
Conversation


@chaechaen chaechaen commented Aug 10, 2025

🚀 Changes

Changed to redirect to the frontend

  • On sign-up (profile incomplete), go to /profile (the page for entering additional profile information)
  • On login (profile complete), go to /home (the home page)

🔗 Related issue

✅ Checklist

  • Tested locally
  • Ready for code review

Summary by CodeRabbit

  • New Features

    • OAuth2 login now redirects users dynamically based on their profile completion status, sending them to either the home page or profile setup page.
    • The redirect base URI is now configurable via application settings.
  • Bug Fixes

    • Updated cookie settings to improve cross-site compatibility by setting the SameSite attribute to "None".
  • Chores

    • Removed deprecated social login redirect endpoint and its related API documentation.

@chaechaen chaechaen self-assigned this Aug 10, 2025
@chaechaen chaechaen added the ♻️ refactor Refactor code label Aug 10, 2025
@chaechaen chaechaen linked an issue Aug 10, 2025 that may be closed by this pull request
2 tasks

coderabbitai bot commented Aug 10, 2025

Walkthrough

The changes update the OAuth2 authentication success handler to redirect users to a configurable frontend base URI, directing them either to the home page or profile completion page based on their profile status. Additionally, cookie SameSite attributes are set to "None," and a new configuration property for the frontend base URI is introduced. The previously used OAuth2 redirect endpoint in the controller is removed.

Changes

Cohort / File(s) Change Summary
OAuth2 Redirect Logic Refactor
src/main/java/checkmo/domain/member/service/security/oauth2/OAuth2AuthenticationSuccessHandler.java
Refactored to inject a configurable base URI from application properties. Redirect path is now conditional: users with completed profiles go to "/home", others to "/profile". Redirect URL is dynamically constructed and used for redirection. Authentication attributes are cleared before redirecting.
JWT Cookie SameSite Attribute
src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java
Changed SameSite attribute for cookies from "Lax" to "None" in both token addition and deletion methods.
OAuth2 Redirect Configuration
src/main/resources/application-oauth2.yml
Added new property app.oauth2.redirect.base-uri, set to ${FRONTEND_BASE_URI} for frontend redirect configuration.
Removal of OAuth2 Redirect Endpoint
src/main/java/checkmo/domain/member/web/controller/AuthController.java
Removed the handleSocialLoginRedirect method and its associated Swagger/OpenAPI annotations that previously handled the OAuth2 redirect endpoint /redirect/oauth2.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant OAuth2Provider
    participant Server (OAuth2AuthenticationSuccessHandler)
    participant Frontend

    User->>OAuth2Provider: Initiate OAuth2 login
    OAuth2Provider->>Server (OAuth2AuthenticationSuccessHandler): Callback with authentication
    Server (OAuth2AuthenticationSuccessHandler)->>Server (OAuth2AuthenticationSuccessHandler): Retrieve Member and check profile status
    alt Profile completed
        Server (OAuth2AuthenticationSuccessHandler)->>User: Redirect to {baseUri}/home
    else Profile incomplete
        Server (OAuth2AuthenticationSuccessHandler)->>User: Redirect to {baseUri}/profile
    end
    User->>Frontend: Land on redirected page

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Assessment against linked issues

Objective Addressed Explanation
Redirect to the additional-profile-information page after sign-up, and to home after login (#73)

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes found.

Possibly related PRs

  • Feat/52/google login #55: Implements initial OAuth2 login setup including OAuth2AuthenticationSuccessHandler with fixed redirect and secure cookie settings; closely related due to modifications in the OAuth2AuthenticationSuccessHandler class and login flow handling.

Suggested labels

✨ feature

Suggested reviewers

  • MODUGGAGI

Poem

A hop to the home, or a skip to profile new,
With cookies set for travels true.
Now redirects are smart, and base URIs shine,
OAuth2's journey is simply divine!
🥕🐇

— A rabbit, delighted with every line


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52657aa and 96129b6.

📒 Files selected for processing (1)
  • src/main/java/checkmo/domain/member/web/controller/AuthController.java (0 hunks)
💤 Files with no reviewable changes (1)
  • src/main/java/checkmo/domain/member/web/controller/AuthController.java
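The success-handler behaviour described in the walkthrough above, written out as an added example; this is not the project's own OAuth2AuthenticationSuccessHandler. It folds in two hardening points a reviewer would want: the base URI is validated when the bean is constructed (missing, relative, non-http(s), or plain-http outside localhost all fail startup) and trailing slashes are stripped so appending /home or /profile never yields a double slash, and the principal cast is guarded with instanceof. PrincipalDetails#getMember() and Member#isProfileCompleted() are assumed accessors standing in for whatever the project uses for the profile-completion flag, and their import packages are assumed as well; token-cookie issuance through JwtCookieUtil is omitted.

```java
package checkmo.domain.member.service.security.oauth2;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

// Project types; their packages are assumed for this example.
import checkmo.domain.member.entity.Member;
import checkmo.domain.member.service.security.PrincipalDetails;

@Component
public class OAuth2AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private final String baseUri;

    public OAuth2AuthenticationSuccessHandler(@Value("${app.oauth2.redirect.base-uri}") String baseUri) {
        // Fail at startup, not on the first login, if the property is missing or malformed.
        this.baseUri = validateBaseUri(baseUri);
    }

    /** Accepts an absolute http(s) origin and returns it without trailing slashes. */
    static String validateBaseUri(String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalStateException("app.oauth2.redirect.base-uri must be configured");
        }
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            throw new IllegalStateException("app.oauth2.redirect.base-uri is not a valid URI: " + raw, e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        if (uri.getHost() == null || !(scheme.equals("https") || scheme.equals("http"))) {
            throw new IllegalStateException("app.oauth2.redirect.base-uri must be an absolute http(s) URL: " + raw);
        }
        if (scheme.equals("http") && !uri.getHost().equals("localhost")) {
            // The auth cookie is Secure; an http target outside local dev would never carry it.
            throw new IllegalStateException("plain http is only accepted for localhost: " + raw);
        }
        if (uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalStateException("app.oauth2.redirect.base-uri must not carry a query or fragment: " + raw);
        }
        // Strip trailing slashes so the appended path never produces "//".
        return raw.trim().replaceAll("/+$", "");
    }

    /** /home for a completed profile, /profile otherwise, appended to the configured base. */
    static String redirectTarget(String baseUri, boolean profileCompleted) {
        return UriComponentsBuilder.fromUriString(baseUri)
                .path(profileCompleted ? "/home" : "/profile")
                .build()
                .toUriString();
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        // Guard the cast: another authentication flow reusing this handler must not throw here.
        if (!(authentication.getPrincipal() instanceof PrincipalDetails principalDetails)) {
            getRedirectStrategy().sendRedirect(request, response, baseUri);
            return;
        }
        Member member = principalDetails.getMember();
        // isProfileCompleted() is an assumed accessor for the profile-completion flag.
        String target = redirectTarget(baseUri, member.isProfileCompleted());

        // Token cookie issuance via JwtCookieUtil is omitted in this example.
        clearAuthenticationAttributes(request);
        getRedirectStrategy().sendRedirect(request, response, target);
    }
}
```

Because the target is composed only from a server-side property and a fixed path, nothing from the request reaches the redirect, so this stays free of open-redirect concerns; the validation exists to catch a bad deployment value at boot rather than at the first user's login.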

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🔭 Outside diff range comments (1)
src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java (1)

33-41: Deletion cookie missing Secure; align attributes for reliable removal

When deleting, mirror the security attributes used when setting the cookie. Add cookie.setSecure(true) to ensure consistent handling across browsers.

Apply this diff:

     Cookie cookie = new Cookie(cookieName, null);
     cookie.setMaxAge(0);
     cookie.setPath("/");
     cookie.setHttpOnly(true);
+    cookie.setSecure(true);
     cookie.setAttribute("SameSite", "None");
     response.addCookie(cookie);
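Review bot: adding cookie.setSecure(true) to the deletion cookie is more than a consistency point. The hunk already sets SameSite=None on that cookie, and browsers discard a SameSite=None cookie that is not also Secure, so without this line the deletion cookie is ignored and the token cookie survives logout. While here, confirm that the Path (and Domain, if the issuing cookie sets one) match the issuing cookie exactly, because the browser only replaces a cookie whose name, domain and path all match.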
🧹 Nitpick comments (2)
src/main/resources/application-oauth2.yml (1)

1-5: Make base URI robust: provide a sensible default and document format

  • Provide a local default to reduce misconfig risk.
  • Document whether trailing slash is allowed; current code appends a path and could produce double slashes depending on the value.

Suggested change:

-      base-uri: ${FRONTEND_BASE_URI}
+      base-uri: ${FRONTEND_BASE_URI:http://localhost:3000}
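Review bot: the fallback in `base-uri: ${FRONTEND_BASE_URI:http://localhost:3000}` trades a startup failure for a silent misconfiguration: a deployed instance missing FRONTEND_BASE_URI would redirect every successful login to localhost instead of refusing to start. Keep the default in a local-only profile, or keep the property mandatory and validate it at startup as the comment on OAuth2AuthenticationSuccessHandler suggests, and document that the value is an origin without a trailing slash, since the handler appends /home or /profile to it.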

Also verify CORS is configured to allow credentials (no wildcard origin) for the frontend origin.

src/main/java/checkmo/domain/member/service/security/oauth2/OAuth2AuthenticationSuccessHandler.java (1)

29-31: Validate configuration at startup

Fail fast if app.oauth2.redirect.base-uri is missing/blank to avoid runtime surprises.

Example:

if (baseUri == null || baseUri.isBlank()) {
    throw new IllegalStateException("app.oauth2.redirect.base-uri must be configured");
}
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c6b8179 and 96d6946.

📒 Files selected for processing (3)
  • src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java (2 hunks)
  • src/main/java/checkmo/domain/member/service/security/oauth2/OAuth2AuthenticationSuccessHandler.java (2 hunks)
  • src/main/resources/application-oauth2.yml (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
src/main/java/checkmo/domain/member/service/security/oauth2/OAuth2AuthenticationSuccessHandler.java (1)
src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java (1)
  • Component (8-42)
🪛 ast-grep (0.38.6)
src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java

[warning] 39-39: A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '.setSecure(true);'.
Context: response.addCookie(cookie);
Note: [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. [REFERENCES]
- https://owasp.org/www-community/controls/SecureCookieAttribute

(cookie-missing-secure-flag-java)


[warning] 39-39: The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The Synchronizer Token or Double Submit Cookie patterns with defense-in-depth mechanisms such as the sameSite cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).
Context: response.addCookie(cookie);
Note: [CWE-352] Cross-Site Request Forgery (CSRF). [REFERENCES]
- https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application

(cookie-missing-samesite-java)

🔇 Additional comments (2)
src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java (1)

14-14: Confirm SameSite=None support and enforce CSRF protections

The cookie.setAttribute("SameSite", "None") call depends on your servlet container and Jakarta Servlet API version supporting arbitrary cookie attributes. If you’re on an older container (e.g. Servlet 5.x in Spring Boot 3.0), this may be ignored. Please:

• Verify your container and servlet API version support Cookie#setAttribute("SameSite", "None").
• If not supported, fall back to manually emitting the header:

response.addHeader("Set-Cookie",
  String.format("%s=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=None",
    cookieName, token, maxAge));

• Because SameSite=None permits cross-site cookie delivery, ensure you have a CSRF protection strategy in place (e.g. Spring Security CSRF tokens or a double-submit cookie pattern).

Locations to review:

  • src/main/java/checkmo/domain/member/service/security/jwt/JwtCookieUtil.java – addTokenToCookie(...) at lines 13–17 and 36–39.
src/main/java/checkmo/domain/member/service/security/oauth2/OAuth2AuthenticationSuccessHandler.java (1)

38-41: Guard the principal cast

If this handler is ever reused with another auth flow, a direct cast can throw. Add an instanceof guard or constrain the handler mapping to only the OAuth2 flow.

Minimal guard example:

if (!(authentication.getPrincipal() instanceof PrincipalDetails principalDetails)) {
    getRedirectStrategy().sendRedirect(request, response, baseUri);
    return;
}
Member member = principalDetails.getMember();
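An added example, not the project's JwtCookieUtil, of the fallback the review above suggests: emitting the cookie through Spring's ResponseCookie and writing the Set-Cookie header directly, so SameSite is present regardless of whether the servlet container honours Cookie#setAttribute. It pairs Secure with SameSite=None on both the issuing and the deletion cookie (browsers drop a SameSite=None cookie that lacks Secure), and the deletion cookie repeats the same Path, Secure and SameSite attributes so the browser matches the original. The cookie name, lifetime and the addTokenToCookie(response, token) signature are assumed.

```java
package checkmo.domain.member.service.security.jwt;

import java.time.Duration;

import jakarta.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Component;

@Component
public class JwtCookieUtil {

    // Assumed cookie name and lifetime; the project's real values may differ.
    static final String ACCESS_TOKEN_COOKIE = "access_token";
    static final Duration ACCESS_TOKEN_TTL = Duration.ofHours(1);

    /** Set-Cookie value for a freshly issued token. */
    static ResponseCookie tokenCookie(String name, String token, Duration maxAge) {
        return buildCookie(name, token, maxAge);
    }

    /** Set-Cookie value that expires the token cookie in the browser. */
    static ResponseCookie deletionCookie(String name) {
        // Max-Age=0 with the same Path/Secure/SameSite so the browser matches the original cookie.
        return buildCookie(name, "", Duration.ZERO);
    }

    private static ResponseCookie buildCookie(String name, String value, Duration maxAge) {
        return ResponseCookie.from(name, value)
                .path("/")
                .maxAge(maxAge)
                .httpOnly(true)    // not readable from page scripts
                .secure(true)      // mandatory: SameSite=None is rejected without Secure
                .sameSite("None")  // frontend and API are on different sites
                .build();
    }

    public void addTokenToCookie(HttpServletResponse response, String token) {
        // Writing the header ourselves bypasses the container's own Cookie serialisation.
        response.addHeader(HttpHeaders.SET_COOKIE,
                tokenCookie(ACCESS_TOKEN_COOKIE, token, ACCESS_TOKEN_TTL).toString());
    }

    public void deleteTokenCookie(HttpServletResponse response) {
        response.addHeader(HttpHeaders.SET_COOKIE,
                deletionCookie(ACCESS_TOKEN_COOKIE).toString());
    }

    /** Invariant worth asserting in a unit test: a SameSite=None cookie must also be Secure. */
    static boolean isCrossSiteSafe(ResponseCookie cookie) {
        return !"None".equalsIgnoreCase(cookie.getSameSite()) || cookie.isSecure();
    }

    public static void main(String[] args) {
        // Constructed token value for demonstration only.
        ResponseCookie set = tokenCookie(ACCESS_TOKEN_COOKIE, "constructed.jwt.value", ACCESS_TOKEN_TTL);
        ResponseCookie del = deletionCookie(ACCESS_TOKEN_COOKIE);
        System.out.println(set);   // full Set-Cookie value, including Secure and SameSite=None
        System.out.println(del);   // same attributes with Max-Age=0
        System.out.println(isCrossSiteSafe(set) && isCrossSiteSafe(del));
    }
}
```

SameSite=None only changes when the browser attaches the cookie; it does not authenticate the request's origin. As the review notes, a cookie-carried JWT on a cross-site API still needs CSRF protection (Spring Security's CSRF token or a double-submit cookie) on state-changing endpoints, and the CORS configuration must name the frontend origin explicitly with credentials allowed rather than using a wildcard.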

Collaborator

@zjhj0814 zjhj0814 left a comment


Thanks for your hard work! Looks good to me

@zjhj0814 zjhj0814 merged commit 4c8777b into develop Aug 11, 2025
1 check passed
@zjhj0814 zjhj0814 deleted the refactor/73/SocialLogin branch August 11, 2025 05:38

Labels

♻️ refactor Refactor code

Development

Successfully merging this pull request may close these issues.

[REFACTOR] Fix the redirect on successful social login

3 participants