refactor: 리프레시 토큰을 통한 사용자 인증 시도 방지

리프레시 토큰의 sub 클레임을 생략하여 리프레시 토큰을 통한 사용자 인증 시도를 방지
alzzaipo · Dec 15, 2023 · 5f99920 · 5f99920
1 parent 0bc7b38
commit 5f99920
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 16 deletions.
diff --git a/src/main/java/com/alzzaipo/common/config/JwtFilter.java b/src/main/java/com/alzzaipo/common/config/JwtFilter.java
@@ -6,8 +6,6 @@
 import com.alzzaipo.common.jwt.JwtUtil;
 import com.alzzaipo.member.adapter.out.persistence.member.MemberJpaEntity;
 import com.alzzaipo.member.adapter.out.persistence.member.MemberRepository;
-import io.jsonwebtoken.ExpiredJwtException;
-import io.jsonwebtoken.security.SignatureException;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -44,7 +42,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		String token = resolveTokenFromAuthorizationHeader(request);
 		if (token == null) {
 			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-			response.getWriter().write("Token Not Found");
+			response.getWriter().write("Missing Token");
 			filterChain.doFilter(request, response);
 			return;
 		}
@@ -58,19 +56,10 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 			SecurityContextHolder.getContext().setAuthentication(authentication);
 
 			filterChain.doFilter(request, response);
-		} catch (ExpiredJwtException e) {
-			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-			response.getWriter().write("Token has been expired");
-		} catch (SignatureException | BadCredentialsException e) {
-			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-			response.getWriter().write("Invalid Token");
-		} catch (UsernameNotFoundException e) {
-			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-			response.getWriter().write("User Not Found");
 		} catch (Exception e) {
 			logger.error(e.getMessage());
-			response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
-			response.getWriter().write("Authentication Error");
+			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+			response.getWriter().write("Invalid Token");
 		}
 	}
 

diff --git a/src/main/java/com/alzzaipo/common/jwt/JwtUtil.java b/src/main/java/com/alzzaipo/common/jwt/JwtUtil.java
@@ -24,7 +24,7 @@ private JwtUtil(JwtProperties jwtProperties) {
 
 	public static TokenInfo createToken(Uid memberId, LoginType loginType) {
 		String accessToken = generateToken(memberId, loginType, jwtProperties.getAccessTokenExpirationTimeMillis());
-		String refreshToken = generateToken(memberId, loginType, jwtProperties.getRefreshTokenExpirationTimeMillis());
+		String refreshToken = generateToken(null, loginType, jwtProperties.getRefreshTokenExpirationTimeMillis());
 		return new TokenInfo(accessToken, refreshToken);
 	}
 
@@ -48,8 +48,10 @@ public static boolean validate(String token) {
 
 	private static String generateToken(Uid memberId, LoginType loginType, long expirationTimeMillis) {
 		Claims claims = Jwts.claims();
-		claims.setSubject(memberId.toString());
 		claims.put("loginType", loginType.name());
+		if(memberId != null) {
+			claims.setSubject(memberId.toString());
+		}
 
 		return Jwts.builder()
 			.setClaims(claims)