[BE] issue229: Refresh Token 적용하기

backend/src/docs/asciidoc/index.adoc

@@ -12,6 +12,12 @@
 === Github 로그인
 operation::auth/login[snippets='http-request,request-parameters,http-response,response-fields']
 
+=== 리프래시 토큰
+operation::auth/refresh[snippets='http-request,http-response']
+
+=== 로그아웃
+operation::auth/logout[snippets='http-request,http-response']
+
 [[Member]]
 == 회원
 

backend/src/docs/asciidoc/index.html

@@ -475,7 +475,7 @@ <h3 id="_github_로그인"><a class="link" href="#_github_로그인">Github 로
 <h4 id="_github_로그인_http_request"><a class="link" href="#_github_로그인_http_request">HTTP request</a></h4>
 <div class="listingblock">
 <div class="content">
-<pre class="highlightjs highlight nowrap"><code class="language-http hljs" data-lang="http">POST /api/login/token?code=authorization-code HTTP/1.1
+<pre class="highlightjs highlight nowrap"><code class="language-http hljs" data-lang="http">POST /api/auth/login?code=authorization-code HTTP/1.1
 Content-Type: application/json
 Accept: application/json
 Host: localhost:8080</code></pre>
@@ -890,4 +890,4 @@ <h4 id="My-Role_response_fields"><a class="link" href="#My-Role_response_fields"
 }
 </script>
 </body>
-</html>
+</html>

backend/src/main/java/com/woowacourse/moamoa/auth/config/AuthRequestMatchConfig.java

@@ -1,11 +1,15 @@
 package com.woowacourse.moamoa.auth.config;
 
+import static org.springframework.http.HttpMethod.DELETE;
+import static org.springframework.http.HttpMethod.GET;
+import static org.springframework.http.HttpMethod.POST;
+import static org.springframework.http.HttpMethod.PUT;
+
 import com.woowacourse.moamoa.auth.controller.matcher.AuthenticationRequestMatcher;
 import com.woowacourse.moamoa.auth.controller.matcher.AuthenticationRequestMatcherBuilder;
 import lombok.AllArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
 
 @Configuration
 @AllArgsConstructor
@@ -14,10 +18,10 @@ public class AuthRequestMatchConfig {
     @Bean
     public AuthenticationRequestMatcher authenticationRequestMatcher() {
         return new AuthenticationRequestMatcherBuilder()
-                .addUpAuthenticationPath(HttpMethod.POST, "/api/studies", "/api/studies/\\d+/reviews", "/api/studies/\\d+/reviews/\\d+")
-                .addUpAuthenticationPath(HttpMethod.GET, "/api/my/studies", "/api/members/me", "/api/members/me/role")
-                .addUpAuthenticationPath(HttpMethod.PUT, "/api/studies/\\d+/reviews/\\d+")
-                .addUpAuthenticationPath(HttpMethod.DELETE, "/api/studies/\\d+/reviews/\\d+")
+                .addUpAuthenticationPath(POST, "/api/studies", "/api/studies/\\d+/reviews", "/api/studies/\\d+/reviews/\\d+")
+                .addUpAuthenticationPath(GET, "/api/my/studies", "/api/members/me", "/api/members/me/role")
+                .addUpAuthenticationPath(PUT, "/api/studies/\\d+/reviews/\\d+")
+                .addUpAuthenticationPath(DELETE, "/api/studies/\\d+/reviews/\\d+")
                 .build();
     }
 }

backend/src/main/java/com/woowacourse/moamoa/auth/config/AuthenticationExtractor.java

@@ -7,8 +7,8 @@
 
 public class AuthenticationExtractor {
 
-    private static String BEARER_TYPE = "Bearer";
-    private static String ACCESS_TOKEN_TYPE = AuthenticationExtractor.class.getSimpleName() + ".ACCESS_TOKEN_TYPE";
+    private static final String BEARER_TYPE = "Bearer";
+    private static final String ACCESS_TOKEN_TYPE = AuthenticationExtractor.class.getSimpleName() + ".ACCESS_TOKEN_TYPE";
 
     public static String extract(HttpServletRequest request) {
         Enumeration<String> headers = request.getHeaders(AUTHORIZATION);

backend/src/main/java/com/woowacourse/moamoa/auth/controller/AuthController.java

@@ -1,9 +1,15 @@
 package com.woowacourse.moamoa.auth.controller;
 
+import com.woowacourse.moamoa.auth.config.AuthenticationPrincipal;
 import com.woowacourse.moamoa.auth.service.AuthService;
-import com.woowacourse.moamoa.auth.service.response.TokenResponse;
+import com.woowacourse.moamoa.auth.service.response.AccessTokenResponse;
+import com.woowacourse.moamoa.auth.service.response.TokensResponse;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseCookie;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
@@ -12,10 +18,48 @@
 @RequiredArgsConstructor
 public class AuthController {
 
+    private static final String REFRESH_TOKEN = "refreshToken";
+    private static final int REFRESH_TOKEN_EXPIRATION = 7 * 24 * 60 * 60;
+
     private final AuthService authService;
 
-    @PostMapping("/api/login/token")
-    public ResponseEntity<TokenResponse> login(@RequestParam final String code) {
-        return ResponseEntity.ok().body(authService.createToken(code));
+    @PostMapping("/api/auth/login")
+    public ResponseEntity<AccessTokenResponse> login(@RequestParam final String code) {
+        final TokensResponse tokenResponse = authService.createToken(code);
+
+        final AccessTokenResponse response = new AccessTokenResponse(tokenResponse.getAccessToken(), authService.getExpireTime());
+        final ResponseCookie cookie = putTokenInCookie(tokenResponse);
+
+        return ResponseEntity.ok().header("Set-Cookie", cookie.toString()).body(response);
+    }
+
+    @GetMapping("/api/auth/refresh")
+    public ResponseEntity<AccessTokenResponse> refreshToken(@AuthenticationPrincipal Long githubId, @CookieValue String refreshToken) {
+        return ResponseEntity.ok().body(authService.refreshToken(githubId, refreshToken));
+    }
+
+    @DeleteMapping("/api/auth/logout")
+    public ResponseEntity<Void> logout(@AuthenticationPrincipal Long githubId) {
+        authService.logout(githubId);
+
+        return ResponseEntity.noContent().header("Set-Cookie", removeCookie().toString()).build();
+    }
+
+    private ResponseCookie putTokenInCookie(final TokensResponse tokenResponse) {
+        return ResponseCookie.from(REFRESH_TOKEN, tokenResponse.getRefreshToken())
+                .maxAge(REFRESH_TOKEN_EXPIRATION)
+                .path("/")
+                .secure(true)
+                .httpOnly(true)
+                .build();
+    }
+
+    private ResponseCookie removeCookie() {
+        return ResponseCookie.from(REFRESH_TOKEN, null)
+                .maxAge(0)
+                .path("/")
+                .secure(true)
+                .httpOnly(true)
+                .build();
     }
 }

backend/src/main/java/com/woowacourse/moamoa/auth/controller/AuthenticationArgumentResolver.java

@@ -28,8 +28,8 @@ public boolean supportsParameter(final MethodParameter parameter) {
     public Object resolveArgument(final MethodParameter parameter, final ModelAndViewContainer mavContainer,
                                   final NativeWebRequest webRequest, final WebDataBinderFactory binderFactory) {
         final HttpServletRequest request = webRequest.getNativeRequest(HttpServletRequest.class);
-
         final String token = AuthenticationExtractor.extract(request);
+
         if (token == null) {
             throw new UnauthorizedException("인증 타입이 올바르지 않습니다.");
         }

backend/src/main/java/com/woowacourse/moamoa/auth/domain/Token.java

@@ -0,0 +1,36 @@
+package com.woowacourse.moamoa.auth.domain;
+
+import static javax.persistence.GenerationType.IDENTITY;
+import static lombok.AccessLevel.PROTECTED;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.Id;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+
+@Entity
+@Getter
+@NoArgsConstructor(access = PROTECTED)
+@AllArgsConstructor
+public class Token {
+
+    @Id
+    @GeneratedValue(strategy = IDENTITY)
+    private Long id;
+
+    @Column(nullable = false)
+    private Long githubId;
+
+    private String refreshToken;
+
+    public Token(final Long githubId, final String refreshToken) {
+        this(null, githubId, refreshToken);
+    }
+
+    public void updateRefreshToken(final String refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+}

backend/src/main/java/com/woowacourse/moamoa/auth/domain/repository/TokenRepository.java

@@ -0,0 +1,10 @@
+package com.woowacourse.moamoa.auth.domain.repository;
+
+import com.woowacourse.moamoa.auth.domain.Token;
+import java.util.Optional;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+public interface TokenRepository extends JpaRepository<Token, Long> {
+
+    Optional<Token> findByGithubId(Long githubId);
+}

backend/src/main/java/com/woowacourse/moamoa/auth/exception/RefreshTokenExpirationException.java

@@ -0,0 +1,9 @@
+package com.woowacourse.moamoa.auth.exception;
+
+import com.woowacourse.moamoa.common.exception.UnauthorizedException;
+
+public class RefreshTokenExpirationException extends UnauthorizedException {
+    public RefreshTokenExpirationException() {
+        super("만료된 리프래시 토큰입니다.");
+    }
+}

backend/src/main/java/com/woowacourse/moamoa/auth/exception/TokenExpirationException.java

@@ -0,0 +1,10 @@
+package com.woowacourse.moamoa.auth.exception;
+
+import com.woowacourse.moamoa.common.exception.UnauthorizedException;
+
+public class TokenExpirationException extends UnauthorizedException {
+
+    public TokenExpirationException() {
+        super("만료된 토큰입니다.");
+    }
+}

backend/src/main/java/com/woowacourse/moamoa/auth/exception/TokenNotFoundException.java

@@ -0,0 +1,10 @@
+package com.woowacourse.moamoa.auth.exception;
+
+import com.woowacourse.moamoa.common.exception.UnauthorizedException;
+
+public class TokenNotFoundException extends UnauthorizedException {
+
+    public TokenNotFoundException() {
+        super("토큰이 존재하지 않습니다.");
+    }
+}

backend/src/main/java/com/woowacourse/moamoa/auth/infrastructure/JwtTokenProvider.java

@@ -1,5 +1,7 @@
 package com.woowacourse.moamoa.auth.infrastructure;
 
+import com.woowacourse.moamoa.auth.exception.RefreshTokenExpirationException;
+import com.woowacourse.moamoa.auth.service.response.TokensResponse;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtException;
@@ -15,6 +17,8 @@
 @Component
 public class JwtTokenProvider implements TokenProvider {
 
+    private static final long REFRESH_TOKEN_EXPIRATION = 7 * 24 * 60 * 60 * 1000; // 7일
+
     private final SecretKey key;
     private final long validityInMilliseconds;
 
@@ -27,16 +31,23 @@ public JwtTokenProvider(
     }
 
     @Override
-    public String createToken(final Long payload) {
+    public TokensResponse createToken(final Long payload) {
         final Date now = new Date();
-        final Date validity = new Date(now.getTime() + validityInMilliseconds);
 
-        return Jwts.builder()
+        String accessToken = Jwts.builder()
                 .setSubject(payload.toString())
                 .setIssuedAt(now)
-                .setExpiration(validity)
+                .setExpiration(new Date(now.getTime() + validityInMilliseconds))
+                .signWith(key, SignatureAlgorithm.HS256)
+                .compact();
+
+        String refreshToken =  Jwts.builder()
+                .setIssuedAt(now)
+                .setExpiration(new Date(now.getTime() + REFRESH_TOKEN_EXPIRATION))
                 .signWith(key, SignatureAlgorithm.HS256)
                 .compact();
+
+        return new TokensResponse(accessToken, refreshToken);
     }
 
     @Override
@@ -57,11 +68,47 @@ public boolean validateToken(final String token) {
                     .build()
                     .parseClaimsJws(token);
 
-            return !claims.getBody()
-                    .getExpiration()
-                    .before(new Date());
+            Date tokenExpirationDate = claims.getBody().getExpiration();
+            validateTokenExpiration(tokenExpirationDate);
+
+            return true;
         } catch (JwtException | IllegalArgumentException e) {
             return false;
         }
     }
+
+    @Override
+    public String recreationAccessToken(final Long githubId, final String refreshToken) {
+        Jws<Claims> claims = Jwts.parserBuilder()
+                .setSigningKey(key)
+                .build()
+                .parseClaimsJws(refreshToken);
+
+        Date tokenExpirationDate = claims.getBody().getExpiration();
+        validateTokenExpiration(tokenExpirationDate);
+
+        return createAccessToken(githubId);
+    }
+
+    private void validateTokenExpiration(Date tokenExpirationDate) {
+        if (tokenExpirationDate.before(new Date())) {
+            throw new RefreshTokenExpirationException();
+        }
+    }
+
+    private String createAccessToken(final Long githubId) {
+        final Date now = new Date();
+
+        return Jwts.builder()
+                .setSubject(Long.toString(githubId))
+                .setIssuedAt(now)
+                .setExpiration(new Date(now.getTime() + validityInMilliseconds))
+                .signWith(key, SignatureAlgorithm.HS256)
+                .compact();
+    }
+
+    @Override
+    public long getValidityInMilliseconds() {
+        return validityInMilliseconds;
+    }
 }

backend/src/main/java/com/woowacourse/moamoa/auth/infrastructure/TokenProvider.java

@@ -1,10 +1,16 @@
 package com.woowacourse.moamoa.auth.infrastructure;
 
+import com.woowacourse.moamoa.auth.service.response.TokensResponse;
+
 public interface TokenProvider {
 
-    String createToken(final Long payload);
+    TokensResponse createToken(final Long payload);
 
     String getPayload(final String token);
 
     boolean validateToken(final String token);
+
+    String recreationAccessToken(final Long githubId, final String refreshToken);
+
+    long getValidityInMilliseconds();
 }