refactor: JWT 로직 수정

rudalsss · rudalsss · commit 6f30cb03ef3a · 2025-10-06T16:27:29.000+09:00
diff --git a/src/main/java/com/financedoc/gateway_service/config/SecurityConfig.java b/src/main/java/com/financedoc/gateway_service/config/SecurityConfig.java
@@ -1,21 +1,40 @@
 package com.financedoc.gateway_service.config;
 
+import com.financedoc.gateway_service.jwt.JwtFilter;
+import com.financedoc.gateway_service.jwt.JwtUtil;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 
 @Configuration
 @EnableWebFluxSecurity
+@RequiredArgsConstructor
 public class SecurityConfig {
+
+    private final JwtFilter jwtFilter;
+
+    @Order(0)
     @Bean
     public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
-        return http
+        http
                 .csrf(ServerHttpSecurity.CsrfSpec::disable) // CSRF 비활성화
                 .authorizeExchange(exchanges -> exchanges
-                        .anyExchange().permitAll() // 모든 요청 허용
+                        // 인증이 필요없는 경로
+                        .pathMatchers("/actuator/health", "/error", "/swagger-ui/**", "/v3/api-docs/**",
+                                "/test-token", "/user/auth/kakao", "/user/auth/login", "/user/auth/refresh"
+                        ).permitAll()
+                        // 그외 필터에서 검증 후 X-User-Id 헤더가 없으면 차단
+                        .anyExchange().authenticated()
                 )
-                .build();
+                .addFilterAt(jwtFilter, SecurityWebFiltersOrder.AUTHENTICATION) // JWT 검증 필터 적용
+                .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
+                .formLogin(ServerHttpSecurity.FormLoginSpec::disable);
+
+        return http.build();
     }
 }
diff --git a/src/main/java/com/financedoc/gateway_service/jwt/JwtFilter.java b/src/main/java/com/financedoc/gateway_service/jwt/JwtFilter.java
@@ -6,25 +6,24 @@
 import io.jsonwebtoken.UnsupportedJwtException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.cloud.gateway.filter.GatewayFilterChain;
-import org.springframework.cloud.gateway.filter.GlobalFilter;
-import org.springframework.core.Ordered;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
 import reactor.core.publisher.Mono;
 
 @Component
 @RequiredArgsConstructor
 @Slf4j
-public class JwtFilter implements GlobalFilter, Ordered {
+public class JwtFilter implements WebFilter {
 
     private final JwtUtil jwtUtil;
 
     @Override
-    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
+    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 
         // CORS 프리플라이트는 바로 통과
         HttpMethod method = exchange.getRequest().getMethod();
@@ -36,6 +35,17 @@ public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
         String authHeader = exchange.getRequest().getHeaders().getFirst("Authorization");
         log.info("[JwtFilter] 요청 path={}, Authorization={}", path, authHeader);
 
+        // 화이트리스트 경로 예외 처리
+        if (path.startsWith("/actuator/health") ||
+                path.startsWith("/test-token") ||
+                path.startsWith("/user/auth/") ||
+                path.startsWith("/swagger-ui") ||
+                path.startsWith("/v3/api-docs") ||
+                path.startsWith("/error")) {
+            log.info("[JwtFilter] 통과 path={}", path);
+            return chain.filter(exchange);
+        }
+
         if (authHeader == null || !authHeader.startsWith("Bearer ")) {
             log.warn("[JwtFilter] Authorization 헤더 없음 또는 Bearer 형식 아님");
             exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
@@ -75,9 +85,4 @@ public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
         exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
         return exchange.getResponse().setComplete();
     }
-
-    @Override
-    public int getOrder() {
-        return -1; // 먼저 실행
-    }
 }
diff --git a/src/main/java/com/financedoc/gateway_service/jwt/JwtUtil.java b/src/main/java/com/financedoc/gateway_service/jwt/JwtUtil.java
@@ -11,7 +11,9 @@
 
 import javax.crypto.SecretKey;
 import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.Map;
 
 @Component
@@ -32,34 +34,34 @@ public void init() {
     }
 
     private String ensureBase64(String value) {
-        boolean looksBase64 = value.matches("^[A-Za-z0-9+/=]+$");
-        if (!looksBase64) {
-            return java.util.Base64.getEncoder().encodeToString(value.getBytes(java.nio.charset.StandardCharsets.UTF_8));
-        }
-        return value;
+        if (value == null) return "";
+        boolean looksBase64 = value.matches("^[A-Za-z0-9+/=]+={0,2}$");
+        return looksBase64 ? value
+                : Base64.getEncoder().encodeToString(value.getBytes(StandardCharsets.UTF_8));
     }
 
-    public String createAccessToken(String subject, Map<String, Object> claims) {
+    public String createAccessToken(String userId, Map<String, Object> extraClaims) {
+        Map<String, Object> claims = (extraClaims == null) ? new HashMap<>() : new HashMap<>(extraClaims);
+        claims.putIfAbsent("user_id", userId);
+        claims.put("category", "access");
+
         Date now = new Date();
-        Date expiry = new Date(now.getTime() + accessTokenValidityMs);
-        return buildToken(subject, claims, now, expiry);
-    }
+        Date exp = new Date(now.getTime() + accessTokenValidityMs);
 
-    private String buildToken(String subject, Map<String, Object> claims, Date issuedAt, Date expiry) {
         return Jwts.builder()
                 .setClaims(claims)
-                .setSubject(subject)
-                .setIssuedAt(issuedAt)
-                .setExpiration(expiry)
+                .setSubject(userId)
+                .setIssuedAt(now)
+                .setExpiration(exp)
                 .signWith(secretKey)
                 .compact();
     }
 
     public Claims parseClaims(String token) {
-        return Jwts.parser()              // ← parserBuilder()가 아니라 parser()
-                .verifyWith(secretKey)    // ← setSigningKey(...) 대신 verifyWith(Key)
+        return Jwts.parser()              // parserBuilder() 아님
+                .verifyWith(secretKey)    // setSigningKey(...) 대신 verifyWith(Key)
                 .build()
-                .parseSignedClaims(token) // ← parseClaimsJws(...) → parseSignedClaims(...)
+                .parseSignedClaims(token)
                 .getPayload();
     }
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -4,7 +4,6 @@ server:
 spring:
   application:
     name: gateway-service
-
   cloud:
     gateway:
       server:
@@ -38,5 +37,5 @@ management:
 
 jwt:
   secret: ${JWT_SECRET}
-  access-token-validity: 3600000 # 엑세스 토큰 만료 시간
+  access-token-validity: 180000  # 3분(3 * 60 * 1000)
   refresh-token-validity: 120960000 # 리프레시 토큰 만료 시간
