Dev

src/common/config/index.js

@@ -12,6 +12,7 @@ const conf = {
     // server
     port: process.env.PORT,
     corsWhiteList: process.env.CORS_WHITELIST,
+    corsUserAgent: process.env.CORS_USERAGENT,
 
     // database
     mongoURL: process.env.MONGO_URL,

src/common/modules/express/index.js

@@ -24,14 +24,28 @@ module.exports = expressLoader = (app) => {
         next();
     });
 
+    // Content Security Policy 설정, 위 난수 활용
+    app.use((req, res, next) => {
+        res.setHeader('Content-Security-Policy', `script-src 'self' 'nonce-${res.locals.nonce}';`);
+        next();
+    });
+
     // CORS 설정
     app.use((req, res, next) => {
         cors({
             credentials: true,
             origin: (origin, callback) => {
-                if (origin === undefined || (origin && conf.corsWhiteList?.indexOf(origin) !== -1)) {
+                if (
+                    // whitelist에 있는 origin 허용
+                    (origin && conf.corsWhiteList.indexOf(origin) !== -1) ||
+                    // postman 허용
+                    (!origin &&
+                        conf.corsUserAgent.split(',').some((agent) => req.headers['user-agent'].includes(agent)))
+                ) {
                     return callback(null, true);
                 }
+
+                console.error(`Blocked CORS request from: ${origin}`);
                 callback(new Error('CORS ERROR'));
             },
         })(req, res, next);

src/routes/user/user.controller.js

@@ -103,7 +103,7 @@ exports.localLogin = async (req, res, next) => {
             const accessToken = generateAccessToken(user);
             const refreshToken = generateRefreshToken(user);
 
-            await redisClient.set(user.email, refreshToken);
+            await redisClient.set(user.email, refreshToken, 'EX', 60 * 60 * 12);
 
             res.cookie('refreshToken', refreshToken, config.cookieInRefreshTokenOptions);
 
@@ -137,9 +137,8 @@ exports.kakaoLogin = async (req, res) => {
 
         const accessToken = generateAccessToken(user);
         const refreshToken = generateRefreshToken(user);
-        console.log(user.email);
-        const re = await redisClient.set(user.email, refreshToken);
-        console.log('hh', re);
+
+        await redisClient.set(user.email, refreshToken, 'EX', 60 * 60 * 12);
         res.cookie('refreshToken', refreshToken, config.cookieInRefreshTokenOptions);
 
         sendResponse.ok(res, {
@@ -172,6 +171,9 @@ exports.refreshToken = async (req, res) => {
             const storedRefreshToken = await redisClient.get(user.email);
 
             if (storedRefreshToken !== refreshToken) {
+                console.error('Refresh token mismatch');
+                await redisClient.del(user.email);
+                res.clearCookie('refreshToken', config.cookieInRefreshTokenDeleteOptions);
                 return sendResponse.unAuthorized(res, {
                     message: ErrorMessage.REFRESH_TOKEN_MISMATCH,
                 });
@@ -188,7 +190,7 @@ exports.refreshToken = async (req, res) => {
                 email: user.email,
             });
 
-            await redisClient.set(user.email, newRefreshToken);
+            await redisClient.set(user.email, newRefreshToken, 'EX', 60 * 60 * 12);
             res.cookie('refreshToken', newRefreshToken, config.cookieInRefreshTokenOptions);
 
             sendResponse.ok(res, {