[feat] 로그인 완료 후 회원 정보 조회시 Access · RefreshToken 반환 #98
LEEDONGH00N merged 7 commits into with-travel:develop from
Conversation
| ResponseCookie cookie = ResponseCookie.from(jwtProperties.getRefreshCookieName(), refreshToken) | ||
| .httpOnly(true) | ||
| .secure(true) | ||
| .path("/") | ||
| .maxAge(Duration.ofDays(jwtProperties.getRefreshTokenExpireDays())) | ||
| .build(); | ||
| response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString()); |
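Review bot: the ResponseCookie built here sets httpOnly, secure, path and maxAge but no SameSite attribute, and `.path("/")` attaches the refresh token to every request the browser makes to this host rather than only to the refresh endpoint. Add `.sameSite("Strict")` (or `"Lax"` if the front end is served from another site and that trade-off is accepted) and narrow `.path("/")` to the route that actually consumes the refresh token, so the long-lived credential is neither sent on cross-site requests nor on ordinary API calls where it is not needed.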
I think a plain string without the cookie settings would suffice.
Pull Request Overview
This PR implements token-based authentication after login completion by modifying the /signup/register endpoint to return both AccessToken and RefreshToken along with member information. The RefreshToken is securely delivered as an HttpOnly cookie to prevent XSS attacks, while the AccessToken is included in the response body for frontend use.
- Added token generation and cookie handling functionality to the signup flow
- Modified the member signup endpoint to return tokens along with member data
- Enhanced JWT configuration with expiration settings and cookie configuration
Reviewed Changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| TokenService.java | Added issueTokenPair method to generate access/refresh tokens and set HttpOnly cookie |
| AuthTokenResponse.java | New DTO class to hold access and refresh token pair |
| JwtProperties.java | Added JWT expiration configuration and refresh cookie name property |
| MemberSignupTokenResponse.java | New response DTO combining member signup data with authentication tokens |
| MemberSignupController.java | Modified GET endpoint to return tokens along with member information |
src/main/java/com/arom/with_travel/domain/member/dto/MemberSignupTokenResponse.java (outdated comment, resolved)
| .build(); | ||
| response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString()); | ||
|
|
||
| return new AuthTokenResponse(accessToken, refreshToken); |
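Review bot: the refresh token that was just written into the HttpOnly cookie is passed straight into `AuthTokenResponse` and so ends up in the JSON body, which makes the cookie pointless. Fix this at the DTO rather than only at the call site: drop the refreshToken field from `AuthTokenResponse` (the file table describes it as holding the "access and refresh token pair") so the type cannot carry the refresh token at all, and have `issueTokenPair` return `new AuthTokenResponse(accessToken)`. A body-serialised refresh token would also end up in any response logging or client-side state, which is exactly what the HttpOnly cookie was meant to prevent.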
The refresh token is being returned in the response body, which contradicts the security goal stated in the PR description. Since the refresh token is already set as an HttpOnly cookie, it should not be included in the response body to maintain security.
| return new AuthTokenResponse(accessToken, refreshToken); | |
| return new AuthTokenResponse(accessToken); |
src/main/java/com/arom/with_travel/global/jwt/dto/response/AuthTokenResponse.java (outdated comment, resolved)
src/main/java/com/arom/with_travel/domain/member/dto/MemberSignupTokenResponse.java (outdated comment, resolved)
…nupTokenResponse.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Issue
Implemented feature
Changed the behaviour so that, right after login, the /signup/register endpoint returns the AccessToken and RefreshToken together with the member information.
So that the front end can use it for login handling, an AccessToken is issued immediately after login and returned in the response body together with the member information. The RefreshToken has a longer lifetime than the AccessToken, so there is a security risk if it is stolen. It is therefore delivered as an HttpOnly cookie, which browser JavaScript cannot access, to guard against XSS attacks.
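The design described above (access token in the body, refresh token in an HttpOnly cookie) is shown below as an added example; it is not code from this PR or from the with-travel project. It adds the two cookie attributes the PR's builder lacks, SameSite and a narrow path, and shows the matching refresh endpoint reading the cookie back and rotating it. The refresh route `/auth/refresh`, the cookie name `refresh_token`, the 14-day lifetime and the `TokenIssuer` interface are assumptions made for the example; the project's own `TokenService` and `JwtProperties` signatures are not visible on this page.

```java
import java.time.Duration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/** Hardened variant of the cookie construction in the PR (added example, not project code). */
public final class RefreshCookies {
    // Assumption: the refresh endpoint lives at this path. Scoping the cookie to it means the
    // browser attaches the refresh token only here, not to every other API request.
    public static final String REFRESH_PATH = "/auth/refresh";

    private RefreshCookies() {}

    /** Builds the Set-Cookie value carrying the refresh token. */
    public static ResponseCookie issue(String cookieName, String refreshToken, Duration ttl) {
        return ResponseCookie.from(cookieName, refreshToken)
                .httpOnly(true)      // not readable via document.cookie: XSS cannot exfiltrate the value
                .secure(true)        // never sent over plain HTTP
                .sameSite("Strict")  // not attached to cross-site requests: blunts CSRF on the refresh route
                .path(REFRESH_PATH)  // sent only to the refresh endpoint
                .maxAge(ttl)
                .build();
    }

    /** Cookie that overwrites the refresh token with an expired one (logout, or rejected refresh). */
    public static ResponseCookie clear(String cookieName) {
        return ResponseCookie.from(cookieName, "")
                .httpOnly(true).secure(true).sameSite("Strict")
                .path(REFRESH_PATH)
                .maxAge(Duration.ZERO)
                .build();
    }
}

/** Response body after login or refresh: only the short-lived access token, never the refresh token. */
record AccessTokenResponse(String accessToken) {}

@RestController
class RefreshController {
    // Assumption: the same name jwtProperties.getRefreshCookieName() returns in the PR.
    private static final String COOKIE_NAME = "refresh_token";
    private static final Duration REFRESH_TTL = Duration.ofDays(14); // assumption

    /** Hypothetical token back end; the PR's TokenService signatures are not shown on the page. */
    interface TokenIssuer {
        boolean isValidRefresh(String refreshToken);
        /** Invalidates the given refresh token and returns a fresh one (one-time use). */
        String rotateRefresh(String refreshToken);
        String newAccessToken(String refreshToken);
    }

    private final TokenIssuer tokens;

    RefreshController(TokenIssuer tokens) {
        this.tokens = tokens;
    }

    @PostMapping(RefreshCookies.REFRESH_PATH)
    ResponseEntity<AccessTokenResponse> refresh(
            @CookieValue(name = COOKIE_NAME, required = false) String refreshToken) {
        if (refreshToken == null || !tokens.isValidRefresh(refreshToken)) {
            // Missing, expired or already-used cookie: clear it and reject without saying which.
            return ResponseEntity.status(401)
                    .header(HttpHeaders.SET_COOKIE, RefreshCookies.clear(COOKIE_NAME).toString())
                    .build();
        }
        // Rotate so a stolen refresh token can be used at most once; the old value is dead now.
        String rotated = tokens.rotateRefresh(refreshToken);
        ResponseCookie cookie = RefreshCookies.issue(COOKIE_NAME, rotated, REFRESH_TTL);
        return ResponseEntity.ok()
                .header(HttpHeaders.SET_COOKIE, cookie.toString())
                .body(new AccessTokenResponse(tokens.newAccessToken(rotated)));
    }
}
```

Two caveats a practitioner should keep in mind. HttpOnly stops script from reading the refresh token, but script running on the page origin can still call `/auth/refresh` and obtain a fresh access token, so XSS still needs to be prevented; the cookie only limits what an injected script can carry away. And `SameSite=Strict` is only workable when the front end and the API share a site; if they do not, the cookie is never sent and you have to fall back to `Lax` or `None` together with an explicit CSRF defence on the refresh endpoint.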