WeGo-Together · Be-HinD · Feb 28, 2026 · Feb 28, 2026 · coderabbitai · Mar 1, 2026
diff --git a/.gitignore b/.gitignore
@@ -756,4 +756,8 @@ FodyWeavers.xsd
 # Local Profile
 /src/main/resources/application-local.yml
 
-# End of https://www.toptal.com/developers/gitignore/api/java,intellij+all,intellij+iml,netbeans,macos,windows,visualstudiocode,visualstudio,gradle,groovy,linux,sonarqube,sonar,dotenv,redis,git
+# End of https://www.toptal.com/developers/gitignore/api/java,intellij+all,intellij+iml,netbeans,macos,windows,visualstudiocode,visualstudio,gradle,groovy,linux,sonarqube,sonar,dotenv,redis,git
+
+# Personal (jeonghyeon)
+/pull_request_description.md
+/.claude/
diff --git a/build.gradle b/build.gradle
@@ -37,6 +37,9 @@ dependencies {
     implementation 'com.twelvemonkeys.imageio:imageio-core:3.12.0'
     implementation 'org.sejda.imageio:webp-imageio:0.1.6'
 
+    // Email
+    implementation 'org.springframework.boot:spring-boot-starter-mail'
+
     // Auth
     implementation 'org.springframework.boot:spring-boot-starter-security'
     testImplementation 'org.springframework.security:spring-security-test'

diff --git a/src/main/java/team/wego/wegobackend/auth/application/PasswordResetEmailService.java b/src/main/java/team/wego/wegobackend/auth/application/PasswordResetEmailService.java
@@ -0,0 +1,67 @@
+package team.wego.wegobackend.auth.application;
+
+import jakarta.mail.MessagingException;
+import jakarta.mail.internet.MimeMessage;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.mail.MailException;
+import org.springframework.mail.javamail.JavaMailSender;
+import org.springframework.mail.javamail.MimeMessageHelper;
+import org.springframework.scheduling.annotation.Async;
+import org.springframework.stereotype.Service;
+import team.wego.wegobackend.common.exception.AppErrorCode;
+import team.wego.wegobackend.common.exception.AppException;
+
+@Slf4j
+@Service
+@RequiredArgsConstructor
+public class PasswordResetEmailService {
+
+    private final JavaMailSender mailSender;
+
+    /**
+     * 비밀번호 재설정 이메일을 발송합니다.
+     *
+     * @param toEmail  수신자 이메일
+     * @param resetUrl 비밀번호 재설정 페이지 전체 URL (검증값 포함)
+     */
+    @Async("mailExecutor")
+    public void sendPasswordResetEmail(String toEmail, String resetUrl) {
+        try {
+            MimeMessage message = mailSender.createMimeMessage();
+            MimeMessageHelper helper = new MimeMessageHelper(message, false, "UTF-8");
+
+            helper.setTo(toEmail);
+            helper.setSubject("[WeGo] 비밀번호 재설정 안내");
+            helper.setText(buildEmailBody(resetUrl), true);
+
+            mailSender.send(message);
+            log.info("비밀번호 재설정 이메일 발송 완료 -> {}", toEmail);
+
+        } catch (MessagingException | MailException e) {
+            log.error("비밀번호 재설정 이메일 발송 실패 -> {}", toEmail, e);
+            throw new AppException(AppErrorCode.DEPENDENCY_FAILURE);
+        }
+    }
+
+    private String buildEmailBody(String resetUrl) {
+        return """
+                <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+                    <h2 style="color: #333;">비밀번호 재설정</h2>
+                    <p>안녕하세요. WeGo입니다.</p>
+                    <p>아래 버튼을 클릭하여 비밀번호를 재설정하세요.</p>
+                    <p>
+                        <a href="%s"
+                           style="display: inline-block; padding: 12px 24px; background-color: #4F46E5;
+                                  color: white; text-decoration: none; border-radius: 6px;">
+                            비밀번호 재설정
+                        </a>
+                    </p>
+                    <p style="color: #888; font-size: 13px;">
+                        본 링크는 <strong>30분</strong> 동안만 유효합니다.<br>
+                        본인이 요청하지 않은 경우 이 이메일을 무시하셔도 됩니다.
+                    </p>
+                </div>
+                """.formatted(resetUrl);
+    }
+}
diff --git a/src/main/java/team/wego/wegobackend/auth/application/PasswordResetService.java b/src/main/java/team/wego/wegobackend/auth/application/PasswordResetService.java
@@ -0,0 +1,75 @@
+package team.wego.wegobackend.auth.application;
+
+import java.util.UUID;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import team.wego.wegobackend.auth.exception.InvalidResetTokenException;
+import team.wego.wegobackend.auth.infrastructure.redis.PasswordResetRedisRepository;
+import team.wego.wegobackend.user.domain.User;
+import team.wego.wegobackend.user.repository.UserRepository;
+
+@Slf4j
+@Service
+@RequiredArgsConstructor
+@Transactional(readOnly = true)
+public class PasswordResetService {
+
+    @Value("${password-reset.frontend-url}")
+    private String frontendUrl;
+
+    private final UserRepository userRepository;
+    private final BCryptPasswordEncoder passwordEncoder;
+    private final PasswordResetRedisRepository redisRepository;
+    private final PasswordResetEmailService emailService;
+
+    /**
+     * 비밀번호 재설정 요청.
+     * 미가입 이메일이어도 200 OK를 반환하여 이메일 열거 공격을 방지합니다.
+     */
+    public void requestPasswordReset(String email) {
+        boolean exists = userRepository.existsByEmail(email);
+        if (!exists) {
+            log.debug("비밀번호 재설정 요청: 미가입 이메일 -> {}", email);
+            return;
+        }
+
+        String token = UUID.randomUUID().toString();
+        redisRepository.save(email, token);
+
+        String resetUrl = frontendUrl + "/password-reset?validationValue=" + token;
+        emailService.sendPasswordResetEmail(email, resetUrl);
+
+        log.info("비밀번호 재설정 토큰 발급 -> email={}", email);
+    }
+
+    /**
+     * 검증값 유효성 검사. 토큰을 소비하지 않습니다. (프론트 2단계 검증 1단계)
+     */
+    public void verifyToken(String token) {
+        redisRepository.findEmailByToken(token)
+                .orElseThrow(InvalidResetTokenException::new);
+    }
+
+    /**
+     * 비밀번호 변경. 토큰 유효성 재검사 후 비밀번호 변경 및 토큰·세션 폐기.
+     */
+    @Transactional
+    public void resetPassword(String token, String newPassword) {
+        String email = redisRepository.findEmailByToken(token)
+                .orElseThrow(InvalidResetTokenException::new);
+
+        User user = userRepository.findByEmail(email)
+                .orElseThrow(InvalidResetTokenException::new);
+
+        user.updatePassword(passwordEncoder.encode(newPassword));
+        user.updateCurrentSessionid(null);
+
+        redisRepository.deleteByToken(token);
+
+        log.info("비밀번호 재설정 완료 -> email={}", email);
+    }
+}
diff --git a/.../java/team/wego/wegobackend/auth/application/dto/request/PasswordResetConfirmRequest.java b/.../java/team/wego/wegobackend/auth/application/dto/request/PasswordResetConfirmRequest.java
@@ -0,0 +1,14 @@
+package team.wego.wegobackend.auth.application.dto.request;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
+
+public record PasswordResetConfirmRequest(
+        @NotBlank(message = "토큰은 필수입니다.")
+        String token,
+
+        @NotBlank(message = "새 비밀번호는 필수입니다.")
+        @Size(min = 8, message = "비밀번호는 8자 이상이어야 합니다.")
+        String newPassword
+) {
+}
diff --git a/src/main/java/team/wego/wegobackend/auth/application/dto/request/PasswordResetRequest.java b/src/main/java/team/wego/wegobackend/auth/application/dto/request/PasswordResetRequest.java
@@ -0,0 +1,11 @@
+package team.wego.wegobackend.auth.application.dto.request;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+
+public record PasswordResetRequest(
+        @NotBlank(message = "이메일은 필수입니다.")
+        @Email(message = "올바른 이메일 형식이 아닙니다.")
+        String email
+) {
+}
diff --git a/src/main/java/team/wego/wegobackend/auth/exception/InvalidResetTokenException.java b/src/main/java/team/wego/wegobackend/auth/exception/InvalidResetTokenException.java
@@ -0,0 +1,11 @@
+package team.wego.wegobackend.auth.exception;
+
+import team.wego.wegobackend.common.exception.AppErrorCode;
+import team.wego.wegobackend.common.exception.AppException;
+
+public class InvalidResetTokenException extends AppException {
+
+    public InvalidResetTokenException() {
+        super(AppErrorCode.INVALID_RESET_TOKEN);
+    }
+}
diff --git a/...in/java/team/wego/wegobackend/auth/infrastructure/redis/PasswordResetRedisRepository.java b/...in/java/team/wego/wegobackend/auth/infrastructure/redis/PasswordResetRedisRepository.java
@@ -0,0 +1,71 @@
+package team.wego.wegobackend.auth.infrastructure.redis;
+
+import java.time.Duration;
+import java.util.Optional;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.stereotype.Repository;
+
+/**
+ * 비밀번호 재설정 토큰 Redis 저장소.
+ *
+ * <p>이중 키 구조로 "계정당 최신 토큰 1개만 유효" 정책을 구현합니다.
+ * <ul>
+ *   <li>pwreset:token:{uuid}  → email  (토큰 검증용)</li>
+ *   <li>pwreset:email:{email} → uuid   (이전 토큰 추적 및 폐기용)</li>
+ * </ul>
+ */
+@Repository
+@RequiredArgsConstructor
+public class PasswordResetRedisRepository {
+
+    private static final String TOKEN_PREFIX = "pwreset:token:";
+    private static final String EMAIL_PREFIX = "pwreset:email:";
+
+    @Value("${password-reset.token-ttl-minutes:30}")
+    private long tokenTtlMinutes;
+
+    private final StringRedisTemplate stringRedisTemplate;
+
+    /**
+     * 토큰을 저장합니다. 기존 토큰이 있으면 먼저 폐기합니다.
+     */
+    public void save(String email, String token) {
+        // 기존 토큰 폐기
+        String oldToken = stringRedisTemplate.opsForValue().get(emailKey(email));
+        if (oldToken != null) {
+            stringRedisTemplate.delete(tokenKey(oldToken));
+        }
+
+        Duration ttl = Duration.ofMinutes(tokenTtlMinutes);
+        stringRedisTemplate.opsForValue().set(tokenKey(token), email, ttl);
+        stringRedisTemplate.opsForValue().set(emailKey(email), token, ttl);
+    }
+
+    /**
+     * 토큰으로 이메일을 조회합니다.
+     */
+    public Optional<String> findEmailByToken(String token) {
+        return Optional.ofNullable(stringRedisTemplate.opsForValue().get(tokenKey(token)));
+    }
+
+    /**
+     * 사용 완료된 토큰을 폐기합니다. (토큰 키, 이메일 역방향 키 모두 삭제)
+     */
+    public void deleteByToken(String token) {
+        String email = stringRedisTemplate.opsForValue().get(tokenKey(token));
+        stringRedisTemplate.delete(tokenKey(token));
+        if (email != null) {
+            stringRedisTemplate.delete(emailKey(email));
+        }
+    }
+
+    private String tokenKey(String token) {
+        return TOKEN_PREFIX + token;
+    }
+
+    private String emailKey(String email) {
+        return EMAIL_PREFIX + email;
+    }
+}
diff --git a/src/main/java/team/wego/wegobackend/auth/presentation/AuthController.java b/src/main/java/team/wego/wegobackend/auth/presentation/AuthController.java
@@ -10,13 +10,18 @@
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import team.wego.wegobackend.auth.application.AuthService;
+import team.wego.wegobackend.auth.application.PasswordResetService;
 import team.wego.wegobackend.auth.application.dto.request.GoogleLoginRequest;
 import team.wego.wegobackend.auth.application.dto.request.LoginRequest;
+import team.wego.wegobackend.auth.application.dto.request.PasswordResetConfirmRequest;
+import team.wego.wegobackend.auth.application.dto.request.PasswordResetRequest;
 import team.wego.wegobackend.auth.application.dto.request.SignupRequest;
 import team.wego.wegobackend.auth.application.dto.response.LoginResponse;
 import team.wego.wegobackend.auth.application.dto.response.RefreshResponse;
@@ -34,6 +39,8 @@ public class AuthController implements AuthControllerDocs {
 
     private final AuthService authService;
 
+    private final PasswordResetService passwordResetService;
+
     private final JwtTokenProvider jwtTokenProvider;
 
     /**
@@ -155,6 +162,49 @@ public ResponseEntity<ApiResponse<RefreshResponse>> refresh(
             ));
     }
 
+    /**
+     * 비밀번호 재설정 요청 — 이메일 발송
+     * 미가입 이메일이어도 200 OK 반환 (이메일 열거 공격 방지)
+     */
+    @PostMapping("/password-reset/request")
+    public ResponseEntity<ApiResponse<Void>> requestPasswordReset(
+        @Valid @RequestBody PasswordResetRequest request) {
+
+        passwordResetService.requestPasswordReset(request.email());
+
+        return ResponseEntity
+            .status(HttpStatus.OK)
+            .body(ApiResponse.success(200, true));
+    }
+
+    /**
+     * 검증값(validationValue) 유효성 검사
+     */
+    @GetMapping("/reset-verify")
+    public ResponseEntity<ApiResponse<Void>> verifyResetToken(
+        @RequestParam String validationValue) {
+
+        passwordResetService.verifyToken(validationValue);
+
+        return ResponseEntity
+            .status(HttpStatus.OK)
+            .body(ApiResponse.success(200, true));
+    }
+
+    /**
+     * 비밀번호 변경
+     */
+    @PostMapping("/password-reset")
+    public ResponseEntity<ApiResponse<Void>> resetPassword(
+        @Valid @RequestBody PasswordResetConfirmRequest request) {
+
+        passwordResetService.resetPassword(request.token(), request.newPassword());
+
+        return ResponseEntity
+            .status(HttpStatus.OK)
+            .body(ApiResponse.success(200, true));
+    }
+
     /**
      * Refresh Token HttpOnly 쿠키 생성
      */