[Minsu] Week8 미션

Minsu/umc10th/build.gradle

@@ -20,12 +20,16 @@ repositories {
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+	implementation 'org.springframework.boot:spring-boot-starter-jackson'
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+	implementation 'org.springframework.boot:spring-boot-starter-validation'
 	implementation 'org.springframework.boot:spring-boot-starter-webmvc'
 	implementation 'org.springframework.boot:spring-boot-starter-validation'
 	compileOnly 'org.projectlombok:lombok'
 	runtimeOnly 'com.mysql:mysql-connector-j'
 	annotationProcessor 'org.projectlombok:lombok'
 	testImplementation 'org.springframework.boot:spring-boot-starter-data-jpa-test'
+	testImplementation 'org.springframework.security:spring-security-test'
 	testImplementation 'org.springframework.boot:spring-boot-starter-webmvc-test'
 	testRuntimeOnly 'com.h2database:h2'
 	testCompileOnly 'org.projectlombok:lombok'

Minsu/umc10th/keyword_summary/ch08.md

@@ -0,0 +1,21 @@
+## Spring Security가 무엇인가? 
+
+Spring Security는 Spring 기반 애플리케이션에서 인증과 인가를 처리하는 보안 프레임워크다.  
+요청이 Controller에 도달하기 전에 Security Filter Chain을 먼저 통과하면서 로그인 여부와 권한을 검사한다.  
+개발자는 `SecurityFilterChain`, `UserDetailsService`, `PasswordEncoder` 같은 구성 요소를 조합해 보안 흐름을 설정한다.  
+폼 로그인에서는 사용자가 입력한 이메일과 비밀번호를 기반으로 인증하고, 성공한 인증 정보는 `SecurityContext`에 저장된다.  
+
+## 인증(Authentication)vs 인가(Authorization)
+
+인증(Authentication)은 “이 사용자가 누구인가?”를 확인하는 과정이다.  
+예를 들어 이메일과 비밀번호로 로그인해서 DB에 저장된 회원인지 확인하는 흐름이 인증이다.  
+인가(Authorization)는 “인증된 사용자가 이 기능에 접근할 권한이 있는가?”를 확인하는 과정이다.  
+로그인하지 않은 사용자가 Private API에 접근하면 인증 실패로 401 응답이 나가고, 권한이 부족하면 인가 실패로 403 응답이 나간다.  
+Spring Security에서는 인증 후 생성된 `Authentication` 객체의 권한 정보를 바탕으로 인가 판단을 수행한다.  
+
+## Stateful vs Stateless
+
+Stateful은 서버가 사용자의 로그인 상태를 세션 등에 저장하는 방식이다.  
+폼 로그인은 기본적으로 Stateful 방식이며, 로그인 성공 후 서버 세션을 통해 사용자를 계속 식별한다.  
+Stateless는 서버가 로그인 상태를 저장하지 않고, 클라이언트가 매 요청마다 토큰 같은 인증 정보를 보내는 방식이다.  
+JWT 인증은 대표적인 Stateless 방식으로, 서버 확장에는 유리하지만 토큰 관리와 만료 처리가 중요하다.  

Minsu/umc10th/src/main/java/com/example/umc10th/domain/auth/controller/AuthController.java

@@ -7,6 +7,7 @@
 import com.example.umc10th.global.apiPayload.ApiResponse;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import org.springframework.web.bind.annotation.*;
 
@@ -20,7 +21,7 @@ public class AuthController {
 
     @PostMapping("/signup")
     @Operation(summary = "회원가입")
-    public ApiResponse<MemberResDTO.SignUpInfo> signUp(@RequestBody MemberReqDTO.SignUp dto) {
+    public ApiResponse<MemberResDTO.SignUpInfo> signUp(@RequestBody @Valid MemberReqDTO.SignUp dto) {
         return ApiResponse.onSuccess(MemberSuccessCode.CREATED, memberService.signUp(dto));
     }
 }

Minsu/umc10th/src/main/java/com/example/umc10th/domain/member/dto/MemberReqDTO.java

@@ -1,6 +1,9 @@
 package com.example.umc10th.domain.member.dto;
 
 import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
 
 import java.util.List;
 
@@ -13,6 +16,7 @@ public record GetInfo(
 
     public record SignUp(
             @Schema(description = "이름", example = "홍길동")
+            @NotBlank(message = "이름은 필수입니다.")
             String name,
             @Schema(description = "성별 (MALE/FEMALE)", example = "MALE")
             String gender,
@@ -21,7 +25,13 @@ public record SignUp(
             @Schema(description = "상세주소", example = "서울시 성북구 안암동")
             String detailAddress,
             @Schema(description = "이메일", example = "user@example.com")
+            @NotBlank(message = "이메일은 필수입니다.")
+            @Email(message = "이메일 형식이 올바르지 않습니다.")
             String email,
+            @Schema(description = "비밀번호", example = "password1234")
+            @NotBlank(message = "비밀번호는 필수입니다.")
+            @Size(min = 8, message = "비밀번호는 8자 이상이어야 합니다.")
+            String password,
             @Schema(description = "전화번호", example = "010-1234-5678")
             String phoneNumber,
             @Schema(description = "선호 음식 ID 목록", example = "[1, 3]")

Minsu/umc10th/src/main/java/com/example/umc10th/domain/member/entity/Member.java

@@ -31,6 +31,9 @@ public class Member extends BaseEntity {
     @Column(name = "email", nullable = false)
     private String email;
 
+    @Column(name = "password", nullable = false)
+    private String password;
+
     @Column(name = "profile_url")
     private String profileUrl;
 

Minsu/umc10th/src/main/java/com/example/umc10th/domain/member/service/MemberService.java

@@ -18,6 +18,7 @@
 import com.example.umc10th.domain.member.repository.MemberTermRepository;
 import com.example.umc10th.domain.member.repository.TermRepository;
 import lombok.RequiredArgsConstructor;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -35,6 +36,7 @@ public class MemberService {
     private final TermRepository termRepository;
     private final MemberFoodRepository memberFoodRepository;
     private final MemberTermRepository memberTermRepository;
+    private final PasswordEncoder passwordEncoder;
 
     public MemberResDTO.GetInfo getInfo(MemberReqDTO.GetInfo dto) {
         Member member = memberRepository.findById(dto.id())
@@ -58,6 +60,7 @@ public MemberResDTO.SignUpInfo signUp(MemberReqDTO.SignUp dto) {
         Member member = Member.builder()
                 .name(dto.name())
                 .email(dto.email())
+                .password(passwordEncoder.encode(dto.password()))
                 .phoneNumber(dto.phoneNumber())
                 .detailAddress(dto.detailAddress())
                 .gender(dto.gender() != null ? Gender.valueOf(dto.gender().toUpperCase()) : null)

Minsu/umc10th/src/main/java/com/example/umc10th/global/config/SecurityConfig.java

@@ -0,0 +1,62 @@
+package com.example.umc10th.global.config;
+
+import com.example.umc10th.global.security.CustomAccessDeniedHandler;
+import com.example.umc10th.global.security.CustomAuthenticationEntryPoint;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+@RequiredArgsConstructor
+public class SecurityConfig {
+
+    private static final String[] PUBLIC_URIS = {
+            "/auth/**",
+            "/login",
+            "/logout",
+            "/swagger-ui/**",
+            "/swagger-resources/**",
+            "/v3/api-docs/**"
+    };
+
+    private final CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
+    private final CustomAccessDeniedHandler customAccessDeniedHandler;
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        return http
+                .csrf(AbstractHttpConfigurer::disable)
+                .authorizeHttpRequests(requests -> requests
+                        .requestMatchers(PUBLIC_URIS).permitAll()
+                        .anyRequest().authenticated()
+                )
+                .formLogin(form -> form
+                        .usernameParameter("email")
+                        .passwordParameter("password")
+                        .defaultSuccessUrl("/swagger-ui/index.html", true)
+                        .permitAll()
+                )
+                .logout(logout -> logout
+                        .logoutUrl("/logout")
+                        .logoutSuccessUrl("/login?logout")
+                        .permitAll()
+                )
+                .exceptionHandling(exception -> exception
+                        .authenticationEntryPoint(customAuthenticationEntryPoint)
+                        .accessDeniedHandler(customAccessDeniedHandler)
+                )
+                .build();
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+}

Minsu/umc10th/src/main/java/com/example/umc10th/global/security/AuthMember.java

@@ -0,0 +1,39 @@
+package com.example.umc10th.global.security;
+
+import com.example.umc10th.domain.member.entity.Member;
+import lombok.Getter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+import java.util.List;
+
+@Getter
+public class AuthMember implements UserDetails {
+
+    private final Long memberId;
+    private final String email;
+    private final String password;
+
+    public AuthMember(Member member) {
+        this.memberId = member.getId();
+        this.email = member.getEmail();
+        this.password = member.getPassword();
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return List.of(new SimpleGrantedAuthority("ROLE_USER"));
+    }
+
+    @Override
+    public String getPassword() {
+        return password;
+    }
+
+    @Override
+    public String getUsername() {
+        return email;
+    }
+}

Minsu/umc10th/src/main/java/com/example/umc10th/global/security/CustomAccessDeniedHandler.java

@@ -0,0 +1,27 @@
+package com.example.umc10th.global.security;
+
+import com.example.umc10th.global.apiPayload.code.GeneralErrorCode;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component
+@RequiredArgsConstructor
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+
+    private final SecurityResponseWriter securityResponseWriter;
+
+    @Override
+    public void handle(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            AccessDeniedException accessDeniedException
+    ) throws IOException {
+        securityResponseWriter.write(response, GeneralErrorCode.FORBIDDEN);
+    }
+}

Minsu/umc10th/src/main/java/com/example/umc10th/global/security/CustomAuthenticationEntryPoint.java

@@ -0,0 +1,27 @@
+package com.example.umc10th.global.security;
+
+import com.example.umc10th.global.apiPayload.code.GeneralErrorCode;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component
+@RequiredArgsConstructor
+public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+    private final SecurityResponseWriter securityResponseWriter;
+
+    @Override
+    public void commence(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            AuthenticationException authException
+    ) throws IOException {
+        securityResponseWriter.write(response, GeneralErrorCode.UNAUTHORIZED);
+    }
+}

Minsu/umc10th/src/main/java/com/example/umc10th/global/security/CustomUserDetailsService.java

@@ -0,0 +1,24 @@
+package com.example.umc10th.global.security;
+
+import com.example.umc10th.domain.member.entity.Member;
+import com.example.umc10th.domain.member.repository.MemberRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+@Service
+@RequiredArgsConstructor
+public class CustomUserDetailsService implements UserDetailsService {
+
+    private final MemberRepository memberRepository;
+
+    @Override
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+        Member member = memberRepository.findActiveByEmail(username)
+                .orElseThrow(() -> new UsernameNotFoundException("회원을 찾을 수 없습니다."));
+
+        return new AuthMember(member);
+    }
+}

Minsu/umc10th/src/main/java/com/example/umc10th/global/security/SecurityResponseWriter.java

@@ -0,0 +1,26 @@
+package com.example.umc10th.global.security;
+
+import com.example.umc10th.global.apiPayload.ApiResponse;
+import com.example.umc10th.global.apiPayload.code.BaseErrorCode;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Component;
+import tools.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+@Component
+@RequiredArgsConstructor
+public class SecurityResponseWriter {
+
+    private final ObjectMapper objectMapper;
+
+    public void write(HttpServletResponse response, BaseErrorCode errorCode) throws IOException {
+        response.setStatus(errorCode.getStatus().value());
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
+        objectMapper.writeValue(response.getWriter(), ApiResponse.onFailure(errorCode, null));
+    }
+}