Access Token 저장 방식 변경

2025-12-12 21:08:46 +00:00 · 2024-12-28 16:54:46 +09:00
parent 1d0c309878
commit c09a0b4aa0
10 changed files with 44 additions and 83 deletions
--- a/src/lib/hooks/callAPI.ts
+++ b/src/lib/hooks/callAPI.ts
@@ -1,48 +1,15 @@
-import { get } from "svelte/store";
-import { accessTokenStore } from "$lib/stores";
-
 const refreshToken = async () => {
-  const res = await fetch("/api/auth/refreshToken", {
-    method: "POST",
-    credentials: "same-origin",
-  });
-  if (!res.ok) {
-    accessTokenStore.set(null);
-    throw new Error("Failed to refresh token");
-  }
-
-  const data = await res.json();
-  const token = data.accessToken as string;
-
-  accessTokenStore.set(token);
-  return token;
-};
-
-const callAPIInternal = async (
-  input: RequestInfo,
-  init: RequestInit | undefined,
-  token: string | null,
-  retryIfUnauthorized = true,
-): Promise<Response> => {
-  if (!token) {
-    token = await refreshToken();
-    retryIfUnauthorized = false;
-  }
-
-  const res = await fetch(input, {
-    ...init,
-    headers: {
-      ...init?.headers,
-      Authorization: `Bearer ${token}`,
-    },
-  });
-  if (res.status === 401 && retryIfUnauthorized) {
-    return await callAPIInternal(input, init, null, false);
-  }
-
-  return res;
+  return await fetch("/api/auth/refreshToken", { method: "POST" });
 };

 export const callAPI = async (input: RequestInfo, init?: RequestInit) => {
-  return await callAPIInternal(input, init, get(accessTokenStore));
+  let res = await fetch(input, init);
+  if (res.status === 401) {
+    res = await refreshToken();
+    if (!res.ok) {
+      return res;
+    }
+    res = await fetch(input, init);
+  }
+  return res;
 };
--- a/src/lib/server/modules/auth.ts
+++ b/src/lib/server/modules/auth.ts
@@ -1,4 +1,4 @@
-import { error } from "@sveltejs/kit";
+import { error, type Cookies } from "@sveltejs/kit";
 import jwt from "jsonwebtoken";
 import env from "$lib/server/loadenv";

@@ -35,13 +35,13 @@ export const verifyToken = (token: string) => {
  }
 };

-export const authenticate = (request: Request) => {
-  const accessToken = request.headers.get("Authorization");
-  if (!accessToken?.startsWith("Bearer ")) {
-    error(401, "Access token required");
+export const authenticate = (cookies: Cookies) => {
+  const accessToken = cookies.get("accessToken");
+  if (!accessToken) {
+    error(401, "Access token not found");
  }

-  const tokenPayload = verifyToken(accessToken.slice(7));
+  const tokenPayload = verifyToken(accessToken);
  if (tokenPayload === TokenError.EXPIRED) {
    error(401, "Access token expired");
  } else if (tokenPayload === TokenError.INVALID || tokenPayload.type !== "access") {
--- a/src/lib/server/services/auth.ts
+++ b/src/lib/server/services/auth.ts
@@ -71,7 +71,7 @@ export const logout = async (refreshToken: string) => {
  await revokeRefreshToken(jti);
 };

-export const refreshToken = async (refreshToken: string) => {
+export const refreshTokens = async (refreshToken: string) => {
  const { jti: oldJti, userId, clientId } = await verifyRefreshToken(refreshToken);
  const newJti = uuidv4();

--- a/src/lib/stores/auth.ts
+++ b/src/lib/stores/auth.ts
@@ -1,3 +0,0 @@
-import { writable } from "svelte/store";
-
-export const accessTokenStore = writable<string | null>(null);
--- a/src/lib/stores/index.ts
+++ b/src/lib/stores/index.ts
@@ -1,2 +1 @@
-export * from "./auth";
 export * from "./key";
--- a/src/routes/(fullscreen)/auth/login/service.ts
+++ b/src/routes/(fullscreen)/auth/login/service.ts
@@ -1,5 +1,3 @@
-import { accessTokenStore } from "$lib/stores";
-
 export const requestLogin = async (email: string, password: string) => {
  const res = await fetch("/api/auth/login", {
    method: "POST",
@@ -8,13 +6,5 @@ export const requestLogin = async (email: string, password: string) => {
    },
    body: JSON.stringify({ email, password }),
  });
-  if (!res.ok) {
-    return false;
-  }
-
-  const data = await res.json();
-  const token = data.accessToken as string;
-
-  accessTokenStore.set(token);
-  return true;
+  return res.ok;
 };
--- a/src/routes/api/auth/login/+server.ts
+++ b/src/routes/api/auth/login/+server.ts
@@ -1,4 +1,4 @@
-import { error, json } from "@sveltejs/kit";
+import { error, text } from "@sveltejs/kit";
 import ms from "ms";
 import { z } from "zod";
 import env from "$lib/server/loadenv";
@@ -10,7 +10,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
    .object({
      email: z.string().email().nonempty(),
      password: z.string().nonempty(),
-      pubKey: z.string().nonempty().optional(),
+      pubKey: z.string().base64().nonempty().optional(),
    })
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
@@ -18,12 +18,15 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
  const { email, password, pubKey } = zodRes.data;
  const { accessToken, refreshToken } = await login(email.trim(), password.trim(), pubKey?.trim());

+  cookies.set("accessToken", accessToken, {
+    path: "/",
+    maxAge: Math.floor(ms(env.jwt.accessExp) / 1000),
+    sameSite: "strict",
+  });
  cookies.set("refreshToken", refreshToken, {
    path: "/api/auth",
    maxAge: Math.floor(ms(env.jwt.refreshExp) / 1000),
-    httpOnly: true,
-    secure: true,
    sameSite: "strict",
  });
-  return json({ accessToken });
+  return text("Logged in", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/auth/logout/+server.ts
+++ b/src/routes/api/auth/logout/+server.ts
@@ -4,8 +4,11 @@ import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ cookies }) => {
  const token = cookies.get("refreshToken");
-  if (!token) error(401, "Token not found");
+  if (!token) error(401, "Refresh token not found");

  await logout(token.trim());
-  return text("Logged out");
+
+  cookies.delete("accessToken", { path: "/" });
+  cookies.delete("refreshToken", { path: "/api/auth" });
+  return text("Logged out", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/auth/refreshToken/+server.ts
+++ b/src/routes/api/auth/refreshToken/+server.ts
@@ -1,18 +1,20 @@
-import { error, json } from "@sveltejs/kit";
-import { refreshToken } from "$lib/server/services/auth";
+import { error, text } from "@sveltejs/kit";
+import { refreshTokens } from "$lib/server/services/auth";
 import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ cookies }) => {
  const token = cookies.get("refreshToken");
-  if (!token) error(401, "Token not found");
+  if (!token) error(401, "Refresh token not found");

-  const { accessToken, refreshToken: newToken } = await refreshToken(token.trim());
+  const { accessToken, refreshToken } = await refreshTokens(token.trim());

-  cookies.set("refreshToken", newToken, {
-    path: "/api/auth",
-    httpOnly: true,
-    secure: true,
+  cookies.set("accessToken", accessToken, {
+    path: "/",
    sameSite: "strict",
  });
-  return json({ accessToken });
+  cookies.set("refreshToken", refreshToken, {
+    path: "/api/auth",
+    sameSite: "strict",
+  });
+  return text("Token refreshed", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/key/register/+server.ts
+++ b/src/routes/api/key/register/+server.ts
@@ -4,7 +4,7 @@ import { authenticate } from "$lib/server/modules/auth";
 import { registerPubKey } from "$lib/server/services/key";
 import type { RequestHandler } from "./$types";

-export const POST: RequestHandler = async ({ request }) => {
+export const POST: RequestHandler = async ({ request, cookies }) => {
  const zodRes = z
    .object({
      pubKey: z.string().base64().nonempty(),
@@ -12,7 +12,7 @@ export const POST: RequestHandler = async ({ request }) => {
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");

-  const { userId, clientId } = authenticate(request);
+  const { userId, clientId } = authenticate(cookies);
  if (clientId) {
    error(403, "Forbidden");
  }