Feat: 회원탈퇴 구현

build.gradle.kts

@@ -31,6 +31,8 @@ dependencies {
     implementation(libs.jetbrains.annotations)
     implementation(libs.springdoc)
 
+    implementation(libs.bcpkix)
+
     // JWT
     implementation(libs.jjwt.api)
     runtimeOnly(libs.jjwt.impl)

gradle/libs.versions.toml

@@ -18,6 +18,8 @@ spring-boot-devtools = { group = "org.springframework.boot", name = "spring-boot
 spring-boot-starter-test = { group = "org.springframework.boot", name = "spring-boot-starter-test", version.ref = "spring-boot" }
 spring-boot-testcontainers = { group = "org.springframework.boot", name = "spring-boot-testcontainers", version.ref = "spring-boot" }
 
+bcpkix = {group= "org.bouncycastle", name = "bcpkix-jdk18on", version = "1.78.1" }
+
 lombok = { group = "org.projectlombok", name = "lombok", version = "1.18.34" }
 dotenv = { group = "me.paulschwarz", name = "spring-dotenv", version = "4.0.0" }
 jetbrains-annotations = { group = "org.jetbrains", name = "annotations", version = "24.1.0" }

src/main/java/com/dnd/runus/auth/oidc/provider/OidcProvider.java

@@ -17,6 +17,10 @@ public interface OidcProvider {
 
     Claims getClaimsBy(String idToken);
 
+    String getAccessToken(String code);
+
+    void revoke(String accessToken);
+
     default Map<String, String> parseHeaders(String token) {
         String header = token.split("\\.")[0];
 

src/main/java/com/dnd/runus/auth/oidc/provider/OidcProviderFactory.java

@@ -23,12 +23,24 @@ public OidcProviderFactory(List<OidcProvider> providers) {
     }
 
     public Claims getClaims(SocialType socialType, String idToken) {
+        return getOidcProviderBy(socialType).getClaimsBy(idToken);
+    }
+
+    public String getAccessToken(SocialType socialType, String code) {
+        return getOidcProviderBy(socialType).getAccessToken(code);
+    }
+
+    public void revoke(SocialType socialType, String accessToken) {
+        getOidcProviderBy(socialType).revoke(accessToken);
+    }
+
+    private OidcProvider getOidcProviderBy(SocialType socialType) {
         OidcProvider oidcProvider = authProviderMap.get(socialType);
 
         if (isNull(oidcProvider)) {
             throw new BusinessException(ErrorType.UNSUPPORTED_SOCIAL_TYPE, socialType.getValue());
         }
 
-        return oidcProvider.getClaimsBy(idToken);
+        return oidcProvider;
     }
 }

src/main/java/com/dnd/runus/auth/oidc/provider/impl/AppleAuthProvider.java

@@ -3,19 +3,38 @@
 import com.dnd.runus.auth.exception.AuthException;
 import com.dnd.runus.auth.oidc.provider.OidcProvider;
 import com.dnd.runus.auth.oidc.provider.PublicKeyProvider;
+import com.dnd.runus.client.vo.AppleAuthRevokeRequest;
+import com.dnd.runus.client.vo.AppleAuthTokenRequest;
 import com.dnd.runus.client.vo.OidcPublicKeyList;
 import com.dnd.runus.client.web.AppleAuthClient;
 import com.dnd.runus.global.constant.SocialType;
+import com.dnd.runus.global.exception.BusinessException;
 import com.dnd.runus.global.exception.type.ErrorType;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.Jwts.SIG;
 import io.jsonwebtoken.MalformedJwtException;
 import io.jsonwebtoken.security.SignatureException;
 import lombok.RequiredArgsConstructor;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.stereotype.Component;
+import org.springframework.web.client.HttpClientErrorException;
 
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Date;
 
 @Component
 @RequiredArgsConstructor
@@ -24,6 +43,15 @@ public class AppleAuthProvider implements OidcProvider {
     private final AppleAuthClient appleAuthClient;
     private final PublicKeyProvider publicKeyProvider;
 
+    @Value("${oauth.apple.key_id}")
+    private String keyId;
+
+    @Value("${oauth.apple.team_id}")
+    private String teamId;
+
+    @Value("${oauth.apple.client_id}")
+    private String clientId;
+
     @Override
     public SocialType getSocialType() {
         return SocialType.APPLE;
@@ -39,6 +67,36 @@ public Claims getClaimsBy(String identityToken) {
         return parseClaims(identityToken, publicKey);
     }
 
+    @Override
+    public String getAccessToken(String code) {
+        try {
+            return appleAuthClient
+                    .getAccessAppleToken(AppleAuthTokenRequest.builder()
+                            .client_secret(createClientSecret())
+                            .client_id(clientId)
+                            .code(code)
+                            .grant_type("authorization_code")
+                            .build())
+                    .access_token();
+        } catch (HttpClientErrorException e) {
+            throw new BusinessException(ErrorType.FAILED_AUTHENTICATION, e.getMessage());
+        }
+    }
+
+    @Override
+    public void revoke(String accessToken) {
+        try {
+            appleAuthClient.revokeAccount(AppleAuthRevokeRequest.builder()
+                    .client_id(clientId)
+                    .client_secret(createClientSecret())
+                    .token(accessToken)
+                    .token_type_hint("access_token")
+                    .build());
+        } catch (HttpClientErrorException e) {
+            throw new BusinessException(ErrorType.FAILED_AUTHENTICATION, e.getMessage());
+        }
+    }
+
     private Claims parseClaims(String token, PublicKey publicKey) {
         try {
             return Jwts.parser()
@@ -53,4 +111,57 @@ private Claims parseClaims(String token, PublicKey publicKey) {
             throw new AuthException(ErrorType.EXPIRED_ACCESS_TOKEN, e.getMessage());
         }
     }
+
+    private void validateClaims(Claims claims) {
+        // todo 4가지 검증 추가
+        // 1. Verify the nonce for the authentication
+        // 2. Verify that the iss field contains https://appleid.apple.com
+        // 3. Verify that the aud field is the developer’s client_id
+        // 4. Verify that the time is earlier than the exp value of the token
+        // nonce 검증 방법 알아보기
+        //        if(claims.get("nonce") == null) {
+        //            throw new AuthException(ErrorType.TAMPERED_ACCESS_TOKEN,
+        //        }
+        //        if (!claims.getIssuer().contains("https://appleid.apple.com")) {
+        //            throw new AuthException(ErrorType.TAMPERED_ACCESS_TOKEN, "잘못된 iss");
+        //        }
+    }
+
+    private PrivateKey getPrivateKey() {
+        ClassPathResource resource = new ClassPathResource("AuthKey_" + keyId + ".p8");
+        try {
+            String privateKey = new String(Files.readAllBytes(Paths.get(resource.getURI())));
+            Reader pemReader = new StringReader(privateKey);
+            PEMParser pemParser = new PEMParser(pemReader);
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            PrivateKeyInfo object = (PrivateKeyInfo) pemParser.readObject();
+
+            converter.getPrivateKey(object);
+            return converter.getPrivateKey(object);
+        } catch (IOException e) {
+            throw new BusinessException(ErrorType.UNHANDLED_EXCEPTION, e.getMessage());
+        }
+    }
+
+    private String createClientSecret() {
+        Date expirationDate = Date.from(LocalDateTime.now()
+                .plusMinutes(10)
+                .atZone(ZoneId.systemDefault())
+                .toInstant());
+
+        return Jwts.builder()
+                .header()
+                .add("kid", keyId)
+                .add("alg", "ES256")
+                .and()
+                .issuer(teamId)
+                .issuedAt(new Date(System.currentTimeMillis()))
+                .expiration(expirationDate)
+                .audience()
+                .add("https://appleid.apple.com")
+                .and()
+                .subject(clientId)
+                .signWith(getPrivateKey(), SIG.ES256)
+                .compact();
+    }
 }

src/main/java/com/dnd/runus/client/vo/AppleAuthRevokeRequest.java

@@ -0,0 +1,24 @@
+package com.dnd.runus.client.vo;
+
+
+import lombok.Builder;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+@Builder
+public record AppleAuthRevokeRequest(
+    String client_id,
+    String client_secret,
+    String token,
+    String token_type_hint
+) {
+    public MultiValueMap<String, String> toMultiValueMap() {
+        MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
+        params.add("client_id", client_id);
+        params.add("client_secret", client_secret);
+        params.add("token", token);
+        params.add("token_type_hint", token_type_hint);
+
+        return params;
+    }
+}

src/main/java/com/dnd/runus/client/vo/AppleAuthTokenRequest.java

@@ -0,0 +1,24 @@
+package com.dnd.runus.client.vo;
+
+import lombok.Builder;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+@Builder
+public record AppleAuthTokenRequest(
+    String code,
+    String client_id,
+    String client_secret,
+    String grant_type
+) {
+
+    public MultiValueMap<String, String> toMultiValueMap() {
+        MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
+        params.add("code", code);
+        params.add("client_id", client_id);
+        params.add("client_secret", client_secret);
+        params.add("grant_type", grant_type);
+
+        return params;
+    }
+}

src/main/java/com/dnd/runus/client/vo/AppleAuthTokenResponse.java

@@ -0,0 +1,13 @@
+package com.dnd.runus.client.vo;
+
+
+public record AppleAuthTokenResponse(
+    String access_token,
+    String expires_in,
+    String id_token,
+    String refresh_token,
+    String token_type,
+    String error
+) {
+
+}

src/main/java/com/dnd/runus/client/web/AppleAuthClient.java

@@ -1,5 +1,8 @@
 package com.dnd.runus.client.web;
 
+import com.dnd.runus.client.vo.AppleAuthRevokeRequest;
+import com.dnd.runus.client.vo.AppleAuthTokenRequest;
+import com.dnd.runus.client.vo.AppleAuthTokenResponse;
 import com.dnd.runus.client.vo.OidcPublicKeyList;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Component;
@@ -13,4 +16,12 @@ public class AppleAuthClient {
     public OidcPublicKeyList getPublicKeys() {
         return appleAuthClientComponent.getPublicKeys();
     }
+
+    public AppleAuthTokenResponse getAccessAppleToken(AppleAuthTokenRequest request) {
+        return appleAuthClientComponent.getAccessAppleToken(request.toMultiValueMap());
+    }
+
+    public void revokeAccount(AppleAuthRevokeRequest request) {
+        appleAuthClientComponent.revoke(request.toMultiValueMap());
+    }
 }

src/main/java/com/dnd/runus/client/web/AppleAuthClientComponent.java

@@ -1,13 +1,31 @@
 package com.dnd.runus.client.web;
 
+import com.dnd.runus.client.vo.AppleAuthTokenResponse;
 import com.dnd.runus.client.vo.OidcPublicKeyList;
+import org.springframework.http.MediaType;
 import org.springframework.stereotype.Component;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.service.annotation.GetExchange;
 import org.springframework.web.service.annotation.HttpExchange;
+import org.springframework.web.service.annotation.PostExchange;
 
 @Component
 @HttpExchange
 public interface AppleAuthClientComponent {
+
     @GetExchange("/keys")
     OidcPublicKeyList getPublicKeys();
+
+    @PostExchange(
+            url = "/token",
+            contentType = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+            accept = MediaType.APPLICATION_JSON_VALUE)
+    AppleAuthTokenResponse getAccessAppleToken(@RequestBody MultiValueMap<String, String> request);
+
+    @PostExchange(
+            url = "/revoke",
+            contentType = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+            accept = MediaType.APPLICATION_JSON_VALUE)
+    void revoke(@RequestBody MultiValueMap<String, String> request);
 }

src/main/java/com/dnd/runus/domain/badge/BadgeAchievement.java

@@ -4,4 +4,9 @@
 
 import java.time.OffsetDateTime;
 
-public record BadgeAchievement(Badge badge, Member member, OffsetDateTime createdAt, OffsetDateTime updatedAt) {}
+public record BadgeAchievement(Badge badge, Member member, OffsetDateTime createdAt, OffsetDateTime updatedAt) {
+
+    public BadgeAchievement(Badge badge, Member member) {
+        this(badge, member, null, null);
+    }
+}

src/main/java/com/dnd/runus/domain/badge/BadgeAchievementRepository.java

@@ -0,0 +1,6 @@
+package com.dnd.runus.domain.badge;
+
+public interface BadgeAchievementRepository {
+
+    void deleteByMemberId(long memberId);
+}

src/main/java/com/dnd/runus/domain/member/MemberLevelRepository.java

@@ -0,0 +1,6 @@
+package com.dnd.runus.domain.member;
+
+public interface MemberLevelRepository {
+
+    void deleteByMemberId(long memberId);
+}

src/main/java/com/dnd/runus/domain/member/MemberRepository.java

@@ -6,4 +6,6 @@ public interface MemberRepository {
     Optional<Member> findById(long id);
 
     Member save(Member member);
+
+    void deleteById(long memberId);
 }

src/main/java/com/dnd/runus/domain/member/SocialProfileRepository.java

@@ -5,11 +5,14 @@
 import java.util.Optional;
 
 public interface SocialProfileRepository {
+
     Optional<SocialProfile> findById(Long socialProfileId);
 
     Optional<SocialProfile> findBySocialTypeAndOauthId(SocialType socialType, String oauthId);
 
     SocialProfile save(SocialProfile socialProfile);
 
     void updateOauthEmail(long socialProfileId, String oauthEmail);
+
+    void deleteByMemberId(long memberId);
 }

src/main/java/com/dnd/runus/domain/oauth/controller/OauthController.java

@@ -1,10 +1,12 @@
 package com.dnd.runus.domain.oauth.controller;
 
 import com.dnd.runus.domain.oauth.dto.request.OauthRequest;
+import com.dnd.runus.domain.oauth.dto.request.WithdrawRequest;
 import com.dnd.runus.domain.oauth.dto.response.TokenResponse;
 import com.dnd.runus.domain.oauth.service.OauthService;
 import com.dnd.runus.global.exception.type.ApiErrorType;
 import com.dnd.runus.global.exception.type.ErrorType;
+import com.dnd.runus.presentation.annotation.MemberId;
 import io.swagger.v3.oas.annotations.Operation;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
@@ -30,4 +32,9 @@ public class OauthController {
     public TokenResponse signIn(@Valid @RequestBody OauthRequest request) {
         return oauthService.signIn(request);
     }
+
+    @PostMapping("/withdraw")
+    public void withdraw(@MemberId long memberId, @Valid @RequestBody WithdrawRequest request) {
+        oauthService.withdraw(memberId, request);
+    }
 }