Token Refresh/Upgrade와 관련된 DB 제약 위반 수정

src/lib/modules/crypto.ts

@@ -36,7 +36,7 @@ export const generateRSASigKeyPair = async () => {
   return keyPair;
 };
 
-export const makeRSAKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
+export const makeRSAEncKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
   const { format, key: exportedKey } = await exportRSAKey(key, type);
   return await window.crypto.subtle.importKey(
     format,
@@ -50,6 +50,20 @@ export const makeRSAKeyNonextractable = async (key: CryptoKey, type: RSAKeyType)
   );
 };
 
+export const makeRSASigKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
+  const { format, key: exportedKey } = await exportRSAKey(key, type);
+  return await window.crypto.subtle.importKey(
+    format,
+    exportedKey,
+    {
+      name: "RSA-PSS",
+      hash: "SHA-256",
+    } satisfies RsaHashedImportParams,
+    false,
+    [type === "public" ? "verify" : "sign"],
+  );
+};
+
 const exportRSAKey = async (key: CryptoKey, type: RSAKeyType) => {
   const format = type === "public" ? ("spki" as const) : ("pkcs8" as const);
   return {

src/lib/server/db/token.ts

@@ -38,6 +38,10 @@ export const getRefreshToken = async (tokenId: string) => {
 };
 
 export const rotateRefreshToken = async (oldTokenId: string, newTokenId: string) => {
+  return await db.transaction(async (tx) => {
+    await tx
+      .delete(tokenUpgradeChallenge)
+      .where(eq(tokenUpgradeChallenge.refreshTokenId, oldTokenId));
     const res = await db
       .update(refreshToken)
       .set({
@@ -47,6 +51,7 @@ export const rotateRefreshToken = async (oldTokenId: string, newTokenId: string)
       .where(eq(refreshToken.id, oldTokenId))
       .execute();
     return res.changes > 0;
+  });
 };
 
 export const upgradeRefreshToken = async (
@@ -54,7 +59,11 @@ export const upgradeRefreshToken = async (
   newTokenId: string,
   clientId: number,
 ) => {
-  const res = await db
+  return await db.transaction(async (tx) => {
+    await tx
+      .delete(tokenUpgradeChallenge)
+      .where(eq(tokenUpgradeChallenge.refreshTokenId, oldTokenId));
+    const res = await tx
       .update(refreshToken)
       .set({
         id: newTokenId,
@@ -64,6 +73,7 @@ export const upgradeRefreshToken = async (
       .where(eq(refreshToken.id, oldTokenId))
       .execute();
     return res.changes > 0;
+  });
 };
 
 export const revokeRefreshToken = async (tokenId: string) => {

src/routes/(fullscreen)/key/generate/service.ts

@@ -1,7 +1,8 @@
 import {
   generateRSAEncKeyPair,
   generateRSASigKeyPair,
-  makeRSAKeyNonextractable,
+  makeRSAEncKeyNonextractable,
+  makeRSASigKeyNonextractable,
   exportRSAKeyToBase64,
   generateAESKey,
   makeAESKeyNonextractable,
@@ -16,11 +17,11 @@ export const generateKeyPairs = async () => {
   keyPairsStore.set({
     encKeyPair: {
       publicKey: encKeyPair.publicKey,
-      privateKey: await makeRSAKeyNonextractable(encKeyPair.privateKey, "private"),
+      privateKey: await makeRSAEncKeyNonextractable(encKeyPair.privateKey, "private"),
     },
     sigKeyPair: {
       publicKey: sigKeyPair.publicKey,
-      privateKey: await makeRSAKeyNonextractable(sigKeyPair.privateKey, "private"),
+      privateKey: await makeRSASigKeyNonextractable(sigKeyPair.privateKey, "private"),
     },
   });