Merge pull request #21 from dnd-side-project/fix/#20

보안이 강화된 JWT 비밀키 발급, 비밀키로 서명로직 변경
dnd-side-project · Aug 26, 2024 · 8e23da5 · 8e23da5
2 parents c404612 + b79c21a
commit 8e23da5
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/src/main/java/com/dnd/dndtravel/auth/service/JwtProvider.java b/src/main/java/com/dnd/dndtravel/auth/service/JwtProvider.java
@@ -1,36 +1,38 @@
 package com.dnd.dndtravel.auth.service;
 
 import io.jsonwebtoken.*;
+import io.jsonwebtoken.io.Decoders;
 import io.jsonwebtoken.security.Keys;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
-import java.util.Base64;
 import java.util.Date;
 
+import javax.crypto.SecretKey;
+
 @Component
 public class JwtProvider {
     private static final String CLAIM_CONTENT = "memberId";
     private final long accessTokenExpiredTime;
     private final long refreshTokenExpiredTime;
-    private final String secretKey;
+    private final SecretKey secretKey;
 
     public JwtProvider(
-        @Value("${jwt.secret-key}") String secretKey,
+        @Value("${jwt.secret-key}") String secretKeyString,
         @Value("${jwt.access-token-expired-ms}") long accessTokenExpiredTime,
         @Value("${jwt.refresh-token-expired-ms}") long refreshTokenExpiredTime
-       ) {
-        this.secretKey = secretKey;
+        ) {
         this.accessTokenExpiredTime = accessTokenExpiredTime;
         this.refreshTokenExpiredTime = refreshTokenExpiredTime;
+        this.secretKey = Keys.hmacShaKeyFor(Decoders.BASE64URL.decode(secretKeyString));
     }
 
     public String accessToken(Long memberId) {
         return Jwts.builder()
             .claim(CLAIM_CONTENT, memberId)
             .issuedAt(new Date(System.currentTimeMillis()))
             .expiration(new Date(System.currentTimeMillis() + this.accessTokenExpiredTime))
-            .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(this.secretKey)))
+            .signWith(secretKey)
             .compact();
     }
 
@@ -39,7 +41,7 @@ public String refreshToken(Long memberId) {
             .claim(CLAIM_CONTENT, memberId)
             .issuedAt(new Date(System.currentTimeMillis()))
             .expiration(new Date(System.currentTimeMillis() + this.refreshTokenExpiredTime))
-            .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(this.secretKey)))
+            .signWith(secretKey)
             .compact();
     }
 

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -7,6 +7,8 @@ spring:
     password: ${MYSQL_PASSWORD}
   jpa:
     open-in-view: false
+    hibernate:
+      ddl-auto: create # local에서만 사용할거고, prod 환경과 분리 필요
 
 social-login:
   provider: