API요청시 JWT 검증

Author: LimByeongSu

backend/src/main/java/com/backend/domain/user/entity/User.java

@@ -1,12 +1,9 @@
 package com.backend.domain.user.entity;
 
 import jakarta.persistence.*;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.NotNull;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import org.hibernate.annotations.Where;
-import org.springframework.cglib.core.Local;
 import org.springframework.data.annotation.CreatedDate;
 import org.springframework.data.annotation.LastModifiedDate;
 import org.springframework.data.jpa.domain.support.AuditingEntityListener;

backend/src/main/java/com/backend/domain/user/service/EmailService.java

@@ -46,7 +46,7 @@ public void sendEmail(String email) throws MessagingException {
         helper.setSubject("[임시 서비스 이름] 회원가입 인증 코드입니다.");
 
         // 이메일 본문 (HTML 형식으로 보냄)
-        String content = "<h2>안녕하세요. [임시 서비스 이름]입니다.</h2>"
+        String content = "<h2>안녕하세요. [PortfolioIQ]입니다.</h2>"
                 + "<p>아래 6자리 인증 코드를 인증 창에 입력해 주세요.</p>"
                 + "<div style='font-size: 24px; font-weight: bold; color: #1e88e5;'>"
                 + authCode

backend/src/main/java/com/backend/domain/user/service/UserService.java

@@ -48,7 +48,7 @@ public User join(@NotBlank String email, @NotBlank String password, @NotBlank St
 
         //검증이 완료되었다면 해당 email을 redis에서 삭제
         if(redisUtil.deleteData("VERIFIED_EMAIL:" + email)) {
-            System.out.println("VERIFIED_EMAIL:" + email + "은 삭제가 됐습니다.");
+            System.out.println("VERIFIED_EMAIL:" + email + "은 email검증이 완료되어서 redis에서 삭제가 됐습니다.");
         }else{
             System.out.println("redis 삭제 실패입니다.");
         }

backend/src/main/java/com/backend/domain/user/util/JwtUtil.java

@@ -8,8 +8,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import javax.crypto.SecretKey;
 import java.nio.charset.StandardCharsets;
-import java.security.Key;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
@@ -22,8 +22,8 @@ public class JwtUtil {
     @Value("${jwt.access-token-expiration-in-milliseconds}")
     private int tokenValidityMilliSeconds;
 
-    //SecretKey를 Base64로 인코딩하여 Key객체로 변환
-    private Key key;
+    //SecretKey를 Base64로 인코딩하여 SecretKey객체로 변환
+    private SecretKey key;
 
     //key값 초기화
     @PostConstruct  //의존성 주입이 될때 딱 1번만 실행되기 때문에 key값은 이후로 변하지 않음
@@ -39,9 +39,7 @@ public String createToken(String email, String name) {
         claims.put("name", name);
 
         Date now = new Date();
-        System.out.println("now : "+now.getTime());
         Date expiration = new Date(now.getTime() + tokenValidityMilliSeconds);
-        System.out.println("expiration : "+expiration.getTime());
         return Jwts.builder()
                 .claims(claims)
                 .issuedAt(now)
@@ -50,4 +48,13 @@ public String createToken(String email, String name) {
                 .compact();
     }
 
+    //JWT 검증 및 Claims 추출
+    public Claims parseClaims(String token) {
+        return Jwts.parser()
+                .verifyWith(key)
+                .build()
+                .parseSignedClaims(token)
+                .getPayload();
+
+    }
 }

backend/src/main/java/com/backend/global/security/JwtAuthenticationFilter.java

@@ -0,0 +1,87 @@
+package com.backend.global.security;
+
+import com.backend.domain.user.util.JwtUtil;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.JwtException;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.time.LocalDateTime;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+@RequiredArgsConstructor
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+    private final JwtUtil jwtUtil;
+
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        String authorizationHeader = request.getHeader("Authorization");
+        String token = null;
+
+        //"Bearer " 제거
+        if(authorizationHeader != null && authorizationHeader.startsWith("Bearer ")){
+            token = authorizationHeader.substring(7);
+        }
+
+        //토큰이 있다면 검증 및 인증
+        if(token != null) {
+            try {
+                Claims claims = jwtUtil.parseClaims(token);
+
+                String email = claims.getSubject(); //"sub"값 가져오기
+
+                //추출된 정보로 Spring Security 인증 객체 생성 (파싱)
+                Authentication authentication = null;
+                if (email != null) {
+                    //나중에 권한을 추가하면 Collections.emptyList()대신 넣을것
+                    authentication = new UsernamePasswordAuthenticationToken(
+                            email,
+                            null,
+                            Collections.emptyList());
+                }
+
+                // SecurityContextHolder에 인증 정보 저장
+                SecurityContextHolder.getContext().setAuthentication(authentication);
+            }catch (ExpiredJwtException e) {
+                // 토큰 만료 시
+                sendErrorResponse(response, HttpServletResponse.SC_UNAUTHORIZED, "Token Expired : 토큰의 유효기간이 지났습니다.");
+                return;
+            } catch (JwtException e) {
+                // 서명 불일치, 토큰 형식 오류 등
+                sendErrorResponse(response, HttpServletResponse.SC_FORBIDDEN, "Invalid Token : 올바른 토큰 값이 아닙니다.");
+                return;
+            }
+
+        }
+        // 다음 필터로 요청 전달
+        filterChain.doFilter(request, response);
+    }
+
+    private void sendErrorResponse(HttpServletResponse response, int status, String message) throws IOException {
+        response.setContentType("application/json;charset=UTF-8");
+        response.setStatus(status);
+
+        Map<String, Object> errorDetails = new HashMap<>();
+        errorDetails.put("status", status);
+        errorDetails.put("error", "Authentication Failed");
+        errorDetails.put("message", message);
+        errorDetails.put("timestamp", LocalDateTime.now().toString());
+
+        //Map을 JSON 문자열로 변환하여 응답 본문에 작성
+        ObjectMapper objectMapper = new ObjectMapper();
+        response.getWriter().write(objectMapper.writeValueAsString(errorDetails));
+    }
+}

backend/src/main/java/com/backend/global/security/SecurityConfig.java

@@ -1,30 +1,45 @@
 package com.backend.global.security;
 
+import com.backend.domain.user.util.JwtUtil;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
+@RequiredArgsConstructor
 public class SecurityConfig {
 
+    private final JwtUtil jwtUtil;
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
-                .csrf(csrf -> csrf.disable())
+                // JWT 인증을 사용하므로 세션을 사용하지 않음 (Stateless)
+                .sessionManagement(session -> session
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                )
 
                 // H2 콘솔은 frameOptions 해제 필요 (iframe으로 동작)
                 .headers(headers -> headers
                         .frameOptions(frame -> frame.disable())
                 )
+
+                // CSRF 공격 방지 비활성화 (Stateless API에서 주로 사용)
                 // H2 콘솔은 CSRF 예외로 설정
                 .csrf(csrf -> csrf.disable())
 
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(
-                                "/api/**",
+                                "/api/login", //로그인
+                                "/api/auth",  //이메인 인증코드 전송
+                                "/api/verify",//이메일 인증코드 검증
+                                "/api/user",  //회원가입
                                 "/v3/api-docs/**",
                                 "/swagger-ui/**",
                                 "/swagger-resources/**",
@@ -40,7 +55,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                         .anyRequest().authenticated()
                 )
                 .formLogin(login -> login.disable())
-                .httpBasic(basic -> basic.disable());
+                .httpBasic(basic -> basic.disable())
+                //커스텀 JWT 필터를 등록
+                .addFilterBefore(new JwtAuthenticationFilter(jwtUtil),
+                        UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }

backend/src/main/resources/application.yml

@@ -43,4 +43,4 @@ github:
 
 jwt:
   secret: ${SECRET_KEY}
-  access-token-expiration-in-milliseconds: 600000
+  access-token-expiration-in-milliseconds: 600000 # 600 * 1000