[BE] JWT 토큰 사용 제거, Interceptor와 ArgumentResolver 중복 로직 제거

backend/build.gradle

@@ -36,10 +36,6 @@ dependencies {
 	implementation 'org.flywaydb:flyway-core'
 	implementation 'org.flywaydb:flyway-mysql'
 
-	implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
-	implementation 'io.jsonwebtoken:jjwt-impl:0.11.5'
-	implementation 'io.jsonwebtoken:jjwt-jackson:0.11.5'
-
 	implementation 'mysql:mysql-connector-java:8.0.33'
 
 	compileOnly 'org.projectlombok:lombok'

backend/src/main/java/harustudy/backend/auth/AuthArgumentResolver.java

@@ -1,25 +1,19 @@
 package harustudy.backend.auth;
 
 import harustudy.backend.auth.dto.AuthMember;
-import harustudy.backend.auth.service.AuthService;
-import harustudy.backend.auth.util.BearerAuthorizationParser;
 import lombok.RequiredArgsConstructor;
 import org.springframework.core.MethodParameter;
-import org.springframework.http.HttpHeaders;
 import org.springframework.stereotype.Component;
 import org.springframework.web.bind.support.WebDataBinderFactory;
 import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.method.support.ModelAndViewContainer;
 
 @RequiredArgsConstructor
 @Component
 public class AuthArgumentResolver implements HandlerMethodArgumentResolver {
 
-    private final AuthService authService;
-
-    private final BearerAuthorizationParser bearerAuthorizationParser;
-
     @Override
     public boolean supportsParameter(MethodParameter parameter) {
         return parameter.hasParameterAnnotation(Authenticated.class);
@@ -28,9 +22,7 @@ public boolean supportsParameter(MethodParameter parameter) {
     @Override
     public AuthMember resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
                                       NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
-        String authorizationHeader = webRequest.getHeader(HttpHeaders.AUTHORIZATION);
-        String accessToken = bearerAuthorizationParser.parse(authorizationHeader);
-        long memberId = Long.parseLong(authService.parseMemberId(accessToken));
+        Long memberId = (Long) webRequest.getAttribute("memberId", RequestAttributes.SCOPE_REQUEST);
         return new AuthMember(memberId);
     }
 }

backend/src/main/java/harustudy/backend/auth/AuthInterceptor.java

@@ -25,7 +25,8 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
         }
         String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
         String accessToken = bearerAuthorizationParser.parse(authorizationHeader);
-        authService.validateAccessToken(accessToken);
+        Long memberId = authService.parseMemberId(accessToken);
+        request.setAttribute("memberId", memberId);
         return HandlerInterceptor.super.preHandle(request, response, handler);
     }
 }

backend/src/main/java/harustudy/backend/auth/config/TokenConfig.java

@@ -5,9 +5,9 @@
 
 @Component
 public record TokenConfig(
-        @Value("${jwt.secret-key}") String secretKey,
-        @Value("${jwt.expire-length}") long accessTokenExpireLength,
-        @Value("${jwt.guest-expire-length}") long guestAccessTokenExpireLength,
+        @Value("${access-token.secret-key}") String secretKey,
+        @Value("${access-token.expire-length}") long accessTokenExpireLength,
+        @Value("${access-token.guest-expire-length}") long guestAccessTokenExpireLength,
         @Value("${refresh-token.expire-length}") long refreshTokenExpireLength) {
 
 }

backend/src/main/java/harustudy/backend/auth/exception/InvalidAccessTokenException.java

@@ -2,7 +2,13 @@
 
 import harustudy.backend.common.exception.HaruStudyException;
 
-public class InvalidAccessTokenException extends
-        HaruStudyException {
+public class InvalidAccessTokenException extends HaruStudyException {
 
+    public InvalidAccessTokenException() {
+
+    }
+
+    public InvalidAccessTokenException(Exception e) {
+        super(e);
+    }
 }

backend/src/main/java/harustudy/backend/auth/service/AuthService.java

@@ -5,17 +5,14 @@
 import harustudy.backend.auth.dto.OauthLoginRequest;
 import harustudy.backend.auth.dto.TokenResponse;
 import harustudy.backend.auth.dto.UserInfo;
-import harustudy.backend.auth.exception.InvalidAccessTokenException;
 import harustudy.backend.auth.exception.InvalidRefreshTokenException;
 import harustudy.backend.auth.repository.RefreshTokenRepository;
-import harustudy.backend.auth.util.JwtTokenProvider;
+import harustudy.backend.auth.util.AesTokenProvider;
 import harustudy.backend.member.domain.LoginType;
 import harustudy.backend.member.domain.Member;
 import harustudy.backend.member.repository.MemberRepository;
-import io.jsonwebtoken.JwtException;
 import java.util.UUID;
 import lombok.RequiredArgsConstructor;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -24,7 +21,7 @@
 @Service
 public class AuthService {
 
-    private final JwtTokenProvider jwtTokenProvider;
+    private final AesTokenProvider aesTokenProvider;
     private final TokenConfig tokenConfig;
     private final MemberRepository memberRepository;
     private final RefreshTokenRepository refreshTokenRepository;
@@ -44,11 +41,8 @@ private Member saveOrUpdateMember(String oauthProvider, UserInfo userInfo) {
     }
 
     private String generateAccessToken(Long memberId) {
-        return jwtTokenProvider.builder()
-                .subject(String.valueOf(memberId))
-                .accessTokenExpireLength(tokenConfig.accessTokenExpireLength())
-                .secretKey(tokenConfig.secretKey())
-                .build();
+        return aesTokenProvider.createAccessToken(memberId, tokenConfig.accessTokenExpireLength(),
+                tokenConfig.secretKey());
     }
 
     private RefreshToken saveRefreshTokenOf(Member member) {
@@ -67,11 +61,8 @@ public TokenResponse guestLogin() {
     }
 
     private String generateGuestAccessToken(Long memberId) {
-        return jwtTokenProvider.builder()
-                .subject(String.valueOf(memberId))
-                .accessTokenExpireLength(tokenConfig.guestAccessTokenExpireLength())
-                .secretKey(tokenConfig.secretKey())
-                .build();
+        return aesTokenProvider.createAccessToken(memberId,
+                tokenConfig.guestAccessTokenExpireLength(), tokenConfig.secretKey());
     }
 
     public TokenResponse refresh(String refreshTokenRequest) {
@@ -80,19 +71,12 @@ public TokenResponse refresh(String refreshTokenRequest) {
         refreshToken.validateExpired();
         refreshToken.updateUuidAndExpireDateTime(tokenConfig.refreshTokenExpireLength());
         String accessToken = generateAccessToken(refreshToken.getMember().getId());
-        return TokenResponse.forLoggedIn(accessToken, refreshToken, tokenConfig.refreshTokenExpireLength());
-    }
-
-    public void validateAccessToken(String accessToken) {
-        try {
-            jwtTokenProvider.validateAccessToken(accessToken, tokenConfig.secretKey());
-        } catch (JwtException e) {
-            throw new InvalidAccessTokenException();
-        }
+        return TokenResponse.forLoggedIn(accessToken, refreshToken,
+                tokenConfig.refreshTokenExpireLength());
     }
 
-    public String parseMemberId(String accessToken) {
-        return jwtTokenProvider.parseSubject(accessToken, tokenConfig.secretKey());
+    public Long parseMemberId(String accessToken) {
+        return aesTokenProvider.parseSubject(accessToken, tokenConfig.secretKey());
     }
 
     public void deleteStringifiedRefreshToken(String refreshToken) {

backend/src/main/java/harustudy/backend/auth/util/AesTokenProvider.java

@@ -0,0 +1,83 @@
+package harustudy.backend.auth.util;
+
+import harustudy.backend.auth.exception.InvalidAccessTokenException;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Base64;
+import java.util.Date;
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import org.springframework.stereotype.Component;
+
+@Component
+public class AesTokenProvider {
+
+    private static final String alg = "AES/CBC/PKCS5Padding";
+    private static final String iv = "0123456789abcdef"; // 16byte
+    private static final SimpleDateFormat DATE_FORMAT = new SimpleDateFormat("MMddHH:mm:ssyyyy");
+
+    public String createAccessToken(Long subject, Long accessTokenExpireLength, String secretKey) {
+        Date now = new Date();
+        Date expireAt = new Date(now.getTime() + accessTokenExpireLength);
+        String formatted = DATE_FORMAT.format(expireAt);
+        String text = subject + " " + formatted;
+        return encrypt(text, secretKey);
+    }
+
+    private String encrypt(String text, String secretKey) {
+        try {
+            Cipher cipher = Cipher.getInstance(alg);
+            SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "AES");
+            IvParameterSpec ivParamSpec = new IvParameterSpec(iv.getBytes());
+            cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivParamSpec);
+
+            byte[] encrypted = cipher.doFinal(text.getBytes(StandardCharsets.UTF_8));
+            return Base64.getEncoder().encodeToString(encrypted);
+        } catch (GeneralSecurityException e) {
+            throw new InvalidAccessTokenException(e);
+        }
+    }
+
+    public Long parseSubject(String accessToken, String secretKey) {
+        try {
+            String[] splitted = decrypt(accessToken, secretKey);
+            validateLength(splitted);
+            validateExpiration(splitted);
+            return parseSubject(splitted);
+        } catch (Exception e) {
+            throw new InvalidAccessTokenException(e);
+        }
+    }
+
+    private String[] decrypt(String accessToken, String secretKey) throws GeneralSecurityException {
+        Cipher cipher = Cipher.getInstance(alg);
+        SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "AES");
+        IvParameterSpec ivParamSpec = new IvParameterSpec(iv.getBytes());
+        cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParamSpec);
+
+        byte[] decodedBytes = Base64.getDecoder().decode(accessToken);
+        byte[] decrypted = cipher.doFinal(decodedBytes);
+        String string = new String(decrypted, StandardCharsets.UTF_8);
+        return string.split(" ");
+    }
+
+    private void validateLength(String[] splitted) {
+        if (splitted.length != 2) {
+            throw new InvalidAccessTokenException();
+        }
+    }
+
+    private void validateExpiration(String[] splitted) throws ParseException {
+        Date expireAt = DATE_FORMAT.parse(splitted[1]);
+        if (expireAt.before(new Date())) {
+            throw new InvalidAccessTokenException();
+        }
+    }
+
+    private Long parseSubject(String[] splitted) {
+        return Long.parseLong(splitted[0]);
+    }
+}

backend/src/main/java/harustudy/backend/common/exception/HaruStudyException.java

@@ -5,6 +5,10 @@ public abstract class HaruStudyException extends RuntimeException {
     protected HaruStudyException() {
     }
 
+    protected HaruStudyException(Exception e) {
+        super(e);
+    }
+
     protected HaruStudyException(String message) {
         super(message);
     }

backend/src/test/java/harustudy/backend/acceptance/AcceptanceTest.java

@@ -1,6 +1,7 @@
 package harustudy.backend.acceptance;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -13,7 +14,7 @@
 import harustudy.backend.auth.dto.OauthLoginRequest;
 import harustudy.backend.auth.dto.OauthTokenResponse;
 import harustudy.backend.auth.dto.TokenResponse;
-import harustudy.backend.auth.util.JwtTokenProvider;
+import harustudy.backend.auth.util.AesTokenProvider;
 import harustudy.backend.content.dto.WritePlanRequest;
 import harustudy.backend.content.dto.WriteRetrospectRequest;
 import harustudy.backend.integration.LoginResponse;
@@ -27,7 +28,6 @@
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.Map;
-import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.DisplayNameGeneration;
@@ -66,7 +66,7 @@ class AcceptanceTest {
     private MockMvc mockMvc;
 
     @Autowired
-    private JwtTokenProvider jwtTokenProvider;
+    private AesTokenProvider aesTokenProvider;
 
     @Autowired
     private TokenConfig tokenConfig;
@@ -127,8 +127,8 @@ void setUp() {
 
     private List<StudyResponse> 회원으로_진행했던_모든_스터디_목록을_조회한다(LoginResponse 로그인_정보)
             throws Exception {
-        long memberId = Long.parseLong(jwtTokenProvider
-                .parseSubject(로그인_정보.tokenResponse().accessToken(), tokenConfig.secretKey()));
+        Long memberId = aesTokenProvider.parseSubject(로그인_정보.tokenResponse().accessToken(),
+                tokenConfig.secretKey());
 
         MvcResult result = mockMvc.perform(
                         get("/api/studies")
@@ -196,8 +196,8 @@ void setUp() {
     }
 
     private Long 스터디에_참여한다(LoginResponse 로그인_정보, Long 스터디_아이디) throws Exception {
-        Long memberId = Long.valueOf(jwtTokenProvider
-                .parseSubject(로그인_정보.tokenResponse().accessToken(), tokenConfig.secretKey()));
+        Long memberId = aesTokenProvider.parseSubject(로그인_정보.tokenResponse().accessToken(),
+                tokenConfig.secretKey());
         ParticipateStudyRequest request = new ParticipateStudyRequest(memberId, "nickname");
         String jsonRequest = objectMapper.writeValueAsString(request);
 
@@ -291,7 +291,6 @@ void setUp() {
                 .andExpect(status().isOk())
                 .andReturn();
         String response = result.getResponse().getContentAsString(StandardCharsets.UTF_8);
-        Assertions.assertDoesNotThrow(() -> objectMapper.readValue(response,
-                StudyResponse.class));
+        assertDoesNotThrow(() -> objectMapper.readValue(response, StudyResponse.class));
     }
 }