Merge pull request #41 from trans-talk/develop

[release] manage blackList token

Author: taeseonYoo

src/main/java/com/wootech/transtalk/client/GoogleClient.java

@@ -51,15 +51,16 @@ public URI buildAuthorizeApiUri() {
                 .queryParam("response_type", "code")
                 .queryParam("scope", "email profile")
                 .queryParam("access_type", "offline")
+                .queryParam("prompt", "select_account")
                 .build()
                 .toUri();
     }
 
     public String requestToken(String code) {
-         URI uri = UriComponentsBuilder.fromUriString(this.tokenUri)
-                 .build()
-                 .toUri();
-         log.info("[GoogleClient] API URI: {}", uri);
+        URI uri = UriComponentsBuilder.fromUriString(this.tokenUri)
+                .build()
+                .toUri();
+        log.info("[GoogleClient] API URI: {}", uri);
 
         GoogleApiRequest tokenRequest = GoogleApiRequest.builder()
                 .code(code)
@@ -69,26 +70,25 @@ public String requestToken(String code) {
                 .grantType("authorization_code")
                 .build();
 
-         GoogleApiResponse tokenResponse = restClient.post()
-                 .uri(uri)
-                 .header(HttpHeaders.ACCEPT)
-                 .acceptCharset(StandardCharsets.UTF_8)
-                 .contentType(MediaType.APPLICATION_JSON)
-                 .body(tokenRequest)
-                 .retrieve()
-                 .onStatus(HttpStatusCode::isError, ((request, response) -> {
-                     String body = new String(response.getBody().readAllBytes());
-                     log.error("[GoogleAPI] Raw Response: {}", body);
-
-                     throw new GoogleApiException("Token Request Failed: " + body, response.getStatusCode());
-                 }))
-                 .body(GoogleApiResponse.class);
-
-         // TODO: external api logging
-         log.info("[GoogleAPI] Token Response: {}", tokenResponse);
-
-         String accessToken = extractAccessCode(tokenResponse);
-         return accessToken;
+        GoogleApiResponse tokenResponse = restClient.post()
+                .uri(uri)
+                .header(HttpHeaders.ACCEPT)
+                .acceptCharset(StandardCharsets.UTF_8)
+                .contentType(MediaType.APPLICATION_JSON)
+                .body(tokenRequest)
+                .retrieve()
+                .onStatus(HttpStatusCode::isError, ((request, response) -> {
+                    String body = new String(response.getBody().readAllBytes());
+                    log.error("[GoogleAPI] Raw Response: {}", body);
+
+                    throw new GoogleApiException("Token Request Failed: " + body, response.getStatusCode());
+                }))
+                .body(GoogleApiResponse.class);
+
+        log.info("[GoogleAPI] Token Response: {}", tokenResponse);
+
+        String accessToken = extractAccessCode(tokenResponse);
+        return accessToken;
     }
 
     private String extractAccessCode(GoogleApiResponse response) {
@@ -107,7 +107,7 @@ public GoogleProfileResponse requestProfile(String accessToken) {
 
         GoogleProfileResponse googleProfileResponse = restClient.get()
                 .uri(uri)
-                .header(HttpHeaders.AUTHORIZATION, BEARER_PREFIX  + accessToken)
+                .header(HttpHeaders.AUTHORIZATION, BEARER_PREFIX + accessToken)
                 .retrieve()
                 .onStatus(HttpStatusCode::isError, ((request, response) -> {
                     String body = new String(response.getBody().readAllBytes());

src/main/java/com/wootech/transtalk/config/AppLogOutHandler.java

@@ -1,7 +1,7 @@
 package com.wootech.transtalk.config;
 
 import com.wootech.transtalk.config.util.JwtUtil;
-import com.wootech.transtalk.dto.auth.AuthUser;
+import com.wootech.transtalk.service.auth.BlackListService;
 import com.wootech.transtalk.service.auth.RefreshTokenService;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
@@ -12,16 +12,60 @@
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.stereotype.Component;
 
+import java.util.Date;
+
+import static com.wootech.transtalk.config.util.CookieUtil.deleteRefreshTokenCookie;
+
 @Slf4j
 @Component
 @RequiredArgsConstructor
 public class AppLogOutHandler implements LogoutHandler {
 
     private final RefreshTokenService refreshTokenService;
     private final JwtUtil jwtUtil;
+    private final BlackListService blackListService;
 
     @Override
     public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+        String accessToken = extractAccessToken(request);
+
+        if (accessToken != null && jwtUtil.validateToken(accessToken)) {
+            String jti = jwtUtil.extractJti(accessToken);
+            Date exp = jwtUtil.extractExpiration(accessToken);
+            long ttlSeconds = Math.max(0, (exp.getTime() - System.currentTimeMillis()) / 1000);
+            if (jti != null && ttlSeconds > 0) {
+                blackListService.add(jti, ttlSeconds);
+                log.info("[AppLogOutHandler] Access Token JTI Blacklisted JTI={} ttl={}s", jti, ttlSeconds);
+            }
+
+            // access token 만료시
+            String refreshToken = extractCookieValue(request);
+            if (refreshToken != null) {
+                try {
+                    Long userId = Long.parseLong(jwtUtil.extractUserId(refreshToken));
+                    if (refreshTokenService.hasRefreshToken(userId, refreshToken)) {
+                        refreshTokenService.deleteRefreshToken(userId, refreshToken);
+                    }
+                } catch (Exception e) {
+                    log.warn("[AppLogOutHandler] Failed to Delete Refresh Token: {}", e.getMessage());
+                }
+            }
+
+            deleteRefreshTokenCookie(response);
+            log.info("[LogOutHandler] Refresh Token Set Null");
+        }
+    }
+
+
+    private String extractAccessToken(HttpServletRequest request) {
+        String header = request.getHeader("Authorization");
+        if (header != null && header.startsWith("Bearer ")) {
+            return header.substring(7);
+        }
+        return null;
+    }
+
+    private String extractCookieValue(HttpServletRequest request) {
         // 쿠키에서 refresh token 조회
         String refreshToken = null;
         Cookie[] cookies = request.getCookies();
@@ -33,41 +77,6 @@ public void logout(HttpServletRequest request, HttpServletResponse response, Aut
                 }
             }
         }
-
-        Long userId = null;
-
-        // access token 유효시
-        if (authentication != null && authentication.getPrincipal() instanceof AuthUser) {
-            AuthUser authUser = (AuthUser) authentication.getPrincipal();
-            userId = authUser.getUserId();
-            log.info("[AppLogOutHandler] - Get Authentication From User ID={}", userId);
-        }
-
-        // access token 만료시
-        if (userId == null && refreshToken != null && jwtUtil.validateToken(refreshToken)) {
-            try {
-                userId = Long.parseLong(jwtUtil.extractUserId(refreshToken));
-                log.info("[LogOutHandler] Log Out Requested: Extract User ID={} From Refresh Token", userId);
-            } catch (Exception e) {
-                log.warn("Extract Failed From Refresh Token={}", e.getMessage());
-            }
-        }
-
-        if (userId != null && refreshToken != null) {
-            if (refreshTokenService.hasRefreshToken(userId, refreshToken)) {
-                refreshTokenService.deleteRefreshToken(userId, refreshToken);
-                log.info("[LogOutHandler] Delete Refresh Token Succeed");
-            } else {
-                log.warn("[LogOutHandler] Delete Refresh Token Failed Refresh Token={}", refreshToken);
-            }
-
-            Cookie refreshTokenCookie = new Cookie("refreshToken", null);
-            refreshTokenCookie.setMaxAge(0);
-            refreshTokenCookie.setPath("/");
-            refreshTokenCookie.setHttpOnly(true);
-            refreshTokenCookie.setSecure(true);
-            response.addCookie(refreshTokenCookie);
-            log.info("[LogOutHandler] Refresh Token Set Null");
-        }
+        return refreshToken;
     }
 }

src/main/java/com/wootech/transtalk/config/DataInitializer.java

@@ -16,7 +16,7 @@
 import java.time.Instant;
 import java.util.List;
 
-@Component
+//@Component
 @RequiredArgsConstructor
 public class DataInitializer {
     private final UserRepository userRepository;

src/main/java/com/wootech/transtalk/config/jwt/JwtAuthenticationFilter.java

@@ -1,9 +1,12 @@
 package com.wootech.transtalk.config.jwt;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.wootech.transtalk.config.util.JwtUtil;
+import com.wootech.transtalk.dto.ApiResponse;
 import com.wootech.transtalk.dto.auth.AuthUser;
 import com.wootech.transtalk.enums.UserRole;
 import com.wootech.transtalk.exception.custom.NotFoundException;
+import com.wootech.transtalk.service.auth.BlackListService;
 import com.wootech.transtalk.service.user.UserDetailsServiceImpl;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
@@ -16,13 +19,17 @@
 import lombok.NonNull;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
+import java.util.List;
 
 import static com.wootech.transtalk.exception.ErrorMessages.*;
 
@@ -33,6 +40,8 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
     private final JwtUtil jwtUtil;
     private final UserDetailsServiceImpl userDetailsService;
+    private final BlackListService blackListService;
+    private final ObjectMapper objectMapper;
 
     @Override
     protected void doFilterInternal(
@@ -45,6 +54,16 @@ protected void doFilterInternal(
         if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
             String jwt = jwtUtil.substringToken(authorizationHeader);
 
+            String jti = jwtUtil.extractJti(jwt);
+            if (jti != null && blackListService.contains(jti)) {
+                // 블랙리스트에 있으면 즉시 인증 실패 처리
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                response.setContentType("application/json;charset=UTF-8");
+                ApiResponse<Void> body = ApiResponse.error(LOGGED_OUT_USER_ERROR, HttpStatus.UNAUTHORIZED.name());
+                response.getWriter().write(objectMapper.writeValueAsString(body));
+                return;
+            }
+
             try {
                 Claims claims = jwtUtil.extractClaims(jwt);
                 String email = jwtUtil.getEmail(jwt);

src/main/java/com/wootech/transtalk/config/jwt/JwtChannelInterceptor.java

@@ -2,16 +2,18 @@
 
 import com.wootech.transtalk.config.util.JwtUtil;
 import com.wootech.transtalk.enums.UserRole;
-import com.wootech.transtalk.exception.custom.NotFoundException;
-import com.wootech.transtalk.exception.custom.UnauthorizedException;
 import com.wootech.transtalk.event.Events;
 import com.wootech.transtalk.event.ExitToChatRoomEvent;
+import com.wootech.transtalk.exception.custom.NotFoundException;
+import com.wootech.transtalk.exception.custom.UnauthorizedException;
+import com.wootech.transtalk.service.auth.BlackListService;
 import com.wootech.transtalk.service.user.UserDetailsServiceImpl;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatusCode;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.MessageChannel;
+import org.springframework.messaging.MessagingException;
 import org.springframework.messaging.simp.stomp.StompCommand;
 import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
 import org.springframework.messaging.support.ChannelInterceptor;
@@ -21,8 +23,7 @@
 
 import java.util.List;
 
-import static com.wootech.transtalk.exception.ErrorMessages.JWT_DOES_NOT_EXIST_ERROR;
-import static com.wootech.transtalk.exception.ErrorMessages.WITHDRAWN_USER_ERROR;
+import static com.wootech.transtalk.exception.ErrorMessages.*;
 
 @Slf4j
 @Component
@@ -31,6 +32,7 @@ public class JwtChannelInterceptor implements ChannelInterceptor {
 
     private final JwtUtil jwtUtil;
     private final UserDetailsServiceImpl userDetailsService;
+    private final BlackListService blackListService;
 
     @Override
     public Message<?> preSend(Message<?> message, MessageChannel channel) {
@@ -67,8 +69,14 @@ private void handleConnect(StompHeaderAccessor accessor) {
         accessor.setUser(new UsernamePasswordAuthenticationToken(userEmail, null, List.of(UserRole.ROLE_USER)));
         log.info("[JwtChannelInterceptor] CONNECT - JWT Token validated for user={}", userEmail);
     }
+
     private String extractAccessToken(StompHeaderAccessor accessor) {
         String accessToken = accessor.getFirstNativeHeader("Authorization");
+        // 로그아웃 처리
+        String jti = jwtUtil.extractJti(accessToken);
+        if (blackListService.contains(jti)) {
+            throw new MessagingException(LOGGED_OUT_USER_ERROR);
+        }
         if (accessToken == null || accessToken.isBlank()) {
             log.error("[JwtChannelInterceptor] {}", JWT_DOES_NOT_EXIST_ERROR);
             throw new UnauthorizedException(JWT_DOES_NOT_EXIST_ERROR, HttpStatusCode.valueOf(401));
@@ -78,6 +86,7 @@ private String extractAccessToken(StompHeaderAccessor accessor) {
 
         return accessToken.trim();
     }
+
     private void validateAccessToken(String accessToken) {
         try {
             if (!jwtUtil.validateToken(accessToken)) {
@@ -96,6 +105,7 @@ private void inToChatRoom(StompHeaderAccessor accessor) {
 
         handleConnect(accessor);
     }
+
     private void exitToChatRoom(StompHeaderAccessor accessor) {
         String subscriptionId = accessor.getSubscriptionId();
 
@@ -107,7 +117,7 @@ private void exitToChatRoom(StompHeaderAccessor accessor) {
         String roomId = destination.replace("/topic/chat/", "");
         String userEmail = accessor.getUser().getName();
 
-        Events.raise(new ExitToChatRoomEvent(userEmail,Long.valueOf(roomId)));
+        Events.raise(new ExitToChatRoomEvent(userEmail, Long.valueOf(roomId)));
     }
 
 }

src/main/java/com/wootech/transtalk/config/util/JwtUtil.java

@@ -1,8 +1,8 @@
 package com.wootech.transtalk.config.util;
 
 import com.wootech.transtalk.enums.UserRole;
-import com.wootech.transtalk.exception.custom.UnauthorizedException;
 import com.wootech.transtalk.exception.custom.ExpiredJwtException;
+import com.wootech.transtalk.exception.custom.UnauthorizedException;
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.security.Keys;
 import jakarta.annotation.PostConstruct;
@@ -42,6 +42,7 @@ public void init() {
 
     public String createAccessToken(Long userId, String email, String name, UserRole userRole) {
         Date date = new Date();
+        String jti = UUID.randomUUID().toString();
 
         return BEARER_PREFIX +
                 Jwts.builder()
@@ -50,6 +51,7 @@ public String createAccessToken(Long userId, String email, String name, UserRole
                         .claim("name", name)
                         .claim("userRole", userRole)
                         .expiration(new Date(System.currentTimeMillis() + ACCESS_TOKEN_TIME))
+                        .id(jti)
                         .setIssuedAt(date)
                         .signWith(key, signatureAlgorithm)
                         .compact();
@@ -111,22 +113,6 @@ public String getEmail(String token) {
         return extractClaims(token).get("email", String.class);
     }
 
-    // refresh token 유효성 검증
-    public boolean validateRefreshToken(String token) {
-        try {
-            Jwts.parser()
-                    .verifyWith(key)
-                    .build()
-                    .parseSignedClaims(token);
-            return true;
-        } catch (ExpiredJwtException e) {
-            log.error(EXPIRED_REFRESH_TOKEN_ERROR + ": {}", e.getMessage());
-            throw new ExpiredJwtException(EXPIRED_REFRESH_TOKEN_ERROR, HttpStatus.valueOf(406));
-        } catch (Exception e) {
-            return false;
-        }
-    }
-
     // refresh token 에서 userId 값 추출
     public String extractUserId(String refreshToken) {
         Claims claims = Jwts.parser()
@@ -137,4 +123,12 @@ public String extractUserId(String refreshToken) {
 
         return claims.get("userId", String.class);
     }
+
+    public String extractJti(String token) {
+        return extractClaims(token).getId();
+    }
+
+    public Date extractExpiration(String token) {
+        return extractClaims(token).getExpiration();
+    }
 }