[Feature] SpringSecurity 및 소셜로그인 구현

.env.example

@@ -5,6 +5,17 @@ DB_NAME=cherrish
 DB_USERNAME=postgres
 DB_PASSWORD=postgres
 
+# Redis Configuration (로컬 개발 환경 - 인증 없음)
+REDIS_HOST=localhost
+REDIS_PORT=6379
+REDIS_PASSWORD=
+
+# JWT Configuration (Base64-encoded 32+ bytes; e.g., openssl rand -base64 32)
+JWT_SECRET_KEY=MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE=
+
+# Social Login Configuration
+APPLE_CLIENT_ID=your-apple-bundle-id
+
 # OpenAI Configuration
 OPENAI_API_KEY=sk-proj-your-api-key-here
 OPENAI_MODEL=gpt-3.5-turbo

build.gradle

@@ -42,6 +42,17 @@ dependencies {
 	annotationProcessor "jakarta.annotation:jakarta.annotation-api"
 	annotationProcessor "jakarta.persistence:jakarta.persistence-api"
 
+	// Spring Security
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+
+	// JWT
+	implementation 'io.jsonwebtoken:jjwt-api:0.12.7'
+	runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.12.7'
+	runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.12.7'
+
+	// Redis
+	implementation 'org.springframework.boot:spring-boot-starter-data-redis'
+
 	//swagger
 	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.14'
 	implementation 'io.swagger.core.v3:swagger-annotations-jakarta:2.2.41'

docker-compose.local.yml

@@ -16,5 +16,19 @@ services:
       timeout: 5s
       retries: 5
 
+  redis:
+    image: redis:7-alpine
+    container_name: cherrish-redis
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
 volumes:
   postgres_data:
+  redis_data:

scripts/deploy-dev.sh

@@ -32,6 +32,11 @@ OPENAI_API_KEY=$(aws ssm get-parameter --name "/cherrish/OPENAI_API_KEY" --regio
 OPENAI_MODEL=$(aws ssm get-parameter --name "/cherrish/OPENAI_MODEL" --region "${AWS_REGION}" --query "Parameter.Value" --output text)
 SERVER_URL=$(aws ssm get-parameter --name "/cherrish/SERVER_URL" --region "${AWS_REGION}" --query "Parameter.Value" --output text)
 DISCORD_ERROR_WEBHOOK_URL=$(aws ssm get-parameter --name "/cherrish/DISCORD_ERROR_WEBHOOK_URL" --region "${AWS_REGION}" --with-decryption --query "Parameter.Value" --output text)
+REDIS_HOST=$(aws ssm get-parameter --name "/cherrish/REDIS_HOST" --region "${AWS_REGION}" --query "Parameter.Value" --output text)
+REDIS_PORT=$(aws ssm get-parameter --name "/cherrish/REDIS_PORT" --region "${AWS_REGION}" --query "Parameter.Value" --output text)
+REDIS_PASSWORD=$(aws ssm get-parameter --name "/cherrish/REDIS_PASSWORD" --region "${AWS_REGION}" --with-decryption --query "Parameter.Value" --output text)
+JWT_SECRET_KEY=$(aws ssm get-parameter --name "/cherrish/JWT_SECRET_KEY" --region "${AWS_REGION}" --with-decryption --query "Parameter.Value" --output text)
+APPLE_CLIENT_ID=$(aws ssm get-parameter --name "/cherrish/APPLE_CLIENT_ID" --region "${AWS_REGION}" --query "Parameter.Value" --output text)
 
 # Stop and remove existing container
 echo "Stopping existing container..."
@@ -53,6 +58,11 @@ docker run -d \
   -e OPENAI_MODEL="${OPENAI_MODEL}" \
   -e SERVER_URL="${SERVER_URL}" \
   -e DISCORD_ERROR_WEBHOOK_URL="${DISCORD_ERROR_WEBHOOK_URL}" \
+  -e REDIS_HOST="${REDIS_HOST}" \
+  -e REDIS_PORT="${REDIS_PORT}" \
+  -e REDIS_PASSWORD="${REDIS_PASSWORD}" \
+  -e JWT_SECRET_KEY="${JWT_SECRET_KEY}" \
+  -e APPLE_CLIENT_ID="${APPLE_CLIENT_ID}" \
   "${IMAGE}"
 
 # Cleanup old images

src/main/java/com/sopt/cherrish/domain/auth/application/service/AuthService.java

@@ -0,0 +1,164 @@
+package com.sopt.cherrish.domain.auth.application.service;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.Optional;
+
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.sopt.cherrish.domain.auth.domain.repository.AccessTokenBlacklistRepository;
+import com.sopt.cherrish.domain.auth.domain.repository.RefreshTokenRepository;
+import com.sopt.cherrish.domain.auth.exception.AuthErrorCode;
+import com.sopt.cherrish.domain.auth.exception.AuthException;
+import com.sopt.cherrish.domain.auth.infrastructure.jwt.JwtTokenProvider;
+import com.sopt.cherrish.domain.auth.infrastructure.social.SocialUserInfo;
+import com.sopt.cherrish.domain.auth.presentation.dto.request.SocialLoginRequestDto;
+import com.sopt.cherrish.domain.auth.presentation.dto.request.TokenRefreshRequestDto;
+import com.sopt.cherrish.domain.auth.presentation.dto.response.LoginResponseDto;
+import com.sopt.cherrish.domain.auth.presentation.dto.response.TokenResponseDto;
+import com.sopt.cherrish.domain.user.domain.model.User;
+import com.sopt.cherrish.domain.user.domain.repository.UserRepository;
+
+import lombok.RequiredArgsConstructor;
+
+/**
+ * 인증 관련 비즈니스 로직을 처리하는 서비스.
+ *
+ * <p>소셜 로그인, 토큰 재발급, 로그아웃 기능을 제공합니다.</p>
+ */
+@Service
+@RequiredArgsConstructor
+@Transactional(readOnly = true)
+public class AuthService {
+
+	private static final String DEFAULT_NAME = "사용자";
+	private static final int DEFAULT_AGE = 0;
+
+	private final SocialLoginService socialLoginService;
+	private final UserRepository userRepository;
+	private final JwtTokenProvider jwtTokenProvider;
+	private final RefreshTokenRepository refreshTokenRepository;
+	private final AccessTokenBlacklistRepository accessTokenBlacklistRepository;
+
+	/**
+	 * 소셜 로그인을 처리합니다.
+	 *
+	 * <p>소셜 토큰을 검증하고, 신규 사용자인 경우 회원가입을 진행합니다.
+	 * 이후 Access Token과 Refresh Token을 발급합니다.</p>
+	 *
+	 * @param request 소셜 로그인 요청 (provider, token)
+	 * @return 로그인 응답 (userId, isNewUser, accessToken, refreshToken)
+	 * @throws AuthException 소셜 토큰이 유효하지 않은 경우
+	 */
+	@Transactional
+	public LoginResponseDto login(SocialLoginRequestDto request) {
+		SocialUserInfo socialUserInfo = socialLoginService.authenticate(
+			request.provider(),
+			request.token()
+		);
+
+		Optional<User> existingUser = userRepository.findBySocialProviderAndSocialId(
+			request.provider(),
+			socialUserInfo.socialId()
+		);
+
+		boolean isNewUser = existingUser.isEmpty();
+		User user;
+
+		if (isNewUser) {
+			user = User.builder()
+				.name(DEFAULT_NAME)
+				.age(DEFAULT_AGE)
+				.socialProvider(request.provider())
+				.socialId(socialUserInfo.socialId())
+				.email(socialUserInfo.email())
+				.build();
+			user = userRepository.save(user);
+		} else {
+			user = existingUser.get();
+		}
+
+		TokenResponseDto tokens = issueTokenPair(user.getId());
+
+		return new LoginResponseDto(user.getId(), isNewUser, tokens.accessToken(), tokens.refreshToken());
+	}
+
+	/**
+	 * Refresh Token으로 새로운 토큰 쌍을 발급합니다.
+	 *
+	 * <p>Refresh Token Rotation(RTR) 방식을 적용하여 재발급시 새로운 Refresh Token도 함께 발급합니다.</p>
+	 *
+	 * @param request 토큰 재발급 요청 (refreshToken)
+	 * @return 새로운 Access Token과 Refresh Token
+	 * @throws AuthException Refresh Token이 유효하지 않거나 만료된 경우
+	 */
+	@Transactional
+	public TokenResponseDto refresh(TokenRefreshRequestDto request) {
+		String refreshToken = request.refreshToken();
+
+		jwtTokenProvider.validateToken(refreshToken);
+
+		if (!jwtTokenProvider.isRefreshToken(refreshToken)) {
+			throw new AuthException(AuthErrorCode.INVALID_REFRESH_TOKEN);
+		}
+
+		Long userId = jwtTokenProvider.getUserId(refreshToken);
+
+		if (!userRepository.existsById(userId)) {
+			throw new AuthException(AuthErrorCode.USER_NOT_FOUND);
+		}
+
+		String storedToken = refreshTokenRepository.findByUserId(userId)
+			.orElseThrow(() -> new AuthException(AuthErrorCode.REFRESH_TOKEN_NOT_FOUND));
+
+		if (!constantTimeEquals(storedToken, refreshToken)) {
+			throw new AuthException(AuthErrorCode.INVALID_REFRESH_TOKEN);
+		}
+
+		return issueTokenPair(userId);
+	}
+
+	/**
+	 * 로그아웃을 처리합니다.
+	 *
+	 * <p>Redis에 저장된 Refresh Token을 삭제하고, Access Token을 블랙리스트에 추가하여
+	 * 해당 토큰들로 더 이상 인증이 불가능하게 합니다.</p>
+	 *
+	 * @param userId 로그아웃할 사용자 ID
+	 * @param authorizationHeader Authorization 헤더 값 (Bearer 토큰)
+	 */
+	@Transactional
+	public void logout(Long userId, String authorizationHeader) {
+		refreshTokenRepository.deleteByUserId(userId);
+
+		String accessToken = jwtTokenProvider.extractToken(authorizationHeader);
+		if (accessToken != null) {
+			long remainingExpiration = jwtTokenProvider.getRemainingExpiration(accessToken);
+			accessTokenBlacklistRepository.add(accessToken, remainingExpiration);
+		}
+	}
+
+	private TokenResponseDto issueTokenPair(Long userId) {
+		String accessToken = jwtTokenProvider.createAccessToken(userId);
+		String refreshToken = jwtTokenProvider.createRefreshToken(userId);
+
+		refreshTokenRepository.save(
+			userId,
+			refreshToken,
+			jwtTokenProvider.getRefreshTokenExpiration()
+		);
+
+		return new TokenResponseDto(accessToken, refreshToken);
+	}
+
+	private boolean constantTimeEquals(String a, String b) {
+		if (a == null || b == null) {
+			return false;
+		}
+		return MessageDigest.isEqual(
+			a.getBytes(StandardCharsets.UTF_8),
+			b.getBytes(StandardCharsets.UTF_8)
+		);
+	}
+}

src/main/java/com/sopt/cherrish/domain/auth/application/service/SocialLoginService.java

@@ -0,0 +1,38 @@
+package com.sopt.cherrish.domain.auth.application.service;
+
+import org.springframework.stereotype.Service;
+
+import com.sopt.cherrish.domain.auth.domain.model.SocialProvider;
+import com.sopt.cherrish.domain.auth.infrastructure.social.AppleAuthClient;
+import com.sopt.cherrish.domain.auth.infrastructure.social.KakaoAuthClient;
+import com.sopt.cherrish.domain.auth.infrastructure.social.SocialUserInfo;
+
+import lombok.RequiredArgsConstructor;
+
+/**
+ * 소셜 로그인 인증을 처리하는 서비스.
+ *
+ * <p>소셜 플랫폼에 따라 적절한 인증 클라이언트를 선택하여 토큰을 검증합니다.</p>
+ */
+@Service
+@RequiredArgsConstructor
+public class SocialLoginService {
+
+	private final KakaoAuthClient kakaoAuthClient;
+	private final AppleAuthClient appleAuthClient;
+
+	/**
+	 * 소셜 토큰을 검증하고 사용자 정보를 반환합니다.
+	 *
+	 * @param provider 소셜 플랫폼 (KAKAO, APPLE)
+	 * @param token 소셜 플랫폼에서 발급한 토큰
+	 * @return 소셜 사용자 정보
+	 * @throws com.sopt.cherrish.domain.auth.exception.AuthException 토큰이 유효하지 않은 경우
+	 */
+	public SocialUserInfo authenticate(SocialProvider provider, String token) {
+		return switch (provider) {
+			case KAKAO -> kakaoAuthClient.getUserInfo(token);
+			case APPLE -> appleAuthClient.getUserInfo(token);
+		};
+	}
+}

src/main/java/com/sopt/cherrish/domain/auth/domain/model/SocialProvider.java

@@ -0,0 +1,6 @@
+package com.sopt.cherrish.domain.auth.domain.model;
+
+public enum SocialProvider {
+	KAKAO,
+	APPLE
+}

src/main/java/com/sopt/cherrish/domain/auth/domain/repository/AccessTokenBlacklistRepository.java

@@ -0,0 +1,50 @@
+package com.sopt.cherrish.domain.auth.domain.repository;
+
+import java.util.concurrent.TimeUnit;
+
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.stereotype.Repository;
+
+import lombok.RequiredArgsConstructor;
+
+/**
+ * Access Token 블랙리스트를 Redis에 관리하는 저장소.
+ *
+ * <p>로그아웃된 Access Token을 저장하여 만료 전까지 재사용을 방지합니다.
+ * TTL은 토큰의 남은 만료 시간으로 설정되어 자동으로 정리됩니다.</p>
+ */
+@Repository
+@RequiredArgsConstructor
+public class AccessTokenBlacklistRepository {
+
+	private static final String KEY_PREFIX = "blacklist:";
+
+	private final RedisTemplate<String, String> redisTemplate;
+
+	/**
+	 * Access Token을 블랙리스트에 추가합니다.
+	 *
+	 * @param token 블랙리스트에 추가할 Access Token
+	 * @param expirationMillis 토큰의 남은 만료 시간 (밀리초)
+	 */
+	public void add(String token, long expirationMillis) {
+		if (expirationMillis <= 0) {
+			return;
+		}
+		String key = KEY_PREFIX + token;
+		redisTemplate.opsForValue().set(key, "blacklisted", expirationMillis, TimeUnit.MILLISECONDS);
+	}
+
+	/**
+	 * Access Token이 블랙리스트에 있는지 확인합니다.
+	 *
+	 * <p>Redis 연결 문제 등으로 null이 반환될 수 있으므로 null-safe 비교를 수행합니다.</p>
+	 *
+	 * @param token 확인할 Access Token
+	 * @return 블랙리스트에 있으면 true, 없거나 확인 불가 시 false
+	 */
+	public boolean isBlacklisted(String token) {
+		String key = KEY_PREFIX + token;
+		return Boolean.TRUE.equals(redisTemplate.hasKey(key));
+	}
+}