Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BE] Fix/#426 Token CORS 재설정 #427

Merged
merged 3 commits into from
Sep 18, 2023
Merged

[BE] Fix/#426 Token CORS 재설정 #427

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
82e8bb4
fix: RefreshToken Payload 추가 및 CORS 완화
junpakPark Sep 17, 2023
da5bfc1
fix: Refresh Token Header 허용
junpakPark Sep 17, 2023
4f57027
fix: CORS 재설정 및 sameSite None
junpakPark Sep 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions backend/src/main/java/com/mapbefine/mapbefine/auth/infrastructure/JwtTokenProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,13 @@
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;
import java.util.UUID;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class JwtTokenProvider implements TokenProvider {

private static final String EMPTY = "";

private final String secretKey;
private final long accessExpirationTime;
private final long refreshExpirationTime;
Expand All @@ -41,7 +40,9 @@ public String createAccessToken(String payload) {
}

public String createRefreshToken() {
return createToken(EMPTY, refreshExpirationTime);
UUID payload = UUID.randomUUID();

return createToken(payload.toString(), refreshExpirationTime);
}

private String createToken(String payload, Long validityInMilliseconds) {
Expand Down
2 changes: 1 addition & 1 deletion backend/src/main/java/com/mapbefine/mapbefine/auth/presentation/LoginController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ private ResponseCookie createCookie(String refreshToken) {
return ResponseCookie.from("refresh-token", refreshToken)
.httpOnly(true)
.maxAge(TWO_WEEKS)
.sameSite("Lax")
.sameSite("None")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

이 설정은 어떤 건가용??
기존 코드 리뷰에서 질문을 드렸어야 하는데 죄송합니다. 자세히 못봤네요 ..

Copy link
Collaborator Author

@junpakPark junpakPark Sep 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sameSite 관련 설명입니다.

간단하게 요약하자면, SameSite 속성으로 서로 다른 도메인간의 쿠키 전송에 대한 보안을 설정하는데요.

None: 쿠키는 모든 요청에 대해 전송되며, 서드 파티 쿠키를 허용
단, 2020년 이후로는 SameSite=None 설정시 Secure 플래그도 함께 설정해야만 합니다 (쿠키는 HTTPS 연결만을 통해 전송됩니다).

Lax: Strict 설정에 일부 예외(HTTP GET method/a href/link href)를 두어 적용되는 설정입니다.
해당 설정은 사용자가 사이트간 상호 작용을 하지 않을 때 쿠키 유출을 방지하는 데 유용합니다.

Strict: 이 설정은 쿠키가 같은 사이트에서 생성된 요청을 통해서만 서버에 전송됩니다. 이는 CSRF 공격을 막는데 효과적이지만, 사용자가 서로 다른 사이트 간에 쉽게 네비게이션 할 수 없게 만들어 사용자 편의성을 저해할 수 있습니다.

.secure(true)
.path("/")
.build();
Expand Down
3 changes: 2 additions & 1 deletion backend/src/main/java/com/mapbefine/mapbefine/common/config/WebConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package com.mapbefine.mapbefine.common.config;

import static org.springframework.http.HttpHeaders.COOKIE;
import static org.springframework.http.HttpHeaders.LOCATION;
import static org.springframework.http.HttpHeaders.SET_COOKIE;

Expand All @@ -16,7 +17,7 @@ public class WebConfig implements WebMvcConfigurer {
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:3000", "https://mapbefine.kro.kr", "https://mapbefine.com")
.allowedHeaders("refresh-token")
.allowedHeaders(COOKIE)
.allowedMethods("*")
.allowCredentials(true)
.exposedHeaders(LOCATION, SET_COOKIE);
Expand Down
Loading