refactor: Apple JWT 인증 시스템 리팩토링 및 키 파싱 안정화

.coderabbit.yaml

@@ -6,7 +6,7 @@ reviews:
   high_level_summary: true
   poem: false
   review_status: true
-  collapse_walkthrough: true
+  collapse_walkthrough: false
   auto_review:
     enabled: true
     drafts: false

.github/workflows/ci-pr.yml

@@ -31,6 +31,7 @@ jobs:
           echo "${{ secrets.DEV_SECRET_PROPERTIES }}" > ./secret/application-dev-secret.properties
           echo "${{ secrets.PROD_SECRET_PROPERTIES }}" > ./secret/application-prod-secret.properties
           echo "${{ secrets.TEST_SECRET_PROPERTIES }}" > ./secret/application-test-secret.properties
+          echo "${{ secrets.APPLE_AUTH_KEY }}" > ./secret/AuthKey.p8
           chmod 600 ./secret/*
 
       - name: Set up JDK 21

.github/workflows/dev-ci-cd.yml

@@ -29,6 +29,7 @@ jobs:
           mkdir ./secret
           echo "${{ secrets.DEV_SECRET_PROPERTIES }}" > ./secret/application-dev-secret.properties
           echo "${{ secrets.TEST_SECRET_PROPERTIES }}" > ./secret/application-test-secret.properties
+          echo "${{ secrets.APPLE_AUTH_KEY }}" > ./secret/AuthKey.p8
           chmod 600 ./secret/*
 
       - name: Set up Docker Buildx

.github/workflows/prod-ci-cd.yml

@@ -29,6 +29,7 @@ jobs:
           mkdir ./secret
           echo "${{ secrets.PROD_SECRET_PROPERTIES }}" > ./secret/application-prod-secret.properties
           echo "${{ secrets.TEST_SECRET_PROPERTIES }}" > ./secret/application-test-secret.properties
+          echo "${{ secrets.APPLE_AUTH_KEY }}" > ./secret/AuthKey.p8
           chmod 600 ./secret/*
 
       - name: Set up Docker Buildx

apis/build.gradle.kts

@@ -11,13 +11,19 @@ dependencies {
     implementation(Dependencies.Spring.BOOT_STARTER_SECURITY)
     implementation(Dependencies.Spring.BOOT_STARTER_VALIDATION)
     implementation(Dependencies.Spring.BOOT_STARTER_ACTUATOR)
+    implementation(Dependencies.Spring.BOOT_STARTER_OAUTH2_CLIENT)
 
     implementation(Dependencies.Database.MYSQL_CONNECTOR)
 
     implementation(Dependencies.Swagger.SPRINGDOC_OPENAPI_STARTER_WEBMVC_UI)
 
     implementation(Dependencies.Logging.KOTLIN_LOGGING)
 
+    implementation(Dependencies.BouncyCastle.BC_PROV)
+    implementation(Dependencies.BouncyCastle.BC_PKIX)
+
+    annotationProcessor(Dependencies.Spring.CONFIGURATION_PROCESSOR)
+
     testImplementation(Dependencies.Spring.BOOT_STARTER_TEST)
     testImplementation(Dependencies.TestContainers.MYSQL)
     testImplementation(Dependencies.TestContainers.JUNIT_JUPITER)

apis/src/main/kotlin/org/yapp/apis/auth/controller/AuthController.kt

@@ -12,9 +12,6 @@ import org.yapp.apis.auth.dto.response.UserProfileResponse
 import org.yapp.apis.auth.usecase.AuthUseCase
 import java.util.*
 
-/**
- * Implementation of the authentication controller API.
- */
 @RestController
 @RequestMapping("/api/v1/auth")
 class AuthController(

apis/src/main/kotlin/org/yapp/apis/auth/controller/AuthControllerApi.kt

@@ -21,28 +21,28 @@ import org.yapp.apis.auth.dto.response.UserProfileResponse
 import org.yapp.globalutils.exception.ErrorResponse
 import java.util.*
 
-@Tag(name = "Authentication", description = "Authentication API")
+@Tag(name = "Authentication", description = "인증 관련 API")
 interface AuthControllerApi {
 
     @Operation(
-        summary = "Sign in or sign up with social login",
-        description = "Sign in a user with social login credentials (Kakao or Apple). If the user doesn't exist, they will be automatically registered."
+        summary = "소셜 로그인",
+        description = "카카오 또는 애플 계정으로 로그인합니다. 사용자가 존재하지 않으면 자동으로 회원가입됩니다."
     )
     @ApiResponses(
         value = [
             ApiResponse(
                 responseCode = "200",
-                description = "Successful sign in or sign up",
+                description = "로그인/회원가입 성공",
                 content = [Content(schema = Schema(implementation = AuthResponse::class))]
             ),
             ApiResponse(
                 responseCode = "400",
-                description = "Invalid request or credentials",
+                description = "잘못된 요청 또는 인증 정보",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             ),
             ApiResponse(
                 responseCode = "409",
-                description = "Email already in use with a different account",
+                description = "이미 다른 계정으로 사용 중인 이메일",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             )
         ]
@@ -51,74 +51,74 @@ interface AuthControllerApi {
     fun signIn(@RequestBody @Valid request: SocialLoginRequest): ResponseEntity<AuthResponse>
 
     @Operation(
-        summary = "Refresh token",
-        description = "Refresh an access token using a refresh token. Returns both a new access token and a new refresh token."
+        summary = "토큰 갱신",
+        description = "리프레시 토큰을 사용하여 액세스 토큰을 갱신합니다. 새로운 액세스 토큰과 리프레시 토큰을 반환합니다."
     )
     @ApiResponses(
         value = [
             ApiResponse(
                 responseCode = "200",
-                description = "Successful token refresh",
+                description = "토큰 갱신 성공",
                 content = [Content(schema = Schema(implementation = AuthResponse::class))]
             ),
             ApiResponse(
                 responseCode = "400",
-                description = "Invalid refresh token",
+                description = "유효하지 않은 리프레시 토큰",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             ),
             ApiResponse(
                 responseCode = "404",
-                description = "Refresh token not found",
+                description = "리프레시 토큰을 찾을 수 없음",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             )
         ]
     )
     @PostMapping("/refresh")
     fun refreshToken(@RequestBody @Valid request: TokenRefreshRequest): ResponseEntity<AuthResponse>
 
-    @Operation(summary = "Sign out", description = "Sign out a user by invalidating their refresh token")
+    @Operation(summary = "로그아웃", description = "리프레시 토큰을 무효화하여 사용자를 로그아웃합니다")
     @ApiResponses(
         value = [
-            ApiResponse(responseCode = "204", description = "Successful sign out"),
+            ApiResponse(responseCode = "204", description = "로그아웃 성공"),
             ApiResponse(
                 responseCode = "400",
-                description = "Invalid user ID",
+                description = "유효하지 않은 사용자 ID",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             )
         ]
     )
     @PostMapping("/signout")
     fun signOut(@AuthenticationPrincipal userId: UUID): ResponseEntity<Unit>
 
-    @Operation(summary = "Get user profile", description = "Retrieves profile information for the given user ID.")
+    @Operation(summary = "사용자 프로필 조회", description = "현재 로그인한 사용자의 프로필 정보를 조회합니다.")
     @ApiResponses(
         value = [
             ApiResponse(
                 responseCode = "200",
-                description = "User profile retrieved successfully",
+                description = "사용자 프로필 조회 성공",
                 content = [Content(schema = Schema(implementation = UserProfileResponse::class))]
             ),
             ApiResponse(
                 responseCode = "404",
-                description = "User not found",
+                description = "사용자를 찾을 수 없음",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             )
         ]
     )
     @GetMapping("/me")
     fun getUserProfile(@AuthenticationPrincipal userId: UUID): ResponseEntity<UserProfileResponse>
 
-    @Operation(summary = "Update terms agreement", description = "Updates the user's terms agreement status")
+    @Operation(summary = "약관 동의 상태 수정", description = "사용자의 약관 동의 상태를 업데이트합니다")
     @ApiResponses(
         value = [
             ApiResponse(
                 responseCode = "200",
-                description = "Terms agreement status updated successfully",
+                description = "약관 동의 상태 업데이트 성공",
                 content = [Content(schema = Schema(implementation = UserProfileResponse::class))]
             ),
             ApiResponse(
                 responseCode = "404",
-                description = "User not found",
+                description = "사용자를 찾을 수 없음",
                 content = [Content(schema = Schema(implementation = ErrorResponse::class))]
             )
         ]

apis/src/main/kotlin/org/yapp/apis/auth/dto/request/FindOrCreateUserRequest.kt

@@ -4,7 +4,7 @@ import io.swagger.v3.oas.annotations.media.Schema
 import jakarta.validation.constraints.NotBlank
 import jakarta.validation.constraints.NotNull
 import org.yapp.apis.auth.dto.response.UserCreateInfoResponse
-import org.yapp.apis.util.NicknameGenerator
+import org.yapp.apis.auth.util.NicknameGenerator
 import org.yapp.domain.user.ProviderType
 
 @Schema(

apis/src/main/kotlin/org/yapp/apis/auth/dto/request/SaveAppleRefreshTokenRequest.kt

@@ -0,0 +1,50 @@
+package org.yapp.apis.auth.dto.request
+
+import io.swagger.v3.oas.annotations.media.Schema
+import jakarta.validation.constraints.NotBlank
+import jakarta.validation.constraints.NotNull
+import org.yapp.apis.auth.dto.response.CreateUserResponse
+import org.yapp.apis.auth.strategy.AppleAuthCredentials
+import java.util.UUID
+
+@Schema(
+    name = "SaveAppleRefreshTokenRequest",
+    description = "Request DTO for saving Apple refresh token with user ID and authorization code"
+)
+data class SaveAppleRefreshTokenRequest private constructor(
+    @Schema(
+        description = "Unique identifier of the user",
+        example = "a1b2c3d4-e5f6-7890-1234-56789abcdef0"
+    )
+    @field:NotNull(message = "userId must not be null")
+    val userId: UUID? = null,
+
+    @Schema(
+        description = "Authorization code from Apple OAuth process",
+        example = "cdef1234-abcd-5678-efgh-9012ijklmnop"
+    )
+    @field:NotBlank(message = "authorizationCode must not be blank")
+    val authorizationCode: String? = null,
+
+    @Schema(
+        description = "Apple refresh token, nullable if not issued yet",
+        example = "apple-refresh-token-example"
+    )
+    val appleRefreshToken: String? = null
+) {
+    fun validUserId(): UUID = userId!!
+    fun validAuthorizationCode(): String = authorizationCode!!
+
+    companion object {
+        fun of(
+            userResponse: CreateUserResponse,
+            credentials: AppleAuthCredentials
+        ): SaveAppleRefreshTokenRequest {
+            return SaveAppleRefreshTokenRequest(
+                userId = userResponse.id,
+                authorizationCode = credentials.authorizationCode,
+                appleRefreshToken = userResponse.appleRefreshToken
+            )
+        }
+    }
+}

apis/src/main/kotlin/org/yapp/apis/auth/dto/request/SocialLoginRequest.kt

@@ -28,7 +28,14 @@ data class SocialLoginRequest private constructor(
         required = true
     )
     @field:NotBlank(message = "OAuth token is required")
-    val oauthToken: String? = null
+    val oauthToken: String? = null,
+
+    @Schema(
+        description = "Authorization code used to issue Apple access/refresh tokens (required only for Apple login)",
+        example = "c322a426...",
+        required = false
+    )
+    val authorizationCode: String? = null
 ) {
     fun validProviderType(): String = providerType!!
     fun validOauthToken(): String = oauthToken!!
@@ -46,7 +53,11 @@ data class SocialLoginRequest private constructor(
 
             return when (provider) {
                 ProviderType.KAKAO -> KakaoAuthCredentials(request.validOauthToken())
-                ProviderType.APPLE -> AppleAuthCredentials(request.validOauthToken())
+                ProviderType.APPLE -> {
+                    val authCode = request.authorizationCode
+                        ?: throw AuthException(AuthErrorCode.INVALID_REQUEST, "Apple login requires an authorization code.")
+                    AppleAuthCredentials(request.validOauthToken(), authCode)
+                }
             }
         }
     }

apis/src/main/kotlin/org/yapp/apis/auth/dto/request/TermsAgreementRequest.kt

@@ -6,9 +6,8 @@ import jakarta.validation.constraints.NotNull
 @Schema(description = "Request to update terms agreement status")
 data class TermsAgreementRequest private constructor(
     @Schema(description = "Whether the user agrees to the terms of service", example = "true", required = true)
+    @field:NotNull(message = "termsAgreed must not be null")
     val termsAgreed: Boolean? = null
-
-
 ) {
     fun validTermsAgreed(): Boolean = termsAgreed!!
 }

apis/src/main/kotlin/org/yapp/apis/auth/dto/response/CreateUserResponse.kt

@@ -1,9 +1,9 @@
 package org.yapp.apis.auth.dto.response
 
 import io.swagger.v3.oas.annotations.media.Schema
-import org.yapp.domain.user.vo.UserIdentityVO
+import org.yapp.domain.user.vo.UserAuthVO
 import org.yapp.globalutils.auth.Role
-import java.util.UUID
+import java.util.*
 
 @Schema(
     name = "CreateUserResponse",
@@ -20,13 +20,20 @@ data class CreateUserResponse private constructor(
         description = "사용자 역할",
         example = "USER"
     )
-    val role: Role
+    val role: Role,
+
+    @Schema(
+        description = "Apple Refresh Token (Apple 유저인 경우에만 존재)",
+        nullable = true
+    )
+    val appleRefreshToken: String?
 ) {
     companion object {
-        fun from(identity: UserIdentityVO): CreateUserResponse {
+        fun from(auth: UserAuthVO): CreateUserResponse {
             return CreateUserResponse(
-                id = identity.id.value,
-                role = identity.role
+                id = auth.id.value,
+                role = auth.role,
+                appleRefreshToken = auth.appleRefreshToken
             )
         }
     }

apis/src/main/kotlin/org/yapp/apis/auth/exception/AuthErrorCode.kt

@@ -3,33 +3,51 @@ package org.yapp.apis.auth.exception
 import org.springframework.http.HttpStatus
 import org.yapp.globalutils.exception.BaseErrorCode
 
-/**
- * Error codes for authentication-related errors.
- */
 enum class AuthErrorCode(
     private val httpStatus: HttpStatus,
     private val code: String,
     private val message: String
 ) : BaseErrorCode {
 
     /* 400 BAD_REQUEST  */
-    UNSUPPORTED_PROVIDER_TYPE(HttpStatus.BAD_REQUEST, "AUTH_005", "Unsupported provider type."),
-    INVALID_CREDENTIALS(HttpStatus.BAD_REQUEST, "AUTH_006", "Invalid credentials."),
-    EMAIL_NOT_FOUND(HttpStatus.BAD_REQUEST, "AUTH_007", "Email not found."),
-    INVALID_ID_TOKEN_FORMAT(HttpStatus.BAD_REQUEST, "AUTH_008", "Invalid ID token format."),
-    SUBJECT_NOT_FOUND(HttpStatus.BAD_REQUEST, "AUTH_009", "Subject not found in ID token."),
-    FAILED_TO_PARSE_ID_TOKEN(HttpStatus.BAD_REQUEST, "AUTH_010", "Failed to parse ID token."),
-    FAILED_TO_GET_USER_INFO(HttpStatus.BAD_REQUEST, "AUTH_011", "Failed to get user info from provider."),
-    USER_NOT_FOUND(HttpStatus.BAD_REQUEST, "AUTH_012", "User not found."),
+    UNSUPPORTED_PROVIDER_TYPE(HttpStatus.BAD_REQUEST, "AUTH_400_01", "지원되지 않는 공급자 타입입니다."),
+    INVALID_CREDENTIALS(HttpStatus.BAD_REQUEST, "AUTH_400_02", "잘못된 인증 정보입니다."),
+    INVALID_REQUEST(HttpStatus.BAD_REQUEST, "AUTH_400_03", "잘못된 요청입니다."),
+    INVALID_ID_TOKEN_FORMAT(HttpStatus.BAD_REQUEST, "AUTH_400_04", "잘못된 ID 토큰 형식입니다."),
+    SUBJECT_NOT_FOUND(HttpStatus.BAD_REQUEST, "AUTH_400_05", "ID 토큰에서 주체를 찾을 수 없습니다."),
+    FAILED_TO_PARSE_ID_TOKEN(HttpStatus.BAD_REQUEST, "AUTH_400_06", "ID 토큰 파싱에 실패했습니다."),
+    FAILED_TO_GET_USER_INFO(HttpStatus.BAD_REQUEST, "AUTH_400_07", "공급자로부터 사용자 정보를 가져오는데 실패했습니다."),
+    USER_NOT_FOUND(HttpStatus.BAD_REQUEST, "AUTH_400_08", "사용자를 찾을 수 없습니다."),
+    EMAIL_NOT_FOUND(HttpStatus.BAD_REQUEST, "AUTH_400_09", "이메일을 찾을 수 없습니다."),
+    INVALID_APPLE_ID_TOKEN(HttpStatus.BAD_REQUEST, "AUTH_400_10", "유효하지 않은 Apple ID 토큰입니다."),
 
     /* 401 UNAUTHORIZED */
-    INVALID_REFRESH_TOKEN(HttpStatus.UNAUTHORIZED, "AUTH_002", "Invalid refresh token."),
-    REFRESH_TOKEN_NOT_FOUND(HttpStatus.UNAUTHORIZED, "AUTH_003", "Refresh token not found."),
-    INVALID_ACCESS_TOKEN(HttpStatus.UNAUTHORIZED, "AUTH_004", "Invalid access token."),
+    INVALID_OAUTH_TOKEN(HttpStatus.UNAUTHORIZED, "AUTH_401_01", "잘못된 소셜 OAuth 토큰입니다."),
+    INVALID_REFRESH_TOKEN(HttpStatus.UNAUTHORIZED, "AUTH_401_02", "잘못된 리프레시 토큰입니다."),
+    REFRESH_TOKEN_NOT_FOUND(HttpStatus.UNAUTHORIZED, "AUTH_401_03", "리프레시 토큰을 찾을 수 없습니다."),
+    INVALID_ACCESS_TOKEN(HttpStatus.UNAUTHORIZED, "AUTH_401_04", "잘못된 액세스 토큰입니다."),
+
+    /* 403 FORBIDDEN */
+    INSUFFICIENT_PERMISSIONS(HttpStatus.FORBIDDEN, "AUTH_403_01", "요청된 리소스에 대한 권한이 부족합니다."),
 
     /* 409 CONFLICT */
-    EMAIL_ALREADY_IN_USE(HttpStatus.CONFLICT, "AUTH_001", "Email already in use with a different account.");
+    EMAIL_ALREADY_IN_USE(HttpStatus.CONFLICT, "AUTH_409_01", "이미 다른 계정에서 사용 중인 이메일입니다."),
 
+    /* 500 INTERNAL_SERVER_ERROR */
+    INTERNAL_SERVER_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH_500_01", "내부 서버 오류입니다."),
+    FAILED_TO_LOAD_PRIVATE_KEY(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH_500_02", "Apple 개인키 로드에 실패했습니다."),
+    INVALID_PRIVATE_KEY_FORMAT(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH_500_03", "잘못된 개인키 형식입니다."),
+    FAILED_TO_COMMUNICATE_WITH_PROVIDER(
+        HttpStatus.INTERNAL_SERVER_ERROR,
+        "AUTH_500_04",
+        "외부 공급자와의 통신에 실패했습니다."
+    ),
+    OAUTH_SERVER_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH_500_05", "소셜 OAuth 서버 오류입니다."),
+    MISSING_APPLE_REFRESH_TOKEN(
+        HttpStatus.INTERNAL_SERVER_ERROR,
+        "AUTH_500_06",
+        "Apple에서 초기 로그인 시 리프레시 토큰을 제공하지 않았습니다."
+    );
 
     override fun getHttpStatus(): HttpStatus = httpStatus
     override fun getCode(): String = code