[Fix] 요청한 클라이언트의 주소를 Origin 대신 Refer, Body 로 받도록 수정

Author: leegwichan

src/main/java/timeeat/client/oauth/OauthClient.java

@@ -32,7 +32,7 @@ public URI getOauthLoginUrl(String origin) {
 
         return UriComponentsBuilder.fromUriString("https://kauth.kakao.com/oauth/authorize")
                 .queryParam("client_id", properties.getClientId())
-                .queryParam("redirect_uri", origin + properties.getRedirectPath())
+                .queryParam("redirect_uri", createRedirectUri(origin))
                 .queryParam("response_type", "code")
                 .build()
                 .toUri();
@@ -44,7 +44,7 @@ public OauthToken requestOauthToken(String code, String origin) {
         MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
         body.add("grant_type", "authorization_code");
         body.add("client_id", properties.getClientId());
-        body.add("redirect_uri", origin + properties.getRedirectPath());
+        body.add("redirect_uri", createRedirectUri(origin));
         body.add("code", code);
 
         return restClient.post()
@@ -61,6 +61,13 @@ private void validateOrigin(String origin) {
         }
     }
 
+    private String createRedirectUri(String origin) {
+        return UriComponentsBuilder.fromUriString(origin)
+                .path(properties.getRedirectPath())
+                .build()
+                .toString();
+    }
+
     public OauthMemberInformation requestMemberInformation(OauthToken token) {
         return restClient.get()
                 .uri("https://kapi.kakao.com/v2/user/me")

src/main/java/timeeat/client/oauth/OauthProperties.java

@@ -4,6 +4,7 @@
 import java.util.List;
 import lombok.Getter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import timeeat.exception.InitializeException;
 
 @Getter
 @ConfigurationProperties(prefix = "oauth")
@@ -25,22 +26,19 @@ public OauthProperties(String clientId, String redirectPath, List<String> allowe
 
     private void validateClientId(String clientId) {
         if (clientId == null || clientId.isBlank()) {
-            // TODO InitializeException 을 이용
-            throw new RuntimeException("Client ID must not be null or empty");
+            throw new InitializeException("Client ID must not be null or empty");
         }
     }
 
     private void validateRedirectPath(String redirectPath) {
         if (redirectPath == null || !redirectPath.startsWith("/")) {
-            // TODO InitializeException 을 이용
-            throw new RuntimeException("Redirect path must not be null or start with '/'");
+            throw new InitializeException("Redirect path must not be null or start with '/'");
         }
     }
 
     private void validateOrigins(List<String> origins) {
         if (origins == null || origins.isEmpty()) {
-            // TODO InitializeException 을 이용
-            throw new RuntimeException("Allowed origins must not be null or empty");
+            throw new InitializeException("Allowed origins must not be null or empty");
         }
         origins.forEach(this::validateOrigin);
     }
@@ -50,18 +48,21 @@ private void validateOrigin(String origin) {
         try {
             uri = new URI(origin);
         } catch (Exception e) {
-            // TODO InitializeException 을 이용
-            throw new RuntimeException("Allowed origin must be a valid origin form: " + origin, e);
+            throw new InitializeException("Allowed origin must be a valid origin form: " + origin, e);
         }
 
         if (uri.getScheme() == null || uri.getHost() == null || !uri.getPath().isBlank()) {
-            // TODO InitializeException 을 이용
-            throw new RuntimeException("Allowed origin must be a valid origin form: " + origin);
+            throw new InitializeException("Allowed origin must be a valid origin form: " + origin);
         }
     }
 
     public boolean isAllowedOrigin(String origin) {
         return allowedOrigins.stream()
-                .anyMatch(allowedOrigin -> allowedOrigin.equalsIgnoreCase(origin.trim()));
+                .anyMatch(allowedOrigin -> isMatchedOrigin(allowedOrigin, origin));
+    }
+
+    private boolean isMatchedOrigin(String allowedOrigin, String origin) {
+        return origin.trim().equals(allowedOrigin)
+                || origin.trim().equals(allowedOrigin + "/");
     }
 }

src/main/java/timeeat/controller/auth/AuthController.java

@@ -22,7 +22,7 @@ public class AuthController {
     private final AuthService authService;
 
     @GetMapping("/api/auth/login/oauth")
-    public ResponseEntity<Void> redirectOauthLoginPage(@RequestHeader(HttpHeaders.ORIGIN) String origin) {
+    public ResponseEntity<Void> redirectOauthLoginPage(@RequestHeader(HttpHeaders.REFERER) String origin) {
         URI oauthLoginUrl = authService.getOauthLoginUrl(origin);
 
         return ResponseEntity
@@ -32,9 +32,8 @@ public ResponseEntity<Void> redirectOauthLoginPage(@RequestHeader(HttpHeaders.OR
     }
 
     @PostMapping("/api/auth/login")
-    public ResponseEntity<LoginResponse> login(@RequestHeader(HttpHeaders.ORIGIN) String origin,
-                                               @RequestBody LoginRequest request) {
-        MemberResponse member = authService.login(request, origin);
+    public ResponseEntity<LoginResponse> login(@RequestBody LoginRequest request) {
+        MemberResponse member = authService.login(request);
         TokenResponse token = new TokenResponse(
                 jwtManager.issueAccessToken(member.id()),
                 jwtManager.issueRefreshToken(member.id()));

src/main/java/timeeat/controller/auth/LoginRequest.java

@@ -1,4 +1,4 @@
 package timeeat.controller.auth;
 
-public record LoginRequest(String code) {
+public record LoginRequest(String code, String origin) {
 }

src/main/java/timeeat/exception/InitializeException.java

@@ -5,4 +5,8 @@ public class InitializeException extends RuntimeException {
     public InitializeException(String message) {
         super(message);
     }
+
+    public InitializeException(String message, Throwable cause) {
+        super(message, cause);
+    }
 }

src/main/java/timeeat/service/auth/AuthService.java

@@ -27,8 +27,8 @@ public URI getOauthLoginUrl(String origin) {
     }
 
     @Transactional
-    public MemberResponse login(LoginRequest request, String origin) {
-        OauthToken oauthToken = oauthClient.requestOauthToken(request.code(), origin);
+    public MemberResponse login(LoginRequest request) {
+        OauthToken oauthToken = oauthClient.requestOauthToken(request.code(), request.origin());
         OauthMemberInformation oauthInformation = oauthClient.requestMemberInformation(oauthToken);
 
         Optional<Member> optionalMember = memberRepository.findBySocialId(Long.toString(oauthInformation.socialId()));

src/test/java/timeeat/client/oauth/OauthClientTest.java

@@ -49,8 +49,8 @@ class GetOauthLoginUrl {
             assertAll(
                     () -> assertThat(uri.getHost()).isEqualTo("kauth.kakao.com"),
                     () -> assertThat(uri.getPath()).isEqualTo("/oauth/authorize"),
-                    () -> assertThat(uri.getQuery()).contains("client_id=%s".formatted(properties.getClientId())),
-                    () -> assertThat(uri.getQuery()).contains("redirect_uri=%s".formatted(redirectUri)),
+                    () -> assertThat(uri.getQuery()).contains("client_id=%s&".formatted(properties.getClientId())),
+                    () -> assertThat(uri.getQuery()).contains("redirect_uri=%s&".formatted(redirectUri)),
                     () -> assertThat(uri.getQuery()).contains("response_type=code")
             );
         }
@@ -64,6 +64,16 @@ class GetOauthLoginUrl {
 
             assertThat(exception.getErrorCode()).isEqualTo(BusinessErrorCode.UNAUTHORIZED_ORIGIN);
         }
+
+        @Test
+        void origin_뒤에_슬래시가_붙어도_정상적으로_처리된다() {
+            String origin = properties.getAllowedOrigins().getFirst();
+            String redirectUri = origin + properties.getRedirectPath();
+
+            URI uri = oauthClient.getOauthLoginUrl(origin + "/");
+
+            assertThat(uri.getQuery()).contains("redirect_uri=%s&".formatted(redirectUri));
+        }
     }
 
     @Nested

src/test/java/timeeat/client/oauth/OauthPropertiesTest.java

@@ -5,10 +5,10 @@
 
 import java.util.List;
 import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.NullAndEmptySource;
 import org.junit.jupiter.params.provider.ValueSource;
+import timeeat.exception.InitializeException;
 
 class OauthPropertiesTest {
 
@@ -19,23 +19,23 @@ class Validate {
         @NullAndEmptySource
         void 클라이언트_아이디가_비어있는_경우_예외를_던진다(String clientId) {
             assertThatThrownBy(() -> new OauthProperties(clientId, "/path", List.of("http://localhost:8080")))
-                    .isInstanceOf(RuntimeException.class)
+                    .isInstanceOf(InitializeException.class)
                     .hasMessage("Client ID must not be null or empty");
         }
 
         @ParameterizedTest
         @ValueSource(strings = {"path", ".path", "path/", ""})
         void 리다이렉트_경로가_경로_형식이_아닌_경우_예외를_던진다(String redirectPath) {
             assertThatThrownBy(() -> new OauthProperties("client-id", redirectPath, List.of("http://localhost:8080")))
-                    .isInstanceOf(RuntimeException.class)
+                    .isInstanceOf(InitializeException.class)
                     .hasMessage("Redirect path must not be null or start with '/'");
         }
 
         @ParameterizedTest
         @ValueSource(strings = {"invalid-url", "http://", "http://:8080", "http://localhost:8080/path", " "})
         void 허용된_오리진이_유효하지_않은_URL인_경우_예외를_던진다(String origin) {
             assertThatThrownBy(() -> new OauthProperties("client-id", "/path", List.of(origin)))
-                    .isInstanceOf(RuntimeException.class)
+                    .isInstanceOf(InitializeException.class)
                     .hasMessageContaining("Allowed origin must be a valid origin form");
         }
     }
@@ -44,7 +44,8 @@ class Validate {
     class IsAllowedOrigin {
 
         @ParameterizedTest
-        @ValueSource(strings = {"http://localhost:8080", " http://localhost:8080 ", "https://example.com"})
+        @ValueSource(strings = {"http://localhost:8080", " http://localhost:8080 ",
+                "https://example.com", "https://example.com/"})
         void 허용된_오리진인_경우_true를_반환한다(String allowedOrigin) {
             List<String> origins = List.of("http://localhost:8080", "https://example.com");
             OauthProperties oauthProperties = new OauthProperties("client-id", "/path", origins);
@@ -54,7 +55,8 @@ class IsAllowedOrigin {
             assertThat(isAllowed).isTrue();
         }
 
-        @Test
+        @ParameterizedTest
+        @ValueSource(strings = {"https://not-allowed.com", "http://localhost:8080/path", "http://localhost:8080nono"})
         void 허용되지_않은_오리진인_경우_false를_반환한다() {
             OauthProperties oauthProperties = new OauthProperties("client-id", "/path",
                     List.of("http://localhost:8080"));

src/test/java/timeeat/controller/auth/AuthControllerTest.java

@@ -12,12 +12,6 @@
 
 class AuthControllerTest extends BaseControllerTest {
 
-    @Value("${oauth.client-id}")
-    private String clientId;
-
-    @Value("${oauth.redirect-path}")
-    private String redirectPath;
-
     @Value("${oauth.allowed-origins[0]}")
     private String allowedOrigin;
 
@@ -26,11 +20,8 @@ class RedirectOauthLoginPage {
 
         @Test
         void Oauth_로그인_페이지로_리다이렉트_할_수_있다() {
-            String origin = allowedOrigin;
-            String expectedRedirectPath = origin + redirectPath;
-
             String location = given()
-                    .header(HttpHeaders.ORIGIN, origin)
+                    .header(HttpHeaders.REFERER, allowedOrigin)
                     .redirects().follow(false)
                     .when()
                     .get("/api/auth/login/oauth")
@@ -47,10 +38,9 @@ class Login {
 
         @Test
         void 인가코드를_통해_회원가입할_수_있다() {
-            LoginRequest request = new LoginRequest("auth-code");
+            LoginRequest request = new LoginRequest("auth-code", allowedOrigin);
 
             LoginResponse response = given().body(request)
-                    .header(HttpHeaders.ORIGIN, allowedOrigin)
                     .contentType(ContentType.JSON)
                     .when().post("/api/auth/login")
                     .then()
@@ -67,10 +57,9 @@ class Login {
         @Test
         void 인가코드를_통해_로그인할_수_있다() {
             memberGenerator.generate(oauthLoginSocialId());
-            LoginRequest request = new LoginRequest("auth-code");
+            LoginRequest request = new LoginRequest("auth-code", allowedOrigin);
 
             LoginResponse response = given().body(request)
-                    .header(HttpHeaders.ORIGIN, allowedOrigin)
                     .contentType(ContentType.JSON)
                     .when().post("/api/auth/login")
                     .then()

src/test/java/timeeat/document/auth/AuthDocumentTest.java

@@ -1,7 +1,6 @@
 package timeeat.document.auth;
 
 import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doReturn;
 import static org.springframework.restdocs.headers.HeaderDocumentation.headerWithName;
 import static org.springframework.restdocs.payload.JsonFieldType.BOOLEAN;
@@ -37,7 +36,7 @@ class RedirectOauthLoginPage {
                 .tag(Tag.AUTH_API)
                 .summary("OAuth 로그인 페이지 리다이렉트")
                 .requestHeader(
-                        headerWithName(HttpHeaders.ORIGIN).description("요청 Origin")
+                        headerWithName(HttpHeaders.REFERER).description("요청 Origin")
                 );
 
         RestDocsResponse responseDocument = response()
@@ -56,7 +55,7 @@ class RedirectOauthLoginPage {
 
             given(document)
                     .redirects().follow(false)
-                    .header(HttpHeaders.ORIGIN, origin)
+                    .header(HttpHeaders.REFERER, origin)
                     .when()
                     .get("/api/auth/login/oauth")
                     .then()
@@ -70,11 +69,9 @@ class Login {
         RestDocsRequest requestDocument = request()
                 .tag(Tag.AUTH_API)
                 .summary("로그인")
-                .requestHeader(
-                        headerWithName(HttpHeaders.ORIGIN).description("요청 Origin")
-                )
                 .requestBodyField(
-                        fieldWithPath("code").type(STRING).description("Oauth 인가 코드")
+                        fieldWithPath("code").type(STRING).description("Oauth 인가 코드"),
+                        fieldWithPath("origin").type(STRING).description("요청 Origin")
                 );
 
         RestDocsResponse responseDocument = response()
@@ -93,9 +90,9 @@ class Login {
 
         @Test
         void 로그인_성공() {
-            LoginRequest request = new LoginRequest("code");
+            LoginRequest request = new LoginRequest("code", "http://localhost:3000");
             MemberResponse response = new MemberResponse(1L, true, "닉네임", null, null, null);
-            doReturn(response).when(authService).login(eq(request), anyString());
+            doReturn(response).when(authService).login(request);
 
             var document = document("auth/login", 201)
                     .request(requestDocument)
@@ -104,7 +101,6 @@ class Login {
 
             given(document)
                     .contentType(ContentType.JSON)
-                    .header(HttpHeaders.ORIGIN, origin)
                     .body(request)
                     .when().post("/api/auth/login")
                     .then().statusCode(201);