[BE] 로그아웃 기능 및 인증 관련 정비

backend/src/main/java/harustudy/backend/auth/controller/AuthController.java

@@ -51,28 +51,54 @@ public ResponseEntity<TokenResponse> oauthLogin(
     @Operation(summary = "access 토큰, refresh 토큰 갱신")
     @PostMapping("/api/auth/refresh")
     public ResponseEntity<TokenResponse> refresh(
-            HttpServletRequest httpServletRequest,
-            HttpServletResponse httpServletResponse
+            HttpServletRequest request,
+            HttpServletResponse response
     ) {
-        String refreshToken = extractRefreshTokenFromCookie(httpServletRequest);
+        String refreshToken = extractRefreshTokenFromCookie(request);
         TokenResponse tokenResponse = authService.refresh(refreshToken);
         Cookie cookie = setUpRefreshTokenCookie(tokenResponse);
-        httpServletResponse.addCookie(cookie);
+        response.addCookie(cookie);
         return ResponseEntity.ok(tokenResponse);
     }
 
     private Cookie setUpRefreshTokenCookie(TokenResponse tokenResponse) {
         Cookie cookie = new Cookie("refreshToken", tokenResponse.refreshToken().toString());
         cookie.setMaxAge(refreshTokenExpireLength.intValue() / 1000);
         cookie.setPath("/");
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
         return cookie;
     }
 
-    private String extractRefreshTokenFromCookie(HttpServletRequest httpServletRequest) {
-        return Arrays.stream(httpServletRequest.getCookies())
+    private String extractRefreshTokenFromCookie(HttpServletRequest request) {
+        return Arrays.stream(request.getCookies())
                 .filter(cookie -> cookie.getName().equals("refreshToken"))
                 .map(Cookie::getValue)
                 .findAny()
                 .orElseThrow(RefreshTokenNotExistsException::new);
     }
+
+    @Operation(summary = "로그아웃, access & refresh 토큰 삭제")
+    @PostMapping("/api/auth/logout")
+    public ResponseEntity<Void> logout(
+            HttpServletRequest request,
+            HttpServletResponse response
+    ) {
+        String refreshToken = extractRefreshTokenFromCookie(request);
+        authService.deleteStringifiedRefreshToken(refreshToken);
+
+        deleteCookies(request, response);
+
+        return ResponseEntity.ok().build();
+    }
+
+    private void deleteCookies(HttpServletRequest request, HttpServletResponse response) {
+        Cookie[] cookies = request.getCookies();
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                cookie.setMaxAge(0);
+                response.addCookie(cookie);
+            }
+        }
+    }
 }

backend/src/main/java/harustudy/backend/auth/repository/RefreshTokenRepository.java

@@ -5,10 +5,16 @@
 import java.util.Optional;
 import java.util.UUID;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
 
 public interface RefreshTokenRepository extends JpaRepository<RefreshToken, Long> {
 
     Optional<RefreshToken> findByUuid(UUID refreshToken);
 
     Optional<RefreshToken> findByMember(Member member);
+
+    @Modifying
+    @Query("delete from RefreshToken r where r.uuid = :uuid")
+    void deleteTokenWithoutContextUpdate(UUID uuid);
 }

backend/src/main/java/harustudy/backend/auth/service/AuthService.java

@@ -93,4 +93,9 @@ public void validateAccessToken(String accessToken) {
     public String parseMemberId(String accessToken) {
         return jwtTokenProvider.parseSubject(accessToken, tokenConfig.secretKey());
     }
+
+    public void deleteStringifiedRefreshToken(String refreshToken) {
+        UUID uuid = UUID.fromString(refreshToken);
+        refreshTokenRepository.deleteTokenWithoutContextUpdate(uuid);
+    }
 }

backend/src/main/java/harustudy/backend/auth/service/OauthLoginFacade.java

@@ -11,16 +11,19 @@
 import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
 
 @RequiredArgsConstructor
 @Component
+@Transactional
 public class OauthLoginFacade {
 
     private final OauthProperties oauthProperties;
     private final GoogleOauthClient googleOauthClient;
     private final AuthService authService;
 
     public TokenResponse oauthLogin(OauthLoginRequest request) {
+        // TODO: 에러 핸들링
         UserInfo userInfo = requestUserInfo(request.oauthProvider(), request.code());
         return authService.userLogin(request, userInfo);
     }

backend/src/test/java/harustudy/backend/auth/service/AuthServiceTest.java

@@ -1,7 +1,11 @@
 package harustudy.backend.auth.service;
 
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 import static org.assertj.core.api.SoftAssertions.assertSoftly;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 
@@ -12,7 +16,9 @@
 import harustudy.backend.auth.dto.OauthTokenResponse;
 import harustudy.backend.auth.dto.TokenResponse;
 import harustudy.backend.auth.dto.UserInfo;
+import harustudy.backend.auth.exception.InvalidAccessTokenException;
 import harustudy.backend.auth.infrastructure.GoogleOauthClient;
+import harustudy.backend.auth.util.JwtTokenProvider;
 import harustudy.backend.member.domain.LoginType;
 import harustudy.backend.member.domain.Member;
 import jakarta.persistence.EntityManager;
@@ -38,6 +44,9 @@ class AuthServiceTest {
     @Autowired
     private AuthService authService;
 
+    @Autowired
+    private JwtTokenProvider jwtTokenProvider;
+
     @Autowired
     private TokenConfig tokenConfig;
 
@@ -109,4 +118,55 @@ class AuthServiceTest {
         // then
         assertThat(response.refreshToken()).isNotEqualTo(refreshToken.getUuid());
     }
+
+    @Test
+    void 유효한_액세스_토큰의_유효성_검사_시_예외를_반환한다() {
+        // given
+        Long memberId = 1L;
+        String accessToken = jwtTokenProvider.builder()
+                .subject(String.valueOf(memberId))
+                .accessTokenExpireLength(999999L)
+                .secretKey(tokenConfig.secretKey())
+                .build();
+
+        // when, then
+        assertDoesNotThrow(() -> authService.validateAccessToken(accessToken));
+    }
+
+    @Test
+    void 만료된_액세스_토큰의_유효성_검사_시_예외를_반환한다() {
+        // given
+        Long memberId = 1L;
+        String accessToken = jwtTokenProvider.builder()
+                .subject(String.valueOf(memberId))
+                .accessTokenExpireLength(0L)
+                .secretKey(tokenConfig.secretKey())
+                .build();
+
+        // when, then
+        assertThatThrownBy(() -> authService.validateAccessToken(accessToken)).isInstanceOf(
+                InvalidAccessTokenException.class);
+    }
+
+    @Test
+    void 갱신_토큰을_삭제한다() {
+        // given
+        Member member = new Member("test", "[email protected]", "test.png", LoginType.GOOGLE);
+        RefreshToken refreshToken = new RefreshToken(member,
+                tokenConfig.refreshTokenExpireLength());
+
+        entityManager.persist(member);
+        entityManager.persist(refreshToken);
+        entityManager.flush();
+        entityManager.clear();
+
+        // when
+        String stringifiedUUID = refreshToken.getUuid().toString();
+
+        // then
+        assertNotNull(entityManager.find(RefreshToken.class, refreshToken.getId()));
+        authService.deleteStringifiedRefreshToken(stringifiedUUID);
+        entityManager.clear();
+        assertNull(entityManager.find(RefreshToken.class, refreshToken.getId()));
+    }
 }