Fix: OAuth2 state는 더 이상 쿠키에 저장하지 않고 Redis에 짧은 TTL로 저장하도록 변경

- 브라우저의 서드파티 쿠키 차단으로 인한 authorization_request_not_found가 반복되는 문제를 제거

Author: devbattery

src/main/java/wonjun/stiky/auth/config/HttpCookieOAuth2AuthorizationRequestRepository.java

@@ -23,7 +23,7 @@ public class OAuth2SuccessHandler extends SimpleUrlAuthenticationSuccessHandler
 
     private final JwtTokenProvider jwtTokenProvider;
     private final RedisTemplate<String, Object> redisTemplate;
-    private final HttpCookieOAuth2AuthorizationRequestRepository authorizationRequestRepository;
+    private final RedisOAuth2AuthorizationRequestRepository authorizationRequestRepository;
 
     @Value("${openapi.client-url}")
     private String url;

src/main/java/wonjun/stiky/auth/config/OAuth2SuccessHandler.java

@@ -0,0 +1,96 @@
+package wonjun.stiky.auth.config;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.util.Base64;
+import java.util.Objects;
+import java.util.concurrent.TimeUnit;
+import lombok.RequiredArgsConstructor;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.stereotype.Component;
+import org.springframework.util.SerializationUtils;
+
+@Component
+@RequiredArgsConstructor
+public class RedisOAuth2AuthorizationRequestRepository implements
+        AuthorizationRequestRepository<OAuth2AuthorizationRequest> {
+
+    private static final String KEY_PREFIX = "OAUTH2_AUTH_REQUEST:";
+    private static final long EXPIRE_SECONDS = 180;
+
+    private final RedisTemplate<String, Object> redisTemplate;
+
+    @Override
+    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
+        return findAuthorizationRequest(stateFrom(request));
+    }
+
+    @Override
+    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request,
+                                         HttpServletResponse response) {
+        if (authorizationRequest == null) {
+            removeAuthorizationRequest(request, response);
+            return;
+        }
+
+        String state = authorizationRequest.getState();
+        if (state == null) {
+            return;
+        }
+
+        redisTemplate.opsForValue()
+                .set(buildKey(state), serialize(authorizationRequest), EXPIRE_SECONDS, TimeUnit.SECONDS);
+    }
+
+    @Override
+    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
+                                                                 HttpServletResponse response) {
+        String state = stateFrom(request);
+        if (state == null) {
+            return null;
+        }
+
+        String key = buildKey(state);
+        Object serialized = redisTemplate.opsForValue().get(key);
+        redisTemplate.delete(key);
+        return deserialize(serialized);
+    }
+
+    private OAuth2AuthorizationRequest findAuthorizationRequest(String state) {
+        if (state == null) {
+            return null;
+        }
+
+        Object serialized = redisTemplate.opsForValue().get(buildKey(state));
+        return deserialize(serialized);
+    }
+
+    private String stateFrom(HttpServletRequest request) {
+        if (request == null) {
+            return null;
+        }
+        return request.getParameter(OAuth2ParameterNames.STATE);
+    }
+
+    private String buildKey(String state) {
+        return KEY_PREFIX + state;
+    }
+
+    private String serialize(OAuth2AuthorizationRequest authorizationRequest) {
+        byte[] bytes = Objects.requireNonNull(SerializationUtils.serialize(authorizationRequest));
+        return Base64.getEncoder().encodeToString(bytes);
+    }
+
+    private OAuth2AuthorizationRequest deserialize(Object serialized) {
+        if (!(serialized instanceof String value)) {
+            return null;
+        }
+
+        byte[] bytes = Base64.getDecoder().decode(value);
+        return (OAuth2AuthorizationRequest) SerializationUtils.deserialize(bytes);
+    }
+
+}

src/main/java/wonjun/stiky/auth/config/RedisOAuth2AuthorizationRequestRepository.java

@@ -19,7 +19,7 @@
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import wonjun.stiky.auth.config.CustomOAuth2UserService;
 import wonjun.stiky.auth.config.CustomUserDetailsService;
-import wonjun.stiky.auth.config.HttpCookieOAuth2AuthorizationRequestRepository;
+import wonjun.stiky.auth.config.RedisOAuth2AuthorizationRequestRepository;
 import wonjun.stiky.auth.config.JwtAuthenticationFilter;
 import wonjun.stiky.auth.config.JwtTokenProvider;
 import wonjun.stiky.auth.config.OAuth2SuccessHandler;
@@ -32,7 +32,7 @@ public class SecurityConfig {
     private final CustomOAuth2UserService customOAuth2UserService;
     private final CustomUserDetailsService customUserDetailsService;
     private final OAuth2SuccessHandler oAuth2SuccessHandler;
-    private final HttpCookieOAuth2AuthorizationRequestRepository authorizationRequestRepository;
+    private final RedisOAuth2AuthorizationRequestRepository authorizationRequestRepository;
     private final JwtTokenProvider jwtTokenProvider;
 
     @Value("${cors.allowed-origins}")