Refactor/jira kan 71 token 쿠키 저장 및 redis aof rdb 고려

build.gradle

@@ -80,6 +80,7 @@ dependencies {
     implementation 'io.projectreactor.netty:reactor-netty:1.1.22'                   // Reactor Netty 의존성
     implementation 'com.fasterxml.jackson.core:jackson-databind'                    // JSON 파싱을 위한 의존성
     implementation 'com.google.code.gson:gson:2.10.1'                               // JSON 데이터를 다룰 수 있는 클래스
+    implementation 'io.netty:netty-resolver-dns-native-macos:4.1.68.Final:osx-aarch_64'      // MacOS에서 DNS 관련 네이티브 라이브러리
 }
 
 tasks.named('test') {

docker-compose.yml

@@ -13,7 +13,16 @@ services:
       - "6379:6379"
     volumes:
       - redis-data:/data
-    command: [ "redis-server", "--appendonly", "yes" ]
+    command: [
+      "redis-server",
+      "--save", "900 1",            # 900초(15분)마다 최소 1개 이상의 변경이 있으면 스냅샷 저장
+      "--save", "300 10",           # 300초(5분)마다 최소 10개 이상의 변경이 있으면 저장
+      "--save", "60 1000",          # 60초마다 최소 1000개의 변경사항이 있으면 저장
+      "--appendonly", "yes",        # AOF 활성화
+      "--appendfsync", "everysec", # 1초마다 디스크에 기록
+      "--auto-aof-rewrite-percentage", "100",  # AOF 크기가 100% 커지면 리라이트
+      "--auto-aof-rewrite-min-size", "64mb"   # AOF 크기가 최소 64MB일 때 리라이트
+    ]
 
   # 🔹 PostgreSQL (Spring Boot가 사용하는 DB)
   postgres:

src/main/java/bumblebee/xchangepass/domain/refresh/controller/RefreshTokenController.java

@@ -1,20 +1,22 @@
 package bumblebee.xchangepass.domain.refresh.controller;
 
-import bumblebee.xchangepass.domain.refresh.dto.RefreshTokenRequest;
 import bumblebee.xchangepass.domain.refresh.service.RefreshTokenService;
+import bumblebee.xchangepass.domain.refresh.dto.RefreshTokenResponse;
+import bumblebee.xchangepass.global.error.ErrorCode;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.ExampleObject;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
-import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseCookie;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.ErrorResponse;
+import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -43,8 +45,20 @@ public class RefreshTokenController {
     })
     @ResponseStatus(HttpStatus.OK)
     @PostMapping("/token-refresh")
-    public void tokenRefresh(@RequestBody @Valid RefreshTokenRequest request) {
-        refreshTokenService.refreshToken(request.refreshToken());
+    public ResponseEntity<RefreshTokenResponse> tokenRefresh(@CookieValue(value = "refreshToken", required = false) String refreshToken) {
+        // refreshToken이 없다면 예외 처리
+        if (refreshToken == null) {
+            throw ErrorCode.REFRESH_TOKEN_INVALID.commonException();
+        }
+
+        // 새 토큰 재발급
+        RefreshTokenResponse response = refreshTokenService.refreshToken(refreshToken);
+
+        ResponseCookie refreshCookie = refreshTokenService.saveRefreshToken(response);
+
+        return ResponseEntity.ok()
+                .header("Set-Cookie", refreshCookie.toString())
+                .build();
     }
 
 }

src/main/java/bumblebee/xchangepass/domain/refresh/repository/RefreshTokenRepository.java

@@ -51,4 +51,9 @@ public boolean isValidRefreshToken(Long userId, String refreshToken) {
         String storedToken = (String) jsonRedisTemplate.opsForValue().get("refresh_token:" + userId);
         return storedToken != null && storedToken.equals(refreshToken);
     }
+
+    public String getRefreshToken(Long userId) {
+        String key = "refresh_token:" + userId;
+        return (String) jsonRedisTemplate.opsForValue().get(key);
+    }
 }

src/main/java/bumblebee/xchangepass/domain/refresh/service/RefreshTokenService.java

@@ -5,6 +5,7 @@
 import bumblebee.xchangepass.global.security.jwt.JwtProvider;
 import bumblebee.xchangepass.domain.refresh.dto.RefreshTokenResponse;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseCookie;
 import org.springframework.stereotype.Service;
 
 @Service
@@ -27,10 +28,18 @@ public RefreshTokenResponse refreshToken(final String refreshToken) {
         // Redis에서 사용자 ID 조회
         Long userId = refreshTokenRepository.getUserIdFromRefreshToken(refreshToken);
 
+        // Redis에 저장된 토큰과 비교 → 재사용 감지
+        String storedToken = refreshTokenRepository.getRefreshToken(userId);
+
+        if (storedToken == null || !storedToken.equals(refreshToken)) {
+            // 이미 사용된 토큰 or 위조된 토큰 → 재사용 시도
+            refreshTokenRepository.deleteRefreshToken(userId); // Redis 강제 삭제
+
+            throw ErrorCode.REFRESH_TOKEN_INVALID.commonException();
+        }
+
         // 새로운 Access Token 생성
         String newAccessToken = jwtProvider.generateAccessToken(userId);
-
-        // 새로운 Refresh Token 생성 후 Redis에 저장 (기존 것은 자동 삭제됨)
         String newRefreshToken = jwtProvider.generateRefreshToken(userId);
         refreshTokenRepository.saveRefreshToken(newRefreshToken, userId);
 
@@ -40,6 +49,16 @@ public RefreshTokenResponse refreshToken(final String refreshToken) {
                 .build();
     }
 
+    public ResponseCookie saveRefreshToken(RefreshTokenResponse response) {
+        return ResponseCookie.from("refreshToken", response.refreshToken())
+                .httpOnly(true)
+                .secure(true)
+                .path("/")
+                .maxAge(60 * 60 * 24 * 7)
+                .sameSite("Strict")
+                .build();
+    }
+
     /**
      * refresh token 검증
      *

src/main/java/bumblebee/xchangepass/domain/user/login/LoginController.java

@@ -1,7 +1,7 @@
 package bumblebee.xchangepass.domain.user.login;
 
+import bumblebee.xchangepass.domain.refresh.dto.RefreshTokenResponse;
 import bumblebee.xchangepass.domain.user.login.dto.request.LoginRequest;
-import bumblebee.xchangepass.domain.user.login.dto.response.LoginResponse;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.ExampleObject;
@@ -11,10 +11,14 @@
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseCookie;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.ErrorResponse;
 import org.springframework.web.bind.annotation.*;
 
+@Slf4j
 @RestController
 @RequiredArgsConstructor
 @Tag(name = "Login", description = "Login API")
@@ -40,8 +44,16 @@ public class LoginController {
     })
     @ResponseStatus(HttpStatus.OK)
     @PostMapping("/login")
-    public LoginResponse memberLogin(@RequestBody @Valid LoginRequest loginRequest) {
-        return loginService.login(loginRequest);
+    public ResponseEntity<RefreshTokenResponse> memberLogin(@RequestBody @Valid LoginRequest loginRequest) {
+        RefreshTokenResponse response = loginService.login(loginRequest);
+
+        ResponseCookie accessCookie = loginService.saveAccessToken(response.accessToken());
+        ResponseCookie refreshCookie = loginService.saveRefreshToken(response);
+
+        return ResponseEntity.ok()
+                .header("Set-Cookie", accessCookie.toString())
+                .header("Set-Cookie", refreshCookie.toString())
+                .build();
     }
 
     @Operation(summary = "로그아웃", description = "로그아웃합니다.")
@@ -55,8 +67,20 @@ public LoginResponse memberLogin(@RequestBody @Valid LoginRequest loginRequest)
     })
     @ResponseStatus(HttpStatus.OK)
     @PostMapping("/logout")
-    public void logout(@RequestHeader("Authorization") String refreshToken) {
+    public ResponseEntity<RefreshTokenResponse> logout(@RequestHeader("Authorization") String refreshToken) {
+        if (refreshToken.startsWith("Bearer ")) {
+            refreshToken = refreshToken.substring(7);
+        }
+
         // Refresh Token 삭제
         loginService.logout(refreshToken);
+
+        ResponseCookie expiredRefresh = loginService.deleteRefreshToken();
+        ResponseCookie expiredAccess = loginService.deleteAccessToken();
+
+        return ResponseEntity.ok()
+                .header("Set-Cookie", expiredRefresh.toString())
+                .header("Set-Cookie", expiredAccess.toString())
+                .build();
     }
 }

src/main/java/bumblebee/xchangepass/domain/user/login/LoginService.java

@@ -1,13 +1,14 @@
 package bumblebee.xchangepass.domain.user.login;
 
+import bumblebee.xchangepass.domain.refresh.dto.RefreshTokenResponse;
+import bumblebee.xchangepass.domain.refresh.repository.RefreshTokenRepository;
 import bumblebee.xchangepass.domain.user.login.dto.response.UserLoginResponse;
 import bumblebee.xchangepass.domain.user.service.UserService;
 import bumblebee.xchangepass.global.error.ErrorCode;
 import bumblebee.xchangepass.global.security.jwt.JwtProvider;
 import bumblebee.xchangepass.domain.user.login.dto.request.LoginRequest;
-import bumblebee.xchangepass.domain.user.login.dto.response.LoginResponse;
-import bumblebee.xchangepass.domain.refresh.repository.RefreshTokenRepository;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.ResponseCookie;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -25,7 +26,7 @@ public class LoginService{
     private final RefreshTokenRepository refreshTokenRepository;
 
     @Transactional
-    public LoginResponse login(final LoginRequest request) {
+    public RefreshTokenResponse login(final LoginRequest request) {
         // 사용자 정보 조회
         UserLoginResponse userInfo = userService.readUserByUserEmail(request.userEmail());
 
@@ -40,12 +41,33 @@ public LoginResponse login(final LoginRequest request) {
         String refreshToken = jwtProvider.generateRefreshToken(userInfo.userId());
         refreshTokenRepository.saveRefreshToken(refreshToken, userInfo.userId());
 
-        return LoginResponse.builder()
+        return RefreshTokenResponse.builder()
                 .accessToken(accessToken)
                 .refreshToken(refreshToken)
                 .build();
     }
 
+    public ResponseCookie saveAccessToken(String accessToken) {
+        return ResponseCookie.from("accessToken", accessToken)
+                .httpOnly(true)
+                .secure(true)
+                .path("/")
+                .maxAge(60 * 15)  // 15분
+                .sameSite("Strict")
+                .build();
+    }
+
+    public ResponseCookie saveRefreshToken(RefreshTokenResponse response) {
+        // 쿠키 설정
+        return ResponseCookie.from("refreshToken", response.refreshToken())
+                .httpOnly(true)
+                .secure(true)
+                .path("/")
+                .maxAge(60 * 60 * 24 * 7) // 7일
+                .sameSite("Strict")
+                .build();
+    }
+
     public void logout(String refreshToken) {
         // "Bearer " 접두사 제거
         if (refreshToken.startsWith("Bearer ")) {
@@ -55,4 +77,25 @@ public void logout(String refreshToken) {
         Long userId = refreshTokenRepository.getUserIdFromRefreshToken(refreshToken);
         refreshTokenRepository.deleteRefreshToken(userId);
     }
+
+    public ResponseCookie deleteAccessToken() {
+        return ResponseCookie.from("accessToken", "")
+                .httpOnly(true)
+                .secure(true)
+                .path("/")
+                .maxAge(0)  // 즉시 만료
+                .sameSite("Strict")
+                .build();
+    }
+
+
+    public ResponseCookie deleteRefreshToken() {
+        return ResponseCookie.from("refreshToken", "")
+                .httpOnly(true)
+                .secure(true)
+                .path("/")
+                .maxAge(0)  // 쿠키 만료
+                .sameSite("Strict")
+                .build();
+    }
 }

src/main/java/bumblebee/xchangepass/domain/wallet/balance/service/WalletBalanceService.java

@@ -2,6 +2,8 @@
 
 import bumblebee.xchangepass.domain.wallet.balance.entity.WalletBalance;
 import bumblebee.xchangepass.domain.wallet.balance.repository.WalletBalanceRepository;
+import bumblebee.xchangepass.domain.wallet.fraud.service.FraudDetectEvent;
+import bumblebee.xchangepass.domain.wallet.fraud.service.FraudDetectionService;
 import bumblebee.xchangepass.domain.wallet.transaction.entity.WalletTransactionType;
 import bumblebee.xchangepass.domain.wallet.transaction.service.WalletTransactionService;
 import bumblebee.xchangepass.domain.wallet.wallet.entity.Wallet;
@@ -11,6 +13,7 @@
 import org.springframework.transaction.annotation.Transactional;
 
 import java.math.BigDecimal;
+import java.time.LocalDateTime;
 import java.util.Currency;
 import java.util.List;
 
@@ -20,6 +23,7 @@ public class WalletBalanceService {
 
     private final WalletBalanceRepository balanceRepository;
     private final WalletTransactionService transactionService;
+    private final FraudDetectionService fraudDetectionService;
 
     public void createBalance(Wallet wallet, Currency currency) {
         if (balanceRepository.existsByCurrency(wallet.getWalletId(), currency)) {
@@ -75,6 +79,13 @@ public void withdrawBalance(WalletBalance balance, BigDecimal amount) {
     }
 
     public void transferBalance(WalletBalance fromBalance, WalletBalance toBalance, BigDecimal amount) {
+        fraudDetectionService.detect(new FraudDetectEvent(
+                fromBalance.getWallet().getUser().getUserId(),
+                amount,
+                LocalDateTime.now(),
+                null
+        ));
+
         fromBalance.subtractBalance(amount);
         toBalance.addBalance(amount);
         balanceRepository.save(fromBalance);

src/main/java/bumblebee/xchangepass/domain/wallet/fraud/service/FraudDetectEvent.java

@@ -0,0 +1,11 @@
+package bumblebee.xchangepass.domain.wallet.fraud.service;
+
+import java.math.BigDecimal;
+import java.time.LocalDateTime;
+
+public record FraudDetectEvent(
+        Long userId,
+        BigDecimal amount,
+        LocalDateTime timestamp,
+        String detail
+) {}

src/main/java/bumblebee/xchangepass/domain/wallet/fraud/service/FraudDetectionService.java

@@ -0,0 +1,30 @@
+package bumblebee.xchangepass.domain.wallet.fraud.service;
+
+import bumblebee.xchangepass.domain.wallet.transaction.consumer.SlackNotifier;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Service;
+
+@Service
+@RequiredArgsConstructor
+public class FraudDetectionService {
+
+    private final RedisFraudStorageService redisFraudStorage;
+    private final FraudRuleEvaluator ruleEvaluator;
+    private final SlackNotifier slackNotifier;
+
+    public void detect(FraudDetectEvent event) {
+        redisFraudStorage.store(event.userId(), event.amount());
+
+        boolean isFraud = ruleEvaluator.isSuspicious(event.userId(), event.amount());
+
+        if (isFraud) {
+            String reason = ruleEvaluator.getLastDetectedReason();
+            slackNotifier.notifyFraud(new FraudDetectEvent(
+                    event.userId(),
+                    event.amount(),
+                    event.timestamp(),
+                    reason
+            ));
+        }
+    }
+}