Feat: 회원탈퇴 구현

.gitignore

@@ -44,3 +44,5 @@ out/
 **/resources/.env
 **/resources/.env.*
 !**/resources/.env.example
+
+**/resources/*.p8

build.gradle.kts

@@ -31,6 +31,8 @@ dependencies {
     implementation(libs.jetbrains.annotations)
     implementation(libs.springdoc)
 
+    implementation(libs.bcpkix)
+
     // JWT
     implementation(libs.jjwt.api)
     runtimeOnly(libs.jjwt.impl)

gradle/libs.versions.toml

@@ -18,6 +18,8 @@ spring-boot-devtools = { group = "org.springframework.boot", name = "spring-boot
 spring-boot-starter-test = { group = "org.springframework.boot", name = "spring-boot-starter-test", version.ref = "spring-boot" }
 spring-boot-testcontainers = { group = "org.springframework.boot", name = "spring-boot-testcontainers", version.ref = "spring-boot" }
 
+bcpkix = {group= "org.bouncycastle", name = "bcpkix-jdk18on", version = "1.78.1" }
+
 lombok = { group = "org.projectlombok", name = "lombok", version = "1.18.34" }
 dotenv = { group = "me.paulschwarz", name = "spring-dotenv", version = "4.0.0" }
 jetbrains-annotations = { group = "org.jetbrains", name = "annotations", version = "24.1.0" }

src/main/java/com/dnd/runus/domain/oauth/service/OauthService.java → src/main/java/com/dnd/runus/application/oauth/OauthService.java

@@ -1,18 +1,24 @@
-package com.dnd.runus.domain.oauth.service;
+package com.dnd.runus.application.oauth;
 
 import com.dnd.runus.auth.exception.AuthException;
+import com.dnd.runus.auth.oidc.provider.OidcProvider;
 import com.dnd.runus.auth.oidc.provider.OidcProviderFactory;
 import com.dnd.runus.auth.token.TokenProviderModule;
 import com.dnd.runus.auth.token.dto.AuthTokenDto;
+import com.dnd.runus.domain.badge.BadgeAchievementRepository;
 import com.dnd.runus.domain.member.Member;
+import com.dnd.runus.domain.member.MemberLevelRepository;
 import com.dnd.runus.domain.member.MemberRepository;
 import com.dnd.runus.domain.member.SocialProfile;
 import com.dnd.runus.domain.member.SocialProfileRepository;
-import com.dnd.runus.domain.oauth.dto.request.OauthRequest;
-import com.dnd.runus.domain.oauth.dto.response.TokenResponse;
+import com.dnd.runus.domain.running.RunningRecordRepository;
 import com.dnd.runus.global.constant.MemberRole;
 import com.dnd.runus.global.constant.SocialType;
+import com.dnd.runus.global.exception.NotFoundException;
 import com.dnd.runus.global.exception.type.ErrorType;
+import com.dnd.runus.presentation.v1.oauth.dto.request.OauthRequest;
+import com.dnd.runus.presentation.v1.oauth.dto.request.WithdrawRequest;
+import com.dnd.runus.presentation.v1.oauth.dto.response.TokenResponse;
 import io.jsonwebtoken.Claims;
 import io.micrometer.common.util.StringUtils;
 import lombok.RequiredArgsConstructor;
@@ -30,6 +36,9 @@ public class OauthService {
 
     private final MemberRepository memberRepository;
     private final SocialProfileRepository socialProfileRepository;
+    private final BadgeAchievementRepository badgeAchievementRepository;
+    private final RunningRecordRepository runningRecordRepository;
+    private final MemberLevelRepository memberLevelRepository;
 
     /**
      * 회원가입 유뮤 확인 후 회원가입/로그인 진행
@@ -39,8 +48,9 @@ public class OauthService {
      */
     @Transactional
     public TokenResponse signIn(OauthRequest request) {
+        OidcProvider oidcProvider = oidcProviderFactory.getOidcProviderBy(request.socialType());
 
-        Claims claim = oidcProviderFactory.getClaims(request.socialType(), request.idToken());
+        Claims claim = oidcProvider.getClaimsBy(request.idToken());
         String oauthId = claim.getSubject();
         String email = String.valueOf(claim.get("email"));
         if (StringUtils.isBlank(email)) {
@@ -64,6 +74,36 @@ public TokenResponse signIn(OauthRequest request) {
         return TokenResponse.from(tokenDto);
     }
 
+    @Transactional
+    public void withdraw(long memberId, WithdrawRequest request) {
+
+        memberRepository.findById(memberId).orElseThrow(() -> new NotFoundException(Member.class, memberId));
+
+        OidcProvider oidcProvider = oidcProviderFactory.getOidcProviderBy(request.socialType());
+
+        // 토큰 검증 -> 애플 지침
+        Claims claim = oidcProvider.getClaimsBy(request.idToken());
+        String oauthId = claim.getSubject();
+
+        SocialProfile socialProfile = socialProfileRepository
+                .findBySocialTypeAndOauthId(request.socialType(), oauthId)
+                .orElseThrow(() -> new NotFoundException("존재하지 않은 SocialProfile"));
+
+        if (memberId != socialProfile.member().memberId()) {
+            log.error(
+                    "MemberId and MemberId find by SocialProfile oauthId do not match each other! memberId: {}, socialProfileId: {}",
+                    memberId,
+                    socialProfile.socialProfileId());
+            throw new NotFoundException("잘못된 데이터: Member and SocialProfile do not match each other");
+        }
+
+        // 탈퇴를 위한 access token 발급
+        String accessToken = oidcProvider.getAccessToken(request.authorizationCode());
+        oidcProvider.revoke(accessToken);
+
+        deleteMember(memberId);
+    }
+
     private SocialProfile createMember(String oauthId, String email, SocialType socialType, String nickname) {
         Member member = memberRepository.save(new Member(MemberRole.USER, nickname));
 
@@ -74,4 +114,12 @@ private SocialProfile createMember(String oauthId, String email, SocialType soci
                 .oauthEmail(email)
                 .build());
     }
+
+    private void deleteMember(long memberId) {
+        badgeAchievementRepository.deleteByMemberId(memberId);
+        runningRecordRepository.deleteByMemberId(memberId);
+        memberLevelRepository.deleteByMemberId(memberId);
+        socialProfileRepository.deleteByMemberId(memberId);
+        memberRepository.deleteById(memberId);
+    }
 }

src/main/java/com/dnd/runus/auth/oidc/provider/OidcProvider.java

@@ -17,6 +17,14 @@ public interface OidcProvider {
 
     Claims getClaimsBy(String idToken);
 
+    String getAccessToken(String code);
+
+    /**
+     *
+     * @param accessToken 엑세스토큰
+     */
+    void revoke(String accessToken);
+
     default Map<String, String> parseHeaders(String token) {
         String header = token.split("\\.")[0];
 

src/main/java/com/dnd/runus/auth/oidc/provider/OidcProviderFactory.java

@@ -3,7 +3,6 @@
 import com.dnd.runus.global.constant.SocialType;
 import com.dnd.runus.global.exception.BusinessException;
 import com.dnd.runus.global.exception.type.ErrorType;
-import io.jsonwebtoken.Claims;
 import org.springframework.stereotype.Component;
 
 import java.util.EnumMap;
@@ -22,13 +21,13 @@ public OidcProviderFactory(List<OidcProvider> providers) {
         providers.forEach(provider -> authProviderMap.put(provider.getSocialType(), provider));
     }
 
-    public Claims getClaims(SocialType socialType, String idToken) {
+    public OidcProvider getOidcProviderBy(SocialType socialType) {
         OidcProvider oidcProvider = authProviderMap.get(socialType);
 
         if (isNull(oidcProvider)) {
             throw new BusinessException(ErrorType.UNSUPPORTED_SOCIAL_TYPE, socialType.getValue());
         }
 
-        return oidcProvider.getClaimsBy(idToken);
+        return oidcProvider;
     }
 }

src/main/java/com/dnd/runus/auth/oidc/provider/impl/AppleAuthProvider.java

@@ -3,19 +3,38 @@
 import com.dnd.runus.auth.exception.AuthException;
 import com.dnd.runus.auth.oidc.provider.OidcProvider;
 import com.dnd.runus.auth.oidc.provider.PublicKeyProvider;
+import com.dnd.runus.client.vo.AppleAuthRevokeRequest;
+import com.dnd.runus.client.vo.AppleAuthTokenRequest;
 import com.dnd.runus.client.vo.OidcPublicKeyList;
 import com.dnd.runus.client.web.AppleAuthClient;
 import com.dnd.runus.global.constant.SocialType;
+import com.dnd.runus.global.exception.BusinessException;
 import com.dnd.runus.global.exception.type.ErrorType;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.Jwts.SIG;
 import io.jsonwebtoken.MalformedJwtException;
 import io.jsonwebtoken.security.SignatureException;
 import lombok.RequiredArgsConstructor;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.stereotype.Component;
+import org.springframework.web.client.HttpClientErrorException;
 
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Date;
 
 @Component
 @RequiredArgsConstructor
@@ -24,6 +43,15 @@ public class AppleAuthProvider implements OidcProvider {
     private final AppleAuthClient appleAuthClient;
     private final PublicKeyProvider publicKeyProvider;
 
+    @Value("${oauth.apple.key_id}")
+    private String keyId;
+
+    @Value("${oauth.apple.team_id}")
+    private String teamId;
+
+    @Value("${oauth.apple.client_id}")
+    private String clientId;
+
     @Override
     public SocialType getSocialType() {
         return SocialType.APPLE;
@@ -39,6 +67,36 @@ public Claims getClaimsBy(String identityToken) {
         return parseClaims(identityToken, publicKey);
     }
 
+    @Override
+    public String getAccessToken(String code) {
+        try {
+            return appleAuthClient
+                    .getAccessAppleToken(AppleAuthTokenRequest.builder()
+                            .client_secret(createClientSecret())
+                            .client_id(clientId)
+                            .code(code)
+                            .grant_type("authorization_code")
+                            .build())
+                    .accessToken();
+        } catch (HttpClientErrorException e) {
+            throw new BusinessException(ErrorType.FAILED_AUTHENTICATION, e.getMessage());
+        }
+    }
+
+    @Override
+    public void revoke(String accessToken) {
+        try {
+            appleAuthClient.revokeAccount(AppleAuthRevokeRequest.builder()
+                    .client_id(clientId)
+                    .client_secret(createClientSecret())
+                    .token(accessToken)
+                    .token_type_hint("access_token")
+                    .build());
+        } catch (HttpClientErrorException e) {
+            throw new BusinessException(ErrorType.FAILED_AUTHENTICATION, e.getMessage());
+        }
+    }
+
     private Claims parseClaims(String token, PublicKey publicKey) {
         try {
             return Jwts.parser()
@@ -53,4 +111,57 @@ private Claims parseClaims(String token, PublicKey publicKey) {
             throw new AuthException(ErrorType.EXPIRED_ACCESS_TOKEN, e.getMessage());
         }
     }
+
+    private void validateClaims(Claims claims) {
+        // todo 4가지 검증 추가
+        // 1. Verify the nonce for the authentication
+        // 2. Verify that the iss field contains https://appleid.apple.com
+        // 3. Verify that the aud field is the developer’s client_id
+        // 4. Verify that the time is earlier than the exp value of the token
+        // nonce 검증 방법 알아보기
+        //        if(claims.get("nonce") == null) {
+        //            throw new AuthException(ErrorType.TAMPERED_ACCESS_TOKEN,
+        //        }
+        //        if (!claims.getIssuer().contains("https://appleid.apple.com")) {
+        //            throw new AuthException(ErrorType.TAMPERED_ACCESS_TOKEN, "잘못된 iss");
+        //        }
+    }
+
+    private PrivateKey getPrivateKey() {
+        ClassPathResource resource = new ClassPathResource("AuthKey_" + keyId + ".p8");
+        try {
+            String privateKey = new String(Files.readAllBytes(Paths.get(resource.getURI())));
+            Reader pemReader = new StringReader(privateKey);
+            PEMParser pemParser = new PEMParser(pemReader);
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            PrivateKeyInfo object = (PrivateKeyInfo) pemParser.readObject();
+
+            converter.getPrivateKey(object);
+            return converter.getPrivateKey(object);
+        } catch (IOException e) {
+            throw new BusinessException(ErrorType.UNHANDLED_EXCEPTION, e.getMessage());
+        }
+    }
+
+    private String createClientSecret() {
+        Date expirationDate = Date.from(LocalDateTime.now()
+                .plusMinutes(10)
+                .atZone(ZoneId.systemDefault())
+                .toInstant());
+
+        return Jwts.builder()
+                .header()
+                .add("kid", keyId)
+                .add("alg", "ES256")
+                .and()
+                .issuer(teamId)
+                .issuedAt(new Date(System.currentTimeMillis()))
+                .expiration(expirationDate)
+                .audience()
+                .add("https://appleid.apple.com")
+                .and()
+                .subject(clientId)
+                .signWith(getPrivateKey(), SIG.ES256)
+                .compact();
+    }
 }

src/main/java/com/dnd/runus/client/vo/AppleAuthRevokeRequest.java

@@ -0,0 +1,23 @@
+package com.dnd.runus.client.vo;
+
+
+import lombok.Builder;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+@Builder
+public record AppleAuthRevokeRequest(
+    String client_id,
+    String client_secret,
+    String token,
+    String token_type_hint
+) {
+    public MultiValueMap<String, String> toMultiValueMap() {
+        return new LinkedMultiValueMap<>(){{
+            add("client_id", client_id);
+            add("client_secret", client_secret);
+            add("token", token);
+            add("token_type_hint", token_type_hint);
+        }};
+    }
+}

src/main/java/com/dnd/runus/client/vo/AppleAuthTokenRequest.java

@@ -0,0 +1,23 @@
+package com.dnd.runus.client.vo;
+
+import lombok.Builder;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+@Builder
+public record AppleAuthTokenRequest(
+    String code,
+    String client_id,
+    String client_secret,
+    String grant_type
+) {
+
+    public MultiValueMap<String, String> toMultiValueMap() {
+        return new LinkedMultiValueMap<>(){{
+            add("code", code);
+            add("client_id", client_id);
+            add("client_secret", client_secret);
+                add("grant_type", grant_type);
+        }};
+    }
+}

src/main/java/com/dnd/runus/client/vo/AppleAuthTokenResponse.java

@@ -0,0 +1,16 @@
+package com.dnd.runus.client.vo;
+
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+public record AppleAuthTokenResponse(
+    String accessToken,
+    String expiresIn,
+    String idToken,
+    String refreshToken,
+    String tokenType,
+    String error
+) {
+
+}

src/main/java/com/dnd/runus/client/web/AppleAuthClient.java

@@ -1,5 +1,8 @@
 package com.dnd.runus.client.web;
 
+import com.dnd.runus.client.vo.AppleAuthRevokeRequest;
+import com.dnd.runus.client.vo.AppleAuthTokenRequest;
+import com.dnd.runus.client.vo.AppleAuthTokenResponse;
 import com.dnd.runus.client.vo.OidcPublicKeyList;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Component;
@@ -13,4 +16,12 @@ public class AppleAuthClient {
     public OidcPublicKeyList getPublicKeys() {
         return appleAuthClientComponent.getPublicKeys();
     }
+
+    public AppleAuthTokenResponse getAccessAppleToken(AppleAuthTokenRequest request) {
+        return appleAuthClientComponent.getAccessAppleToken(request.toMultiValueMap());
+    }
+
+    public void revokeAccount(AppleAuthRevokeRequest request) {
+        appleAuthClientComponent.revoke(request.toMultiValueMap());
+    }
 }