From a1e3374283f4930992e7a1246669037e112ff265 Mon Sep 17 00:00:00 2001 From: ThinkKat Date: Fri, 27 Feb 2026 14:43:55 +0900 Subject: [PATCH 1/2] =?UTF-8?q?fix:=20refresh=5Ftoken=20UK=20=EC=9C=84?= =?UTF-8?q?=EB=B0=98=20=EB=B0=A9=EC=A7=80=20=E2=80=94=20jti=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80=20=EB=B0=8F=20=EB=A7=8C=EB=A3=8C=20=ED=86=A0=ED=81=B0?= =?UTF-8?q?=20=EC=A0=95=EB=A6=AC=20=EC=8A=A4=EC=BC=80=EC=A4=84=EB=9F=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - JwtTokenProvider: buildToken()에 jti(UUID) 추가 → 동일 사용자 동일 초 재로그인 시 토큰값 중복 불가 - RefreshTokenRepository: deleteAllExpired() JPQL 쿼리 추가 - UserCleanupScheduler: 매일 새벽 4시 만료 refresh token 일괄 삭제 job 추가 --- .../opic/practice/config/security/JwtTokenProvider.java | 2 ++ .../opic/practice/repository/RefreshTokenRepository.java | 8 ++++++++ .../opic/practice/scheduler/UserCleanupScheduler.java | 7 +++++++ 3 files changed, 17 insertions(+) diff --git a/src/main/java/me/thinkcat/opic/practice/config/security/JwtTokenProvider.java b/src/main/java/me/thinkcat/opic/practice/config/security/JwtTokenProvider.java index 2e0f007..7fe7d89 100644 --- a/src/main/java/me/thinkcat/opic/practice/config/security/JwtTokenProvider.java +++ b/src/main/java/me/thinkcat/opic/practice/config/security/JwtTokenProvider.java @@ -10,6 +10,7 @@ import javax.crypto.SecretKey; import java.nio.charset.StandardCharsets; import java.util.Date; +import java.util.UUID; @Component public class JwtTokenProvider { @@ -51,6 +52,7 @@ private String buildToken(String username, Long userId, UserRole role, long vali Date validity = new Date(now.getTime() + validityInMilliseconds); JwtBuilder builder = Jwts.builder() + .id(UUID.randomUUID().toString()) .subject(username) .claim("userId", userId) .issuedAt(now) diff --git a/src/main/java/me/thinkcat/opic/practice/repository/RefreshTokenRepository.java b/src/main/java/me/thinkcat/opic/practice/repository/RefreshTokenRepository.java index 0b6a16a..1c784e4 100644 --- a/src/main/java/me/thinkcat/opic/practice/repository/RefreshTokenRepository.java +++ b/src/main/java/me/thinkcat/opic/practice/repository/RefreshTokenRepository.java @@ -2,8 +2,12 @@ import me.thinkcat.opic.practice.entity.RefreshToken; import org.springframework.data.jpa.repository.JpaRepository; +import org.springframework.data.jpa.repository.Modifying; +import org.springframework.data.jpa.repository.Query; +import org.springframework.data.repository.query.Param; import org.springframework.stereotype.Repository; +import java.time.LocalDateTime; import java.util.Optional; @Repository @@ -14,4 +18,8 @@ public interface RefreshTokenRepository extends JpaRepository Date: Fri, 27 Feb 2026 14:54:54 +0900 Subject: [PATCH 2/2] =?UTF-8?q?test:=20jti=20=EC=A4=91=EB=B3=B5=20?= =?UTF-8?q?=EB=B0=A9=EC=A7=80=20=EB=8B=A8=EC=9C=84=20=ED=85=8C=EC=8A=A4?= =?UTF-8?q?=ED=8A=B8=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - JwtTokenProviderTest: 동일 파라미터 연속 호출 시 서로 다른 토큰 반환, 100회 호출 중복 없음 - UserServiceTest: 동일 사용자 연속 두 번 로그인 시 서로 다른 refreshToken 반환 --- .../config/security/JwtTokenProviderTest.java | 42 +++++++++++++++++++ .../practice/service/UserServiceTest.java | 23 ++++++++++ 2 files changed, 65 insertions(+) create mode 100644 src/test/java/me/thinkcat/opic/practice/config/security/JwtTokenProviderTest.java diff --git a/src/test/java/me/thinkcat/opic/practice/config/security/JwtTokenProviderTest.java b/src/test/java/me/thinkcat/opic/practice/config/security/JwtTokenProviderTest.java new file mode 100644 index 0000000..26c4f38 --- /dev/null +++ b/src/test/java/me/thinkcat/opic/practice/config/security/JwtTokenProviderTest.java @@ -0,0 +1,42 @@ +package me.thinkcat.opic.practice.config.security; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.test.util.ReflectionTestUtils; + +import java.util.HashSet; +import java.util.Set; + +import static org.assertj.core.api.Assertions.assertThat; + +class JwtTokenProviderTest { + + private JwtTokenProvider jwtTokenProvider; + + @BeforeEach + void setUp() { + jwtTokenProvider = new JwtTokenProvider(); + ReflectionTestUtils.setField(jwtTokenProvider, "secretKey", "testsecretkeyfortestingpurposesonly12345678"); + ReflectionTestUtils.setField(jwtTokenProvider, "accessTokenValidity", 3600000L); + ReflectionTestUtils.setField(jwtTokenProvider, "refreshTokenValidity", 1209600000L); + jwtTokenProvider.init(); + } + + @Test + void 동일_사용자_동일_시점에_generateRefreshToken_연속_호출시_서로다른_토큰_반환() { + String token1 = jwtTokenProvider.generateRefreshToken("user", 1L); + String token2 = jwtTokenProvider.generateRefreshToken("user", 1L); + + assertThat(token1).isNotEqualTo(token2); + } + + @Test + void generateRefreshToken_100회_호출시_모두_고유한_토큰_반환() { + Set tokens = new HashSet<>(); + for (int i = 0; i < 100; i++) { + tokens.add(jwtTokenProvider.generateRefreshToken("user", 1L)); + } + + assertThat(tokens).hasSize(100); + } +} diff --git a/src/test/java/me/thinkcat/opic/practice/service/UserServiceTest.java b/src/test/java/me/thinkcat/opic/practice/service/UserServiceTest.java index b0733ea..f1a3259 100644 --- a/src/test/java/me/thinkcat/opic/practice/service/UserServiceTest.java +++ b/src/test/java/me/thinkcat/opic/practice/service/UserServiceTest.java @@ -1,8 +1,11 @@ package me.thinkcat.opic.practice.service; import me.thinkcat.opic.practice.config.security.JwtTokenProvider; +import me.thinkcat.opic.practice.dto.request.LoginRequest; import me.thinkcat.opic.practice.dto.request.UserRegisterRequest; +import me.thinkcat.opic.practice.dto.response.TokenResponse; import me.thinkcat.opic.practice.dto.response.UserResponse; +import me.thinkcat.opic.practice.entity.RefreshToken; import me.thinkcat.opic.practice.entity.User; import me.thinkcat.opic.practice.exception.ValidationException; import me.thinkcat.opic.practice.repository.UserRepository; @@ -17,6 +20,7 @@ import org.springframework.security.crypto.password.PasswordEncoder; import java.time.LocalDateTime; +import java.util.Optional; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy; @@ -62,6 +66,25 @@ class UserServiceTest { assertThat(response.getUsername()).isEqualTo("user"); } + @Test + void 동일_사용자_연속_두번_로그인시_서로다른_refreshToken_반환() { + User user = User.builder().id(1L).username("user").build(); + RefreshToken firstToken = RefreshToken.builder().token("refresh-token-aaa").build(); + RefreshToken secondToken = RefreshToken.builder().token("refresh-token-bbb").build(); + + given(userRepository.findByUsername("user")).willReturn(Optional.of(user)); + given(jwtTokenProvider.generateAccessToken(any(), any(), any())).willReturn("access-token"); + given(jwtTokenProvider.getAccessTokenValidityInSeconds()).willReturn(3600L); + given(refreshTokenService.createRefreshToken(user)) + .willReturn(firstToken) + .willReturn(secondToken); + + TokenResponse response1 = userService.login(new LoginRequest("user", "Password1@")); + TokenResponse response2 = userService.login(new LoginRequest("user", "Password1@")); + + assertThat(response1.getRefreshToken()).isNotEqualTo(response2.getRefreshToken()); + } + @ParameterizedTest @ValueSource(strings = { "notanemail",