feat(user) : 비밀번호 암호화 적용 / fix(jwt) : 쿠키에서 jwt를 추출하는 방식 변경

feat(user) : 비밀번호 암호화 적용 / fix(jwt) : 쿠키에서 jwt를 추출하는 방식 변경

Author: Hyeseung-OH

backend/src/main/java/com/backend/domain/user/controller/AuthController.java

@@ -4,16 +4,15 @@
 import com.backend.domain.user.dto.UserDto;
 import com.backend.domain.user.service.EmailService;
 import com.backend.domain.user.service.JwtService;
-import com.backend.domain.user.util.JwtUtil;
 import com.backend.domain.user.service.UserService;
+import com.backend.domain.user.util.JwtUtil;
 import com.backend.global.exception.ErrorCode;
 import com.backend.global.response.ApiResponse;
 import com.backend.global.response.ResponseCode;
 import jakarta.mail.MessagingException;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import jakarta.validation.Valid;
 import jakarta.validation.constraints.Email;
 import jakarta.validation.constraints.NotBlank;
 import lombok.RequiredArgsConstructor;

backend/src/main/java/com/backend/domain/user/dto/LoginResponse.java

@@ -1,5 +1,3 @@
 package com.backend.domain.user.dto;
 
-import com.backend.domain.user.dto.UserDto;
-
-public record LoginResponse(UserDto user) {}
+public record LoginResponse(UserDto user) { }

backend/src/main/java/com/backend/domain/user/entity/User.java

@@ -69,7 +69,7 @@ public void changeName(String name){
 
     public void changePassword(String password){
         if(this.password==null || password.trim().isEmpty()){
-            throw new BusinessException(ErrorCode.NAME_NOT_FOUND);
+            throw new BusinessException(ErrorCode.PASSWORD_NOT_FOUND);
         }
         this.password = password;
     }

backend/src/main/java/com/backend/domain/user/service/JwtService.java

@@ -4,9 +4,12 @@
 import com.backend.domain.user.repository.UserRepository;
 import com.backend.domain.user.util.JwtUtil;
 import com.backend.domain.user.util.RedisUtil;
+import com.backend.global.exception.BusinessException;
+import com.backend.global.exception.ErrorCode;
 import jakarta.validation.constraints.Email;
 import jakarta.validation.constraints.NotBlank;
 import lombok.RequiredArgsConstructor;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 @Service
@@ -15,14 +18,18 @@ public class JwtService {
     private final UserRepository userRepository;
     private final JwtUtil jwtUtil;
     private final RedisUtil redisUtil;
+    private final PasswordEncoder passwordEncoder;
 
     public String login(@NotBlank(message = "이메일은 필수 입력값 입니다.") @Email(message = "이메일 형식이 아닙니다.") String email, @NotBlank(message = "비밀번호는 필수 입력값 입니다.") String password) {
-        User user = userRepository.findByEmail(email).orElse(null);
-        if(user.getPassword().equals(password)) {
+        User user = userRepository.findByEmail(email).orElseThrow(()->new BusinessException(ErrorCode.EMAIL_NOT_FOUND));
+        //비밀번호 체크
+        checkPassword(email, password);
+
+        if(checkPassword(email, password)) {
             //email에 대응하는 비밀번호가 맞다면 jwt토큰 발급
             return jwtUtil.createToken(user.getEmail(), user.getName());
         }else{
-            return  null;
+            throw new BusinessException(ErrorCode.Login_Failed);
         }
     }
 
@@ -43,4 +50,12 @@ public boolean isBlacklisted(String token){
         String key = "jwt:blacklist:"+token;
         return redisUtil.hasKey(key);
     }
+
+    //암호화된 비밀번호를 체크
+    public boolean checkPassword(String email, String password){
+        User user = userRepository.findByEmail(email).orElseThrow(()->new BusinessException(ErrorCode.EMAIL_NOT_FOUND));
+        String hashedPassword = user.getPassword();
+
+        return passwordEncoder.matches(password, hashedPassword);
+    }
 }

backend/src/main/java/com/backend/domain/user/service/UserService.java

@@ -8,6 +8,7 @@
 import jakarta.mail.MessagingException;
 import jakarta.validation.constraints.NotBlank;
 import lombok.RequiredArgsConstructor;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -20,6 +21,7 @@
 public class UserService {
     private final UserRepository userRepository;
     private final RedisUtil redisUtil;
+    private final PasswordEncoder passwordEncoder;
 
 
     public User join(@NotBlank String email, @NotBlank String password, @NotBlank String passwordCheck, @NotBlank String name) throws MessagingException {
@@ -54,7 +56,10 @@ public User join(@NotBlank String email, @NotBlank String password, @NotBlank St
         }
 
 
-        User user = new User(email, password, name);
+        //암호화 된 비밀번호를 저장
+        String encodedPassword = passwordEncoder.encode(password);
+
+        User user = new User(email, encodedPassword, name);
         return userRepository.save(user);
 
 
@@ -114,17 +119,12 @@ public User modifyName(String email, @NotBlank(message = "이름은 필수 입
 
     }
 
-    public User modifyPassword(String email, @NotBlank(message = "비밀번호는 필수 입력값 입니다.") String password) {
-        User user = userRepository.findByEmail(email).orElseThrow(() -> new BusinessException(ErrorCode.VALIDATION_FAILED));
-        user.changePassword(password);
-        return user;
-    }
-
     public User modifyPassword(String email, @NotBlank(message = "비밀번호는 필수 입력값 입니다.") String password, String passwordCheck) {
         User user = userRepository.findByEmail(email).orElseThrow(() -> new BusinessException(ErrorCode.VALIDATION_FAILED));
 
         if(password.equals(passwordCheck)){
-            user.changePassword(password);
+
+            user.changePassword(passwordEncoder.encode(password));
         }else{
             throw new BusinessException(ErrorCode.PASSWORD_NOT_EQUAL);
         }

backend/src/main/java/com/backend/global/exception/ErrorCode.java

@@ -17,8 +17,9 @@ public enum ErrorCode {
     Login_Failed("U001", HttpStatus.BAD_REQUEST, "로그인에 실패했습니다."),
     Email_verify_Failed("U002", HttpStatus.BAD_REQUEST, "이메일 인증코드가 일치하지 않습니다"),
     NAME_NOT_FOUND("U003", HttpStatus.NOT_FOUND, "이름이 입력되지 않았습니다."),
-    PASSWORD_NOT_FOUND("U004", HttpStatus.NOT_FOUND, "이름이 입력되지 않았습니다."),
+    PASSWORD_NOT_FOUND("U004", HttpStatus.NOT_FOUND, "비밀번호가 입력되지 않았습니다."),
     PASSWORD_NOT_EQUAL("U005", HttpStatus.BAD_REQUEST, "비밀번호 확인이 일치하지 않습니다."),
+    EMAIL_NOT_FOUND("U006", HttpStatus.NOT_FOUND, "해당 이메일은 없는 계정입니다.") ,
 
     // ========== analysis 도메인 에러 ==========
     INVALID_GITHUB_URL("A001", HttpStatus.BAD_REQUEST, "올바른 GitHub 저장소 URL이 아닙니다."),

backend/src/main/java/com/backend/global/security/JwtAuthenticationFilter.java

@@ -8,12 +8,14 @@
 import io.jsonwebtoken.JwtException;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 
@@ -24,6 +26,7 @@
 import java.util.List;
 import java.util.Map;
 
+@Component
 @RequiredArgsConstructor
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
     private final JwtUtil jwtUtil;
@@ -79,16 +82,16 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         }
 
         //
-        String authorizationHeader = request.getHeader("Authorization");
-        System.out.println("AuthorizationHeader: " + authorizationHeader);
 
 
-        String token = null;
-        
-        //"Bearer " 제거
+        String token = extractTokenFromCookie(request);
+
+/*        //"Bearer " 제거
         if(authorizationHeader != null && authorizationHeader.startsWith("Bearer ")){
             token = authorizationHeader.substring(7);
         }
+        */
+
         //token이 null이거나 비어있다면 JWT가 입력되지 않은것으로 판단
         if(token==null||token.isEmpty()){
             sendErrorResponse(response, HttpServletResponse.SC_UNAUTHORIZED, "Token error : JWT가 입력되지 않았습니다.");
@@ -134,6 +137,24 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         filterChain.doFilter(request, response);
     }
 
+    private String extractTokenFromCookie(HttpServletRequest request) {
+        if(request.getCookies()==null){
+            return null;
+        }
+        for(Cookie cookie : request.getCookies()){
+            if(cookie.getName().equals("token")){
+                String value = cookie.getValue();
+                if (value != null && value.startsWith("Bearer%20")) {
+                    return value.substring(9);
+                } else if (value != null && value.startsWith("Bearer ")) {
+                    return value.substring(7);
+                }
+                return value;
+            }
+        }
+        return null;
+    }
+
     //에러 발생시 메세지 처리
     private void sendErrorResponse(HttpServletResponse response, int status, String message) throws IOException {
         response.setContentType("application/json;charset=UTF-8");

backend/src/main/java/com/backend/global/security/SecurityConfig.java

@@ -1,25 +1,26 @@
 package com.backend.global.security;
 
-import com.backend.domain.user.service.JwtService;
-import com.backend.domain.user.util.JwtUtil;
-import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 @Configuration
 @EnableWebSecurity
-@RequiredArgsConstructor
+//@RequiredArgsConstructor
 public class SecurityConfig {
-    private final JwtUtil jwtUtil;
-    private final JwtService jwtService;
+/*    private final JwtUtil jwtUtil;
+    private final JwtService jwtService;*/
+
+    //private final JwtAuthenticationFilter jwtAuthenticationFilter;
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, JwtAuthenticationFilter jwtAuthenticationFilter) throws Exception {
         http
                 // JWT 인증을 사용하므로 세션을 사용하지 않음 (Stateless)
                 .sessionManagement(session -> session
@@ -58,9 +59,15 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .formLogin(login -> login.disable())
                 .httpBasic(basic -> basic.disable())
                 //커스텀 JWT 필터를 등록
-                .addFilterBefore(new JwtAuthenticationFilter(jwtUtil, jwtService),
+                .addFilterBefore(jwtAuthenticationFilter,
                         UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }
+
+    // BcryptEncoder를 Bean으로 등록합니다.
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
 }