feat: refresh 토큰 저장 및 검증 테스트

Author: hyeonseong0917

infra/README.md

@@ -14,7 +14,7 @@ infra/
 
 ### clean-ecs-cluster.yaml
 
-**목적**: 테스트 환경용 ECS 클러스터 및 이중 서비스 구성
+**목적**: 테스트 환경용 ECS 클러스터 및 이중 서비스 구성 (ALB Access Logs 포함)
 
 #### 주요 구성 요소
 
@@ -39,23 +39,30 @@ infra/
 
 ##### 4. 로드 밸런서
 - **Application Load Balancer**: 인터넷 연결
+- **Access Logs**: S3 버킷 `the-first-take-ecs-log` 아래 `alb-logs/` 프리픽스로 저장
 - **Target Groups**:
   - Backend (포트 8000): `/api/*`, `/actuator/*` 경로
   - LLM (포트 6020): `/llm/*` 경로
   - Frontend (포트 80): 기본 경로
 
 ##### 5. ECS 서비스
 - **Backend Service**: Spring Boot 애플리케이션
-  - CPU: 512, Memory: 1024MB
-  - 이미지: `023182678225.dkr.ecr.ap-northeast-2.amazonaws.com/thefirsttake-backend:latest`
-- **LLM Service**: LLM 서버
   - CPU: 1024, Memory: 2048MB
-  - 이미지: `023182678225.dkr.ecr.ap-northeast-2.amazonaws.com/thefirsttake-llm:latest`
+  - 이미지: ECR 다이제스트 고정(예: `.../thefirsttake-backend@sha256:...`)
+- **LLM Service**: LLM 서버
+  - CPU: 512, Memory: 1024MB
+  - 이미지: ECR 다이제스트 고정(예: `.../thefirsttake-llm@sha256:...`)
 
-##### 6. 환경변수 및 시크릿
+##### 6. ECR 리포지토리
+- `test-thefirsttake-backend` 자동 생성 (푸시 시 이미지 스캔 활성화)
+
+##### 7. 환경변수 및 시크릿
 - **환경변수**: 데이터베이스, Redis, LLM 서버 URL 등
 - **시크릿**: 데이터베이스 패스워드, API 키 등 (Secrets Manager에서 관리)
 
+참고:
+- LLM 관련 URL은 ALB 경유 경로로 주입(`/llm/api/...`)
+
 ## 🔧 배포 방법
 
 ### 1. 사전 요구사항
@@ -93,6 +100,11 @@ aws cloudformation describe-stacks --stack-name test-ecs-cluster
 aws cloudformation describe-stacks --stack-name test-ecs-cluster --query 'Stacks[0].Outputs'
 ```
 
+주요 출력값(Outputs):
+- `LoadBalancerURL`: `http://<ALB-DNS>` 형식의 URL
+- `LoadBalancerDNS`: ALB DNS 이름
+- `BackendServiceName`, `LLMServiceName`: 서비스명
+
 ## 🔍 모니터링
 
 ### CloudWatch 로그
@@ -105,6 +117,8 @@ aws cloudformation describe-stacks --stack-name test-ecs-cluster --query 'Stacks
 - **LLM**: `/llm/api/health`
 - **Frontend**: `/`
 
+프런트엔드 타깃 그룹은 예시로 정적 타깃(IP) 1개가 설정되어 있습니다. 실제 환경에 맞게 대상 등록을 조정하세요.
+
 ## 📊 아키텍처
 
 ```

infra/clean-ecs-cluster.yaml

@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: 'Test ECS Cluster with dual services - Complete version'
+Description: 'Test ECS Cluster with dual services - Complete version with ALB Access Logs'
 
 Parameters:
   ClusterName:
@@ -157,7 +157,7 @@ Resources:
       ImageScanningConfiguration:
         ScanOnPush: true
 
-  # Load Balancer
+  # Load Balancer with Access Logs
   TestApplicationLoadBalancer:
     Type: AWS::ElasticLoadBalancingV2::LoadBalancer
     Properties:
@@ -167,6 +167,19 @@ Resources:
       Subnets: !Ref SubnetIds
       SecurityGroups:
         - !Ref TestALBSecurityGroup
+      LoadBalancerAttributes:
+        - Key: access_logs.s3.enabled
+          Value: true
+        - Key: access_logs.s3.bucket
+          Value: the-first-take-ecs-log
+        - Key: access_logs.s3.prefix
+          Value: alb-logs
+        - Key: deletion_protection.enabled
+          Value: false
+        - Key: idle_timeout.timeout_seconds
+          Value: 60
+        - Key: routing.http2.enabled
+          Value: true
       Tags:
         - Key: Environment
           Value: test
@@ -197,12 +210,12 @@ Resources:
       TargetType: ip
       HealthCheckPath: /llm/api/health
       HealthCheckProtocol: HTTP
-      HealthCheckIntervalSeconds: 300
-      HealthCheckTimeoutSeconds: 29
-      HealthyThresholdCount: 10
-      UnhealthyThresholdCount: 10
+      HealthCheckIntervalSeconds: 30
+      HealthCheckTimeoutSeconds: 5
+      HealthyThresholdCount: 2
+      UnhealthyThresholdCount: 3
       Matcher:
-        HttpCode: "200-499"
+        HttpCode: "200"
 
   TestFrontendTargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup
@@ -228,7 +241,7 @@ Resources:
     Properties:
       DefaultActions:
         - Type: forward
-          TargetGroupArn: !Ref TestBackendTargetGroup
+          TargetGroupArn: !Ref TestFrontendTargetGroup
       LoadBalancerArn: !Ref TestApplicationLoadBalancer
       Port: 80
       Protocol: HTTP
@@ -281,13 +294,13 @@ Resources:
       NetworkMode: awsvpc
       RequiresCompatibilities:
         - FARGATE
-      Cpu: 512
-      Memory: 1024
+      Cpu: 1024
+      Memory: 2048
       ExecutionRoleArn: !Ref TestECSTaskExecutionRole
       TaskRoleArn: !Ref TestECSTaskRole
       ContainerDefinitions:
         - Name: backend
-          Image: 023182678225.dkr.ecr.ap-northeast-2.amazonaws.com/thefirsttake-backend:latest
+          Image: 023182678225.dkr.ecr.ap-northeast-2.amazonaws.com/thefirsttake-backend@sha256:7a842089c04219288bea0fdf7b8ef881868317e68cad45dbda598c1d5e2cdc67
           PortMappings:
             - ContainerPort: 8000
               Protocol: tcp
@@ -355,13 +368,13 @@ Resources:
       NetworkMode: awsvpc
       RequiresCompatibilities:
         - FARGATE
-      Cpu: 1024
-      Memory: 2048
+      Cpu: 512
+      Memory: 1024
       ExecutionRoleArn: !Ref TestECSTaskExecutionRole
       TaskRoleArn: !Ref TestECSTaskRole
       ContainerDefinitions:
         - Name: llm-server
-          Image: 023182678225.dkr.ecr.ap-northeast-2.amazonaws.com/thefirsttake-llm:latest
+          Image: 023182678225.dkr.ecr.ap-northeast-2.amazonaws.com/thefirsttake-llm@sha256:717a228c58e660908aab7c57c1a0cb49d7d96cc07bba0be4fd90a4c21c17d2aa
           PortMappings:
             - ContainerPort: 6020
               Protocol: tcp
@@ -457,6 +470,7 @@ Resources:
         - Key: Service
           Value: llm
     DependsOn:
+      - TestALBListener
       - TestLLMListenerRule
 
 Outputs:

thefirsttake/src/main/java/com/thefirsttake/app/auth/controller/AuthController.java

@@ -5,6 +5,7 @@
 import com.thefirsttake.app.auth.service.JwtService;
 import com.thefirsttake.app.auth.service.KakaoAuthService;
 import com.thefirsttake.app.common.response.CommonResponse;
+import com.thefirsttake.app.auth.service.RefreshTokenService;
 import com.thefirsttake.app.common.user.entity.UserEntity;
 import com.thefirsttake.app.common.user.repository.UserEntityRepository;
 import io.micrometer.core.instrument.Counter;
@@ -30,6 +31,7 @@
 import java.net.URI;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.time.Duration;
 
 @RestController
 @RequestMapping("/api/auth")
@@ -40,6 +42,7 @@ public class AuthController {
 
     private final KakaoAuthService kakaoAuthService;
     private final JwtService jwtService;
+    private final RefreshTokenService refreshTokenService;
     private final UserEntityRepository userEntityRepository;
     private final Counter kakaoLoginSuccessCounter;
     private final Counter kakaoLoginFailureCounter;
@@ -157,6 +160,8 @@ public ResponseEntity<Void> kakaoCallback(
 
             response.addCookie(accessTokenCookie);
             // 요구사항: 일단 refresh 토큰은 쿠키에 저장하지 않음
+            // 리프레시 토큰은 Redis에 저장 (TTL 7일)
+            refreshTokenService.saveRefreshToken(String.valueOf(userEntity.getId()), jwtRefreshToken, Duration.ofDays(7));
 
             log.info("JWT 토큰 설정 완료. 액세스 토큰 길이: {}, 리프레시 토큰 생성됨(쿠키 미저장)", 
                 jwtAccessToken.length());
@@ -269,24 +274,29 @@ async function logout() {
         )
     })
     @PostMapping("/logout")
-    public ResponseEntity<CommonResponse> logout(HttpServletResponse response) {
+    public ResponseEntity<CommonResponse> logout(HttpServletRequest request, HttpServletResponse response) {
         try {
+            // 쿠키의 액세스 토큰에서 사용자 ID 추출 (만료 허용)
+            String accessToken = extractJwtFromCookies(request.getCookies());
+            if (accessToken != null) {
+                String userId = null;
+                try {
+                    userId = jwtService.getUserIdFromToken(accessToken);
+                } catch (Exception e) {
+                    userId = jwtService.getUserIdFromExpiredToken(accessToken);
+                }
+                if (userId != null) {
+                    // Redis의 리프레시 토큰 삭제
+                    refreshTokenService.deleteRefreshToken(userId);
+                }
+            }
             // 액세스 토큰 쿠키 삭제
             Cookie accessTokenCookie = new Cookie("access_token", null);
             accessTokenCookie.setMaxAge(0);
             accessTokenCookie.setPath("/");
             accessTokenCookie.setHttpOnly(true);
             accessTokenCookie.setSecure(true);
             response.addCookie(accessTokenCookie);
-            
-            // 리프레시 토큰 쿠키 삭제
-            Cookie refreshTokenCookie = new Cookie("refresh_token", null);
-            refreshTokenCookie.setMaxAge(0);
-            refreshTokenCookie.setPath("/");
-            refreshTokenCookie.setHttpOnly(true);
-            refreshTokenCookie.setSecure(true);
-            response.addCookie(refreshTokenCookie);
-            
             // 로그아웃 메트릭 증가
             logoutCounter.increment();
 
@@ -434,30 +444,47 @@ async function refreshToken() {
     @PostMapping("/refresh")
     public ResponseEntity<CommonResponse> refreshToken(HttpServletRequest request, HttpServletResponse response) {
         try {
-            // 리프레시 토큰 추출 (현재 쿠키 미사용 정책)
-            String refreshToken = null; // 쿠키에서 추출하지 않음
-            
+            // 1) 액세스 토큰(만료 가능)에서 사용자 ID 추출
+            String accessToken = extractJwtFromCookies(request.getCookies());
+            if (accessToken == null) {
+                return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                    .body(CommonResponse.fail("액세스 토큰이 없습니다"));
+            }
+            String userId;
+            try {
+                userId = jwtService.getUserIdFromToken(accessToken);
+            } catch (Exception e) {
+                userId = jwtService.getUserIdFromExpiredToken(accessToken);
+            }
+            if (userId == null) {
+                return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                    .body(CommonResponse.fail("사용자 식별 실패"));
+            }
+
+            // 2) Redis에서 리프레시 토큰 조회 및 검증
+            String refreshToken = refreshTokenService.getRefreshToken(userId);
             if (refreshToken == null || !jwtService.validateToken(refreshToken) || !jwtService.isRefreshToken(refreshToken)) {
                 return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
-                    .body(CommonResponse.fail("유효하지 않은 리프레시 토큰"));
+                    .body(CommonResponse.fail("리프레시 토큰이 유효하지 않습니다"));
             }
-            
-            // 사용자 ID 추출
-            String userId = jwtService.getUserIdFromToken(refreshToken);
-            
-            // 새로운 토큰 생성
+            String refreshUserId = jwtService.getUserIdFromToken(refreshToken);
+            if (!userId.equals(refreshUserId)) {
+                return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                    .body(CommonResponse.fail("토큰 소유자 불일치"));
+            }
+
+            // 3) 새로운 액세스 토큰 발급 (토큰 회전은 추후)
             String newAccessToken = jwtService.generateAccessToken(userId);
-            String newRefreshToken = jwtService.generateRefreshToken(userId);
-            
-            // 새로운 쿠키 설정 (refresh 토큰은 쿠키에 저장하지 않음)
+
+            // 4) 액세스 토큰 쿠키 설정
             Cookie accessTokenCookie = new Cookie("access_token", newAccessToken);
             accessTokenCookie.setHttpOnly(true);
             accessTokenCookie.setSecure(true);
             accessTokenCookie.setPath("/");
             accessTokenCookie.setMaxAge(15 * 60); // 15분
 
             response.addCookie(accessTokenCookie);
-            // refresh 토큰은 서버 저장(추후 Redis) 예정, 쿠키 미저장
+            // refresh 토큰은 Redis 보관, 쿠키 미저장
 
             log.info("토큰 갱신 성공. 사용자 ID: {}", userId);
             return ResponseEntity.ok(CommonResponse.success("토큰 갱신 성공"));

thefirsttake/src/main/java/com/thefirsttake/app/auth/service/JwtService.java

@@ -106,4 +106,12 @@ public boolean isAccessToken(String token) {
     public boolean isRefreshToken(String token) {
         return "refresh".equals(getTokenType(token));
     }
+
+    public String getUserIdFromExpiredToken(String token) {
+        try {
+            return getUserIdFromToken(token);
+        } catch (ExpiredJwtException e) {
+            return e.getClaims().getSubject();
+        }
+    }
 }

thefirsttake/src/main/java/com/thefirsttake/app/auth/service/RefreshTokenService.java

@@ -0,0 +1,33 @@
+package com.thefirsttake.app.auth.service;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.stereotype.Service;
+
+import java.time.Duration;
+
+@Service
+@RequiredArgsConstructor
+public class RefreshTokenService {
+    private final StringRedisTemplate stringRedisTemplate;
+
+    private String buildKey(String userId) {
+        // Key format: {user_id}:refresh_token (per requested convention)
+        return userId + ":refresh_token";
+    }
+
+    public void saveRefreshToken(String userId, String refreshToken, Duration ttl) {
+        String key = buildKey(userId);
+        stringRedisTemplate.opsForValue().set(key, refreshToken, ttl);
+    }
+
+    public String getRefreshToken(String userId) {
+        String key = buildKey(userId);
+        return stringRedisTemplate.opsForValue().get(key);
+    }
+
+    public void deleteRefreshToken(String userId) {
+        String key = buildKey(userId);
+        stringRedisTemplate.delete(key);
+    }
+}