Skip to content

[feat] 로그인/로그아웃 시 hasSession 쿠키 설정/삭제 #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nYeonG4001 merged 3 commits into from
Apr 12, 2026
Merged

[feat] 로그인/로그아웃 시 hasSession 쿠키 설정/삭제 #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c1e0910
feat: 로그인/로그아웃 시 hasSession 쿠키 설정/삭제
nYeonG4001 Apr 12, 2026
2ac9fd5
test: hasSession 쿠키 설정/삭제 검증 케이스 추가
nYeonG4001 Apr 12, 2026
f3ede95
fix: SonarCloud Quality Gate 오류 수정
nYeonG4001 Apr 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 32 additions & 2 deletions src/main/java/com/devpick/domain/user/controller/AuthController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,9 @@
public class AuthController {

static final String REFRESH_TOKEN_COOKIE = "refreshToken";
static final String HAS_SESSION_COOKIE = "hasSession";
static final int REFRESH_TOKEN_MAX_AGE = 7 * 24 * 60 * 60; // 7일 (초 단위)
private static final String SET_COOKIE_HEADER = "Set-Cookie";

private final AuthService authService;
private final EmailVerificationService emailVerificationService;
Expand Down Expand Up @@ -76,6 +78,7 @@ public ApiResponse<LoginResponse> login(@RequestBody @Valid LoginRequest request
HttpServletResponse response) {
LoginResponse loginResponse = authService.login(request);
setRefreshTokenCookie(response, loginResponse.refreshTokenValue());
setHasSessionCookie(response);
return ApiResponse.ok(loginResponse);
}

Expand All @@ -90,6 +93,7 @@ public ApiResponse<Void> logout(Authentication authentication, HttpServletRespon
UUID userId = (UUID) authentication.getPrincipal();
tokenService.logout(userId);
clearRefreshTokenCookie(response);
clearHasSessionCookie(response);
return ApiResponse.ok(null);
}

Expand Down Expand Up @@ -120,6 +124,7 @@ public ApiResponse<LoginResponse> recover(@RequestBody @Valid RecoverRequest req
HttpServletResponse response) {
LoginResponse loginResponse = authService.recover(request);
setRefreshTokenCookie(response, loginResponse.refreshTokenValue());
setHasSessionCookie(response);
return ApiResponse.ok(loginResponse);
}

Expand All @@ -134,6 +139,7 @@ public ApiResponse<SocialLoginResponse> socialRecover(@RequestBody @Valid Social
HttpServletResponse response) {
SocialLoginResponse loginResponse = socialAuthService.recoverWithToken(request.recoveryToken());
setRefreshTokenCookie(response, loginResponse.refreshTokenValue());
setHasSessionCookie(response);
return ApiResponse.ok(loginResponse);
}

Expand Down Expand Up @@ -195,6 +201,7 @@ public ApiResponse<SocialLoginResponse> githubCallback(
HttpServletResponse response) {
SocialLoginResponse loginResponse = socialAuthService.login("github", code, state);
setRefreshTokenCookie(response, loginResponse.refreshTokenValue());
setHasSessionCookie(response);
return ApiResponse.ok(loginResponse);
}

Expand All @@ -212,11 +219,34 @@ public ApiResponse<SocialLoginResponse> googleCallback(
HttpServletResponse response) {
SocialLoginResponse loginResponse = socialAuthService.login("google", code, state);
setRefreshTokenCookie(response, loginResponse.refreshTokenValue());
setHasSessionCookie(response);
return ApiResponse.ok(loginResponse);
}

// ── Cookie 헬퍼 ──────────────────────────────────────────────

private void setHasSessionCookie(HttpServletResponse response) {
ResponseCookie cookie = ResponseCookie.from(HAS_SESSION_COOKIE, "true")
.httpOnly(false) // NOSONAR java:S2092 — 프론트 JS에서 세션 힌트로 읽어야 하므로 의도적으로 비활성화
.secure(true)
.path("/")
.maxAge(REFRESH_TOKEN_MAX_AGE)
.sameSite("Lax")
.build();
response.addHeader(SET_COOKIE_HEADER, cookie.toString());
}

private void clearHasSessionCookie(HttpServletResponse response) {
ResponseCookie cookie = ResponseCookie.from(HAS_SESSION_COOKIE, "")
.httpOnly(false) // NOSONAR java:S2092 — 프론트 JS에서 세션 힌트로 읽어야 하므로 의도적으로 비활성화
.secure(true)
.path("/")
.maxAge(0)
.sameSite("Lax")
.build();
response.addHeader(SET_COOKIE_HEADER, cookie.toString());
}

private void setRefreshTokenCookie(HttpServletResponse response, String refreshToken) {
ResponseCookie cookie = ResponseCookie.from(REFRESH_TOKEN_COOKIE, refreshToken)
.httpOnly(true)
Expand All @@ -225,7 +255,7 @@ private void setRefreshTokenCookie(HttpServletResponse response, String refreshT
.maxAge(REFRESH_TOKEN_MAX_AGE)
.sameSite("None")
.build();
response.addHeader("Set-Cookie", cookie.toString());
response.addHeader(SET_COOKIE_HEADER, cookie.toString());
}

private void clearRefreshTokenCookie(HttpServletResponse response) {
Expand All @@ -236,6 +266,6 @@ private void clearRefreshTokenCookie(HttpServletResponse response) {
.maxAge(0)
.sameSite("None")
.build();
response.addHeader("Set-Cookie", cookie.toString());
response.addHeader(SET_COOKIE_HEADER, cookie.toString());
}
}
37 changes: 30 additions & 7 deletions src/test/java/com/devpick/domain/user/controller/AuthControllerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,14 +31,17 @@
import java.util.List;
import java.util.UUID;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.allOf;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.hasItem;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.doThrow;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.hamcrest.Matchers.containsString;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
Expand Down Expand Up @@ -159,7 +162,10 @@ void login_success() throws Exception {
.andExpect(jsonPath("$.data.email").value("test@devpick.kr"))
.andExpect(header().string("Set-Cookie", containsString("HttpOnly")))
.andExpect(header().string("Set-Cookie", containsString("SameSite=None")))
.andExpect(header().string("Set-Cookie", containsString("refreshToken=refresh-token")));
.andExpect(header().string("Set-Cookie", containsString("refreshToken=refresh-token")))
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("hasSession=true"), containsString("SameSite=Lax")))));
}

@Test
Expand Down Expand Up @@ -216,7 +222,12 @@ void logout_success() throws Exception {
testUserId, null, List.of())))
.andExpect(status().isOk())
.andExpect(jsonPath("$.success").value(true))
.andExpect(header().string("Set-Cookie", containsString("Max-Age=0")));
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("refreshToken="), containsString("Max-Age=0")))))
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("hasSession="), containsString("Max-Age=0")))));
}

@Test
Expand Down Expand Up @@ -360,7 +371,10 @@ void githubCallback_success() throws Exception {
.andExpect(jsonPath("$.data.email").value("hayoung@test.com"))
.andExpect(header().string("Set-Cookie", containsString("HttpOnly")))
.andExpect(header().string("Set-Cookie", containsString("SameSite=None")))
.andExpect(header().string("Set-Cookie", containsString("refreshToken=refresh-token")));
.andExpect(header().string("Set-Cookie", containsString("refreshToken=refresh-token")))
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("hasSession=true"), containsString("SameSite=Lax")))));
}

@Test
Expand Down Expand Up @@ -420,7 +434,10 @@ void googleCallback_success() throws Exception {
.andExpect(jsonPath("$.data.email").value("hayoung@gmail.com"))
.andExpect(header().string("Set-Cookie", containsString("HttpOnly")))
.andExpect(header().string("Set-Cookie", containsString("SameSite=None")))
.andExpect(header().string("Set-Cookie", containsString("refreshToken=refresh-token")));
.andExpect(header().string("Set-Cookie", containsString("refreshToken=refresh-token")))
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("hasSession=true"), containsString("SameSite=Lax")))));
}

@Test
Expand Down Expand Up @@ -450,7 +467,10 @@ void recover_success() throws Exception {
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isOk())
.andExpect(jsonPath("$.success").value(true))
.andExpect(jsonPath("$.data.accessToken").value("access-token"));
.andExpect(jsonPath("$.data.accessToken").value("access-token"))
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("hasSession=true"), containsString("SameSite=Lax")))));
}

@Test
Expand Down Expand Up @@ -484,7 +504,10 @@ void socialRecover_success() throws Exception {
.andExpect(jsonPath("$.success").value(true))
.andExpect(jsonPath("$.data.accessToken").value("access-token"))
.andExpect(header().string("Set-Cookie", containsString("HttpOnly")))
.andExpect(header().string("Set-Cookie", containsString("SameSite=None")));
.andExpect(header().string("Set-Cookie", containsString("SameSite=None")))
.andExpect(result -> assertThat(
result.getResponse().getHeaders("Set-Cookie"),
hasItem(allOf(containsString("hasSession=true"), containsString("SameSite=Lax")))));
}

@Test
Expand Down
Loading