Merge branch 'feature' into dev

Author: Cupcakes33

.github/workflows/backend-deploy.yml

@@ -0,0 +1,116 @@
+name: Backend Deploy
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'backend/**'
+
+concurrency:
+  group: maru-backend-prod
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: MARU_PROD_ENV
+    defaults:
+      run:
+        working-directory: backend
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: 'gradle'
+
+      - name: Build with Gradle
+        run: ./gradlew clean build
+
+      - name: Prepare JAR artifact
+        run: cp build/libs/maru-backend.jar ../maru-backend.jar
+
+      - name: Create env file
+        working-directory: .
+        run: |
+          {
+            printf 'SPRING_DATASOURCE_URL=%s\n' "${{ secrets.SPRING_DATASOURCE_URL }}"
+            printf 'SPRING_DATASOURCE_USERNAME=%s\n' "${{ secrets.SPRING_DATASOURCE_USERNAME }}"
+            printf 'SPRING_DATASOURCE_PASSWORD=%s\n' "${{ secrets.SPRING_DATASOURCE_PASSWORD }}"
+            printf 'JWT_SECRET=%s\n' "${{ secrets.JWT_SECRET }}"
+            printf 'OAUTH_GOOGLE_CLIENT_ID=%s\n' "${{ secrets.OAUTH_GOOGLE_CLIENT_ID }}"
+            printf 'OAUTH_GOOGLE_CLIENT_SECRET=%s\n' "${{ secrets.OAUTH_GOOGLE_CLIENT_SECRET }}"
+            printf 'OAUTH_KAKAO_CLIENT_ID=%s\n' "${{ secrets.OAUTH_KAKAO_CLIENT_ID }}"
+            printf 'OAUTH_KAKAO_CLIENT_SECRET=%s\n' "${{ secrets.OAUTH_KAKAO_CLIENT_SECRET }}"
+            printf 'SMS_SOLAPI_API_KEY=%s\n' "${{ secrets.SMS_SOLAPI_API_KEY }}"
+            printf 'SMS_SOLAPI_API_SECRET=%s\n' "${{ secrets.SMS_SOLAPI_API_SECRET }}"
+            printf 'SMS_SOLAPI_SENDER_NUMBER=%s\n' "${{ secrets.SMS_SOLAPI_SENDER_NUMBER }}"
+          } > maru-backend.env
+
+      - name: Verify artifacts
+        working-directory: .
+        run: ls -al maru-backend.jar maru-backend.env
+
+      - name: Upload JAR to EC2
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          host: ${{ secrets.EC2_HOST }}
+          username: ec2-user
+          key: ${{ secrets.EC2_SSH_KEY }}
+          source: maru-backend.jar
+          target: /tmp/
+
+      - name: Upload env file to EC2
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          host: ${{ secrets.EC2_HOST }}
+          username: ec2-user
+          key: ${{ secrets.EC2_SSH_KEY }}
+          source: maru-backend.env
+          target: /tmp/
+
+      - name: Deploy and restart service
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.EC2_HOST }}
+          username: ec2-user
+          key: ${{ secrets.EC2_SSH_KEY }}
+          script: |
+            set -euo pipefail
+
+            # env 디렉토리 설정
+            sudo mkdir -p /etc/maru
+            sudo chown root:root /etc/maru
+            sudo chmod 700 /etc/maru
+
+            # env 파일 원자적 교체
+            sudo mv -f /tmp/maru-backend.env /etc/maru/maru-backend.env.new
+            sudo mv -f /etc/maru/maru-backend.env.new /etc/maru/maru-backend.env
+            sudo chown root:root /etc/maru/maru-backend.env
+            sudo chmod 600 /etc/maru/maru-backend.env
+
+            # JAR 백업 (롤백용)
+            cp -f /home/ec2-user/maru-backend.jar /home/ec2-user/maru-backend.jar.bak || true
+
+            # JAR 원자적 교체
+            mv -f /tmp/maru-backend.jar /home/ec2-user/maru-backend.jar.new
+            mv -f /home/ec2-user/maru-backend.jar.new /home/ec2-user/maru-backend.jar
+
+            # 서비스 재시작
+            sudo systemctl restart maru-backend
+
+            # 스모크 테스트
+            sleep 5
+            curl -f http://localhost:8080/actuator/health || {
+              echo "Health check failed. Rolling back..."
+              mv -f /home/ec2-user/maru-backend.jar.bak /home/ec2-user/maru-backend.jar || true
+              sudo systemctl restart maru-backend
+              echo "Rollback complete. Service status:"
+              sudo systemctl status maru-backend --no-pager
+              exit 1
+            }

.github/workflows/frontend-deploy.yml

@@ -0,0 +1,57 @@
+name: Frontend Deploy
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'frontend/**'
+
+concurrency:
+  group: maru-frontend-prod
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: MARU_PROD_ENV
+    defaults:
+      run:
+        working-directory: frontend
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Type check
+        run: npm run type-check
+
+      - name: Build
+        run: npm run build
+        env:
+          VITE_API_BASE_URL: ${{ secrets.VITE_API_BASE_URL }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Deploy to S3
+        run: aws s3 sync build/ s3://${{ secrets.S3_BUCKET_NAME }} --delete
+
+      - name: Invalidate CloudFront cache
+        run: |
+          aws cloudfront create-invalidation \
+            --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} \
+            --paths "/*"

.gitignore

@@ -83,4 +83,5 @@ db/init/
 # ----------------------------
 # Docs
 # ----------------------------
-README-Docs/
+README-Docs/
+dojang_list.xlsx

backend/build.gradle

@@ -21,6 +21,7 @@ ext {
     lombokVersion = '1.18.30'
     jjwtVersion = '0.12.3'
     springdocVersion = '2.2.0'
+    hypersistenceTsidVersion = '2.1.4'
 }
 
 configurations {
@@ -55,6 +56,9 @@ dependencies {
     implementation 'org.flywaydb:flyway-core'
     implementation 'org.flywaydb:flyway-mysql'
 
+    // TSID (Time-Sorted Unique Identifier)
+    implementation "io.hypersistence:hypersistence-tsid:${hypersistenceTsidVersion}"
+
     // ============== Security & Authentication==============
     // Spring Security
     implementation 'org.springframework.boot:spring-boot-starter-security'
@@ -76,6 +80,10 @@ dependencies {
     // SpringDoc OpenAPI (Swagger UI)
     implementation "org.springdoc:springdoc-openapi-starter-webmvc-ui:${springdocVersion}"
 
+    // ============== Caching ==============
+    implementation 'org.springframework.boot:spring-boot-starter-cache'
+    implementation 'com.github.ben-manes.caffeine:caffeine'
+
     // ============== External Services ==============
     // Solapi SMS SDK
     implementation 'com.solapi:sdk:1.0.3'

backend/src/main/java/com/maru/common/aop/AopOrder.java

@@ -0,0 +1,11 @@
+package com.maru.common.aop;
+
+import org.springframework.core.Ordered;
+
+public final class AopOrder {
+
+    private AopOrder() {}
+
+    public static final int SECURITY_VALIDATION = Ordered.HIGHEST_PRECEDENCE + 100;
+    public static final int PERMISSION_CHECK = Ordered.HIGHEST_PRECEDENCE + 200;
+}

backend/src/main/java/com/maru/common/aop/DojangAccessAspect.java

@@ -0,0 +1,69 @@
+package com.maru.common.aop;
+
+import com.maru.security.DojangAccessValidator;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.annotation.Pointcut;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/**
+ * 도장 접근 검증 AOP
+ *
+ * @see AopOrder
+ */
+@Slf4j
+@Aspect
+@Component
+@Order(AopOrder.SECURITY_VALIDATION)
+@RequiredArgsConstructor
+public class DojangAccessAspect {
+
+    private final DojangAccessValidator validator;
+
+    // 1. 클래스에 @ValidateDojangAccess가 붙어있는지 확인
+    @Pointcut("@within(validateDojangAccess)")
+    public void hasValidateDojangAccess(ValidateDojangAccess validateDojangAccess) {}
+
+    // 2. public 메서드인지 확인
+    @Pointcut("execution(public * *(..))")
+    public void isPublicMethod() {}
+
+    // 3. @SkipDojangValidation이 붙어있지 않은지 확인
+    @Pointcut("!@annotation(com.maru.common.aop.SkipDojangValidation)")
+    public void isNotSkipped() {}
+
+    @Before("hasValidateDojangAccess(validateDojangAccess) && isPublicMethod() && isNotSkipped()")
+    public void validateAccess(JoinPoint joinPoint, ValidateDojangAccess validateDojangAccess) {
+        String paramName = validateDojangAccess.paramName();
+        String dojangId = extractDojangId(joinPoint, paramName);
+
+        if (dojangId == null) {
+            log.debug("dojangId 파라미터 없음, 검증 스킵: {}", joinPoint.getSignature().toShortString());
+            return;
+        }
+
+        validator.validate(dojangId);
+    }
+
+    private String extractDojangId(JoinPoint joinPoint, String paramName) {
+        MethodSignature signature = (MethodSignature) joinPoint.getSignature();
+        Object[] args = joinPoint.getArgs();
+        String[] parameterNames = signature.getParameterNames();
+
+        if (parameterNames == null) {
+            return null;
+        }
+
+        for (int i = 0; i < parameterNames.length; i++) {
+            if (paramName.equals(parameterNames[i])) {
+                return (String) args[i];
+            }
+        }
+        return null;
+    }
+}

backend/src/main/java/com/maru/common/aop/PermissionCheckAspect.java

@@ -0,0 +1,77 @@
+package com.maru.common.aop;
+
+import com.maru.domain.permission.PermissionType;
+import com.maru.security.PermissionCache;
+import com.maru.security.RequirePermission;
+import com.maru.security.TenantContextHolder;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.stereotype.Component;
+
+import java.util.Arrays;
+import java.util.stream.Collectors;
+
+/**
+ * 권한 검증 AOP
+ *
+ * @see RequirePermission
+ * @see AopOrder
+ */
+@Slf4j
+@Aspect
+@Component
+@Order(AopOrder.PERMISSION_CHECK)
+@RequiredArgsConstructor
+public class PermissionCheckAspect {
+
+    private final PermissionCache permissionCache;
+
+    @Before("@annotation(requirePermission)")
+    public void checkPermission(RequirePermission requirePermission) {
+        if (TenantContextHolder.isOwner() || TenantContextHolder.isSystemUser()) {
+            log.debug("OWNER 또는 SYSTEM 사용자 - 권한 검증 스킵");
+            return;
+        }
+
+        String userId = TenantContextHolder.getUserId();
+        String tenantId = TenantContextHolder.getTenantId();
+        String dojangId = TenantContextHolder.getDojangId();
+
+        if (userId == null || tenantId == null || dojangId == null) {
+            log.warn("권한 검증 실패 - 컨텍스트 정보 누락: userId={}, tenantId={}, dojangId={}",
+                    userId, tenantId, dojangId);
+            throw new AccessDeniedException("인증 정보가 없습니다");
+        }
+
+        PermissionType[] requiredPermissions = requirePermission.value();
+        RequirePermission.LogicalOperator operator = requirePermission.operator();
+
+        boolean hasPermission = checkPermissions(userId, tenantId, dojangId, requiredPermissions, operator);
+
+        if (!hasPermission) {
+            String permissionCodes = Arrays.stream(requiredPermissions)
+                    .map(PermissionType::getCode)
+                    .collect(Collectors.joining(", "));
+            log.warn("권한 검증 실패: userId={}, dojangId={}, required=[{}], operator={}",
+                    userId, dojangId, permissionCodes, operator);
+            throw new AccessDeniedException("권한이 없습니다");
+        }
+
+        log.debug("권한 검증 성공: userId={}, dojangId={}", userId, dojangId);
+    }
+
+    private boolean checkPermissions(String userId, String tenantId, String dojangId,
+            PermissionType[] permissions, RequirePermission.LogicalOperator operator) {
+        if (operator == RequirePermission.LogicalOperator.AND) {
+            return Arrays.stream(permissions).allMatch(p ->
+                    permissionCache.hasPermission(userId, tenantId, dojangId, p.getResource(), p.getAction()));
+        } else {
+            return Arrays.stream(permissions).anyMatch(p ->
+                    permissionCache.hasPermission(userId, tenantId, dojangId, p.getResource(), p.getAction()));
+        }
+    }
+}

backend/src/main/java/com/maru/common/aop/SkipDojangValidation.java

@@ -0,0 +1,16 @@
+package com.maru.common.aop;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * 도장 접근 검증 스킵
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface SkipDojangValidation {
+}