🐛 Fix : jwt 인증 흐름 수정 (#191)

Briefing-Api/src/main/java/com/example/briefingapi/security/config/SecurityConfig.java

@@ -36,7 +36,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
-@EnableWebSecurity
+@EnableWebSecurity(debug = true)
 @RequiredArgsConstructor
 @Configuration
 public class SecurityConfig {
@@ -62,6 +62,12 @@ public class SecurityConfig {
     @Value("${swagger.login.password}")
     private String swaggerPass;
 
+    private static final String[] JWT_WHITE_LIST ={
+            "/pushs","/members/auth","/v2/members/auth",
+            "briefings", "/v2/briefings","/chattings",
+            "/briefings/temp"
+    };
+
     @Bean
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
@@ -77,13 +83,11 @@ public WebSecurityCustomizer webSecurityCustomizer() {
         return (web) ->
                 web.ignoring()
                         .requestMatchers(
-                                "",
-                                "/",
+                                "","/",
                                 "/schedule",
                                 "/v3/api-docs",
                                 "/v3/api-docs/**",
-                                "/docs/**","/fcms/**","/members/auth/**","/v2/members/auth/**",
-                                "/briefings/temp");
+                                "/docs/**");
     }
 
     @Bean
@@ -147,7 +151,7 @@ public SecurityFilterChain JwtFilterChain(HttpSecurity http) throws Exception {
                                         .authenticationEntryPoint(jwtAuthenticationEntryPoint)
                                         .accessDeniedHandler(jwtAccessDeniedHandler))
                 .addFilterBefore(
-                        new JwtRequestFilter(tokenProvider),
+                        new JwtRequestFilter(tokenProvider,JWT_WHITE_LIST),
                         UsernamePasswordAuthenticationFilter.class)
                 .addFilterBefore(jwtAuthenticationExceptionHandler, JwtRequestFilter.class)
                 .build();

Briefing-Api/src/main/java/com/example/briefingapi/security/filter/JwtRequestFilter.java

@@ -1,6 +1,7 @@
 package com.example.briefingapi.security.filter;
 
 import java.io.IOException;
+import java.util.Arrays;
 
 import com.example.briefingapi.security.provider.TokenProvider;
 import jakarta.servlet.FilterChain;
@@ -22,6 +23,7 @@
 public class JwtRequestFilter extends OncePerRequestFilter {
     private final TokenProvider tokenProvider;
 
+    private final String[] whiteList;
     @Override
     protected void doFilterInternal(
             HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@@ -39,4 +41,17 @@ protected void doFilterInternal(
         }
         filterChain.doFilter(httpServletRequest, response);
     }
+
+    /**
+     * 필터를 무시할 대상 지정
+     * @param request current HTTP request
+     * @return 화이트 리스트 포함 여부
+     * @throws ServletException
+     */
+
+    @Override
+    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
+        String path = request.getRequestURI();
+        return Arrays.stream(whiteList).anyMatch(path::startsWith);
+    }
 }

Briefing-Api/src/main/java/com/example/briefingapi/security/handler/annotation/AuthUserArgumentResolver.java

@@ -6,6 +6,9 @@
 import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.core.MethodParameter;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.support.WebDataBinderFactory;

Briefing-Api/src/main/resources/application.yml

@@ -24,6 +24,9 @@ fcm:
   topic:
     daily-push : dailyPush
 ---
+logging:
+  level:
+    org.springframework.security.web.FilterChainProxy: DEBUG
 spring:
   config:
     activate:
@@ -66,7 +69,7 @@ jwt:
   # dev server
   secret: ${JWT_SECRET}
   authorities-key: authoritiesKey
-  access-token-validity-in-seconds: 1200000
+  access-token-validity-in-seconds: 3000
   refresh-token-validity-in-seconds: 1210000000 # 14 d
 
 openai: