chore(auth): Cookie secure 비활성화

snack-game · Nov 19, 2024 · ec8c2fc · ec8c2fc
1 parent 63c465a
commit ec8c2fc
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/src/main/java/com/snackgame/server/auth/oauth/config/OAuthConfig.java b/src/main/java/com/snackgame/server/auth/oauth/config/OAuthConfig.java
@@ -1,5 +1,7 @@
 package com.snackgame.server.auth.oauth.config;
 
+import java.net.URI;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
@@ -9,6 +11,9 @@
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
+import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 
 import com.snackgame.server.auth.oauth.OAuthFailureHandler;
 import com.snackgame.server.auth.oauth.OAuthSuccessHandler;
@@ -32,7 +37,11 @@ public SecurityFilterChain oAuth2FilterChain(HttpSecurity http) throws Exception
         http.removeConfigurer(DefaultLoginPageConfigurer.class);
         return http
                 .csrf().disable()
-                .headers(configurer -> configurer.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
+                .headers(configurer -> configurer.frameOptions(
+                        frameOptionsConfig -> frameOptionsConfig.disable().addHeaderWriter(
+                                new ContentSecurityPolicyHeaderWriter(
+                                        "frame-ancestors 'self' https://dev.vingle.kr https://dev.snackga.me;")
+                        )))
                 .addFilterBefore(
                         new SessionOAuthRequestStoringFilter(),
                         OAuth2AuthorizationRequestRedirectFilter.class

diff --git a/src/main/java/com/snackgame/server/auth/token/support/TokenToCookies.java b/src/main/java/com/snackgame/server/auth/token/support/TokenToCookies.java
@@ -1,5 +1,9 @@
 package com.snackgame.server.auth.token.support;
 
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseCookie;
 import org.springframework.stereotype.Component;
 
@@ -9,25 +13,40 @@
 import lombok.RequiredArgsConstructor;
 
 @Component
-@RequiredArgsConstructor
 public class TokenToCookies {
 
     private static final String EMPTY = "";
     private static final String SAME_SITE_OPTION = "None";
 
     private final JwtProvider accessTokenProvider;
     private final JwtProvider refreshTokenProvider;
+    private final String environment;
+
+    public TokenToCookies(
+            JwtProvider accessTokenProvider,
+            JwtProvider refreshTokenProvider,
+            @Value("${spring.profiles.active}")
+            String environment
+    ) {
+        this.accessTokenProvider = accessTokenProvider;
+        this.refreshTokenProvider = refreshTokenProvider;
+        this.environment = environment;
+    }
 
     public String[] from(TokensDto tokens) {
-        return new String[] {
+        List<String> cookies = new ArrayList<>(List.of(
                 baseCookieFrom(accessTokenProvider.getCanonicalName(), tokens.getAccessToken())
                         .path("/")
                         .build().toString(),
                 baseCookieFrom(refreshTokenProvider.getCanonicalName(), tokens.getRefreshToken())
                         .path("/tokens/me")
                         .build()
                         .toString()
-        };
+        ));
+        if (environment.equals("dev")) {
+
+        }
+        return cookies.toArray(new String[0]);
     }
 
     public String[] empty() {

diff --git a/src/main/java/com/snackgame/server/config/WebMvcConfig.java b/src/main/java/com/snackgame/server/config/WebMvcConfig.java
@@ -39,6 +39,8 @@ public void addCorsMappings(CorsRegistry registry) {
                         "https://dev." + HOST_NAME,
                         "https://dev-api." + HOST_NAME,
                         "https://*snack-game.vercel.app",
+                        "https://dev.vingle.kr",
+                        "https://vingle.kr",
                         "http://localhost:[*]"
                 )
                 .allowedMethods("GET", "POST", "DELETE", "PUT", "PATCH")