[refactor] ActiveSession 엔티티를 추가하여, 사용자의 다중 로그인을 방지

Author: LeeMinwoo115

backend/src/main/java/com/back/api/auth/service/AuthService.java

@@ -2,6 +2,7 @@
 
 import java.time.LocalDate;
 
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -12,7 +13,9 @@
 import com.back.api.auth.dto.response.AuthResponse;
 import com.back.api.auth.dto.response.TokenResponse;
 import com.back.api.auth.dto.response.UserResponse;
+import com.back.domain.auth.entity.ActiveSession;
 import com.back.domain.auth.entity.RefreshToken;
+import com.back.domain.auth.repository.ActiveSessionRepository;
 import com.back.domain.auth.repository.RefreshTokenRepository;
 import com.back.domain.user.entity.User;
 import com.back.domain.user.entity.UserActiveStatus;
@@ -33,6 +36,7 @@ public class AuthService {
 	private final AuthTokenService authTokenService;
 	private final HttpRequestContext requestContext;
 	private final RefreshTokenRepository refreshTokenRepository;
+	private final ActiveSessionRepository activeSessionRepository;
 
 	@Transactional
 	public AuthResponse signup(SignupRequest request) {
@@ -59,7 +63,7 @@ public AuthResponse signup(SignupRequest request) {
 
 		User savedUser = userRepository.save(user);
 
-		JwtDto tokens = authTokenService.generateTokens(savedUser);
+		JwtDto tokens = setSessionAndCookie(savedUser);
 
 		return buildAuthResponse(savedUser, tokens);
 	}
@@ -73,25 +77,20 @@ public AuthResponse login(LoginRequest request) {
 			throw new ErrorException(AuthErrorCode.LOGIN_FAILED);
 		}
 
-		JwtDto tokens = authTokenService.generateTokens(user);
-
-		requestContext.setAccessTokenCookie(tokens.accessToken());
-		requestContext.setRefreshTokenCookie(tokens.refreshToken());
+		JwtDto tokens = setSessionAndCookie(user);
 
 		return buildAuthResponse(user, tokens);
 	}
 
 	@Transactional
 	public void logout() {
 		String refreshTokenStr = requestContext.getCookieValue("refreshToken", null);
-		if (refreshTokenStr == null || refreshTokenStr.isBlank()) {
+		if (StringUtils.isBlank(refreshTokenStr)) {
 			throw new ErrorException(AuthErrorCode.REFRESH_TOKEN_REQUIRED);
 		}
 
-		User currentUser = requestContext.getUser();
-
 		RefreshToken refreshToken = refreshTokenRepository
-			.findByTokenAndUserIdAndRevokedFalse(refreshTokenStr, currentUser.getId())
+			.findByTokenAndUserIdAndRevokedFalse(refreshTokenStr, requestContext.getUserId())
 			.orElseThrow(() -> new ErrorException(AuthErrorCode.REFRESH_TOKEN_NOT_FOUND));
 
 		refreshToken.revoke();
@@ -108,6 +107,22 @@ public void verifyPassword(String rawPassword) {
 		}
 	}
 
+	private JwtDto setSessionAndCookie(User user) {
+		ActiveSession session = activeSessionRepository.findByUserIdForUpdate(user.getId())
+			.orElseGet(() -> activeSessionRepository.save(ActiveSession.create(user)));
+
+		session.rotate();
+
+		refreshTokenRepository.revokeAllActiveByUserId(user.getId());
+
+		JwtDto tokens = authTokenService.issueTokens(user, session.getSessionId(), session.getTokenVersion());
+
+		requestContext.setAccessTokenCookie(tokens.accessToken());
+		requestContext.setRefreshTokenCookie(tokens.refreshToken());
+
+		return tokens;
+	}
+
 	private AuthResponse buildAuthResponse(User user, JwtDto tokens) {
 		TokenResponse tokenResponse = new TokenResponse(
 			tokens.tokenType(),

backend/src/main/java/com/back/api/auth/service/AuthTokenService.java

@@ -1,15 +1,22 @@
 package com.back.api.auth.service;
 
 import java.time.LocalDateTime;
-import java.util.Map;
 
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
 
 import com.back.api.auth.dto.JwtDto;
+import com.back.domain.auth.entity.ActiveSession;
 import com.back.domain.auth.entity.RefreshToken;
+import com.back.domain.auth.repository.ActiveSessionRepository;
 import com.back.domain.auth.repository.RefreshTokenRepository;
 import com.back.domain.user.entity.User;
+import com.back.domain.user.repository.UserRepository;
+import com.back.global.error.code.AuthErrorCode;
+import com.back.global.error.exception.ErrorException;
 import com.back.global.http.HttpRequestContext;
+import com.back.global.security.JwtClaims;
 import com.back.global.security.JwtProvider;
 
 import lombok.RequiredArgsConstructor;
@@ -20,11 +27,14 @@ public class AuthTokenService {
 
 	private final JwtProvider jwtProvider;
 	private final RefreshTokenRepository tokenRepository;
+	private final ActiveSessionRepository activeSessionRepository;
+	private final UserRepository userRepository;
 	private final HttpRequestContext requestContext;
 
-	public JwtDto generateTokens(User user) {
-		String accessToken = jwtProvider.generateAccessToken(user);
-		String refreshTokenStr = jwtProvider.generateRefreshToken(user);
+	@Transactional
+	public JwtDto issueTokens(User user, String sessionId, long tokenVersion) {
+		String accessToken = jwtProvider.generateAccessToken(user, sessionId, tokenVersion);
+		String refreshTokenStr = jwtProvider.generateRefreshToken(user, sessionId, tokenVersion);
 
 		// === seconds 기준 ===
 		long accessValiditySeconds = jwtProvider.getAccessTokenValiditySeconds();
@@ -37,17 +47,16 @@ public JwtDto generateTokens(User user) {
 		// === DB 저장용 만료 시각 (LocalDateTime) ===
 		LocalDateTime expiresAt = issuedAt.plusSeconds(refreshValiditySeconds);
 
-		String userAgent = requestContext.getUserAgent();
-		String ip = requestContext.getClientIp();
-
 		RefreshToken refreshToken = RefreshToken.builder()
 			.user(user)
 			.token(refreshTokenStr)
 			.issuedAt(issuedAt)
 			.expiresAt(expiresAt)
 			.revoked(false)
-			.userAgent(userAgent)
-			.ipAddress(ip)
+			.userAgent(requestContext.getUserAgent())
+			.ipAddress(requestContext.getClientIp())
+			.sessionId(sessionId)
+			.tokenVersion(tokenVersion)
 			.build();
 
 		tokenRepository.save(refreshToken);
@@ -67,7 +76,41 @@ public JwtDto generateTokens(User user) {
 		);
 	}
 
-	public Map<String, Object> payloadOrNull(String accessToken) {
-		return jwtProvider.payloadOrNull(accessToken);
+	@Transactional
+	public JwtDto rotateTokenByRefreshToken(String refreshTokenStr) {
+		if (StringUtils.isBlank(refreshTokenStr)) {
+			throw new ErrorException(AuthErrorCode.REFRESH_TOKEN_REQUIRED);
+		}
+
+		if (jwtProvider.isExpired(refreshTokenStr)) {
+			throw new ErrorException(AuthErrorCode.TOKEN_EXPIRED);
+		}
+
+		JwtClaims claims = jwtProvider.payloadOrNull(refreshTokenStr);
+
+		if (claims == null || !"refresh".equals(claims.tokenType())) {
+			throw new ErrorException(AuthErrorCode.INVALID_TOKEN);
+		}
+
+		long userId = claims.userId();
+		String sid = claims.sessionId();
+		long tokenVersion = claims.tokenVersion();
+
+		ActiveSession active = activeSessionRepository.findByUserIdForUpdate(userId)
+			.orElseThrow(() -> new ErrorException(AuthErrorCode.UNAUTHORIZED));
+
+		if (!active.getSessionId().equals(sid) || active.getTokenVersion() != tokenVersion) {
+			throw new ErrorException(AuthErrorCode.ACCESS_OTHER_DEVICE);
+		}
+
+		int revoked = tokenRepository.revokeIfActive(refreshTokenStr);
+		if (revoked != 1) {
+			throw new ErrorException(AuthErrorCode.REFRESH_TOKEN_NOT_FOUND);
+		}
+
+		User user = userRepository.findById(userId)
+			.orElseThrow(() -> new ErrorException(AuthErrorCode.UNAUTHORIZED));
+
+		return issueTokens(user, active.getSessionId(), active.getTokenVersion());
 	}
 }

backend/src/main/java/com/back/domain/auth/entity/ActiveSession.java

@@ -0,0 +1,82 @@
+package com.back.domain.auth.entity;
+
+import java.time.LocalDateTime;
+import java.util.UUID;
+
+import com.back.domain.user.entity.User;
+import com.back.global.entity.BaseEntity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.Id;
+import jakarta.persistence.Index;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.Table;
+import jakarta.persistence.UniqueConstraint;
+import lombok.AccessLevel;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+
+@Entity
+@Table(
+	name = "activeSessions",
+	uniqueConstraints = {
+		@UniqueConstraint(name = "uk_active_session_user", columnNames = {"user_id"})
+	},
+	indexes = {
+		@Index(name = "idx_active_session_session_id", columnList = "session_id")
+	}
+)
+@Getter
+@NoArgsConstructor(access = AccessLevel.PROTECTED)
+public class ActiveSession extends BaseEntity {
+
+	@Id
+	@GeneratedValue
+	private Long id;
+
+	@OneToOne(fetch = FetchType.LAZY)
+	@JoinColumn(name = "user_id", nullable = false)
+	private User user;
+
+	@Column(name = "session_id", nullable = false, length = 36)
+	private String sessionId;
+
+	@Column(name = "token_version", nullable = false)
+	private long tokenVersion;
+
+	@Column(name = "last_login_at", nullable = false)
+	private LocalDateTime lastLoginAt;
+
+	@Builder
+	private ActiveSession(
+		User user,
+		String sessionId,
+		long tokenVersion,
+		LocalDateTime lastLoginAt
+	) {
+		this.user = user;
+		this.sessionId = sessionId;
+		this.tokenVersion = tokenVersion;
+		this.lastLoginAt = lastLoginAt;
+	}
+
+	public static ActiveSession create(User user) {
+		return ActiveSession.builder()
+			.user(user)
+			.sessionId(UUID.randomUUID().toString())
+			.tokenVersion(1L)
+			.lastLoginAt(LocalDateTime.now())
+			.build();
+	}
+
+	public void rotate() {
+		this.sessionId = UUID.randomUUID().toString();
+		this.tokenVersion += 1;
+		this.lastLoginAt = LocalDateTime.now();
+	}
+}

backend/src/main/java/com/back/domain/auth/entity/RefreshToken.java

@@ -49,6 +49,12 @@ public class RefreshToken extends BaseEntity {
 	@Column(name = "expires_at")
 	private LocalDateTime expiresAt;
 
+	@Column(name = "session_id", length = 36)
+	private String sessionId;
+
+	@Column(name = "token_version")
+	private Long tokenVersion;
+
 	private boolean revoked; // 기기 로그아웃 확인
 
 	private String userAgent;
@@ -61,6 +67,8 @@ private RefreshToken(
 		String token,
 		LocalDateTime issuedAt,
 		LocalDateTime expiresAt,
+		String sessionId,
+		long tokenVersion,
 		boolean revoked,
 		String userAgent,
 		String ipAddress
@@ -69,6 +77,8 @@ private RefreshToken(
 		this.token = token;
 		this.issuedAt = issuedAt;
 		this.expiresAt = expiresAt;
+		this.sessionId = sessionId;
+		this.tokenVersion = tokenVersion;
 		this.revoked = revoked;
 		this.userAgent = userAgent;
 		this.ipAddress = ipAddress;
@@ -77,14 +87,4 @@ private RefreshToken(
 	public void revoke() {
 		this.revoked = true;
 	}
-
-	public void updateRefreshToken(
-		String newToken,
-		LocalDateTime newIssuedAt,
-		LocalDateTime newExpiresAt
-	) {
-		this.token = newToken;
-		this.issuedAt = newIssuedAt;
-		this.expiresAt = newExpiresAt;
-	}
 }

backend/src/main/java/com/back/domain/auth/repository/ActiveSessionRepository.java

@@ -0,0 +1,21 @@
+package com.back.domain.auth.repository;
+
+import java.util.Optional;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Lock;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+
+import com.back.domain.auth.entity.ActiveSession;
+
+import jakarta.persistence.LockModeType;
+
+public interface ActiveSessionRepository extends JpaRepository<ActiveSession, Long> {
+
+	@Lock(LockModeType.PESSIMISTIC_WRITE)
+	@Query("SELECT s FROM ActiveSession s WHERE s.user.id = :userId")
+	Optional<ActiveSession> findByUserIdForUpdate(@Param("userId") long userId);
+
+	Optional<ActiveSession> findByUserId(long userId);
+}

backend/src/main/java/com/back/domain/auth/repository/RefreshTokenRepository.java

@@ -21,5 +21,22 @@ public interface RefreshTokenRepository extends JpaRepository<RefreshToken, Long
 	@Query("update RefreshToken rt set rt.revoked = true where rt.user.id = :userId and rt.revoked = false")
 	int revokeAllByUserId(@Param("userId") Long userId);
 
+	@Modifying
+	@Query("""
+			UPDATE RefreshToken rt
+			set rt.revoked = true
+			where rt.token = :token
+			and rt.revoked = false
+		""")
+	int revokeIfActive(@Param("token") String token);
+
+	@Modifying(clearAutomatically = true, flushAutomatically = true)
+	@Query("""
+			update RefreshToken rt
+			set rt.revoked = true
+			where rt.user.id = :userId and rt.revoked = false
+		""")
+	int revokeAllActiveByUserId(@Param("userId") long userId);
+
 	Optional<RefreshToken> findByUserIdAndRevokedFalse(Long userId);
 }

backend/src/main/java/com/back/global/error/code/AuthErrorCode.java

@@ -12,6 +12,7 @@ public enum AuthErrorCode implements ErrorCode {
 	ALREADY_EXIST_NICKNAME(HttpStatus.BAD_REQUEST, "이미 존재하는 닉네임입니다."),
 
 	UNAUTHORIZED(HttpStatus.UNAUTHORIZED, "로그인 후 이용해주세요."),
+	ACCESS_OTHER_DEVICE(HttpStatus.UNAUTHORIZED, "다른 환경에서 로그인했습니다."),
 
 	FORBIDDEN(HttpStatus.FORBIDDEN, "접근 권한이 없습니다."),
 	ADMIN_ONLY(HttpStatus.FORBIDDEN, "관리자 계정만 접근 가능합니다."),