Portfolio

1. 현재 로그인 코드 분석 및 문제점

현재 구글 소셜 로그인 코드 흐름

프론트에서 구글 로그인 url 요청 http://localhost:8080/oath2/authorization/google →

구글 인증 서버 인증 → 구글 리소스 서버 접근 → 유저 정보 저장 및 토큰 생성 → 토큰은 redirect URL에 Query String으로 발급

현재 redirectUrl은 bidmarket.vercel.app/auth?token=~~ 으로 하드코딩 되어있는상태

현재 상황에서 토큰을 쿠키에 http only 옵션을 줘서 저장하고 메인페이지로 리다이렉트 시켜주고 싶음

우선 현재 코드가 어떻게 작동하는지 파악 할것임

현재 security 코드 분석

WebSecurityConfig 파일




@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

  ...생략

  @Bean
  public SecurityFilterChain filterChain(Jwt jwt,
                                         HttpSecurity http,
                                         OAuth2AuthorizedClientRepository repository,
                                         OAuth2AuthenticationSuccessHandler handler
  ) throws Exception {

    http.authorizeRequests()
        ...생략
        /**
         * OAuth2 설정
         */
        .oauth2Login()
        .authorizationEndpoint()
        .authorizationRequestRepository(authorizationRequestRepository())
        .and()
        .successHandler(handler)
        .authorizedClientRepository(repository)
        .and()

				...생략

    return http.build();
  }
}

OAuth2AuthenticationSuccessHandler 파일


package com.saiko.bidmarket.common.oauth2;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

import com.saiko.bidmarket.common.jwt.Jwt;
import com.saiko.bidmarket.user.entity.User;
import com.saiko.bidmarket.user.service.UserService;

public class OAuth2AuthenticationSuccessHandler extends
    SavedRequestAwareAuthenticationSuccessHandler {

  private final Logger log = LoggerFactory.getLogger(this.getClass());

  private final Jwt jwt;

  private final UserService userService;

  public OAuth2AuthenticationSuccessHandler(Jwt jwt, UserService userService) {

    this.jwt = jwt;
    this.userService = userService;
  }

  @Override
  public void onAuthenticationSuccess(
      HttpServletRequest request,
      HttpServletResponse response,
      Authentication authentication)
      throws
      IOException {

    if (authentication instanceof OAuth2AuthenticationToken) {
      OAuth2AuthenticationToken oauth2Token = (OAuth2AuthenticationToken)authentication;
      OAuth2User principal = oauth2Token.getPrincipal();
      log.debug("Message {}, {}", principal.getName(), principal.getAttributes());
      String registrationId = oauth2Token.getAuthorizedClientRegistrationId();

      User user = processUserOAuth2UserJoin(principal, registrationId);
      String loginSuccessJson = generateLoginSuccessJson(user);
      response.setContentType("application/json;charset=UTF-8");
      response.setContentLength(loginSuccessJson.getBytes(StandardCharsets.UTF_8).length);
      response.sendRedirect("http://localhost:3000/auth?" + loginSuccessJson);
    }
  }

  private User processUserOAuth2UserJoin(OAuth2User oAuth2User, String registrationId) {
    return userService.join(oAuth2User, registrationId);
  }

  private String generateLoginSuccessJson(User user) {
    String token = generateToken(user);
    log.debug("Jwt({}) created for oauth2 login user {}", token, user.getId());
    return "token=" + token;
  }

  private String generateToken(User user) {
    return jwt.sign(Jwt.Claims.from(user.getId(), new String[]{"ROLE_USER"}));
  }
}