[refactor] refresh token을 Redis에 저장하고 토큰값 비교

Author: LeeMinwoo115

backend/src/main/java/com/back/api/auth/dto/cache/RefreshTokenCache.java

@@ -0,0 +1,20 @@
+package com.back.api.auth.dto.cache;
+
+import java.io.Serializable;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+
+@Getter
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class RefreshTokenCache implements Serializable {
+	private String refreshTokenHash;
+	private String sessionId;
+	private long tokenVersion;
+	private String jti; // JWT id
+	private long issuedAtEpochMs;
+}

backend/src/main/java/com/back/api/auth/service/AuthService.java

@@ -16,6 +16,7 @@
 import com.back.domain.auth.entity.ActiveSession;
 import com.back.domain.auth.entity.RefreshToken;
 import com.back.domain.auth.repository.ActiveSessionRepository;
+import com.back.domain.auth.repository.RefreshTokenRedisRepository;
 import com.back.domain.auth.repository.RefreshTokenRepository;
 import com.back.domain.user.entity.User;
 import com.back.domain.user.entity.UserActiveStatus;
@@ -24,6 +25,7 @@
 import com.back.global.error.code.AuthErrorCode;
 import com.back.global.error.exception.ErrorException;
 import com.back.global.http.HttpRequestContext;
+import com.back.global.utils.TokenHash;
 
 import lombok.RequiredArgsConstructor;
 
@@ -37,6 +39,7 @@ public class AuthService {
 	private final HttpRequestContext requestContext;
 	private final RefreshTokenRepository refreshTokenRepository;
 	private final ActiveSessionRepository activeSessionRepository;
+	private final RefreshTokenRedisRepository refreshTokenRedisRepository;
 
 	@Transactional
 	public AuthResponse signup(SignupRequest request) {
@@ -63,7 +66,7 @@ public AuthResponse signup(SignupRequest request) {
 
 		User savedUser = userRepository.save(user);
 
-		JwtDto tokens = setSessionAndCookie(savedUser);
+		JwtDto tokens = loginAsSingleDevice(savedUser);
 
 		return buildAuthResponse(savedUser, tokens);
 	}
@@ -77,7 +80,7 @@ public AuthResponse login(LoginRequest request) {
 			throw new ErrorException(AuthErrorCode.LOGIN_FAILED);
 		}
 
-		JwtDto tokens = setSessionAndCookie(user);
+		JwtDto tokens = loginAsSingleDevice(user);
 
 		return buildAuthResponse(user, tokens);
 	}
@@ -89,12 +92,18 @@ public void logout() {
 			throw new ErrorException(AuthErrorCode.REFRESH_TOKEN_REQUIRED);
 		}
 
+		long userId = requestContext.getUserId();
+
+		String refreshHash = TokenHash.sha256(refreshTokenStr);
+
 		RefreshToken refreshToken = refreshTokenRepository
-			.findByTokenAndUserIdAndRevokedFalse(refreshTokenStr, requestContext.getUserId())
-			.orElseThrow(() -> new ErrorException(AuthErrorCode.REFRESH_TOKEN_NOT_FOUND));
+			.findByTokenAndUserIdAndRevokedFalse(refreshHash, requestContext.getUserId())
+			.orElseThrow(() -> new ErrorException(AuthErrorCode.ACCESS_OTHER_DEVICE));
 
 		refreshToken.revoke();
 
+		refreshTokenRedisRepository.delete(userId);
+
 		requestContext.deleteAuthCookies();
 	}
 
@@ -107,15 +116,18 @@ public void verifyPassword(String rawPassword) {
 		}
 	}
 
-	private JwtDto setSessionAndCookie(User user) {
+	private JwtDto loginAsSingleDevice(User user) {
 		ActiveSession session = activeSessionRepository.findByUserIdForUpdate(user.getId())
 			.orElseGet(() -> activeSessionRepository.save(ActiveSession.create(user)));
 
 		session.rotate();
 
+		ActiveSession saved = activeSessionRepository.saveAndFlush(session);
+
 		refreshTokenRepository.revokeAllActiveByUserId(user.getId());
+		refreshTokenRedisRepository.delete(user.getId());
 
-		JwtDto tokens = authTokenService.issueTokens(user, session.getSessionId(), session.getTokenVersion());
+		JwtDto tokens = authTokenService.issueTokens(user, saved.getSessionId(), saved.getTokenVersion());
 
 		requestContext.setAccessTokenCookie(tokens.accessToken());
 		requestContext.setRefreshTokenCookie(tokens.refreshToken());

backend/src/main/java/com/back/api/auth/service/AuthTokenService.java

@@ -1,15 +1,17 @@
 package com.back.api.auth.service;
 
+import java.time.Duration;
 import java.time.LocalDateTime;
 
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
 import com.back.api.auth.dto.JwtDto;
+import com.back.api.auth.dto.cache.RefreshTokenCache;
 import com.back.domain.auth.entity.ActiveSession;
 import com.back.domain.auth.entity.RefreshToken;
-import com.back.domain.auth.repository.ActiveSessionRepository;
+import com.back.domain.auth.repository.RefreshTokenRedisRepository;
 import com.back.domain.auth.repository.RefreshTokenRepository;
 import com.back.domain.user.entity.User;
 import com.back.domain.user.repository.UserRepository;
@@ -18,6 +20,7 @@
 import com.back.global.http.HttpRequestContext;
 import com.back.global.security.JwtClaims;
 import com.back.global.security.JwtProvider;
+import com.back.global.utils.TokenHash;
 
 import lombok.RequiredArgsConstructor;
 
@@ -27,53 +30,20 @@ public class AuthTokenService {
 
 	private final JwtProvider jwtProvider;
 	private final RefreshTokenRepository tokenRepository;
-	private final ActiveSessionRepository activeSessionRepository;
 	private final UserRepository userRepository;
 	private final HttpRequestContext requestContext;
+	private final RefreshTokenRedisRepository refreshTokenRedisRepository;
+	private final SessionGuard sessionGuard;
 
 	@Transactional
 	public JwtDto issueTokens(User user, String sessionId, long tokenVersion) {
-		String accessToken = jwtProvider.generateAccessToken(user, sessionId, tokenVersion);
-		String refreshTokenStr = jwtProvider.generateRefreshToken(user, sessionId, tokenVersion);
+		JwtDto dto = createJwtDto(user, sessionId, tokenVersion);
 
-		// === seconds 기준 ===
-		long accessValiditySeconds = jwtProvider.getAccessTokenValiditySeconds();
-		long refreshValiditySeconds = jwtProvider.getRefreshTokenValiditySeconds();
+		saveRefreshToRedis(user.getId(), dto.refreshToken(), sessionId, tokenVersion);
 
-		// === 현재 시각 ===
-		long nowEpochMillis = System.currentTimeMillis();
-		LocalDateTime issuedAt = LocalDateTime.now();
-
-		// === DB 저장용 만료 시각 (LocalDateTime) ===
-		LocalDateTime expiresAt = issuedAt.plusSeconds(refreshValiditySeconds);
+		saveRefreshMetaToDB(user, dto.refreshToken(), sessionId, tokenVersion);
 
-		RefreshToken refreshToken = RefreshToken.builder()
-			.user(user)
-			.token(refreshTokenStr)
-			.issuedAt(issuedAt)
-			.expiresAt(expiresAt)
-			.revoked(false)
-			.userAgent(requestContext.getUserAgent())
-			.ipAddress(requestContext.getClientIp())
-			.sessionId(sessionId)
-			.tokenVersion(tokenVersion)
-			.build();
-
-		tokenRepository.save(refreshToken);
-
-		// === API 응답용 epoch millis ===
-		long accessExpiresAtMillis = nowEpochMillis + (accessValiditySeconds * 1000);
-		long refreshExpiresAtMillis = nowEpochMillis + (refreshValiditySeconds * 1000);
-
-		return new JwtDto(
-			JwtDto.BEARER,
-			accessToken,
-			accessExpiresAtMillis,
-			accessValiditySeconds * 1000,
-			refreshTokenStr,
-			refreshExpiresAtMillis,
-			refreshValiditySeconds * 1000
-		);
+		return dto;
 	}
 
 	@Transactional
@@ -96,21 +66,98 @@ public JwtDto rotateTokenByRefreshToken(String refreshTokenStr) {
 		String sid = claims.sessionId();
 		long tokenVersion = claims.tokenVersion();
 
-		ActiveSession active = activeSessionRepository.findByUserIdForUpdate(userId)
-			.orElseThrow(() -> new ErrorException(AuthErrorCode.UNAUTHORIZED));
+		// 1. 세션을 읽고 현재 세션과 비교
+		ActiveSession active = sessionGuard.requireActiveSessionForUpdate(userId);
 
-		if (!active.getSessionId().equals(sid) || active.getTokenVersion() != tokenVersion) {
+		sessionGuard.assertMatches(active, sid, tokenVersion);
+
+		// 2. Redis 검증: 현재 유효 refresh 인지 확인 (해시 비교)
+		RefreshTokenCache cached = refreshTokenRedisRepository.find(userId)
+			.orElseThrow(() -> new ErrorException(AuthErrorCode.ACCESS_OTHER_DEVICE));
+
+		String hash = TokenHash.sha256(refreshTokenStr);
+		if (!hash.equals(cached.getRefreshTokenHash())
+			|| !sid.equals(cached.getSessionId())
+			|| tokenVersion != cached.getTokenVersion()) {
 			throw new ErrorException(AuthErrorCode.ACCESS_OTHER_DEVICE);
 		}
 
-		int revoked = tokenRepository.revokeIfActive(refreshTokenStr);
-		if (revoked != 1) {
-			throw new ErrorException(AuthErrorCode.REFRESH_TOKEN_NOT_FOUND);
+		int updated = tokenRepository.revokeIfActive(hash);
+		if (updated != 1) {
+			throw new ErrorException(AuthErrorCode.ACCESS_OTHER_DEVICE);
 		}
 
 		User user = userRepository.findById(userId)
 			.orElseThrow(() -> new ErrorException(AuthErrorCode.UNAUTHORIZED));
 
 		return issueTokens(user, active.getSessionId(), active.getTokenVersion());
 	}
+
+	private JwtDto createJwtDto(User user, String sessionId, long tokenVersion) {
+		String accessToken = jwtProvider.generateAccessToken(user, sessionId, tokenVersion);
+		String refreshToken = jwtProvider.generateRefreshToken(user, sessionId, tokenVersion);
+
+		// === seconds 기준 ===
+		long accessValiditySeconds = jwtProvider.getAccessTokenValiditySeconds();
+		long refreshValiditySeconds = jwtProvider.getRefreshTokenValiditySeconds();
+
+		// === 현재 시각 ===
+		long nowEpochMillis = System.currentTimeMillis();
+
+		// === API 응답용 epoch millis ===
+		long accessExpiresAtMillis = nowEpochMillis + (accessValiditySeconds * 1000);
+		long refreshExpiresAtMillis = nowEpochMillis + (refreshValiditySeconds * 1000);
+
+		return new JwtDto(
+			JwtDto.BEARER,
+			accessToken,
+			accessExpiresAtMillis,
+			accessValiditySeconds * 1000,
+			refreshToken,
+			refreshExpiresAtMillis,
+			refreshValiditySeconds * 1000
+		);
+	}
+
+	private void saveRefreshToRedis(long userId, String refreshToken, String sid, long tokenVersion) {
+		JwtClaims claims = jwtProvider.payloadOrNull(refreshToken);
+		if (claims == null) {
+			throw new ErrorException(AuthErrorCode.INVALID_TOKEN);
+		}
+
+		long refreshValiditySeconds = jwtProvider.getRefreshTokenValiditySeconds();
+
+		RefreshTokenCache cache = RefreshTokenCache.builder()
+			.refreshTokenHash(TokenHash.sha256(refreshToken))
+			.sessionId(sid)
+			.tokenVersion(tokenVersion)
+			.jti(claims.jti())
+			.issuedAtEpochMs(System.currentTimeMillis())
+			.build();
+
+		refreshTokenRedisRepository.save(userId, cache, Duration.ofSeconds(refreshValiditySeconds));
+	}
+
+	private void saveRefreshMetaToDB(User user, String refreshToken, String sid, long tokenVersion) {
+		JwtClaims claims = jwtProvider.payloadOrNull(refreshToken);
+		String jti = (claims == null) ? null : claims.jti();
+
+		LocalDateTime issuedAt = LocalDateTime.now();
+		LocalDateTime expiresAt = issuedAt.plusSeconds(jwtProvider.getRefreshTokenValiditySeconds());
+
+		RefreshToken meta = RefreshToken.builder()
+			.user(user)
+			.token(TokenHash.sha256(refreshToken))
+			.jti(jti)
+			.issuedAt(issuedAt)
+			.expiresAt(expiresAt)
+			.revoked(false)
+			.userAgent(requestContext.getUserAgent())
+			.ipAddress(requestContext.getClientIp())
+			.sessionId(sid)
+			.tokenVersion(tokenVersion)
+			.build();
+
+		tokenRepository.save(meta);
+	}
 }

backend/src/main/java/com/back/api/auth/service/SessionGuard.java

@@ -0,0 +1,36 @@
+package com.back.api.auth.service;
+
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.back.domain.auth.entity.ActiveSession;
+import com.back.domain.auth.repository.ActiveSessionRepository;
+import com.back.global.error.code.AuthErrorCode;
+import com.back.global.error.exception.ErrorException;
+
+import lombok.RequiredArgsConstructor;
+
+@Component
+@RequiredArgsConstructor
+public class SessionGuard {
+
+	private final ActiveSessionRepository activeSessionRepository;
+
+	@Transactional(readOnly = true)
+	public ActiveSession requireActiveSession(long userId) {
+		return activeSessionRepository.findByUserId(userId)
+			.orElseThrow(() -> new ErrorException(AuthErrorCode.UNAUTHORIZED));
+	}
+
+	@Transactional
+	public ActiveSession requireActiveSessionForUpdate(long userId) {
+		return activeSessionRepository.findByUserIdForUpdate(userId)
+			.orElseThrow(() -> new ErrorException(AuthErrorCode.UNAUTHORIZED));
+	}
+
+	public void assertMatches(ActiveSession active, String sid, long tokenVersion) {
+		if (!active.getSessionId().equals(sid) || active.getTokenVersion() != tokenVersion) {
+			throw new ErrorException(AuthErrorCode.ACCESS_OTHER_DEVICE);
+		}
+	}
+}

backend/src/main/java/com/back/api/event/controller/AdminEventController.java

@@ -2,6 +2,7 @@
 
 import java.util.List;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -30,6 +31,7 @@ public class AdminEventController implements AdminEventApi {
 
 	@Override
 	@PostMapping
+	@PreAuthorize("hasRole('ADMIN')")
 	public ApiResponse<EventResponse> createEvent(
 		@Valid @RequestBody EventCreateRequest request) {
 		EventResponse response = adminEventService.createEvent(request);
@@ -38,6 +40,7 @@ public ApiResponse<EventResponse> createEvent(
 
 	@Override
 	@PutMapping("/{eventId}")
+	@PreAuthorize("hasRole('ADMIN')")
 	public ApiResponse<EventResponse> updateEvent(
 		@PathVariable Long eventId,
 		@Valid @RequestBody EventUpdateRequest request) {
@@ -47,6 +50,7 @@ public ApiResponse<EventResponse> updateEvent(
 
 	@Override
 	@DeleteMapping("/{eventId}")
+	@PreAuthorize("hasRole('ADMIN')")
 	public ApiResponse<Void> deleteEvent(
 		@PathVariable Long eventId) {
 		adminEventService.deleteEvent(eventId);
@@ -55,6 +59,7 @@ public ApiResponse<Void> deleteEvent(
 
 	@Override
 	@GetMapping("/dashboard")
+	@PreAuthorize("hasRole('ADMIN')")
 	public ApiResponse<List<AdminEventDashboardResponse>> getAllEventsDashboard() {
 		List<AdminEventDashboardResponse> responses = adminEventService.getAllEventsDashboard();
 		return ApiResponse.ok("이벤트 현황 조회 성공", responses);

backend/src/main/java/com/back/api/event/controller/EventController.java

@@ -3,6 +3,7 @@
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.web.PageableDefault;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -27,6 +28,7 @@ public class EventController implements EventApi {
 
 	@Override
 	@GetMapping("/{eventId}")
+	@PreAuthorize("hasRole('NORMAL')")
 	public ApiResponse<EventResponse> getEvent(
 		@PathVariable Long eventId) {
 		EventResponse response = eventService.getEvent(eventId);
@@ -35,6 +37,7 @@ public ApiResponse<EventResponse> getEvent(
 
 	@Override
 	@GetMapping
+	@PreAuthorize("hasRole('NORMAL')")
 	public ApiResponse<Page<EventListResponse>> getEvents(
 		@RequestParam(required = false) EventStatus status,
 		@RequestParam(required = false) EventCategory category,