diff --git a/src/main/java/clap/server/adapter/inbound/security/SecurityConfig.java b/src/main/java/clap/server/adapter/inbound/security/SecurityConfig.java
index ceb613c8..56d75f42 100644
--- a/src/main/java/clap/server/adapter/inbound/security/SecurityConfig.java
+++ b/src/main/java/clap/server/adapter/inbound/security/SecurityConfig.java
@@ -57,8 +57,6 @@ public SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exceptio
 .authorizeHttpRequests(
 auth -> defaultAuthorizeHttpRequest(auth)
- .requestMatchers(SWAGGER_ENDPOINTS).permitAll()
- .requestMatchers(LOGIN_ENDPOINT).permitAll()
 .anyRequest().authenticated()
 ).build();
 }
@@ -83,8 +81,10 @@ private AbstractRequestMatcherRegistry new AntPathMatcher().match(endpoint, request.getRequestURI()));
+ boolean isAnonymous = request.getHeader(HttpHeaders.AUTHORIZATION) == null;
+ return isAnonymousURI && isAnonymous;
 }
+ @Override
+ protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
+ return Arrays.stream(PUBLIC_ENDPOINTS)
+ .anyMatch(endpoint -> new AntPathMatcher().match(endpoint, request.getRequestURI()));
+ }
+
+
 private String resolveAccessToken(
 HttpServletRequest request
 ) throws ServletException {
@@ -106,6 +125,8 @@ private String resolveAccessToken(
 }
+
+
 private boolean isTemporaryTokenAllowed(String requestUrl) {
 return requestUrl.equals(TEMPORARY_TOKEN_ALLOWED_ENDPOINT);
 }
diff --git a/src/main/java/clap/server/adapter/inbound/web/dto/member/request/VerifyPasswordRequest.java b/src/main/java/clap/server/adapter/inbound/web/dto/member/request/VerifyPasswordRequest.java
new file mode 100644
index 00000000..4b7cbd85
--- /dev/null
+++ b/src/main/java/clap/server/adapter/inbound/web/dto/member/request/VerifyPasswordRequest.java
@@ -0,0 +1,9 @@
+package clap.server.adapter.inbound.web.dto.member.request;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record VerifyPasswordRequest(
+ @NotBlank
+ String password
+) {
+}
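Review bot: With `.requestMatchers(SWAGGER_ENDPOINTS).permitAll()` and `.requestMatchers(LOGIN_ENDPOINT).permitAll()` removed, `.anyRequest().authenticated()` now applies to the Swagger and login paths unless `defaultAuthorizeHttpRequest(auth)` (outside this hunk) permits them, and the commit does not show that it does. The new `shouldNotFilter` override in the later hunk only skips token parsing for `PUBLIC_ENDPOINTS`; it does not populate the security context, so a request to one of those paths that is not also permitted in the authorization rules will be rejected as unauthenticated. Please confirm `defaultAuthorizeHttpRequest` covers exactly the same list, or keep the two explicit `permitAll()` rules until it does. `defaultFilterChain` starts before this hunk.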
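Review bot: `shouldNotFilter` constructs `new AntPathMatcher()` inside the lambda, once per entry of `PUBLIC_ENDPOINTS` on every request; `AntPathMatcher` is safe to share, so hoist it to `private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();` and use it here and in the `isAnonymousURI` match on the line above. Because `shouldNotFilter` bypasses the whole filter, an `Authorization` header sent to a public path is never validated and the request reaches the authorization layer anonymous; that is fine for genuinely public paths, but any Ant wildcard in `PUBLIC_ENDPOINTS` (not in this hunk) widens that surface, so the array deserves a comment such as `// only endpoints that must be reachable without a token; no wildcards that cover protected paths`. In the two added lines above, `isAnonymous` is true only when the header is absent, so an empty `Authorization:` header counts as an authentication attempt — presumably intended, but worth a one-line comment. This hunk's file header is missing from the extract; it appears to belong to the request filter rather than `SecurityConfig`, and the method containing the first two added lines starts before the hunk.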
diff --git a/src/main/java/clap/server/adapter/inbound/web/member/ResetPasswordController.java b/src/main/java/clap/server/adapter/inbound/web/member/ResetPasswordController.java
index 580f61c6..9d6f986d 100644
--- a/src/main/java/clap/server/adapter/inbound/web/member/ResetPasswordController.java
+++ b/src/main/java/clap/server/adapter/inbound/web/member/ResetPasswordController.java
@@ -3,19 +3,17 @@
 import clap.server.adapter.inbound.security.service.SecurityUserDetails;
 import clap.server.adapter.inbound.web.dto.member.request.UpdateInitialPasswordRequest;
 import clap.server.adapter.inbound.web.dto.member.request.UpdatePasswordRequest;
+import clap.server.adapter.inbound.web.dto.member.request.VerifyPasswordRequest;
 import clap.server.application.port.inbound.member.ResetInitialPasswordUsecase;
 import clap.server.application.port.inbound.member.ResetPasswordUsecase;
 import clap.server.application.port.inbound.member.VerifyPasswordUseCase;
 import clap.server.common.annotation.architecture.WebAdapter;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
-import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PatchMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.*;
 @Tag(name = "01. Member [비밀번호 관련]")
 @WebAdapter
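Review bot: The wildcard `import org.springframework.web.bind.annotation.*;` replaces four explicit imports while every other import in this hunk stays explicit; the wildcard hides which mapping annotations the controller uses and can silently pick up new names as the package grows. Keep the explicit form, e.g. `import org.springframework.web.bind.annotation.PatchMapping;` and `import org.springframework.web.bind.annotation.PostMapping;` alongside `RequestBody` and `RequestMapping`, which are the ones the class body below this hunk uses.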
@@ -29,22 +27,22 @@ public class ResetPasswordController {
 @Operation(summary = "초기 로그인 후 비밀번호 재설정 API")
 @PatchMapping("/members/initial-password")
 public void resetPasswordAndActivateMember(@AuthenticationPrincipal SecurityUserDetails userInfo,
- @RequestBody UpdateInitialPasswordRequest request) {
+ @RequestBody @Valid UpdateInitialPasswordRequest request) {
 resetInitialPasswordUsecase.resetPasswordAndActivateMember(userInfo.getUserId(),request.password());
 }
 @Operation(summary = "비밀번호 재설정 API")
 @PatchMapping("/members/password")
 public void resetPassword(@AuthenticationPrincipal SecurityUserDetails userInfo,
- @RequestBody UpdatePasswordRequest request) {
+ @RequestBody @Valid UpdatePasswordRequest request) {
 resetPasswordUsecase.resetPassword(userInfo.getUserId(), request.password());
 }
 @Operation(summary = "비밀번호 검증 API")
- @GetMapping("/members/password")
+ @PostMapping("/members/password")
 public void verifyPassword(@AuthenticationPrincipal SecurityUserDetails userInfo,
- @RequestBody @NotBlank String password) {
- verifyPasswordUseCase.verifyPassword(userInfo.getUserId(), password);
+ @RequestBody @Valid VerifyPasswordRequest request) {
+ verifyPasswordUseCase.verifyPassword(userInfo.getUserId(), request.password());
 }
 }
diff --git a/src/main/java/clap/server/exception/code/AuthErrorCode.java b/src/main/java/clap/server/exception/code/AuthErrorCode.java
index acb9b5a3..6ca63b69 100644
--- a/src/main/java/clap/server/exception/code/AuthErrorCode.java
+++ b/src/main/java/clap/server/exception/code/AuthErrorCode.java
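Review bot: `@PostMapping("/members/password")` puts the verification endpoint on the same URI as `@PatchMapping("/members/password")`, so the two operations now differ only by HTTP verb although one checks a password and the other replaces it; a distinct path such as `/members/password/verify` would keep the Swagger listing and any per-endpoint policy (throttling, audit logging) unambiguous. Moving from GET to POST is the right fix, since a GET request body is not reliably delivered, and wrapping the value in `VerifyPasswordRequest` with `@Valid` makes the `@NotBlank` constraint actually enforced. Note that this endpoint accepts a password guess from an already-authenticated caller and answers only success or failure, so it should presumably be rate-limited and logged like a login attempt; that is not visible in this commit, so confirm `VerifyPasswordUseCase` handles it.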
@@ -10,7 +10,7 @@ public enum AuthErrorCode implements BaseErrorCode {
 UNAUTHORIZED(HttpStatus.UNAUTHORIZED, "AUTH_001", "인증 과정에서 오류가 발생하였습니다."),
 FORBIDDEN(HttpStatus.FORBIDDEN, "AUTH_002", "접근이 거부되었습니다"),
 EMPTY_ACCESS_KEY(HttpStatus.FORBIDDEN, "AUTH_003", "AccessToken 이 비어있습니다."),
- LOGOUT_ERROR(HttpStatus.FORBIDDEN, "AUTH_004", "로그 아웃된 사용자입니다."),
+// LOGOUT_ERROR(HttpStatus.FORBIDDEN, "AUTH_004", "로그 아웃된 사용자입니다."),
 EXPIRED_TOKEN(HttpStatus.FORBIDDEN, "AUTH_005", "사용기간이 만료된 토큰입니다."),
 TAKEN_AWAY_TOKEN(HttpStatus.FORBIDDEN, "AUTH_006", "탈취당한 토큰입니다. 다시 로그인 해주세요."),
 WITHOUT_OWNER_REFRESH_TOKEN(HttpStatus.FORBIDDEN, "AUTH_007", "소유자가 아닌 RefreshToken 입니다."),
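Review bot: The added line leaves a commented-out enum constant in `AuthErrorCode`; if the logged-out-token check is really gone, delete the line, and if it is only temporarily disabled, keep the constant and add a comment such as `// AUTH_004 reserved: logout check disabled, do not reuse the code` so the number is not reassigned later. Commenting out `LOGOUT_ERROR` also removes the only error path visible here for a token invalidated by logout; if the filter no longer consults a logout blacklist, a token stays usable until it expires, which is a behaviour change worth stating explicitly in the commit message or a comment, since none of the visible hunks address it.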