Merge pull request #223 from boostcampwm-2024/fix/login-cookie-prefix

🐛 fix: 쿠키 Redis String Key 일 경우 Login 보안 버그 수정

server/src/admin/admin.controller.ts

@@ -5,12 +5,13 @@ import {
   HttpCode,
   HttpStatus,
   Post,
+  Req,
   Res,
   UseGuards,
   UsePipes,
   ValidationPipe,
 } from '@nestjs/common';
-import { Response } from 'express';
+import { Request, Response } from 'express';
 import { AdminService } from './admin.service';
 import { RegisterAdminDto } from './dto/register-admin.dto';
 import { ApiTags } from '@nestjs/swagger';
@@ -35,8 +36,9 @@ export class AdminController {
   async loginAdmin(
     @Body() loginAdminDto: LoginAdminDto,
     @Res({ passthrough: true }) response: Response,
+    @Req() request: Request,
   ) {
-    await this.adminService.loginAdmin(loginAdminDto, response);
+    await this.adminService.loginAdmin(loginAdminDto, response, request);
     return ApiResponse.responseWithNoContent(
       '로그인이 성공적으로 처리되었습니다.',
     );

server/src/admin/admin.service.ts

@@ -3,7 +3,7 @@ import {
   Injectable,
   UnauthorizedException,
 } from '@nestjs/common';
-import { Response } from 'express';
+import { Response, Request } from 'express';
 import { RegisterAdminDto } from './dto/register-admin.dto';
 import { AdminRepository } from './admin.repository';
 import * as bcrypt from 'bcrypt';
@@ -22,7 +22,12 @@ export class AdminService {
     private readonly redisService: RedisService,
   ) {}
 
-  async loginAdmin(loginAdminDto: LoginAdminDto, response: Response) {
+  async loginAdmin(
+    loginAdminDto: LoginAdminDto,
+    response: Response,
+    request: Request,
+  ) {
+    const cookie = request.cookies['sessionId'];
     const { loginId, password } = loginAdminDto;
 
     const admin = await this.loginRepository.findOne({
@@ -35,8 +40,44 @@ export class AdminService {
 
     const sessionId = uuid.v4();
 
-    await this.redisService.redisClient.set(
-      sessionId,
+    if (cookie) {
+      this.redisService.redisClient.del(`auth:${cookie}`);
+    }
+
+    let cursor = '0';
+    let scanFlag = false;
+    do {
+      const [newCursor, keys] = await this.redisService.redisClient.scan(
+        cursor,
+        'MATCH',
+        'auth:*',
+        'COUNT',
+        100,
+      );
+
+      cursor = newCursor;
+
+      if (!keys.length) {
+        continue;
+      }
+
+      const values = await this.redisService.redisClient.mget(keys);
+
+      for (let i = 0; i < keys.length; i++) {
+        const sessionValue = values[i];
+        if (sessionValue === loginId) {
+          await this.redisService.redisClient.del(keys[i]);
+          scanFlag = true;
+          break;
+        }
+      }
+      if (scanFlag) {
+        break;
+      }
+    } while (cursor !== '0');
+
+    this.redisService.redisClient.set(
+      `auth:${sessionId}`,
       admin.loginId,
       `EX`,
       this.SESSION_TTL,

server/src/common/guard/auth.guard.ts

@@ -14,7 +14,7 @@ export class CookieAuthGuard implements CanActivate {
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<Request>();
     const sid = request.cookies['sessionId'];
-    const loginId = await this.redisService.redisClient.get(sid);
+    const loginId = await this.redisService.redisClient.get(`auth:${sid}`);
     if (!loginId) {
       throw new UnauthorizedException('인증되지 않은 요청입니다.');
     }

server/test/statistic/today.e2e-spec.ts

@@ -25,7 +25,7 @@ describe('Today view count statistic E2E Test : GET /api/statistic/today', () =>
         email: '[email protected]',
         rssUrl: 'https://test.com/rss',
       }),
-      redisService.redisClient.set('test1234', 'test'),
+      redisService.redisClient.set('auth:test1234', 'test'),
       redisService.redisClient.zadd(
         redisKeys.FEED_TREND_KEY,
         '1',