Token Refresh/Upgrade와 관련된 DB 제약 위반 수정

2025-12-12 21:08:46 +00:00 · 2024-12-31 05:00:03 +09:00
parent 08a23b61b2
commit 0f87975040
3 changed files with 48 additions and 23 deletions
--- a/src/lib/modules/crypto.ts
+++ b/src/lib/modules/crypto.ts
@@ -36,7 +36,7 @@ export const generateRSASigKeyPair = async () => {
  return keyPair;
 };

-export const makeRSAKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
+export const makeRSAEncKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
  const { format, key: exportedKey } = await exportRSAKey(key, type);
  return await window.crypto.subtle.importKey(
    format,
@@ -50,6 +50,20 @@ export const makeRSAKeyNonextractable = async (key: CryptoKey, type: RSAKeyType)
  );
 };

+export const makeRSASigKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
+  const { format, key: exportedKey } = await exportRSAKey(key, type);
+  return await window.crypto.subtle.importKey(
+    format,
+    exportedKey,
+    {
+      name: "RSA-PSS",
+      hash: "SHA-256",
+    } satisfies RsaHashedImportParams,
+    false,
+    [type === "public" ? "verify" : "sign"],
+  );
+};
+
 const exportRSAKey = async (key: CryptoKey, type: RSAKeyType) => {
  const format = type === "public" ? ("spki" as const) : ("pkcs8" as const);
  return {
--- a/src/lib/server/db/token.ts
+++ b/src/lib/server/db/token.ts
@@ -38,15 +38,20 @@ export const getRefreshToken = async (tokenId: string) => {
 };

 export const rotateRefreshToken = async (oldTokenId: string, newTokenId: string) => {
-  const res = await db
-    .update(refreshToken)
-    .set({
-      id: newTokenId,
-      expiresAt: expiresAt(),
-    })
-    .where(eq(refreshToken.id, oldTokenId))
-    .execute();
-  return res.changes > 0;
+  return await db.transaction(async (tx) => {
+    await tx
+      .delete(tokenUpgradeChallenge)
+      .where(eq(tokenUpgradeChallenge.refreshTokenId, oldTokenId));
+    const res = await db
+      .update(refreshToken)
+      .set({
+        id: newTokenId,
+        expiresAt: expiresAt(),
+      })
+      .where(eq(refreshToken.id, oldTokenId))
+      .execute();
+    return res.changes > 0;
+  });
 };

 export const upgradeRefreshToken = async (
@@ -54,16 +59,21 @@ export const upgradeRefreshToken = async (
  newTokenId: string,
  clientId: number,
 ) => {
-  const res = await db
-    .update(refreshToken)
-    .set({
-      id: newTokenId,
-      clientId,
-      expiresAt: expiresAt(),
-    })
-    .where(eq(refreshToken.id, oldTokenId))
-    .execute();
-  return res.changes > 0;
+  return await db.transaction(async (tx) => {
+    await tx
+      .delete(tokenUpgradeChallenge)
+      .where(eq(tokenUpgradeChallenge.refreshTokenId, oldTokenId));
+    const res = await tx
+      .update(refreshToken)
+      .set({
+        id: newTokenId,
+        clientId,
+        expiresAt: expiresAt(),
+      })
+      .where(eq(refreshToken.id, oldTokenId))
+      .execute();
+    return res.changes > 0;
+  });
 };

 export const revokeRefreshToken = async (tokenId: string) => {
--- a/src/routes/(fullscreen)/key/generate/service.ts
+++ b/src/routes/(fullscreen)/key/generate/service.ts
@@ -1,7 +1,8 @@
 import {
  generateRSAEncKeyPair,
  generateRSASigKeyPair,
-  makeRSAKeyNonextractable,
+  makeRSAEncKeyNonextractable,
+  makeRSASigKeyNonextractable,
  exportRSAKeyToBase64,
  generateAESKey,
  makeAESKeyNonextractable,
@@ -16,11 +17,11 @@ export const generateKeyPairs = async () => {
  keyPairsStore.set({
    encKeyPair: {
      publicKey: encKeyPair.publicKey,
-      privateKey: await makeRSAKeyNonextractable(encKeyPair.privateKey, "private"),
+      privateKey: await makeRSAEncKeyNonextractable(encKeyPair.privateKey, "private"),
    },
    sigKeyPair: {
      publicKey: sigKeyPair.publicKey,
-      privateKey: await makeRSAKeyNonextractable(sigKeyPair.privateKey, "private"),
+      privateKey: await makeRSASigKeyNonextractable(sigKeyPair.privateKey, "private"),
    },
  });