Merge pull request #40 from SoongSilComputingClub/fix/#39-socialsuccesshandler-cookies-changing-cors-setting

bell-person-ii · web-flow · commit f4baf655ba2e · 2026-02-09T18:11:14.000+09:00
[Fix/#39] SocialSuccessHandler cookie 설정 수정
diff --git a/src/main/java/com/example/ssccwebbe/global/security/handler/SocialSuccessHandler.java b/src/main/java/com/example/ssccwebbe/global/security/handler/SocialSuccessHandler.java
@@ -4,12 +4,12 @@
 import java.util.Map;
 
 import jakarta.servlet.ServletException;
-import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseCookie;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
@@ -30,6 +30,12 @@ public class SocialSuccessHandler implements AuthenticationSuccessHandler {
     @Value("${frontend.cookie.secure}")
     private boolean cookieSecure;
 
+    @Value("${frontend.cookie.same-site}")
+    private String cookieSameSite;
+
+    @Value("${frontend.cookie.http-only}")
+    private boolean cookieHttpOnly;
+
     public SocialSuccessHandler(@Qualifier("preJwtService") JwtService preJwtService) {
         // JWT Service 매핑 (Strategy 패턴)
         this.jwtServiceMap =
@@ -62,14 +68,17 @@ public void onAuthenticationSuccess(
         // 발급한 Refresh DB 테이블 저장 (Refresh whitelist)
         jwtService.addRefresh(username, refreshToken);
 
-        // 응답
-        Cookie refreshCookie = new Cookie("refreshToken", refreshToken);
-        refreshCookie.setHttpOnly(true);
-        refreshCookie.setSecure(cookieSecure);
-        refreshCookie.setPath("/");
-        refreshCookie.setMaxAge(10); // 10초 (프론트에서 발급 후 바로 헤더 전환 로직 진행 예정)
-
-        response.addCookie(refreshCookie);
+        // 응답 (ResponseCookie 사용 - SameSite 속성 지원)
+        ResponseCookie refreshCookie =
+                ResponseCookie.from("refreshToken", refreshToken)
+                        .httpOnly(cookieHttpOnly)
+                        .secure(cookieSecure)
+                        .path("/")
+                        .maxAge(10) // 10초 (프론트에서 발급 후 바로 헤더 전환 로직 진행 예정)
+                        .sameSite(cookieSameSite) // SameSite 속성 추가
+                        .build();
+
+        response.addHeader("Set-Cookie", refreshCookie.toString());
         response.sendRedirect(frontendUrl + "/cookie"); // 프론트 주소로 redirect
     }
 
diff --git a/src/main/resources/application-local.yaml b/src/main/resources/application-local.yaml
@@ -42,6 +42,8 @@ frontend:
   url: http://localhost:5173
   cookie:
     secure: false
+    same-site: none
+    http-only: true
 
 logging:
   level:
diff --git a/src/main/resources/application-prod.yaml b/src/main/resources/application-prod.yaml
@@ -40,6 +40,8 @@ frontend:
   url: ${FRONTEND_URL}
   cookie:
     secure: true
+    same-site: none
+    http-only: true
 
 logging:
   level:
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -85,6 +85,8 @@ frontend:
   url: http://localhost:5173
   cookie:
     secure: false
+    same-site: Lax      # 기본값 (로컬 개발용)
+    http-only: true
 
 logging:
   level:
