[refactor] CustomAuthenticationFilter 와 HttpRequestContext 에 분산된 쿠키 관리 로직을 CookieManager 에서 통합 관리

Author: LeeMinwoo115

backend/src/main/java/com/back/api/auth/service/AuthService.java

@@ -75,8 +75,8 @@ public AuthResponse login(LoginRequest request) {
 
 		JwtDto tokens = authTokenService.generateTokens(user);
 
-		requestContext.setCookie("accessToken", tokens.accessToken());
-		requestContext.setCookie("refreshToken", tokens.refreshToken());
+		requestContext.setAccessTokenCookie(tokens.accessToken());
+		requestContext.setRefreshTokenCookie(tokens.refreshToken());
 
 		return buildAuthResponse(user, tokens);
 	}
@@ -96,8 +96,7 @@ public void logout() {
 
 		refreshToken.revoke();
 
-		requestContext.deleteCookie("accessToken");
-		requestContext.deleteCookie("refreshToken");
+		requestContext.deleteAuthCookies();
 	}
 
 	@Transactional

backend/src/main/java/com/back/api/auth/service/AuthTokenService.java

@@ -26,10 +26,16 @@ public JwtDto generateTokens(User user) {
 		String accessToken = jwtProvider.generateAccessToken(user);
 		String refreshTokenStr = jwtProvider.generateRefreshToken(user);
 
+		// === seconds 기준 ===
+		long accessValiditySeconds = jwtProvider.getAccessTokenValiditySeconds();
+		long refreshValiditySeconds = jwtProvider.getRefreshTokenValiditySeconds();
+
+		// === 현재 시각 ===
 		long nowEpochMillis = System.currentTimeMillis();
-		long refreshValidityMillis = jwtProvider.getRefreshTokenValidityMillis();
 		LocalDateTime issuedAt = LocalDateTime.now();
-		LocalDateTime expiresAt = issuedAt.plusNanos(refreshValidityMillis * 1_000_000L);
+
+		// === DB 저장용 만료 시각 (LocalDateTime) ===
+		LocalDateTime expiresAt = issuedAt.plusSeconds(refreshValiditySeconds);
 
 		String userAgent = requestContext.getUserAgent();
 		String ip = requestContext.getClientIp();
@@ -46,16 +52,18 @@ public JwtDto generateTokens(User user) {
 
 		tokenRepository.save(refreshToken);
 
-		long accessValidityMillis = jwtProvider.getAccessTokenValidityMillis();
+		// === API 응답용 epoch millis ===
+		long accessExpiresAtMillis = nowEpochMillis + (accessValiditySeconds * 1000);
+		long refreshExpiresAtMillis = nowEpochMillis + (refreshValiditySeconds * 1000);
 
 		return new JwtDto(
 			JwtDto.BEARER,
 			accessToken,
-			nowEpochMillis + accessValidityMillis,
-			accessValidityMillis,
+			accessExpiresAtMillis,
+			accessValiditySeconds * 1000,
 			refreshTokenStr,
-			nowEpochMillis + refreshValidityMillis,
-			refreshValidityMillis
+			refreshExpiresAtMillis,
+			refreshValiditySeconds * 1000
 		);
 	}
 

backend/src/main/java/com/back/api/user/service/UserService.java

@@ -61,8 +61,7 @@ public void deleteUser(long userId) {
 		refreshTokenRepository.revokeAllByUserId(userId);
 
 		// 현재 요청의 쿠키 삭제 (현재 기기 즉시 로그아웃 UX)
-		requestContext.deleteCookie("accessToken");
-		requestContext.deleteCookie("refreshToken");
+		requestContext.deleteAuthCookies();
 
 		user.softDelete();
 	}

backend/src/main/java/com/back/global/http/CookieManager.java

@@ -0,0 +1,98 @@
+package com.back.global.http;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseCookie;
+import org.springframework.stereotype.Component;
+
+import com.back.global.properties.CookieProperties;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+
+@Component
+@RequiredArgsConstructor
+public class CookieManager {
+
+	public static final String ACCESS_TOKEN_COOKIE = "accessToken";
+	public static final String REFRESH_TOKEN_COOKIE = "refreshToken";
+
+	private final CookieProperties cookieProperties;
+
+	public void setAccessToken(
+		HttpServletRequest request,
+		HttpServletResponse response,
+		String token,
+		long accessTokenDurationSeconds
+	) {
+		set(request, response, ACCESS_TOKEN_COOKIE, token, accessTokenDurationSeconds);
+	}
+
+	public void setRefreshToken(
+		HttpServletRequest request,
+		HttpServletResponse response,
+		String token,
+		long refreshTokenDurationSeconds
+	) {
+		set(request, response, REFRESH_TOKEN_COOKIE, token, refreshTokenDurationSeconds);
+	}
+
+	public void deleteAccessToken(HttpServletRequest request, HttpServletResponse response) {
+		delete(request, response, ACCESS_TOKEN_COOKIE);
+	}
+
+	public void deleteRefreshToken(HttpServletRequest request, HttpServletResponse response) {
+		delete(request, response, REFRESH_TOKEN_COOKIE);
+	}
+
+	public void deleteAuthCookies(HttpServletRequest request, HttpServletResponse response) {
+		deleteAccessToken(request, response);
+		deleteRefreshToken(request, response);
+	}
+
+	public void set(
+		HttpServletRequest request,
+		HttpServletResponse response,
+		String name,
+		String value,
+		long maxAgeSeconds
+	) {
+		String cookieValue = (value == null) ? "" : value;
+
+		boolean delete = cookieValue.isBlank();
+		long maxAge = delete ? 0 : Math.max(maxAgeSeconds, 0);
+
+		String sameSite = cookieProperties.getSameSite();
+		boolean secure = cookieProperties.isSecure();
+
+		ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(name, cookieValue)
+			.httpOnly(true)
+			.path("/")
+			.sameSite(sameSite)
+			.secure(secure)
+			.maxAge(maxAge);
+
+		String domain = cookieProperties.getDomain();
+
+		if (domain != null && !domain.isBlank()) {
+			builder.domain(domain);
+		}
+
+		ResponseCookie cookie = builder.build();
+		response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
+	}
+
+	public void delete(HttpServletRequest request, HttpServletResponse response, String name) {
+		set(request, response, name, "", 0);
+	}
+
+	private boolean iaHttpsRequest(HttpServletRequest request) {
+		String proto = request.getHeader("X-Forwarded-Proto");
+
+		if (proto != null && !proto.isBlank()) {
+			return "https".equalsIgnoreCase(proto);
+		}
+
+		return request.isSecure();
+	}
+}

backend/src/main/java/com/back/global/http/HttpRequestContext.java

@@ -26,15 +26,13 @@ public class HttpRequestContext {
 	private final HttpServletRequest request;
 	private final HttpServletResponse response;
 	private final UserRepository userRepository;
-
-	@Value("${custom.site.domain:localhost}")
-	private String domain;
+	private final CookieManager cookieManager;
 
 	@Value("${custom.jwt.access-token-duration}")
-	private long accessTokenDurationMillis;
+	private long accessTokenDurationSeconds;
 
 	@Value("${custom.jwt.refresh-token-duration}")
-	private long refreshTokenDurationMillis;
+	private long refreshTokenDurationSeconds;
 
 	private Authentication getAuthentication() {
 		return Optional.ofNullable(SecurityContextHolder.getContext().getAuthentication())
@@ -101,42 +99,40 @@ public String getCookieValue(String name, String defaultValue) {
 	}
 
 	public void setCookie(String name, String value) {
-		if (value == null) {
-			value = "";
-		}
-
-		Cookie cookie = new Cookie(name, value);
-		cookie.setPath("/");
-		cookie.setHttpOnly(true);
+		long maxAgeSec = 0;
 
-		boolean isLocalhostDomain = domain == null
-			|| domain.isBlank()
-			|| "localhost".equalsIgnoreCase(domain)
-			|| "127.0.0.1".equals(domain);
-
-		if (!isLocalhostDomain) {
-			cookie.setDomain(domain);
-		}
-
-		boolean secureRequest = request.isSecure();
-		// cookie.setSecure(secureRequest && !isLocalhostDomain); TODO 리팩토링
-		cookie.setSecure(true);
-		cookie.setAttribute("SameSite", "None");
-
-		if (value.isBlank()) {
-			cookie.setMaxAge(0);
-		} else {
+		if (value != null && !value.isBlank()) {
 			if ("accessToken".equals(name)) {
-				cookie.setMaxAge((int)accessTokenDurationMillis);
+				maxAgeSec = accessTokenDurationSeconds;
 			} else if ("refreshToken".equals(name)) {
-				cookie.setMaxAge((int)refreshTokenDurationMillis);
+				maxAgeSec = refreshTokenDurationSeconds;
 			}
 		}
 
-		response.addCookie(cookie);
+		cookieManager.set(request, response, name, value, maxAgeSec);
 	}
 
 	public void deleteCookie(String name) {
-		setCookie(name, null);
+		cookieManager.delete(request, response, name);
+	}
+
+	public void setAccessTokenCookie(String token) {
+		cookieManager.setAccessToken(request, response, token, accessTokenDurationSeconds);
+	}
+
+	public void setRefreshTokenCookie(String token) {
+		cookieManager.setRefreshToken(request, response, token, refreshTokenDurationSeconds);
+	}
+
+	public void deleteAccessTokenCookie() {
+		cookieManager.deleteAccessToken(request, response);
+	}
+
+	public void deleteRefreshTokenCookie() {
+		cookieManager.deleteRefreshToken(request, response);
+	}
+
+	public void deleteAuthCookies() {
+		cookieManager.deleteAuthCookies(request, response);
 	}
 }

backend/src/main/java/com/back/global/security/CustomAuthenticationFilter.java

@@ -5,8 +5,7 @@
 import java.util.Map;
 import java.util.Set;
 
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.ResponseCookie;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -21,7 +20,7 @@
 import com.back.domain.user.repository.UserRepository;
 import com.back.global.error.code.AuthErrorCode;
 import com.back.global.error.exception.ErrorException;
-import com.back.global.properties.CookieProperties;
+import com.back.global.http.CookieManager;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -43,19 +42,21 @@ public class CustomAuthenticationFilter extends OncePerRequestFilter {
 	private final JwtProvider jwtProvider;
 	private final AuthTokenService tokenService;
 	private final UserRepository userRepository;
-	private final CookieProperties cookieProperties;
+	private final CookieManager cookieManager;
+
+	@Value("${jwt.access-token-duration:3600}")
+	private long accessTokenDurationSeconds;
+
+	@Value("${jwt.refresh-token-duration:1209600}")
+	private long refreshTokenDurationSeconds;
 
 	@Override
 	protected void doFilterInternal(
 		HttpServletRequest request,
 		HttpServletResponse response,
 		FilterChain filterChain
 	) throws ServletException, IOException {
-		try {
-			authenticate(request, response, filterChain);
-		} catch (ErrorException e) {
-			throw e;
-		}
+		authenticate(request, response, filterChain);
 	}
 
 	private void authenticate(
@@ -153,7 +154,7 @@ private String ensureValidAccessToken(
 			return accessToken;
 		}
 
-		String refreshToken = resolveCookie(request, "refreshToken");
+		String refreshToken = resolveCookie(request, CookieManager.REFRESH_TOKEN_COOKIE);
 
 		if (refreshToken == null || refreshToken.isBlank() || jwtProvider.isExpired(refreshToken)) {
 			// refreshToken도 없거나 만료 > 세션 종료 > 재로그인 필요
@@ -172,28 +173,9 @@ private String ensureValidAccessToken(
 
 		JwtDto newTokens = tokenService.generateTokens(user);
 
-		addCookie(response, "accessToken", newTokens.accessToken());
-		addCookie(response, "refreshToken", newTokens.refreshToken());
+		cookieManager.set(request, response, "accessToken", newTokens.accessToken(), accessTokenDurationSeconds);
+		cookieManager.set(request, response, "refreshToken", newTokens.refreshToken(), refreshTokenDurationSeconds);
 
 		return newTokens.accessToken();
 	}
-
-	private void addCookie(
-		HttpServletResponse response,
-		String name,
-		String value
-	) {
-		ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(name, value)
-			.httpOnly(true)
-			.path("/")
-			.secure(cookieProperties.isSecure())
-			.sameSite(cookieProperties.getSameSite());
-
-		if (cookieProperties.getDomain() != null && !cookieProperties.getDomain().isBlank()) {
-			builder.domain(cookieProperties.getDomain());
-		}
-
-		ResponseCookie cookie = builder.build();
-		response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
-	}
 }

backend/src/main/java/com/back/global/security/JwtProvider.java

@@ -21,10 +21,10 @@ public class JwtProvider {
 	private String secret;
 
 	@Value("${custom.jwt.access-token-duration}")
-	private long accessTokenDurationMillis;
+	private long accessTokenDurationSeconds;
 
 	@Value("${custom.jwt.refresh-token-duration}")
-	private long refreshTokenDurationMillis;
+	private long refreshTokenDurationSeconds;
 
 	private static final String CLAIM_ID = "id";
 	private static final String CLAIM_NICKNAME = "nickname";
@@ -39,7 +39,7 @@ public String generateAccessToken(User user) {
 
 		return JwtUtil.toString(
 			secret,
-			accessTokenDurationMillis,
+			accessTokenDurationSeconds,
 			claims
 		);
 	}
@@ -51,7 +51,7 @@ public String generateRefreshToken(User user) {
 
 		return JwtUtil.toString(
 			secret,
-			refreshTokenDurationMillis,
+			refreshTokenDurationSeconds,
 			claims
 		);
 	}
@@ -65,13 +65,13 @@ private Map<String, Object> createBaseClaims(User user) {
 	}
 
 	/** access token 유효 기간 (ms 단위) */
-	public long getAccessTokenValidityMillis() {
-		return accessTokenDurationMillis;
+	public long getAccessTokenValiditySeconds() {
+		return accessTokenDurationSeconds;
 	}
 
 	/** refresh token 유효 기간 (ms 단위) */
-	public long getRefreshTokenValidityMillis() {
-		return refreshTokenDurationMillis;
+	public long getRefreshTokenValiditySeconds() {
+		return refreshTokenDurationSeconds;
 	}
 
 	public Map<String, Object> payloadOrNull(String jwt) {