Feature/issue#61 #62
Open
Feature/issue#61 #62
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Youhoseong
requested changes
Apr 2, 2022
Comment on lines
+54
to
+60
| @GetMapping("/gen-tokens") | ||
| public ResponseEntity<?> sendTokens(Authentication authentication){ | ||
| Optional<User> user = userRepository.findByPhone(authentication.getName()); | ||
| TokenDto tokenDto = authenticateService.getNewTokens(user.get().getPhone()); | ||
| ApiResponse message = new ApiResponse(ResultCode.OK,"Generating token success.", tokenDto); | ||
| return new ResponseEntity<>(message, HttpHeaderSetting(), HttpStatus.OK); | ||
| } |
Contributor
There was a problem hiding this comment.
authentication.getName()이 user.get().getPhone()과 같은 데이터인데 불필요한 유저 조회가 한번 더 들어가는 것 같습니다~
Contributor
There was a problem hiding this comment.
또, 귀찮겠지만 ResponseEntity는 더이상 사용하지 않고 ApiReponse만 반환하도록 했습니다 ㅎ ProductController 참고하시고
이유는 데이터 -> (감싸기) -> ApiReponse -> (또 감싸기) -> ResponseEntity 이렇게 두번씩 감쌀 필요가 없다는 생각때문입니다
Comment on lines
44
to
58
| try { | ||
| String jwt = parseJwt(request); | ||
| if (jwtUtils.validateJwtToken(jwt)) { | ||
| HashMap<String, String> map = parseJwt(request); | ||
| if(map.containsKey("access")){ | ||
| String jwt = map.get("access"); | ||
| jwtUtils.validateJwtToken(jwt); | ||
| String username = jwtUtils.getUserNameFromJwtToken(jwt); | ||
| jwtUtils.createAuthentication(username); | ||
| } | ||
|
|
||
| else if(map.containsKey("refresh")){ | ||
| String jwt = map.get("refresh"); | ||
| jwtUtils.validateJwtRefresh(jwt); | ||
| String username = jwtUtils.getUserNameFromJwtRefreshToken(jwt); | ||
| jwtUtils.createAuthentication(username); | ||
| } | ||
| filterChain.doFilter(request, response); |
Contributor
There was a problem hiding this comment.
로직이 access token 검사 후 혹시 refresh token이 있다면 refresh 토큰으로도 인증이 성공하도록 되어있는데요,
프론트쪽에서 access token과 refresh token을 동시에 사용해야할 일이 있을까요? refresh token은 최대한 사용을 자제하면서 노출을 피하고, access token을 재발급하기 위한 용도로만 사용하는 것이 맞지 않나 싶은데 의견부탁해요~~~
- 프론트쪽에서 access token 기반 요청 => 만료
- 프론트쪽에서 refresh token으로 access token 재발급 요청
- 프론트쪽에서 access token 기반 재요청
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
refresh 토큰으로 access 토큰이랑 refresh 토큰을 새로 발급받는다
header 입력 방식 :
key값:
Authorization
value값:
Refresh
access 토큰 쓰던거랑 비슷한데 Bearer 대신 Refresh 쓰고 토큰 입력 하면 된다.
토큰을 해독할때 무슨 토큰이였는지 구분하기 위해서다.
주의사항 :
헤더에 토큰 입력할때 access 토큰 또는 refresh 토큰 둘 중 하나만 입력해야한다. 둘다 입력하면 access 토큰만 가지고 처리된다.
access 토큰 먼저 확인하고 그걸로 예외처리한다.
access 토큰 없으면 refresh 토큰 확인하고 그걸로 예외처리한다.