-
Notifications
You must be signed in to change notification settings - Fork 0
♻️ [Refactor] SMS 인증 무차별 대입 방어 추가 #137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
c7f2999
✨ feat: RedisUtil에 원자적 increment 메서드 추가
komascode 723cb7e
✨ feat: SMS 인증 시도 횟수 초과 에러코드 추가
komascode 98efdee
♻️ refactor: SMS 인증 무차별 대입 방어 및 로그 노출 제거
komascode 7569673
✨ feat: verifySms 무차별 대입 방어 단위 테스트 추가
komascode a63b6d8
♻️ refactor: 실패 카운터 INCR/TTL을 Lua 스크립트로 원자화
komascode 8c99c82
🐛 fix: 새 인증번호 발급 시 실패 카운터 초기화
komascode File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
167 changes: 167 additions & 0 deletions
167
src/test/java/com/example/scoi/domain/auth/service/AuthServiceTest.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,167 @@ | ||
| package com.example.scoi.domain.auth.service; | ||
|
|
||
| import com.example.scoi.domain.auth.dto.AuthReqDTO; | ||
| import com.example.scoi.domain.auth.dto.AuthResDTO; | ||
| import com.example.scoi.domain.auth.exception.AuthException; | ||
| import com.example.scoi.domain.auth.exception.code.AuthErrorCode; | ||
| import com.example.scoi.domain.member.repository.MemberRepository; | ||
| import com.example.scoi.global.redis.RedisUtil; | ||
| import com.example.scoi.global.security.jwt.JwtUtil; | ||
| import org.junit.jupiter.api.DisplayName; | ||
| import org.junit.jupiter.api.Nested; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.junit.jupiter.api.extension.ExtendWith; | ||
| import org.mockito.InjectMocks; | ||
| import org.mockito.Mock; | ||
| import org.mockito.junit.jupiter.MockitoExtension; | ||
|
|
||
| import java.util.concurrent.TimeUnit; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; | ||
| import static org.assertj.core.api.Assertions.assertThatThrownBy; | ||
| import static org.mockito.ArgumentMatchers.any; | ||
| import static org.mockito.ArgumentMatchers.anyLong; | ||
| import static org.mockito.ArgumentMatchers.eq; | ||
| import static org.mockito.Mockito.never; | ||
| import static org.mockito.Mockito.times; | ||
| import static org.mockito.Mockito.verify; | ||
| import static org.mockito.Mockito.when; | ||
|
|
||
| /** | ||
| * SMS 인증 무차별 대입 방어 로직 단위 테스트. | ||
| * Spring 컨텍스트 없이 Mockito로 협력 객체를 스텁하여 분기별 동작을 검증한다. | ||
| */ | ||
| @ExtendWith(MockitoExtension.class) | ||
| class AuthServiceTest { | ||
|
|
||
| @Mock | ||
| private MemberRepository memberRepository; | ||
| @Mock | ||
| private JwtUtil jwtUtil; | ||
| @Mock | ||
| private RedisUtil redisUtil; | ||
|
|
||
| @InjectMocks | ||
| private AuthService authService; | ||
|
|
||
| private static final String PHONE = "01012345678"; | ||
| private static final String CODE = "123456"; | ||
| private static final String SMS_KEY = "sms:" + PHONE; | ||
| private static final String FAIL_KEY = "sms:verify:fail:" + PHONE; | ||
| private static final String COOLDOWN_KEY = "sms:cooldown:" + PHONE; | ||
|
|
||
| private AuthReqDTO.SmsVerifyRequest request(String verificationCode) { | ||
| return new AuthReqDTO.SmsVerifyRequest(PHONE, verificationCode); | ||
| } | ||
|
|
||
| @Nested | ||
| @DisplayName("verifySms - SMS 인증번호 검증") | ||
| class VerifySms { | ||
|
|
||
| @Test | ||
| @DisplayName("성공: 코드 일치 시 토큰 발급 및 코드·실패카운터 삭제") | ||
| void success() { | ||
| // given | ||
| when(redisUtil.get(SMS_KEY)).thenReturn(CODE); | ||
| when(jwtUtil.createVerificationToken(PHONE)).thenReturn("verification-token"); | ||
| when(memberRepository.existsByPhoneNumber(PHONE)).thenReturn(true); | ||
|
|
||
| // when | ||
| AuthResDTO.SmsVerifyResponse response = authService.verifySms(request(CODE)); | ||
|
|
||
| // then | ||
| assertThat(response.verificationToken()).isEqualTo("verification-token"); | ||
| assertThat(response.isExistingMember()).isTrue(); | ||
| verify(redisUtil).delete(SMS_KEY); // 코드 삭제 | ||
| verify(redisUtil).delete(FAIL_KEY); // 실패 카운터 초기화 | ||
| } | ||
|
|
||
| @Test | ||
| @DisplayName("실패: 저장된 코드가 없으면 VERIFICATION_CODE_EXPIRED, 실패 카운터 증가 안 함") | ||
| void expired() { | ||
| // given | ||
| when(redisUtil.get(SMS_KEY)).thenReturn(null); | ||
|
|
||
| // when & then | ||
| assertThatThrownBy(() -> authService.verifySms(request(CODE))) | ||
| .isInstanceOf(AuthException.class) | ||
| .extracting(e -> ((AuthException) e).getCode()) | ||
| .isEqualTo(AuthErrorCode.VERIFICATION_CODE_EXPIRED); | ||
|
|
||
| verify(redisUtil, never()).increment(any(), anyLong(), any()); | ||
| } | ||
|
|
||
| @Test | ||
| @DisplayName("실패: 코드 불일치 - 한도 미만이면 INVALID_VERIFICATION_CODE + 남은 횟수 반환") | ||
| void mismatchUnderLimit() { | ||
| // given: 실패 카운터가 2 (한도 5 미만) | ||
| when(redisUtil.get(SMS_KEY)).thenReturn(CODE); | ||
| when(redisUtil.increment(eq(FAIL_KEY), eq(5L), eq(TimeUnit.MINUTES))).thenReturn(2L); | ||
|
|
||
| // when & then | ||
| assertThatThrownBy(() -> authService.verifySms(request("000000"))) | ||
| .isInstanceOf(AuthException.class) | ||
| .satisfies(e -> { | ||
| AuthException ex = (AuthException) e; | ||
| assertThat(ex.getCode()).isEqualTo(AuthErrorCode.INVALID_VERIFICATION_CODE); | ||
| assertThat(ex.getBind()).containsEntry("remainingAttempts", "3"); // 5 - 2 | ||
| }); | ||
|
|
||
| // 한도 미만이므로 코드·카운터 삭제하지 않음 | ||
| verify(redisUtil, never()).delete(SMS_KEY); | ||
| verify(redisUtil, never()).delete(FAIL_KEY); | ||
| } | ||
|
|
||
| @Test | ||
| @DisplayName("실패: 코드 불일치 - 한도 도달 시 VERIFICATION_ATTEMPTS_EXCEEDED + 코드·카운터 삭제") | ||
| void mismatchLimitExceeded() { | ||
| // given: 실패 카운터가 5 (한도 도달) | ||
| when(redisUtil.get(SMS_KEY)).thenReturn(CODE); | ||
| when(redisUtil.increment(eq(FAIL_KEY), eq(5L), eq(TimeUnit.MINUTES))).thenReturn(5L); | ||
|
|
||
| // when & then | ||
| assertThatThrownBy(() -> authService.verifySms(request("000000"))) | ||
| .isInstanceOf(AuthException.class) | ||
| .extracting(e -> ((AuthException) e).getCode()) | ||
| .isEqualTo(AuthErrorCode.VERIFICATION_ATTEMPTS_EXCEEDED); | ||
|
|
||
| // 코드 무효화: 코드·카운터 모두 삭제 | ||
| verify(redisUtil).delete(SMS_KEY); | ||
| verify(redisUtil).delete(FAIL_KEY); | ||
| } | ||
| } | ||
|
|
||
| @Nested | ||
| @DisplayName("sendSms - SMS 인증번호 발송") | ||
| class SendSms { | ||
|
|
||
| @Test | ||
| @DisplayName("새 코드 발급 시 이전 실패 카운터를 초기화한다") | ||
| void resetsFailCounter() { | ||
| // given: 쿨다운 없음 (smsEnabled 기본값 false → 실제 발송 건너뜀) | ||
| when(redisUtil.exists(COOLDOWN_KEY)).thenReturn(false); | ||
|
|
||
| // when | ||
| authService.sendSms(new AuthReqDTO.SmsSendRequest(PHONE)); | ||
|
|
||
| // then: 새 코드에는 새 시도 예산이 주어져야 한다 | ||
| verify(redisUtil).set(eq(SMS_KEY), any(), eq(5L), eq(TimeUnit.MINUTES)); | ||
| verify(redisUtil).delete(FAIL_KEY); | ||
| } | ||
|
|
||
| @Test | ||
| @DisplayName("쿨다운 중이면 SMS_COOLDOWN, 실패 카운터를 건드리지 않는다") | ||
| void cooldown() { | ||
| // given | ||
| when(redisUtil.exists(COOLDOWN_KEY)).thenReturn(true); | ||
|
|
||
| // when & then | ||
| assertThatThrownBy(() -> authService.sendSms(new AuthReqDTO.SmsSendRequest(PHONE))) | ||
| .isInstanceOf(AuthException.class) | ||
| .extracting(e -> ((AuthException) e).getCode()) | ||
| .isEqualTo(AuthErrorCode.SMS_COOLDOWN); | ||
|
|
||
| verify(redisUtil, never()).delete(FAIL_KEY); | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: UMCSCOI/Backend
Length of output: 153
🏁 Script executed:
Repository: UMCSCOI/Backend
Length of output: 6670
🏁 Script executed:
Repository: UMCSCOI/Backend
Length of output: 4603
🏁 Script executed:
Repository: UMCSCOI/Backend
Length of output: 2794
🏁 Script executed:
Repository: UMCSCOI/Backend
Length of output: 4116
INCR뒤 TTL을 원자적으로 보장하세요.StringRedisSerializer가 사용되어 직렬화 문제는 없지만,count == 1L일 때만expire를 별도 호출하면 중간 실패 시 실패 카운터가 TTL 없이 남을 수 있습니다.expire실패를 처리하거나 Lua/트랜잭션으로 묶어 주세요.🤖 Prompt for AI Agents