[✨ feat] 잘못된 JWT 토큰 요청에 대한 Rate Limit 적용

build.gradle

@@ -55,7 +55,6 @@ dependencies {
 	implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
 	implementation 'io.jsonwebtoken:jjwt-impl:0.11.5'
 	implementation 'io.jsonwebtoken:jjwt-jackson:0.11.5'
-//	implementation 'com.nimbusds:nimbus-jose-jwt:3.10'
 
 	// Gson
 	implementation 'com.google.code.gson:gson:2.8.6'
@@ -70,35 +69,21 @@ dependencies {
 	// Spring Batch
 	implementation 'org.springframework.boot:spring-boot-starter-batch'
 
+	// Bucket4j
+	implementation 'com.bucket4j:bucket4j-core:8.1.0'
 }
 
-//QueryDSL 초기 설정
-//1. Q-Class를 생성할 디렉토리 경로를 설정합니다.
-def queryDslSrcDir = 'src/main/generated/querydsl/'
+def generatedDir = 'src/main/generated'
 
-//2. JavaCompile Task를 수행하는 경우 생성될 소스코드의 출력 디렉토리를 queryDslSrcDir로 설정합니다.
-tasks.withType(JavaCompile).configureEach {
-	options.getGeneratedSourceOutputDirectory().set(file(queryDslSrcDir))
-}
-
-//3. 소스 코드로 인식할 디렉토리 경로에 Q-Class 파일을 추가합니다. 이렇게 하면 Q-Class가 일반 Java 클래스처럼 취급되어 컴파일과 실행 시 classPath에 포함됩니다.
 sourceSets {
-	main.java.srcDirs += [queryDslSrcDir]
+	main.java.srcDirs += [generatedDir]
 }
 
-//4. clean Task를 수행하는 경우 지정한 디렉토리를 삭제하도록 설정합니다. -> 자동 생성된 Q-Class를 제거합니다.
 clean {
-	delete file(queryDslSrcDir)
-}
-
-//5. QueryDSL과 관련된 라이브러리들이 컴파일 시점에만 필요하도록 설정합니다. 또한, QueryDSL 설정을 컴파일 클래스 패스에 추가합니다.
-configurations {
-	compileOnly {
-		extendsFrom annotationProcessor
-	}
-	querydsl.extendsFrom compileClasspath
+	delete file(generatedDir)
 }
+// =================================================
 
 tasks.named('test') {
 	useJUnitPlatform()
-}
+}

src/main/java/org/terning/terningserver/common/exception/GlobalExceptionHandler.java

@@ -47,25 +47,23 @@ public ResponseEntity<ErrorResponse> handleAuthException(JwtException e) {
     }
 
     @ExceptionHandler(Exception.class)
-    public ResponseEntity handleException(Exception e){
+    public ResponseEntity<ErrorResponse> handleException(Exception e){
         log.warn("[Exception] cause: {} , message: {}", NestedExceptionUtils.getMostSpecificCause(e), e.getMessage());
         ErrorMessage errorCode = ErrorMessage.INTERNAL_SERVER_ERROR;
         return ResponseEntity
                 .status(errorCode.getStatus())
                 .body(ErrorResponse.of(errorCode.getStatus(), errorCode.getMessage()));
     }
 
-    //메소드가 잘못되었거나 부적합한 인수를 전달했을 경우 -> 필수 파라미터 없을 때
     @ExceptionHandler(IllegalArgumentException.class)
-    public ResponseEntity handleIllegalArgumentException(IllegalArgumentException e){
+    public ResponseEntity<ErrorResponse> handleIllegalArgumentException(IllegalArgumentException e){
         log.warn("[IlleagalArgumentException] cause: {} , message: {}", NestedExceptionUtils.getMostSpecificCause(e), e.getMessage());
         ErrorMessage errorCode = ErrorMessage.ILLEGAL_ARGUMENT_ERROR;
         return ResponseEntity
                 .status(errorCode.getStatus())
                 .body(ErrorResponse.of(errorCode.getStatus(), errorCode.getMessage()));
     }
 
-    //@Valid 유효성 검사에서 예외가 발생했을 때 -> requestbody에 잘못 들어왔을 때
     @ExceptionHandler(MethodArgumentNotValidException.class)
     public ResponseEntity<ErrorResponse> handleMethodArgumentNotValidException(MethodArgumentNotValidException e){
         log.warn("[MethodArgumentNotValidException] cause: {}, message: {}", NestedExceptionUtils.getMostSpecificCause(e), e.getMessage());
@@ -75,7 +73,6 @@ public ResponseEntity<ErrorResponse> handleMethodArgumentNotValidException(Metho
                 .body(ErrorResponse.of(errorCode.getStatus(), errorCode.getMessage()));
     }
 
-    //잘못된 포맷 요청 -> Json으로 안보내다던지
     @ExceptionHandler(HttpMessageNotReadableException.class)
     public ResponseEntity<ErrorResponse> handleHttpMessageNotReadableException(HttpMessageNotReadableException e){
         log.warn("[HttpMessageNotReadableException] cause: {}, message: {}", NestedExceptionUtils.getMostSpecificCause(e), e.getMessage());
@@ -84,6 +81,7 @@ public ResponseEntity<ErrorResponse> handleHttpMessageNotReadableException(HttpM
                 .status(errorCode.getStatus())
                 .body(ErrorResponse.of(errorCode.getStatus(), errorCode.getMessage()));
     }
+
     @ExceptionHandler(HttpRequestMethodNotSupportedException.class)
     public ResponseEntity<ErrorResponse> handleHttpMethodException(
             HttpRequestMethodNotSupportedException e,
@@ -96,4 +94,3 @@ public ResponseEntity<ErrorResponse> handleHttpMethodException(
                 .body(ErrorResponse.of(errorCode.getStatus(), errorCode.getMessage()));
     }
 }
-

src/main/java/org/terning/terningserver/common/security/jwt/filter/CustomJwtAuthenticationEntryPoint.java

@@ -1,26 +1,37 @@
 package org.terning.terningserver.common.security.jwt.filter;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.MediaType;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Component;
+import org.terning.terningserver.common.exception.dto.ErrorResponse;
 import org.terning.terningserver.common.security.jwt.exception.JwtErrorCode;
-import org.terning.terningserver.common.security.jwt.exception.JwtException;
 
 import java.io.IOException;
 
 @Component
 @RequiredArgsConstructor
 public class CustomJwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
 
+    private final ObjectMapper objectMapper;
+
     @Override
     public void commence(
             HttpServletRequest request,
             HttpServletResponse response,
-            AuthenticationException exception
+            AuthenticationException authException
     ) throws IOException {
-        throw new JwtException(JwtErrorCode.INVALID_JWT_TOKEN);
+        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.setCharacterEncoding("UTF-8");
+
+        JwtErrorCode errorCode = JwtErrorCode.INVALID_JWT_TOKEN;
+        ErrorResponse errorResponse = ErrorResponse.of(errorCode.getStatus().value(), errorCode.getMessage());
+
+        response.getWriter().write(objectMapper.writeValueAsString(errorResponse));
     }
 }

src/main/java/org/terning/terningserver/common/security/jwt/filter/JwtAuthenticationFilter.java

@@ -1,14 +1,21 @@
 package org.terning.terningserver.common.security.jwt.filter;
 
+import io.github.bucket4j.Bucket;
+import io.github.bucket4j.ConsumptionProbe;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.terning.terningserver.common.security.jwt.auth.UserAuthentication;
+import org.terning.terningserver.common.security.jwt.exception.JwtException;
+import org.terning.terningserver.common.security.ratelimit.RateLimitingService;
+import org.terning.terningserver.common.util.IpAddressUtil;
 
 import java.io.IOException;
 import java.util.Optional;
@@ -17,15 +24,40 @@
 
 @Component
 @RequiredArgsConstructor
+@Slf4j
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
     private final JwtTokenVerifier jwtTokenVerifier;
+    private final RateLimitingService rateLimitingService; // RateLimitingService 주입
 
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        extractToken(request)
-                .flatMap(jwtTokenVerifier::validateAndExtractUserId)
-                .ifPresent(this::authenticateUser);
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+
+        Optional<String> token = extractToken(request);
+
+        if (token.isPresent()) {
+            try {
+                Long userId = jwtTokenVerifier.validateAndExtractUserId(token.get())
+                        .orElseThrow(() -> new JwtException(null));
+                authenticateUser(userId);
+
+            } catch (JwtException e) {
+                String clientIp = IpAddressUtil.getClientIp(request);
+                Bucket bucket = rateLimitingService.resolveBucket(clientIp);
+                ConsumptionProbe probe = bucket.tryConsumeAndReturnRemaining(1);
+
+                if (probe.isConsumed()) {
+                    log.error("[ERROR] 유효하지 않은 JWT 토큰 요청. IP: {}. 남은 시도 횟수: {}", clientIp, probe.getRemainingTokens());
+                    SecurityContextHolder.clearContext();
+                } else {
+                    long waitForRefillSeconds = probe.getNanosToWaitForRefill() / 1_000_000_000L;
+                    log.error("[ERROR] 과도한 JWT 토큰 요청. IP: {}. 요청을 차단합니다. 대기 시간: {}초", clientIp, waitForRefillSeconds);
+                    response.sendError(HttpStatus.TOO_MANY_REQUESTS.value(), "과도한 요청입니다. 잠시 후 다시 시도해주세요.");
+                    return;
+                }
+            }
+        }
 
         filterChain.doFilter(request, response);
     }

src/main/java/org/terning/terningserver/common/security/jwt/filter/JwtTokenVerifier.java

@@ -3,6 +3,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
 import org.terning.terningserver.common.security.jwt.application.JwtUserIdExtractor;
+import org.terning.terningserver.common.security.jwt.exception.JwtException;
 
 import java.util.Optional;
 
@@ -12,11 +13,7 @@ public class JwtTokenVerifier {
 
     private final JwtUserIdExtractor jwtUserIdExtractor;
 
-    public Optional<Long> validateAndExtractUserId(String token) {
-        try {
-            return Optional.of(jwtUserIdExtractor.extractUserId(token));
-        } catch (Exception e) {
-            return Optional.empty();
-        }
+    public Optional<Long> validateAndExtractUserId(String token) throws JwtException {
+        return Optional.of(jwtUserIdExtractor.extractUserId(token));
     }
 }

src/main/java/org/terning/terningserver/common/security/ratelimit/RateLimitingService.java

@@ -0,0 +1,28 @@
+package org.terning.terningserver.common.security.ratelimit;
+
+import io.github.bucket4j.Bandwidth;
+import io.github.bucket4j.Bucket;
+import io.github.bucket4j.Refill;
+import org.springframework.stereotype.Service;
+
+import java.time.Duration;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+@Service
+public class RateLimitingService {
+
+    private final Map<String, Bucket> cache = new ConcurrentHashMap<>();
+
+    public Bucket resolveBucket(String ipAddress) {
+        return cache.computeIfAbsent(ipAddress, this::newBucket);
+    }
+
+    private Bucket newBucket(String ipAddress) {
+        Refill refill = Refill.intervally(10, Duration.ofMinutes(1));
+        Bandwidth limit = Bandwidth.classic(10, refill);
+        return Bucket.builder()
+                .addLimit(limit)
+                .build();
+    }
+}

src/main/java/org/terning/terningserver/common/util/IpAddressUtil.java

@@ -0,0 +1,30 @@
+package org.terning.terningserver.common.util;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+public class IpAddressUtil {
+
+    private static final String[] IP_HEADER_CANDIDATES = {
+            "X-Forwarded-For",
+            "Proxy-Client-IP",
+            "WL-Proxy-Client-IP",
+            "HTTP_X_FORWARDED_FOR",
+            "HTTP_X_FORWARDED",
+            "HTTP_X_CLUSTER_CLIENT_IP",
+            "HTTP_CLIENT_IP",
+            "HTTP_FORWARDED_FOR",
+            "HTTP_FORWARDED",
+            "HTTP_VIA",
+            "REMOTE_ADDR"
+    };
+
+    public static String getClientIp(HttpServletRequest request) {
+        for (String header : IP_HEADER_CANDIDATES) {
+            String ip = request.getHeader(header);
+            if (ip != null && !ip.isEmpty() && !"unknown".equalsIgnoreCase(ip)) {
+                return ip.split(",")[0];
+            }
+        }
+        return request.getRemoteAddr();
+    }
+}

src/main/java/org/terning/terningserver/internshipAnnouncement/domain/Company.java

@@ -5,6 +5,7 @@
 import jakarta.persistence.Embeddable;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
+import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 
@@ -13,6 +14,7 @@
 @Embeddable
 @Getter
 @NoArgsConstructor(access = PROTECTED)
+@AllArgsConstructor
 public class Company {
 
     @Column(nullable = false, length = 64)

src/main/java/org/terning/terningserver/internshipAnnouncement/domain/InternshipAnnouncement.java

@@ -1,6 +1,7 @@
 package org.terning.terningserver.internshipAnnouncement.domain;
 
 import jakarta.persistence.*;
+import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import org.terning.terningserver.common.BaseTimeEntity;
@@ -15,6 +16,7 @@
 @Entity
 @Getter
 @NoArgsConstructor(access = PROTECTED)
+@AllArgsConstructor
 public class InternshipAnnouncement extends BaseTimeEntity {
 
     @Id

src/test/java/org/terning/terningserver/common/security/jwt/filter/JwtAuthenticationFilterTest.java

@@ -0,0 +1,65 @@
+package org.terning.terningserver.common.security.jwt.filter;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.HttpHeaders;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.terning.terningserver.common.security.jwt.exception.JwtErrorCode;
+import org.terning.terningserver.common.security.jwt.exception.JwtException;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+class JwtAuthenticationFilterTest {
+
+    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationFilterTest.class);
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private JwtTokenVerifier jwtTokenVerifier;
+
+    @Test
+    @DisplayName("잘못된 JWT 토큰으로 반복 요청 시, Rate Limit에 따라 429 에러를 반환한다")
+    void when_repeated_requests_with_invalid_token_then_return_429_error() throws Exception {
+        // given
+        String invalidToken = "this-is-an-invalid-token";
+        when(jwtTokenVerifier.validateAndExtractUserId(anyString()))
+                .thenThrow(new JwtException(JwtErrorCode.INVALID_JWT_TOKEN));
+
+        // when & then
+        log.info("====== Rate Limit 허용 횟수 내 요청 테스트 시작 ======");
+        for (int i = 1; i <= 10; i++) {
+            log.info("{}번째 요청", i);
+            // when
+            ResultActions actions = mockMvc.perform(get("/api/v1/any-secured-endpoint")
+                    .header(HttpHeaders.AUTHORIZATION, "Bearer " + invalidToken));
+            // then
+            actions.andExpect(status().isUnauthorized());
+        }
+        log.info("====== Rate Limit 허용 횟수 내 요청 테스트 통과 ======");
+
+
+        // when & then
+        log.info("\n====== Rate Limit 초과 요청 테스트 시작 ======");
+        log.info("11번째 요청");
+        // when
+        ResultActions finalAction = mockMvc.perform(get("/api/v1/any-secured-endpoint")
+                .header(HttpHeaders.AUTHORIZATION, "Bearer " + invalidToken));
+        // then
+        finalAction.andExpect(status().isTooManyRequests());
+        log.info("====== Rate Limit 초과 요청 테스트 통과 ======");
+    }
+}

src/test/java/org/terning/terningserver/service/ScrapServiceTest.java

@@ -211,4 +211,4 @@ public void setup() {
             assertThat(savedAnnouncement.getScrapCount()).isEqualTo(100L);
         }
     }
-}
+}