feat : 서명 검증 로직 구현

EpicFn · EpicFn · commit cc354e09cd44 · 2025-09-29T12:56:14.000+09:00
diff --git a/build.gradle b/build.gradle
@@ -98,6 +98,8 @@ dependencies {
     // Playwright for Java
     implementation 'com.microsoft.playwright:playwright:1.54.0'
 
+    // Apache Commons Codec
+    implementation"commons-codec:commons-codec:1.19.0"
 }
 
 dependencyManagement {
diff --git a/src/main/java/org/tuna/zoopzoop/backend/domain/dashboard/controller/ApiV1DashboardController.java b/src/main/java/org/tuna/zoopzoop/backend/domain/dashboard/controller/ApiV1DashboardController.java
@@ -25,18 +25,20 @@ public class ApiV1DashboardController {
     private final DashboardService dashboardService;
 
     /**
-     * LiveBlocks를 위한 React-flow 데이터 저장 API (LiveBlocks Webhook 타겟)
-     * @param bodyForReactFlow React-flow 데이터를 가지고 있는 Dto
+     * React-flow 데이터 저장(갱신) API
+     * @param dashboardId React-flow 데이터의 dashboard 식별 id
+     * @param requestBody React-flow 에서 보내주는 body 전체
+     * @param signature Liveblocks-Signature 헤더 값
+     * @return ResponseEntity<RsData<Void>>
      */
     @PutMapping("/{dashboardId}/graph")
     @Operation(summary = "React-flow 데이터 저장(갱신)")
     public ResponseEntity<RsData<Void>> updateGraph(
             @PathVariable Integer dashboardId,
-            @RequestBody BodyForReactFlow bodyForReactFlow
+            @RequestBody String requestBody,
+            @RequestHeader("Liveblocks-Signature") String signature
     ) {
-        // TODO : signature 검증 로직 추가
-
-        dashboardService.updateGraph(dashboardId, bodyForReactFlow);
+        dashboardService.verifyAndUpdateGraph(dashboardId, requestBody, signature);
 
         return ResponseEntity
                 .status(HttpStatus.OK)
diff --git a/src/main/java/org/tuna/zoopzoop/backend/domain/dashboard/service/DashboardService.java b/src/main/java/org/tuna/zoopzoop/backend/domain/dashboard/service/DashboardService.java
@@ -1,7 +1,10 @@
 package org.tuna.zoopzoop.backend.domain.dashboard.service;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.persistence.NoResultException;
 import lombok.RequiredArgsConstructor;
+import org.apache.commons.codec.binary.Hex;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.tuna.zoopzoop.backend.domain.dashboard.dto.BodyForReactFlow;
@@ -13,7 +16,11 @@
 import org.tuna.zoopzoop.backend.domain.member.entity.Member;
 import org.tuna.zoopzoop.backend.domain.space.membership.service.MembershipService;
 
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.AccessDeniedException;
+import java.security.MessageDigest;
 import java.util.List;
 
 @Service
@@ -22,6 +29,17 @@
 public class DashboardService {
     private final DashboardRepository dashboardRepository;
     private final MembershipService membershipService;
+    private final ObjectMapper objectMapper;
+
+    @Value("${liveblocks.secret-key}")
+    private String liveblocksSecretKey;
+
+    // 5분 (밀리초 단위)
+    private static final long TOLERANCE_IN_MILLIS = 5 * 60 * 1000;
+
+
+    // =========================== Graph 관련 메서드 ===========================
+
     /**
      * 대시보드 ID를 통해 Graph 데이터를 조회하는 메서드
      */
@@ -53,6 +71,32 @@ public void updateGraph(Integer dashboardId, BodyForReactFlow dto) {
 
     }
 
+    /**
+     * 서명 검증 후 Graph 업데이트를 수행하는 메서드
+     * @param dashboardId 대시보드 ID
+     * @param requestBody 요청 바디
+     * @param signatureHeader 서명 헤더
+     */
+    public void verifyAndUpdateGraph(Integer dashboardId, String requestBody, String signatureHeader) {
+        // 1. 서명 검증
+        if (!isValidSignature(requestBody, signatureHeader)) {
+            throw new SecurityException("Invalid webhook signature.");
+        }
+
+        // 2. 검증 통과 후, 기존 업데이트 로직 실행
+        try {
+            BodyForReactFlow dto = objectMapper.readValue(requestBody, BodyForReactFlow.class);
+            updateGraph(dashboardId, dto);
+        } catch (NoResultException e) {
+            throw new NoResultException(dashboardId + " ID를 가진 대시보드를 찾을 수 없습니다.");
+        }
+        catch (Exception e) {
+            throw new RuntimeException("Failed to process request body.", e);
+        }
+    }
+
+    // =========================== 권한 관련 메서드 ===========================
+
     /**
      * 대시보드 접근 권한을 검증하는 메서드
      * @param member 접근을 시도하는 멤버
@@ -68,4 +112,58 @@ public void verifyAccessPermission(Member member, Integer dashboardId) throws Ac
             throw new AccessDeniedException("대시보드의 접근 권한이 없습니다.");
         }
     }
+
+
+    /**
+     * LiveBlocks Webhook 요청의 유효성을 검증하는 메서드
+     * @param requestBody 요청 바디
+     * @param signatureHeader LiveBlocks가 제공하는 서명 헤더
+     * @return 서명이 유효하면 true, 그렇지 않으면 false
+     */
+    private boolean isValidSignature(String requestBody, String signatureHeader) {
+        try {
+            // 1. 헤더 파싱
+            String[] parts = signatureHeader.split(",");
+            long timestamp = -1;
+            String signatureHashFromHeader = null;
+
+            for (String part : parts) {
+                String[] pair = part.split("=", 2);
+                if (pair.length == 2) {
+                    if ("t".equals(pair[0])) {
+                        timestamp = Long.parseLong(pair[1]);
+                    } else if ("v1".equals(pair[0])) {
+                        signatureHashFromHeader = pair[1];
+                    }
+                }
+            }
+
+            if (timestamp == -1 || signatureHashFromHeader == null) {
+                return false; // 헤더 형식이 잘못됨
+            }
+
+            // 2. 리플레이 공격 방지를 위한 타임스탬프 검증 (선택사항)
+            long now = System.currentTimeMillis();
+            if (now - timestamp > TOLERANCE_IN_MILLIS) {
+                return false; // 너무 오래된 요청
+            }
+
+            // 3. 서명 재생성
+            String payload = timestamp + "." + requestBody;
+            Mac mac = Mac.getInstance("HmacSHA256");
+            SecretKeySpec secretKeySpec = new SecretKeySpec(liveblocksSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
+            mac.init(secretKeySpec);
+            byte[] expectedHashBytes = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
+
+            // 4. 서명 비교 (타이밍 공격 방지를 위해 MessageDigest.isEqual 사용)
+            byte[] signatureHashBytesFromHeader = Hex.decodeHex(signatureHashFromHeader);
+            return MessageDigest.isEqual(expectedHashBytes, signatureHashBytesFromHeader);
+
+        } catch (Exception e) {
+            // 파싱 실패, 디코딩 실패 등 모든 예외는 검증 실패로 간주
+            return false;
+        }
+    }
+
+
 }
diff --git a/src/main/java/org/tuna/zoopzoop/backend/global/exception/GlobalExceptionHandler.java b/src/main/java/org/tuna/zoopzoop/backend/global/exception/GlobalExceptionHandler.java
@@ -178,6 +178,17 @@ public ResponseEntity<RsData<Void>> handle(MissingServletRequestPartException e)
         );
     }
 
+    @ExceptionHandler(SecurityException.class)
+    public ResponseEntity<RsData<Void>> handleSecurityException(SecurityException e) {
+        return new ResponseEntity<>(
+                new RsData<>(
+                        "403", // 또는 "401"
+                        e.getMessage()
+                ),
+                FORBIDDEN // 또는 UNAUTHORIZED
+        );
+    }
+
     @ExceptionHandler(Exception.class) // 내부 서버 에러(= 따로 Exception을 지정하지 않은 경우.)
     public ResponseEntity<RsData<Void>> handleException(Exception e) {
         return new ResponseEntity<>(
diff --git a/src/main/resources/application-secrets.yml.template b/src/main/resources/application-secrets.yml.template
@@ -49,4 +49,7 @@ jwt:
   access-token-validity: {ACCESSTOKEN_VALIDITY}
   refresh-token-validity: {REFRESHTOKEN_VALIDITY}
 
-OPENAI_API_KEY: {OPENAI_API_KEY}
+OPENAI_API_KEY: {OPENAI_API_KEY}
+
+liveblocks:
+  secret-key: {LIVEBLOCKS_SECRET_KEY}
diff --git a/src/main/resources/application-test.yml b/src/main/resources/application-test.yml
@@ -16,3 +16,6 @@ spring:
   sql:
     init:
       mode: never
+
+liveblocks:
+  secret-key: test_dummy_liveblocks_secret_key
diff --git a/src/test/java/org/tuna/zoopzoop/backend/domain/dashboard/controller/DashboardControllerTest.java b/src/test/java/org/tuna/zoopzoop/backend/domain/dashboard/controller/DashboardControllerTest.java
@@ -1,7 +1,9 @@
 package org.tuna.zoopzoop.backend.domain.dashboard.controller;
 
+import org.apache.commons.codec.binary.Hex;
 import org.junit.jupiter.api.*;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -22,10 +24,15 @@
 import org.tuna.zoopzoop.backend.domain.space.space.service.SpaceService;
 import org.tuna.zoopzoop.backend.testSupport.ControllerTestSupport;
 
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+
 import static org.hamcrest.Matchers.hasSize;
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -48,7 +55,9 @@ class DashboardControllerTest extends ControllerTestSupport {
     private Integer authorizedDashboardId;
     private Integer unauthorizedDashboardId;
 
-    // 테스트에 필요한 유저, 스페이스, 멤버십 데이터를 미리 설정합니다.
+    @Value("${liveblocks.secret-key}")
+    private String testSecretKey;
+
     @BeforeAll
     void setUp() {
         // 1. 유저 생성
@@ -145,11 +154,15 @@ void updateGraph_Success() throws Exception {
         // Given
         String url = String.format("/api/v1/dashboard/%d/graph", authorizedDashboardId);
         String requestBody = createReactFlowJsonBody();
+        String validSignature = generateLiveblocksSignature(requestBody);
 
-        // When: 데이터 수정
-        ResultActions updateResult = performPut(url, requestBody);
+        // When: 데이터 저장
+        ResultActions updateResult = mvc.perform(put(url)
+                .contentType(MediaType.APPLICATION_JSON)
+                .header("Liveblocks-Signature", validSignature) // ★ 서명 헤더 추가
+                .content(requestBody));
 
-        // Then: 수정 성공 응답 확인
+        // Then: 저장 성공 응답 확인
         expectOk(
                 updateResult,
                 "React-flow 데이터를 저장했습니다."
@@ -174,9 +187,13 @@ void updateGraph_Fail_NotFound() throws Exception {
         Integer nonExistentDashboardId = 9999;
         String url = String.format("/api/v1/dashboard/%d/graph", nonExistentDashboardId);
         String requestBody = createReactFlowJsonBody();
+        String validSignature = generateLiveblocksSignature(requestBody);
 
-        // When
-        ResultActions resultActions = performPut(url, requestBody);
+        // When: 데이터 저장
+        ResultActions resultActions = mvc.perform(put(url)
+                .contentType(MediaType.APPLICATION_JSON)
+                .header("Liveblocks-Signature", validSignature) // ★ 서명 헤더 추가
+                .content(requestBody));;
 
         // Then
         expectNotFound(
@@ -185,20 +202,23 @@ void updateGraph_Fail_NotFound() throws Exception {
         );
     }
 
-//    @Test
-//    @DisplayName("대시보드 그래프 데이터 저장 - 실패: 서명 검증 실패")
-//    void updateGraph_Fail_Forbidden() throws Exception {
-//        // Given
-//        String url = String.format("/api/v1/dashboard/%d/graph", authorizedDashboardId);
-//        String requestBody = createReactFlowJsonBody();
-//
-//        // When
-//        ResultActions resultActions = performPut(url, requestBody);
-//
-//        // Then
-//        // TODO: 실제 구현된 권한 체크 로직의 예외 메시지에 따라 "권한이 없습니다." 부분을 수정해야 합니다.
-//        expectForbidden(resultActions, "액세스가 거부되었습니다.");
-//    }
+    @Test
+    @DisplayName("대시보드 그래프 데이터 저장 - 실패: 서명 검증 실패")
+    void updateGraph_Fail_Forbidden() throws Exception {
+        // Given
+        String url = String.format("/api/v1/dashboard/%d/graph", authorizedDashboardId);
+        String requestBody = createReactFlowJsonBody();
+        String invalidSignature = "t=123,v1=invalid_signature"; // 유효하지 않은 서명
+
+        // When
+        ResultActions resultActions = mvc.perform(put(url)
+                .contentType(MediaType.APPLICATION_JSON)
+                .header("Liveblocks-Signature", invalidSignature) // ★ 잘못된 서명 헤더 추가
+                .content(requestBody));
+
+        // Then
+        expectForbidden(resultActions, "Invalid webhook signature.");
+    }
 
     // ======================= TEST DATA FACTORIES ======================== //
 
@@ -233,4 +253,20 @@ private String createReactFlowJsonBody() {
             """;
     }
 
+    // ======================= HELPER METHODS ======================== //
+    private String generateLiveblocksSignature(String requestBody) throws NoSuchAlgorithmException, InvalidKeyException, InvalidKeyException {
+        long timestamp = System.currentTimeMillis();
+        String payload = timestamp + "." + requestBody;
+
+        Mac mac = Mac.getInstance("HmacSHA256");
+        SecretKeySpec secretKeySpec = new SecretKeySpec(testSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
+        mac.init(secretKeySpec);
+        byte[] hash = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
+
+        // v1 서명은 해시값의 Hex 인코딩 문자열입니다.
+        String signatureHash = Hex.encodeHexString(hash);
+
+        return String.format("t=%d,v1=%s", timestamp, signatureHash);
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,8 @@ dependencies {`
`98`	`98`	`// Playwright for Java`
`99`	`99`	`implementation 'com.microsoft.playwright:playwright:1.54.0'`
`100`	`100`
	`101`	`+ // Apache Commons Codec`
	`102`	`+ implementation"commons-codec:commons-codec:1.19.0"`
`101`	`103`	`}`
`102`	`104`
`103`	`105`	`dependencyManagement {`