[refactor] CustomAuthenticationFilter 의 addCorsHeader 제거 & Same site 방지

Author: LeeMinwoo115

backend/src/main/java/com/back/global/config/SecurityConfig.java

@@ -87,6 +87,7 @@ public UrlBasedCorsConfigurationSource corsConfigurationSource() {
 		config.setAllowedMethods(corsProperties.getAllowedMethods());
 		config.setAllowedHeaders(corsProperties.getAllowedHeaders());
 		config.setAllowCredentials(true);
+		config.setMaxAge(3600L);
 
 		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 		source.registerCorsConfiguration("/**", config);

backend/src/main/java/com/back/global/properties/CookieProperties.java

@@ -0,0 +1,17 @@
+package com.back.global.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+@Component
+@ConfigurationProperties(prefix = "cookie")
+public class CookieProperties {
+	private boolean secure;
+	private String sameSite;
+	private String domain;
+}

backend/src/main/java/com/back/global/security/CustomAuthenticationFilter.java

@@ -5,6 +5,8 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseCookie;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -19,7 +21,7 @@
 import com.back.domain.user.repository.UserRepository;
 import com.back.global.error.code.AuthErrorCode;
 import com.back.global.error.exception.ErrorException;
-import com.back.global.properties.SiteProperties;
+import com.back.global.properties.CookieProperties;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -40,18 +42,15 @@ public class CustomAuthenticationFilter extends OncePerRequestFilter {
 
 	private final JwtProvider jwtProvider;
 	private final AuthTokenService tokenService;
-	private final SiteProperties siteProperties;
 	private final UserRepository userRepository;
+	private final CookieProperties cookieProperties;
 
 	@Override
 	protected void doFilterInternal(
 		HttpServletRequest request,
 		HttpServletResponse response,
 		FilterChain filterChain
 	) throws ServletException, IOException {
-
-		addCorsHeaders(response);
-
 		try {
 			authenticate(request, response, filterChain);
 		} catch (ErrorException e) {
@@ -173,30 +172,28 @@ private String ensureValidAccessToken(
 
 		JwtDto newTokens = tokenService.generateTokens(user);
 
-		addCookie(response, "accessToken", newTokens.accessToken(), request.isSecure());
-		addCookie(response, "refreshToken", newTokens.refreshToken(), request.isSecure());
+		addCookie(response, "accessToken", newTokens.accessToken());
+		addCookie(response, "refreshToken", newTokens.refreshToken());
 
 		return newTokens.accessToken();
 	}
 
 	private void addCookie(
 		HttpServletResponse response,
 		String name,
-		String value,
-		boolean secure
+		String value
 	) {
-		Cookie cookie = new Cookie(name, value);
-		cookie.setPath("/");
-		cookie.setHttpOnly(true);
-		cookie.setSecure(secure);
-		response.addCookie(cookie);
-	}
+		ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(name, value)
+			.httpOnly(true)
+			.path("/")
+			.secure(cookieProperties.isSecure())
+			.sameSite(cookieProperties.getSameSite());
+
+		if (cookieProperties.getDomain() != null && !cookieProperties.getDomain().isBlank()) {
+			builder.domain(cookieProperties.getDomain());
+		}
 
-	private void addCorsHeaders(HttpServletResponse response) {
-		response.setHeader("Access-Control-Allow-Origin", "http://localhost:5173");
-		response.setHeader("Access-Control-Allow-Credentials", "true");
-		response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
-		response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-		response.setHeader("Access-Control-Max-Age", "3600");
+		ResponseCookie cookie = builder.build();
+		response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
 	}
 }

backend/src/main/resources/application-dev.yml

@@ -10,4 +10,9 @@ spring:
 
 security:
   password:
-    bcrypt-strength: 4
+    bcrypt-strength: 4
+
+cookie:
+  secure: false
+  same-site: Lax
+  domain: ""

backend/src/main/resources/application-prod.yml

@@ -66,4 +66,14 @@ management:
         include: health,prometheus
   endpoint:
     health:
-      show-details: never
+      show-details: never
+
+# TODO: 프론트 완료 후 아래 주석처리 한 걸로 교체
+cookie:
+  secure: false
+  same-site: Lax
+  domain: ""
+#cookie:
+#  secure: true
+#  same-site: None
+#  domain: ".waitfair.shop"

backend/src/main/resources/application.yml

@@ -42,17 +42,23 @@ springdoc:
 custom:
   cors:
     allowed-origins:
+      - https://www.waitfair.shop
       - http://localhost:3000
       - http://localhost:5173
-      - http://localhost:8080
     allowed-methods:
       - GET
       - POST
       - PUT
       - DELETE
       - OPTIONS
     allowed-headers:
-      - "*"
+      - "Authorization"
+      - "Content-Type"
+      - "Accept"
+      - "Origin"
+      - "X-Requested-With"
+      - "Cache-Control"
+      - "Pragma"
 
   jwt:
     secret: ${JWT_SECRET}