Merge remote-tracking branch 'origin/CLAP-84' into CLAP-84

Author: joowojr

src/main/java/clap/server/adapter/inbound/security/filter/JwtAuthenticationFilter.java

@@ -1,10 +1,11 @@
 package clap.server.adapter.inbound.security.filter;
 
 import clap.server.adapter.outbound.jwt.JwtClaims;
-import clap.server.application.port.outbound.auth.JwtProvider;
 import clap.server.adapter.outbound.jwt.access.AccessTokenClaimKeys;
+import clap.server.application.port.outbound.auth.JwtProvider;
 import clap.server.exception.JwtException;
 import clap.server.exception.code.AuthErrorCode;
+import io.jsonwebtoken.Claims;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -31,8 +32,10 @@
 @Component
 @RequiredArgsConstructor
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
+    private static final String TEMPORARY_TOKEN_ALLOWED_ENDPOINT = "/api/members/initial-password";
     private final UserDetailsService securityUserDetailsService;
     private final JwtProvider accessTokenProvider;
+    private final JwtProvider temporaryTokenProvider;
     private final AccessDeniedHandler accessDeniedHandler;
 
     @Override
@@ -48,6 +51,7 @@ protected void doFilterInternal(
             }
 
             String accessToken = resolveAccessToken(request);
+
             UserDetails userDetails = getUserDetails(accessToken);
             authenticateUser(userDetails, request);
         } catch (AccessDeniedException e) {
@@ -73,9 +77,20 @@ private String resolveAccessToken(
             handleAuthException(AuthErrorCode.EMPTY_ACCESS_KEY);
         }
 
+        String requestUrl = request.getRequestURI();
+        boolean isTemporaryToken = isTemporaryToken(token);
+        JwtProvider tokenProvider = isTemporaryToken ? temporaryTokenProvider : accessTokenProvider;
+
+        log.info("Token is Temporary {}", isTemporaryToken);
+
+        if (isTemporaryTokenAllowed(requestUrl) != isTemporaryToken) {
+            log.error("FORBIDDEN_TEMPORARY_TOKEN_ACCESS");
+            handleAuthException(AuthErrorCode.FORBIDDEN_ACCESS_TOKEN);
+        }
+
         // TODO: 블랙리스트 토큰 처리 로직 추가 필요
 
-        if (accessTokenProvider.isTokenExpired(token)) {
+        if (tokenProvider.isTokenExpired(token)) {
             log.error("EXPIRED_TOKEN");
             handleAuthException(AuthErrorCode.EXPIRED_TOKEN);
         }
@@ -84,9 +99,23 @@ private String resolveAccessToken(
     }
 
 
+    private boolean isTemporaryTokenAllowed(String requestUrl) {
+        return requestUrl.equals(TEMPORARY_TOKEN_ALLOWED_ENDPOINT);
+    }
+
+    private boolean isTemporaryToken(String token) {
+        try {
+            Claims claims = temporaryTokenProvider.getClaimsFromToken(token);
+            return claims.get("isTemporary", Boolean.class) != null && claims.get("isTemporary", Boolean.class);
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
     private UserDetails getUserDetails(String accessToken) {
-        JwtClaims claims = accessTokenProvider.parseJwtClaimsFromToken(accessToken);
-        String memberId = (String)claims.getClaims().get(AccessTokenClaimKeys.USER_ID.getValue());
+        JwtProvider tokenProvider = isTemporaryToken(accessToken) ? temporaryTokenProvider : accessTokenProvider;
+        JwtClaims claims = tokenProvider.parseJwtClaimsFromToken(accessToken);
+        String memberId = (String) claims.getClaims().get(AccessTokenClaimKeys.USER_ID.getValue());
         return securityUserDetailsService.loadUserByUsername(memberId);
     }
 

src/main/java/clap/server/adapter/inbound/web/admin/RegisterMemberController.java

@@ -1,22 +1,27 @@
 package clap.server.adapter.inbound.web.admin;
 
+import clap.server.adapter.inbound.security.SecurityUserDetails;
 import clap.server.adapter.inbound.web.dto.admin.RegisterMemberRequest;
 import clap.server.application.port.inbound.management.RegisterMemberUsecase;
 import clap.server.common.annotation.architecture.WebAdapter;
-import clap.server.adapter.inbound.security.SecurityUserDetails;
-import com.fasterxml.jackson.core.JsonProcessingException;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
 
+@Tag(name = "회원 관리 - 등록")
 @WebAdapter
 @RequiredArgsConstructor
 @RequestMapping("/api/managements")
 public class RegisterMemberController {
     private final RegisterMemberUsecase registerMemberUsecase;
 
+    @Operation(summary = "단일 회원 등록 API")
     @PostMapping("/members")
     @Secured("ROLE_ADMIN")
     public void registerMember(@AuthenticationPrincipal SecurityUserDetails userInfo,

src/main/java/clap/server/adapter/inbound/web/auth/AuthController.java

@@ -5,21 +5,21 @@
 import clap.server.application.port.inbound.auth.AuthUsecase;
 import clap.server.common.annotation.architecture.WebAdapter;
 import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
 import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+@Tag(name = "로그인 / 로그아웃 / 토큰 재발급")
 @WebAdapter
 @RequiredArgsConstructor
 @RequestMapping("/api/auths")
-@Slf4j
 public class AuthController {
     private final AuthUsecase authUsecase;
 
-    @Operation(description = "로그인 API")
+    @Operation(summary = "로그인 API")
     @PostMapping("/login")
     public ResponseEntity<LoginResponse> login(@RequestBody LoginRequest request) {
         return ResponseEntity.ok(authUsecase.login(request.nickname(), request.password()));

src/main/java/clap/server/adapter/inbound/web/dto/admin/RegisterMemberRequest.java

@@ -1,23 +1,30 @@
 package clap.server.adapter.inbound.web.dto.admin;
 
 import clap.server.adapter.outbound.persistense.entity.member.constant.MemberRole;
+import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
 
 public record RegisterMemberRequest(
-        @NotBlank
+        @NotBlank @Schema(description = "회원 이름")
         String name,
         @NotBlank
+        @Pattern(regexp = "^[a-zA-Z0-9_+&*-]+(?:\\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,7}$",
+                message = "올바른 이메일 형식이 아닙니다.")
+        @Schema(description = "회원 이메일")
         String email,
-        @NotBlank
+        @NotBlank @Schema(description = "회원 닉네임, 로그인할 때 쓰입니다.")
+        @Pattern(regexp = "^[a-z]{3,10}\\.[a-z]{1,5}$",
+                message = "올바른 닉네임 형식이 아닙니다.")
         String nickname,
-        @NotNull
+        @NotNull @Schema(description = "승인 권한 여부")
         Boolean isReviewer,
-        @NotNull
+        @NotNull @Schema(description = "부서 ID")
         Long departmentId,
-        @NotNull
+        @NotNull @Schema(description = "회원 역할")
         MemberRole role,
-        @NotBlank
+        @NotBlank @Schema(description = "회원 직책")
         String departmentRole
 ) {
 }

src/main/java/clap/server/adapter/inbound/web/member/ResetPasswordController.java

@@ -0,0 +1,37 @@
+package clap.server.adapter.inbound.web.member;
+
+import clap.server.adapter.inbound.security.SecurityUserDetails;
+import clap.server.application.port.inbound.auth.ResetPasswordUsecase;
+import clap.server.common.annotation.architecture.WebAdapter;
+import clap.server.common.annotation.validation.password.ValidPassword;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.constraints.NotBlank;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Tag(name = "비밀번호 재설정")
+@WebAdapter
+@RequiredArgsConstructor
+@RequestMapping("/api")
+public class ResetPasswordController {
+    private final ResetPasswordUsecase resetPasswordUsecase;
+
+    @Operation(summary = "초기 로그인 후 비밀번호 재설정 API", description = "swagger에서 따옴표를 포함하지 않고 요청합니다.")
+    @PatchMapping("/members/initial-password")
+    public void resetPasswordAndActivateMember(@AuthenticationPrincipal SecurityUserDetails userInfo,
+                                               @RequestBody @NotBlank @ValidPassword String password) {
+        resetPasswordUsecase.resetPasswordAndActivateMember(userInfo.getUserId(), password);
+    }
+
+    @Operation(summary = "비밀번호 재설정 API", description = "swagger에서 따옴표를 포함하지 않고 요청합니다.")
+    @PatchMapping("/members/password")
+    public void resetPassword(@AuthenticationPrincipal SecurityUserDetails userInfo,
+                                               @RequestBody @NotBlank @ValidPassword String password) {
+        resetPasswordUsecase.resetPassword(userInfo.getUserId(), password);
+    }
+
+}

src/main/java/clap/server/adapter/outbound/jwt/access/AccessTokenProvider.java

@@ -2,16 +2,15 @@
 
 import clap.server.adapter.outbound.jwt.JwtClaims;
 import clap.server.application.port.outbound.auth.JwtProvider;
-import clap.server.exception.JwtException;
 import clap.server.common.annotation.jwt.AccessTokenStrategy;
 import clap.server.common.utils.DateUtil;
+import clap.server.exception.JwtException;
 import clap.server.exception.code.AuthErrorCode;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.security.Keys;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Primary;
 import org.springframework.stereotype.Component;
 
 import javax.crypto.SecretKey;
@@ -24,7 +23,6 @@
 import static clap.server.adapter.outbound.jwt.access.AccessTokenClaimKeys.USER_ID;
 
 @Slf4j
-@Primary
 @Component
 @AccessTokenStrategy
 public class AccessTokenProvider implements JwtProvider {

src/main/java/clap/server/adapter/outbound/jwt/access/temporary/TemporaryTokenClaim.java

@@ -0,0 +1,34 @@
+package clap.server.adapter.outbound.jwt.access.temporary;
+
+import clap.server.adapter.outbound.jwt.JwtClaims;
+import clap.server.adapter.outbound.jwt.access.AccessTokenClaimKeys;
+import lombok.AccessLevel;
+import lombok.RequiredArgsConstructor;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@RequiredArgsConstructor(access = AccessLevel.PRIVATE)
+public class TemporaryTokenClaim implements JwtClaims {
+    private final Map<String, Object> claims;
+
+    public static TemporaryTokenClaim of(Long memberId) {
+        Map<String, Object> claims = new HashMap<>();
+        claims.put(AccessTokenClaimKeys.USER_ID.getValue(), memberId.toString());
+        claims.put(TemporaryTokenClaimKeys.IS_TEMPORARY.getValue(), true);
+        return new TemporaryTokenClaim(claims);
+    }
+
+    @Override
+    public Map<String, Object> getClaims() {
+        return claims;
+    }
+
+    public Long getMemberId() {
+        return Long.parseLong((String) claims.get(AccessTokenClaimKeys.USER_ID.getValue()));
+    }
+
+    public boolean isTemporary() {
+        return (boolean) claims.get(TemporaryTokenClaimKeys.IS_TEMPORARY.getValue());
+    }
+}

src/main/java/clap/server/adapter/outbound/jwt/access/temporary/TemporaryTokenClaimKeys.java

@@ -0,0 +1,14 @@
+package clap.server.adapter.outbound.jwt.access.temporary;
+
+import lombok.Getter;
+
+@Getter
+public enum TemporaryTokenClaimKeys {
+    IS_TEMPORARY("isTemporary");
+
+    private final String value;
+
+    TemporaryTokenClaimKeys(String value) {
+        this.value = value;
+    }
+}

src/main/java/clap/server/adapter/outbound/jwt/access/temporary/TemporaryTokenProvider.java

@@ -0,0 +1,103 @@
+package clap.server.adapter.outbound.jwt.access.temporary;
+
+import clap.server.adapter.outbound.jwt.JwtClaims;
+import clap.server.application.port.outbound.auth.JwtProvider;
+import clap.server.common.annotation.jwt.TemporaryTokenStrategy;
+import clap.server.common.utils.DateUtil;
+import clap.server.exception.JwtException;
+import clap.server.exception.code.AuthErrorCode;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import javax.crypto.SecretKey;
+import java.time.Duration;
+import java.time.LocalDateTime;
+import java.util.Base64;
+import java.util.Date;
+import java.util.Map;
+
+import static clap.server.adapter.outbound.jwt.access.AccessTokenClaimKeys.USER_ID;
+
+@Slf4j
+@Component
+@TemporaryTokenStrategy
+public class TemporaryTokenProvider implements JwtProvider {
+    private final SecretKey secretKey;
+    private final Duration tokenExpiration;
+
+    public TemporaryTokenProvider(
+            @Value("${jwt.secret-key.temporary-token}") String jwtSecretKey,
+            @Value("${jwt.expiration-time.temporary-token}") Duration tokenExpiration
+    ) {
+        byte[] keyBytes = Base64.getDecoder().decode(jwtSecretKey);
+        this.secretKey = Keys.hmacShaKeyFor(keyBytes);
+        this.tokenExpiration = tokenExpiration;
+    }
+
+    @Override
+    public String createToken(JwtClaims claims) {
+        Date now = new Date();
+
+        return Jwts.builder()
+                .setHeader(createHeader())
+                .setClaims(claims.getClaims())
+                .signWith(secretKey)
+                .setExpiration(createExpirationDate(now, tokenExpiration.toMillis()))
+                .compact();
+    }
+
+    @Override
+    public JwtClaims parseJwtClaimsFromToken(String token) {
+        Claims claims = getClaimsFromToken(token);
+        return TemporaryTokenClaim.of(
+                Long.parseLong(claims.get(USER_ID.getValue(), String.class))
+        );
+    }
+
+    @Override
+    public LocalDateTime getExpiredDate(String token) {
+        Claims claims = getClaimsFromToken(token);
+        return DateUtil.toLocalDateTime(claims.getExpiration());
+    }
+
+    @Override
+    public boolean isTokenExpired(String token) {
+        try {
+            Claims claims = getClaimsFromToken(token);
+            return claims.getExpiration().before(new Date());
+        } catch (Exception e) {
+            log.error("Token is expired: {}", e.getMessage());
+            throw new JwtException(AuthErrorCode.EMPTY_ACCESS_KEY);
+        }
+    }
+
+    @Override
+    public Claims getClaimsFromToken(String token) {
+        try {
+            return Jwts.parserBuilder()
+                    .setSigningKey(secretKey)
+                    .build()
+                    .parseClaimsJws(token)
+                    .getBody();
+        } catch (Exception e) {
+            log.warn("Token is invalid: {}", e.getMessage());
+            throw new JwtException(AuthErrorCode.INVALID_TOKEN);
+        }
+    }
+
+    private Map<String, Object> createHeader() {
+        return Map.of(
+                "typ", "JWT",
+                "alg", "HS256",
+                "regDate", System.currentTimeMillis()
+        );
+    }
+
+    private Date createExpirationDate(Date now, long expirationTime) {
+        return new Date(now.getTime() + expirationTime);
+    }
+}