CLAP-60&84 Spring security & jwt 관련 로직 구현 및 로그인 API 구현

build.gradle

@@ -55,9 +55,14 @@ dependencies {
     // Redis
     implementation 'org.springframework.boot:spring-boot-starter-data-redis'
 
-    // Spring Security
-    //implementation 'org.springframework.boot:spring-boot-starter-security'
-    // testImplementation 'org.springframework.security:spring-security-test'
+    //Spring Security
+    implementation 'org.springframework.boot:spring-boot-starter-security'
+    testImplementation 'org.springframework.security:spring-security-test'
+
+    // jwt
+    implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5'
+    runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.11.5'
 
     // Mapstruct
     implementation "org.projectlombok:lombok"

src/main/java/clap/server/adapter/inbound/security/CustomGrantedAuthority.java

@@ -0,0 +1,52 @@
+package clap.server.adapter.inbound.security;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import jakarta.validation.constraints.NotNull;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.io.Serial;
+import java.io.Serializable;
+
+public class CustomGrantedAuthority implements GrantedAuthority, Serializable {
+    @Serial
+    private static final long serialVersionUID = 1L;
+
+    private final String role;
+
+    @JsonCreator
+    public CustomGrantedAuthority(
+            @JsonProperty("authority") @NotNull
+            String role
+    ) {
+        this.role = role;
+    }
+
+    @Override
+    public String getAuthority() {
+        return role;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+
+        if (obj instanceof CustomGrantedAuthority cga) {
+            return this.role.equals(cga.getAuthority());
+        }
+
+        return false;
+    }
+
+    @Override
+    public int hashCode() {
+        return this.role.hashCode();
+    }
+
+    @Override
+    public String toString() {
+        return this.role;
+    }
+}

src/main/java/clap/server/adapter/inbound/security/SecurityUserDetails.java

@@ -0,0 +1,93 @@
+package clap.server.adapter.inbound.security;
+
+import clap.server.adapter.outbound.persistense.entity.member.MemberEntity;
+import clap.server.adapter.outbound.persistense.entity.member.constant.MemberStatus;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import lombok.AccessLevel;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.io.Serial;
+import java.util.Collection;
+import java.util.List;
+
+@Getter
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class SecurityUserDetails implements UserDetails {
+    @Serial
+    private static final long serialVersionUID = 1L;
+
+    private Long userId;
+    private String username;
+    private Collection<? extends GrantedAuthority> authorities;
+    private boolean accountNonLocked;
+
+    @JsonIgnore
+    private boolean enabled;
+    @JsonIgnore
+    private String password;
+    @JsonIgnore
+    private boolean credentialsNonExpired;
+    @JsonIgnore
+    private boolean accountNonExpired;
+
+    @Builder
+    public SecurityUserDetails(
+            Long userId,
+            String username,
+            Collection<? extends GrantedAuthority> authorities,
+            boolean accountNonLocked
+    ) {
+        this.userId = userId;
+        this.username = username;
+        this.authorities = authorities;
+        this.accountNonLocked = accountNonLocked;
+    }
+
+    public static UserDetails from(MemberEntity member) {
+        return SecurityUserDetails.builder()
+                .userId(member.getMemberId())
+                .username(member.getName())
+                .authorities(List.of(new CustomGrantedAuthority(member.getRole().name())))
+                .accountNonLocked(member.getStatus().equals(MemberStatus.INACTIVE))
+                .build();
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return authorities;
+    }
+
+    @Override
+    public String getPassword() {
+        return null;
+    }
+
+    @Override
+    public String getUsername() {
+        return username;
+    }
+
+    @Override
+    public boolean isAccountNonExpired() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public boolean isAccountNonLocked() {
+        return accountNonLocked;
+    }
+
+    @Override
+    public boolean isCredentialsNonExpired() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public boolean isEnabled() {
+        throw new UnsupportedOperationException();
+    }
+}

src/main/java/clap/server/adapter/inbound/security/SecurityUserDetailsService.java

@@ -0,0 +1,23 @@
+package clap.server.adapter.inbound.security;
+
+import clap.server.adapter.outbound.persistense.repository.member.MemberRepository;
+import clap.server.exception.AuthException;
+import clap.server.exception.code.MemberErrorCode;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+@Service
+@RequiredArgsConstructor
+public class SecurityUserDetailsService implements UserDetailsService {
+    private final MemberRepository loadMemberPort;
+
+    @Override
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+        return loadMemberPort.findById(Long.parseLong(username))
+                .map(SecurityUserDetails::from)
+                .orElseThrow(() -> new AuthException(MemberErrorCode.MEMBER_NOT_FOUND));
+    }
+}

src/main/java/clap/server/adapter/inbound/security/filter/JwtAuthenticationFilter.java

@@ -0,0 +1,135 @@
+package clap.server.adapter.inbound.security.filter;
+
+import clap.server.adapter.outbound.jwt.JwtClaims;
+import clap.server.adapter.outbound.jwt.access.AccessTokenClaimKeys;
+import clap.server.application.port.outbound.auth.JwtProvider;
+import clap.server.exception.JwtException;
+import clap.server.exception.code.AuthErrorCode;
+import io.jsonwebtoken.Claims;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.validation.constraints.NotNull;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+// 요청에서 JWT 토큰을 추출하고 유효성을 검사합니다.
+@Slf4j
+@Component
+@RequiredArgsConstructor
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+    private static final String TEMPORARY_TOKEN_ALLOWED_ENDPOINT = "/api/members/initial-password";
+    private final UserDetailsService securityUserDetailsService;
+    private final JwtProvider accessTokenProvider;
+    private final JwtProvider temporaryTokenProvider;
+    private final AccessDeniedHandler accessDeniedHandler;
+
+    @Override
+    protected void doFilterInternal(
+            @NotNull HttpServletRequest request,
+            @NotNull HttpServletResponse response,
+            @NotNull FilterChain filterChain
+    ) throws ServletException, IOException {
+        try {
+            if (isAnonymousRequest(request)) {
+                filterChain.doFilter(request, response);
+                return;
+            }
+
+            String accessToken = resolveAccessToken(request);
+
+            UserDetails userDetails = getUserDetails(accessToken);
+            authenticateUser(userDetails, request);
+        } catch (AccessDeniedException e) {
+            accessDeniedHandler.handle(request, response, e);
+            return;
+        }
+        filterChain.doFilter(request, response);
+    }
+
+    private boolean isAnonymousRequest(HttpServletRequest request) {
+        String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION);
+        return accessToken == null;
+    }
+
+    private String resolveAccessToken(
+            HttpServletRequest request
+    ) throws ServletException {
+        String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
+        String token = accessTokenProvider.resolveToken(authHeader);
+
+        if (!StringUtils.hasText(token)) {
+            log.error("EMPTY_ACCESS_TOKEN");
+            handleAuthException(AuthErrorCode.EMPTY_ACCESS_KEY);
+        }
+
+        String requestUrl = request.getRequestURI();
+        boolean isTemporaryToken = isTemporaryToken(token);
+        JwtProvider tokenProvider = isTemporaryToken ? temporaryTokenProvider : accessTokenProvider;
+
+        log.info("Token is Temporary {}", isTemporaryToken);
+
+        if (isTemporaryTokenAllowed(requestUrl) != isTemporaryToken) {
+            log.error("FORBIDDEN_TEMPORARY_TOKEN_ACCESS");
+            handleAuthException(AuthErrorCode.FORBIDDEN_ACCESS_TOKEN);
+        }
+
+        // TODO: 블랙리스트 토큰 처리 로직 추가 필요
+
+        if (tokenProvider.isTokenExpired(token)) {
+            log.error("EXPIRED_TOKEN");
+            handleAuthException(AuthErrorCode.EXPIRED_TOKEN);
+        }
+
+        return token;
+    }
+
+
+    private boolean isTemporaryTokenAllowed(String requestUrl) {
+        return requestUrl.equals(TEMPORARY_TOKEN_ALLOWED_ENDPOINT);
+    }
+
+    private boolean isTemporaryToken(String token) {
+        try {
+            Claims claims = temporaryTokenProvider.getClaimsFromToken(token);
+            return claims.get("isTemporary", Boolean.class) != null && claims.get("isTemporary", Boolean.class);
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
+    private UserDetails getUserDetails(String accessToken) {
+        JwtProvider tokenProvider = isTemporaryToken(accessToken) ? temporaryTokenProvider : accessTokenProvider;
+        JwtClaims claims = tokenProvider.parseJwtClaimsFromToken(accessToken);
+        String memberId = (String) claims.getClaims().get(AccessTokenClaimKeys.USER_ID.getValue());
+        return securityUserDetailsService.loadUserByUsername(memberId);
+    }
+
+    private void authenticateUser(UserDetails userDetails, HttpServletRequest request) {
+        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
+                userDetails, null, userDetails.getAuthorities()
+        );
+
+        authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+    }
+
+    private void handleAuthException(AuthErrorCode authErrorCode) throws ServletException {
+        JwtException exception = new JwtException(authErrorCode);
+        throw new ServletException(exception);
+    }
+}

src/main/java/clap/server/adapter/inbound/security/filter/JwtErrorCodeUtil.java

@@ -0,0 +1,54 @@
+package clap.server.adapter.inbound.security.filter;
+import clap.server.exception.JwtException;
+import clap.server.exception.code.AuthErrorCode;
+import clap.server.exception.code.BaseErrorCode;
+import clap.server.exception.code.CommonErrorCode;
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.UnsupportedJwtException;
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+import java.security.SignatureException;
+import java.util.Map;
+import java.util.Optional;
+
+@Slf4j
+@NoArgsConstructor(access = AccessLevel.PROTECTED)
+public class JwtErrorCodeUtil {
+    private static final Map<Class<? extends Exception>, BaseErrorCode> ERROR_CODE_MAP = Map.of(
+            ExpiredJwtException.class, AuthErrorCode.EXPIRED_TOKEN,
+            MalformedJwtException.class, AuthErrorCode.MALFORMED_TOKEN,
+            SignatureException.class, AuthErrorCode.TAMPERED_TOKEN,
+            UnsupportedJwtException.class, AuthErrorCode.UNSUPPORTED_JWT_TOKEN
+    );
+
+    public static BaseErrorCode determineErrorCode(Exception exception, BaseErrorCode defaultErrorCode) {
+        if (exception instanceof JwtException jwtException)
+            return jwtException.getErrorCode();
+
+        Class<? extends Exception> exceptionClass = exception.getClass();
+        return ERROR_CODE_MAP.getOrDefault(exceptionClass, defaultErrorCode);
+    }
+
+
+    public static JwtException determineAuthErrorException(Exception exception) {
+        return findAuthErrorException(exception).orElseGet(
+                () -> {
+                    BaseErrorCode errorCode = determineErrorCode(exception, CommonErrorCode.INTERNAL_SERVER_ERROR);
+                    log.debug(exception.getMessage(), exception);
+                    return new JwtException(errorCode);
+                }
+        );
+    }
+
+    private static Optional<JwtException> findAuthErrorException(Exception exception) {
+        if (exception instanceof JwtException) {
+            return Optional.of((JwtException)exception);
+        } else if (exception.getCause() instanceof JwtException) {
+            return Optional.of((JwtException)exception.getCause());
+        }
+        return Optional.empty();
+    }
+}