붙여서 리다이렉트
         String redirectUrl = UriComponentsBuilder.fromUriString(redirectUri)
-                .queryParam("accessToken", token.getAccessToken())
-                .queryParam("refreshToken", token.getRefreshToken())
+                .queryParam("accessToken", issuedToken.getAccessToken())
+                .queryParam("refreshToken", issuedToken.getRefreshToken())
                 .build().toUriString();
 
-        System.out.println(redirectUrl);
         response.sendRedirect(redirectUrl);
     }
 }

src/main/java/com/gpt/geumpumtabackend/global/oauth/service/OAuthLoginPolicyService.java

@@ -0,0 +1,45 @@
+package com.gpt.geumpumtabackend.global.oauth.service;
+
+import com.gpt.geumpumtabackend.global.jwt.JwtHandler;
+import com.gpt.geumpumtabackend.global.jwt.JwtUserClaim;
+import com.gpt.geumpumtabackend.global.exception.BusinessException;
+import com.gpt.geumpumtabackend.global.exception.ExceptionType;
+import com.gpt.geumpumtabackend.token.domain.RefreshToken;
+import com.gpt.geumpumtabackend.token.domain.Token;
+import com.gpt.geumpumtabackend.token.repository.RefreshTokenRepository;
+import com.gpt.geumpumtabackend.user.repository.UserRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Optional;
+
+@Service
+@RequiredArgsConstructor
+public class OAuthLoginPolicyService {
+
+    private static final ZoneId KST = ZoneId.of("Asia/Seoul");
+
+    private final UserRepository userRepository;
+    private final RefreshTokenRepository refreshTokenRepository;
+    private final JwtHandler jwtHandler;
+
+    @Transactional
+    public Optional<Token> issueTokenIfNoActiveSession(JwtUserClaim jwtUserClaim) {
+        userRepository.findByIdForUpdate(jwtUserClaim.userId())
+                .orElseThrow(() -> new BusinessException(ExceptionType.USER_NOT_FOUND));
+
+        Optional<RefreshToken> existingToken = refreshTokenRepository.findByUserId(jwtUserClaim.userId());
+        if (existingToken.isPresent()) {
+            LocalDateTime now = LocalDateTime.now(KST);
+            if (existingToken.get().getExpiredAt().isAfter(now)) {
+                return Optional.empty();
+            }
+            refreshTokenRepository.deleteByUserId(jwtUserClaim.userId());
+        }
+
+        return Optional.of(jwtHandler.createTokens(jwtUserClaim));
+    }
+}

src/main/java/com/gpt/geumpumtabackend/user/repository/UserRepository.java

@@ -2,10 +2,12 @@
 
 import com.gpt.geumpumtabackend.global.oauth.user.OAuth2Provider;
 import com.gpt.geumpumtabackend.user.domain.User;
-import jakarta.validation.constraints.Pattern;
+import jakarta.persistence.LockModeType;
+import org.springframework.data.jpa.repository.Lock;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
 
-import java.util.List;
 import java.util.Optional;
 
 public interface UserRepository extends JpaRepository<User, Long> {
@@ -26,4 +28,8 @@ public interface UserRepository extends JpaRepository<User, Long> {
     boolean existsBySchoolEmail(String schoolEmail);
 
     Optional<User> findByFcmToken(String fcmToken);
+
+    @Lock(LockModeType.PESSIMISTIC_WRITE)
+    @Query("SELECT u FROM User u WHERE u.id = :userId")
+    Optional<User> findByIdForUpdate(@Param("userId") Long userId);
 }

src/test/java/com/gpt/geumpumtabackend/unit/oauth/service/OAuthLoginPolicyServiceTest.java

@@ -0,0 +1,102 @@
+package com.gpt.geumpumtabackend.unit.oauth.service;
+
+import com.gpt.geumpumtabackend.global.exception.BusinessException;
+import com.gpt.geumpumtabackend.global.jwt.JwtHandler;
+import com.gpt.geumpumtabackend.global.jwt.JwtUserClaim;
+import com.gpt.geumpumtabackend.global.oauth.service.OAuthLoginPolicyService;
+import com.gpt.geumpumtabackend.token.domain.RefreshToken;
+import com.gpt.geumpumtabackend.token.domain.Token;
+import com.gpt.geumpumtabackend.token.repository.RefreshTokenRepository;
+import com.gpt.geumpumtabackend.user.domain.User;
+import com.gpt.geumpumtabackend.user.domain.UserRole;
+import com.gpt.geumpumtabackend.user.repository.UserRepository;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import java.util.Optional;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class OAuthLoginPolicyServiceTest {
+
+    @Mock
+    private UserRepository userRepository;
+
+    @Mock
+    private RefreshTokenRepository refreshTokenRepository;
+
+    @Mock
+    private JwtHandler jwtHandler;
+
+    private OAuthLoginPolicyService oAuthLoginPolicyService;
+
+    @BeforeEach
+    void setUp() {
+        oAuthLoginPolicyService = new OAuthLoginPolicyService(userRepository, refreshTokenRepository, jwtHandler);
+    }
+
+    @Test
+    void 활성_세션이_있으면_토큰_발급을_차단한다() {
+        Long userId = 1L;
+        JwtUserClaim claim = new JwtUserClaim(userId, UserRole.USER, false);
+        RefreshToken activeToken = RefreshToken.builder()
+                .userId(userId)
+                .refreshToken("active-token")
+                .times(3600L)
+                .build();
+
+        when(userRepository.findByIdForUpdate(userId)).thenReturn(Optional.of(mock(User.class)));
+        when(refreshTokenRepository.findByUserId(userId)).thenReturn(Optional.of(activeToken));
+
+        Optional<Token> result = oAuthLoginPolicyService.issueTokenIfNoActiveSession(claim);
+
+        assertThat(result).isEmpty();
+        verify(jwtHandler, never()).createTokens(any());
+        verify(refreshTokenRepository, never()).deleteByUserId(userId);
+    }
+
+    @Test
+    void 만료된_토큰만_있으면_삭제후_새_토큰을_발급한다() {
+        Long userId = 1L;
+        JwtUserClaim claim = new JwtUserClaim(userId, UserRole.USER, false);
+        RefreshToken expiredToken = RefreshToken.builder()
+                .userId(userId)
+                .refreshToken("expired-token")
+                .times(-1L)
+                .build();
+        Token issuedToken = Token.builder()
+                .accessToken("new-access")
+                .refreshToken("new-refresh")
+                .build();
+
+        when(userRepository.findByIdForUpdate(userId)).thenReturn(Optional.of(mock(User.class)));
+        when(refreshTokenRepository.findByUserId(userId)).thenReturn(Optional.of(expiredToken));
+        when(jwtHandler.createTokens(claim)).thenReturn(issuedToken);
+
+        Optional<Token> result = oAuthLoginPolicyService.issueTokenIfNoActiveSession(claim);
+
+        assertThat(result).contains(issuedToken);
+        verify(refreshTokenRepository).deleteByUserId(userId);
+        verify(jwtHandler).createTokens(claim);
+    }
+
+    @Test
+    void 사용자_락_대상_없으면_예외를_던진다() {
+        Long userId = 1L;
+        JwtUserClaim claim = new JwtUserClaim(userId, UserRole.USER, false);
+
+        when(userRepository.findByIdForUpdate(userId)).thenReturn(Optional.empty());
+
+        assertThatThrownBy(() -> oAuthLoginPolicyService.issueTokenIfNoActiveSession(claim))
+                .isInstanceOf(BusinessException.class);
+
+        verify(refreshTokenRepository, never()).findByUserId(anyLong());
+        verify(jwtHandler, never()).createTokens(any());
+    }
+}