[Feat] 카카오 로그인 시 동적 redirect URI 허용 및 검증 추가 (#67)

soonge2 · web-flow · commit ae487de614f3 · 2025-05-07T16:35:07.000+09:00
diff --git a/src/main/java/com/moa/moa_server/domain/auth/controller/AuthController.java b/src/main/java/com/moa/moa_server/domain/auth/controller/AuthController.java
@@ -33,10 +33,11 @@ public class AuthController {
     @PostMapping("/login/oauth")
     public ResponseEntity<ApiResponse> oAuthLogin(
             @RequestBody LoginRequest request,
+            @RequestHeader("X-Redirect-Uri") String redirectUri,
             HttpServletResponse response
     ) {
         // OAuth 로그인 서비스 로직 수행
-        LoginResult dto = authService.login(request.provider(), request.code());
+        LoginResult dto = authService.login(request.provider(), request.code(), redirectUri);
         LoginResponse loginResponseDto = dto.loginResponseDto();
         String refreshToken = dto.refreshToken();
 
diff --git a/src/main/java/com/moa/moa_server/domain/auth/handler/AuthErrorCode.java b/src/main/java/com/moa/moa_server/domain/auth/handler/AuthErrorCode.java
@@ -13,7 +13,8 @@ public enum AuthErrorCode implements BaseErrorCode {
     INVALID_PROVIDER(HttpStatus.BAD_REQUEST),
     KAKAO_TOKEN_FAILED(HttpStatus.UNAUTHORIZED),
     KAKAO_USERINFO_FAILED(HttpStatus.UNAUTHORIZED),
-    OAUTH_NOT_FOUND(HttpStatus.NOT_FOUND),;
+    OAUTH_NOT_FOUND(HttpStatus.NOT_FOUND),
+    INVALID_REDIRECT_URI(HttpStatus.BAD_REQUEST),;
 
     private final HttpStatus status;
 
diff --git a/src/main/java/com/moa/moa_server/domain/auth/service/AuthService.java b/src/main/java/com/moa/moa_server/domain/auth/service/AuthService.java
@@ -14,23 +14,35 @@
 import org.springframework.transaction.annotation.Transactional;
 
 import java.util.Map;
+import java.util.Set;
 
 @Slf4j
 @Service
 @RequiredArgsConstructor
 public class AuthService {
 
+    private static final Set<String> ALLOWED_REDIRECT_URIS = Set.of(
+            "http://localhost:5173/auth/callback",
+            "https://b4z.moagenda.com/auth/callback",
+            "http://localhost:8080/api/v1/auth/login/oauth"
+    );
+
     private final Map<String, OAuthLoginStrategy> strategies;
     private final JwtTokenService jwtTokenService;
     private final RefreshTokenService refreshTokenService;
 
-    public LoginResult login(String provider, String code) {
+    public LoginResult login(String provider, String code, String redirectUri) {
         if (!OAuth.ProviderCode.isSupported(provider)) {
             throw new AuthException(AuthErrorCode.INVALID_PROVIDER);
         }
 
+        if (!ALLOWED_REDIRECT_URIS.contains(redirectUri)) {
+            log.error("redirectUri: {} is not allowed. ALLOWED_REDIRECT_URIS: {}", redirectUri, ALLOWED_REDIRECT_URIS);
+            throw new AuthException(AuthErrorCode.INVALID_REDIRECT_URI);
+        }
+
         OAuthLoginStrategy strategy = strategies.get(provider.toLowerCase());
-        return strategy.login(code);
+        return strategy.login(code, redirectUri);
     }
 
     @Transactional(readOnly = true)
diff --git a/src/main/java/com/moa/moa_server/domain/auth/service/strategy/KakaoOAuthLoginStrategy.java b/src/main/java/com/moa/moa_server/domain/auth/service/strategy/KakaoOAuthLoginStrategy.java
@@ -60,9 +60,9 @@ public class KakaoOAuthLoginStrategy implements OAuthLoginStrategy {
 
     @Transactional
     @Override
-    public LoginResult login(String code) {
+    public LoginResult login(String code, String redirectUri) {
         // 인가코드로 카카오 액세스 토큰 요청
-        String kakaoAccessToken = getAccessToken(code);
+        String kakaoAccessToken = getAccessToken(code, redirectUri);
 
         // 카카오 액세스 토큰으로 사용자 정보 요청
         Long kakaoId = getUserInfo(kakaoAccessToken);
@@ -95,15 +95,15 @@ public LoginResult login(String code) {
         return new LoginResult(loginResponseDto, refreshToken);
     }
 
-    private String getAccessToken(String code) {
+    private String getAccessToken(String code, String redirectUri) {
 
         HttpHeaders headers = new HttpHeaders();
         headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
 
         MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
         body.add("grant_type", "authorization_code");
         body.add("client_id", kakaoClientId);
-        body.add("redirect_uri", kakaoRedirectUri);
+        body.add("redirect_uri", redirectUri);
         body.add("code", code);
 
         HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(body, headers);
diff --git a/src/main/java/com/moa/moa_server/domain/auth/service/strategy/OAuthLoginStrategy.java b/src/main/java/com/moa/moa_server/domain/auth/service/strategy/OAuthLoginStrategy.java
@@ -3,6 +3,6 @@
 import com.moa.moa_server.domain.auth.dto.model.LoginResult;
 
 public interface OAuthLoginStrategy {
-    LoginResult login(String code);
+    LoginResult login(String code, String redirectUri);
     void unlink(Long oauthId);
 }
diff --git a/src/main/resources/application-dev.yaml b/src/main/resources/application-dev.yaml
@@ -27,4 +27,5 @@ mock:
 
 logging:
   level:
+    root: INFO
     org.springframework.security: DEBUG

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,6 @@`
`3`	`3`	`import com.moa.moa_server.domain.auth.dto.model.LoginResult;`
`4`	`4`
`5`	`5`	`public interface OAuthLoginStrategy {`
`6`		`- LoginResult login(String code);`
	`6`	`+ LoginResult login(String code, String redirectUri);`
`7`	`7`	`void unlink(Long oauthId);`
`8`	`8`	`}`