Merge pull request #197 from prgrms-web-devcourse-final-project/fix#185

[Feat]: Toss 빌링(카드 등록) 연동 + 쿠키 기반 인증 + 멱등키 발급

Author: dlawhd

src/main/java/com/backend/domain/member/controller/ApiV1MemberController.java

@@ -5,14 +5,18 @@
 import com.backend.global.response.RsData;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseCookie;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
+import java.time.Duration;
 import java.time.LocalDateTime;
 
 @Controller
@@ -32,9 +36,10 @@ public ResponseEntity<RsData<MemberSignUpResponseDto>> memberSignUp(@Valid @Requ
 
     @Operation(summary = "로그인 API", description = "이메일과 비밀번호를 받아 로그인 처리 후 토큰 발급")
     @PostMapping("/auth/login")
-    public ResponseEntity<RsData<LoginResponseDto>> login(@Valid @RequestBody LoginRequestDto loginRequestDto) {
+    public ResponseEntity<RsData<LoginResponseDto>> login(@Valid @RequestBody LoginRequestDto loginRequestDto,
+                                                          HttpServletResponse response) {
         RsData<LoginResponseDto> loginResponse = memberService.login(loginRequestDto);
-
+        writeAuthCookies(response, loginResponse.data());
         return ResponseEntity.status(loginResponse.statusCode()).body(loginResponse);
     }
 
@@ -105,4 +110,22 @@ public ResponseEntity<RsData<Void>> memberWithdraw(Authentication authentication
         RsData<Void> withdrawResult = memberService.withdraw(authentication.getName());
         return ResponseEntity.status(withdrawResult.statusCode()).body(withdrawResult);
     }
+
+    // 로그인 성공 후 토큰을 안전한 쿠키로 내려줌..
+    private void writeAuthCookies(HttpServletResponse res, LoginResponseDto dto) {
+        // access 60분, refresh 7일
+        ResponseCookie access = ResponseCookie.from("ACCESS_TOKEN", dto.accessToken())
+                .httpOnly(true).secure(false)
+                .sameSite("Lax").path("/")
+                .maxAge(Duration.ofMinutes(60))
+                .build();
+        ResponseCookie refresh = ResponseCookie.from("REFRESH_TOKEN", dto.refreshToken())
+                .httpOnly(true).secure(false)
+                .sameSite("Lax").path("/")
+                .maxAge(Duration.ofDays(7))
+                .build();
+
+        res.addHeader(HttpHeaders.SET_COOKIE, access.toString());
+        res.addHeader(HttpHeaders.SET_COOKIE, refresh.toString());
+    }
 }

src/main/java/com/backend/domain/payment/controller/ApiV1PaymentController.java

@@ -4,10 +4,7 @@
 import com.backend.domain.member.service.MemberService;
 import com.backend.domain.payment.dto.request.PaymentRequest;
 import com.backend.domain.payment.dto.request.TossIssueBillingKeyRequest;
-import com.backend.domain.payment.dto.response.MyPaymentResponse;
-import com.backend.domain.payment.dto.response.MyPaymentsResponse;
-import com.backend.domain.payment.dto.response.PaymentResponse;
-import com.backend.domain.payment.dto.response.TossIssueBillingKeyResponse;
+import com.backend.domain.payment.dto.response.*;
 import com.backend.domain.payment.service.PaymentService;
 import com.backend.domain.payment.service.TossBillingClientService;
 import com.backend.global.response.RsData;
@@ -18,21 +15,30 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.server.ResponseStatusException;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import java.util.Map;
+import java.util.UUID;
 
 @RestController
 @RequiredArgsConstructor
 @RequestMapping("/api/v1/payments")
 @Tag(name = "Payments", description = "지갑 충전 API")
 public class ApiV1PaymentController {
 
+    @Value("${pg.toss.clientKey}")
+    private String tossClientKey;
+
     private final MemberService memberService;
     private final PaymentService paymentService;
     private final TossBillingClientService tossBillingClientService;
@@ -44,7 +50,7 @@ private Member getActor(User user) {
     }
 
     @PostMapping
-    @Operation(summary="지갑 충전 요청", description="idempotencyKey로 중복 충전 방지, 일단은 idempotencyKey 아무키로 등록해주세요!")
+    @Operation(summary="지갑 충전 요청", description="idempotencyKey로 중복 충전 방지")
     @ApiResponses({
             @ApiResponse(responseCode = "201", description = "충전 완료",
                     content = @Content(schema = @Schema(implementation = RsData.class))),
@@ -86,6 +92,41 @@ public RsData<TossIssueBillingKeyResponse> issueBillingKey(
 
         return RsData.ok("빌링키가 발급되었습니다.", data);
     }
+    @GetMapping("/toss/billing-auth-params")
+    @Operation(
+            summary = "토스 카드등록(빌링) 팝업 파라미터 조회",
+            description = """
+            토스 카드 등록 창을 띄우기 위해 FE가 먼저 호출하는 엔드포인트입니다.
+            - 로그인(인증) 필요: 서버가 로그인 사용자의 customerKey(`user-{id}`)를 만들어 줍니다.
+            - 응답 값:
+              * clientKey   : Toss Payments 공개 키 (FE에서 Toss SDK 초기화에 사용)
+              * customerKey : 사용자 고유키 (카드 등록/결제 시 동일 값 사용)
+              * successUrl  : 카드 등록 성공 후 리다이렉트될 페이지
+              * failUrl     : 카드 등록 실패 시 리다이렉트될 페이지
+            """
+    )
+    @ApiResponses({
+            @ApiResponse(responseCode = "200", description = "조회 성공",
+                    content = @Content(schema = @Schema(implementation = RsData.class)))
+    })
+    public RsData<TossBillingAuthParamsResponse> getBillingAuthParams(
+            @AuthenticationPrincipal User user, HttpServletRequest req) {
+
+        Member me = memberService.findMemberByEmail(user.getUsername());
+        String customerKey = "user-" + me.getId();
+
+        // origin 계산(예: http://localhost:8080)
+        String origin = req.getScheme() + "://" + req.getServerName()
+                + ((req.getServerPort()==80 || req.getServerPort()==443) ? "" : ":" + req.getServerPort());
+
+        TossBillingAuthParamsResponse data = new TossBillingAuthParamsResponse(
+                tossClientKey,
+                customerKey,
+                origin + "/payments/toss/billing-success.html",
+                origin + "/payments/toss/billing-fail.html"
+        );
+        return RsData.ok("ok", data);
+    }
 
     @GetMapping("/me")
     @Operation(summary="내 결제 내역")
@@ -132,4 +173,18 @@ public RsData<MyPaymentResponse> getMyPaymentDetail(
         return RsData.ok("결제 상세가 조회되었습니다.", data);
     }
 
+    @GetMapping("/idempotency-key")
+    @Operation(
+            summary = "멱등키(결제 재시도 식별 키) 발급",
+            description = "결제 요청 전에 1회 호출해서 받은 키를 재시도 시에도 동일하게 사용하세요."
+    )
+    @ApiResponses({
+            @ApiResponse(responseCode = "200", description = "발급 성공",
+                    content = @Content(schema = @Schema(implementation = RsData.class)))
+    })
+    public RsData<IdempotencyKeyResponse> newIdempotencyKey() {
+        String key = UUID.randomUUID().toString();
+        return RsData.ok("멱등키가 발급되었습니다.", new IdempotencyKeyResponse(key));
+    }
+
 }

src/main/java/com/backend/domain/payment/dto/request/PaymentRequest.java

@@ -1,5 +1,6 @@
 package com.backend.domain.payment.dto.request;
 
+import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
@@ -18,6 +19,10 @@ public class PaymentRequest {
     @Min(100)
     private Long amount;           // 충전 금액(원)..
 
-    @NotBlank
+    @Schema(
+            description = "멱등키(재시도 시 동일하게 사용)",
+            example = "d6a6f3ad-5d9a-4a3a-b0a5-7e0a2b77c2b1",
+            requiredMode = Schema.RequiredMode.REQUIRED
+    )
     private String idempotencyKey; // 멱등키(재시도 동일키)..
 }

src/main/java/com/backend/domain/payment/dto/request/TossIssueBillingKeyRequest.java

@@ -1,11 +1,12 @@
 package com.backend.domain.payment.dto.request;
 
+import io.swagger.v3.oas.annotations.media.Schema;
 import lombok.Getter;
 import lombok.Setter;
 
 @Getter
 @Setter
 public class TossIssueBillingKeyRequest {
-    private String customerKey;
+    @Schema(description = "Toss가 successUrl로 전달한 키", example = "bln_xxx")
     private String authKey;
 }

src/main/java/com/backend/domain/payment/dto/response/IdempotencyKeyResponse.java

@@ -0,0 +1,5 @@
+package com.backend.domain.payment.dto.response;
+
+public record IdempotencyKeyResponse(
+        String idempotencyKey
+) {}

src/main/java/com/backend/domain/payment/dto/response/TossBillingAuthParamsResponse.java

@@ -0,0 +1,8 @@
+package com.backend.domain.payment.dto.response;
+
+public record TossBillingAuthParamsResponse(
+        String clientKey,
+        String customerKey,
+        String successUrl,
+        String failUrl
+) {}

src/main/java/com/backend/domain/payment/dto/response/TossIssueBillingKeyResponse.java

@@ -1,15 +1,26 @@
 package com.backend.domain.payment.dto.response;
 
+import io.swagger.v3.oas.annotations.media.Schema;
 import lombok.Builder;
 import lombok.Getter;
 
 @Getter
 @Builder
 public class TossIssueBillingKeyResponse {
+    @Schema(description = "Toss 토큰(우리 쪽 저장용)", example = "PAhFKE3...")
     private String billingKey;
+
     private String provider;   // "toss"
+
+    @Schema(description = "카드 브랜드/발급사", example = "SHINHAN")
     private String cardBrand;  // 선택: 스냅샷에 쓰려면
-    private String cardNumber; // 선택
+
+    @Schema(description = "카드 끝 4자리", example = "1234")
+    private String last4; // 선택
+
+    @Schema(description = "만료월", example = "12")
     private Integer expMonth;  // 선택
+
+    @Schema(description = "만료년", example = "2028")
     private Integer expYear;   // 선택
 }

src/main/java/com/backend/domain/payment/service/PaymentService.java

@@ -25,6 +25,7 @@
 import org.springframework.web.server.ResponseStatusException;
 
 import java.time.*;
+import java.util.UUID;
 
 @Slf4j
 @Service
@@ -50,8 +51,10 @@ public PaymentResponse charge(Member actor, PaymentRequest req) {
         if (req.getAmount() > MAX_AMOUNT_PER_TX)
             throw new ResponseStatusException(HttpStatus.BAD_REQUEST,"1회 최대 충전 한도를 초과했습니다.");
 
-        if (req.getIdempotencyKey() == null || req.getIdempotencyKey().isBlank())
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "idempotencyKey가 필요합니다.");
+        if (req.getIdempotencyKey() == null || req.getIdempotencyKey().isBlank()){
+            req.setIdempotencyKey(UUID.randomUUID().toString());
+            log.info("[IDEMP] generated new idempotencyKey={}", req.getIdempotencyKey());
+        }
 
         // 멱등 선조회(같은 회원+키면 기존 결과 그대로 반환)..
         var existingOpt = paymentRepository.findByMemberAndIdempotencyKey(actor, req.getIdempotencyKey());

src/main/java/com/backend/domain/payment/service/TossBillingClientService.java

@@ -90,7 +90,7 @@ public TossIssueBillingKeyResponse issueBillingKey(String customerKey, String au
             return TossIssueBillingKeyResponse.builder()
                     .billingKey(billingKey)
                     .cardBrand(cardBrand)
-                    .cardNumber(cardNumber)
+                    .last4(cardNumber)
                     .expMonth(expMonth)
                     .expYear(expYear)
                     .build();

src/main/java/com/backend/global/security/JwtAuthenticationFilter.java

@@ -5,6 +5,7 @@
 import com.backend.global.redis.RedisUtil;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
@@ -25,27 +26,37 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
     private final MemberRepository memberRepository;
     private final RedisUtil redisUtil;
 
+
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        
-        String header = request.getHeader("Authorization");
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+            throws ServletException, IOException {
 
-        if (header != null && header.startsWith("Bearer ")) {
-            String token = header.substring(7);
+        String token = resolveToken(request); // 헤더/쿠키 둘 다 지원(아래 메소드)
 
-            if (redisUtil.getData(token) == null && jwtUtil.validateToken(token)) {
-                String email = jwtUtil.getEmailFromToken(token);
-                Member member = memberRepository.findByEmail(email).orElseThrow(); // 토큰이 유효하면 유저는 반드시 존재
+        if (token != null && redisUtil.getData(token) == null && jwtUtil.validateToken(token)) {
+            String email = jwtUtil.getEmailFromToken(token);
 
+            memberRepository.findByEmail(email).ifPresent(member -> {
                 User user = new User(member.getEmail(), member.getPassword(), List.of());
-
                 UsernamePasswordAuthenticationToken authentication =
                         new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
-
                 SecurityContextHolder.getContext().setAuthentication(authentication);
-            }
+            });
+
         }
 
-        filterChain.doFilter(request, response);
+        chain.doFilter(request, response);
     }
+
+    private String resolveToken(HttpServletRequest request) {
+        String h = request.getHeader("Authorization");
+        if (h != null && h.startsWith("Bearer ")) return h.substring(7);
+        if (request.getCookies() != null) {
+            for (Cookie c : request.getCookies()) {
+                if ("ACCESS_TOKEN".equals(c.getName())) return c.getValue();
+            }
+        }
+        return null;
+    }
+
 }