Access Token 저장 방식 변경

2025-12-16 06:58:46 +00:00 · 2024-12-28 16:54:46 +09:00
parent 1d0c309878
commit c09a0b4aa0
10 changed files with 44 additions and 83 deletions
--- a/src/routes/(fullscreen)/auth/login/service.ts
+++ b/src/routes/(fullscreen)/auth/login/service.ts
@@ -1,5 +1,3 @@
-import { accessTokenStore } from "$lib/stores";
-
 export const requestLogin = async (email: string, password: string) => {
  const res = await fetch("/api/auth/login", {
    method: "POST",
@@ -8,13 +6,5 @@ export const requestLogin = async (email: string, password: string) => {
    },
    body: JSON.stringify({ email, password }),
  });
-  if (!res.ok) {
-    return false;
-  }
-
-  const data = await res.json();
-  const token = data.accessToken as string;
-
-  accessTokenStore.set(token);
-  return true;
+  return res.ok;
 };
--- a/src/routes/api/auth/login/+server.ts
+++ b/src/routes/api/auth/login/+server.ts
@@ -1,4 +1,4 @@
-import { error, json } from "@sveltejs/kit";
+import { error, text } from "@sveltejs/kit";
 import ms from "ms";
 import { z } from "zod";
 import env from "$lib/server/loadenv";
@@ -10,7 +10,7 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
    .object({
      email: z.string().email().nonempty(),
      password: z.string().nonempty(),
-      pubKey: z.string().nonempty().optional(),
+      pubKey: z.string().base64().nonempty().optional(),
    })
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
@@ -18,12 +18,15 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
  const { email, password, pubKey } = zodRes.data;
  const { accessToken, refreshToken } = await login(email.trim(), password.trim(), pubKey?.trim());

+  cookies.set("accessToken", accessToken, {
+    path: "/",
+    maxAge: Math.floor(ms(env.jwt.accessExp) / 1000),
+    sameSite: "strict",
+  });
  cookies.set("refreshToken", refreshToken, {
    path: "/api/auth",
    maxAge: Math.floor(ms(env.jwt.refreshExp) / 1000),
-    httpOnly: true,
-    secure: true,
    sameSite: "strict",
  });
-  return json({ accessToken });
+  return text("Logged in", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/auth/logout/+server.ts
+++ b/src/routes/api/auth/logout/+server.ts
@@ -4,8 +4,11 @@ import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ cookies }) => {
  const token = cookies.get("refreshToken");
-  if (!token) error(401, "Token not found");
+  if (!token) error(401, "Refresh token not found");

  await logout(token.trim());
-  return text("Logged out");
+
+  cookies.delete("accessToken", { path: "/" });
+  cookies.delete("refreshToken", { path: "/api/auth" });
+  return text("Logged out", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/auth/refreshToken/+server.ts
+++ b/src/routes/api/auth/refreshToken/+server.ts
@@ -1,18 +1,20 @@
-import { error, json } from "@sveltejs/kit";
-import { refreshToken } from "$lib/server/services/auth";
+import { error, text } from "@sveltejs/kit";
+import { refreshTokens } from "$lib/server/services/auth";
 import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ cookies }) => {
  const token = cookies.get("refreshToken");
-  if (!token) error(401, "Token not found");
+  if (!token) error(401, "Refresh token not found");

-  const { accessToken, refreshToken: newToken } = await refreshToken(token.trim());
+  const { accessToken, refreshToken } = await refreshTokens(token.trim());

-  cookies.set("refreshToken", newToken, {
-    path: "/api/auth",
-    httpOnly: true,
-    secure: true,
+  cookies.set("accessToken", accessToken, {
+    path: "/",
    sameSite: "strict",
  });
-  return json({ accessToken });
+  cookies.set("refreshToken", refreshToken, {
+    path: "/api/auth",
+    sameSite: "strict",
+  });
+  return text("Token refreshed", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/key/register/+server.ts
+++ b/src/routes/api/key/register/+server.ts
@@ -4,7 +4,7 @@ import { authenticate } from "$lib/server/modules/auth";
 import { registerPubKey } from "$lib/server/services/key";
 import type { RequestHandler } from "./$types";

-export const POST: RequestHandler = async ({ request }) => {
+export const POST: RequestHandler = async ({ request, cookies }) => {
  const zodRes = z
    .object({
      pubKey: z.string().base64().nonempty(),
@@ -12,7 +12,7 @@ export const POST: RequestHandler = async ({ request }) => {
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");

-  const { userId, clientId } = authenticate(request);
+  const { userId, clientId } = authenticate(cookies);
  if (clientId) {
    error(403, "Forbidden");
  }