v0.1.38 - 인쇄 출력 보정과 인증 토큰 기반 확장

2026-04-22 18:02:23 +09:00
parent bf62eb12bb
commit 3c3b0d20dd
10 changed files with 361 additions and 10 deletions
--- a/backend/src/config.js
+++ b/backend/src/config.js
@@ -13,6 +13,7 @@ const envSchema = z.object({
  DATABASE_URL: z.string().min(1).default('postgresql://planner:planner1234@localhost:5432/ten_minute_planner'),
  CORS_ORIGIN: z.string().default('http://localhost:5173'),
  SESSION_TTL_DAYS: z.coerce.number().default(30),
+  APP_BASE_URL: z.string().default('http://localhost:5173'),
 })

 export const env = envSchema.parse(process.env)
--- a/backend/src/db/init.js
+++ b/backend/src/db/init.js
@@ -7,10 +7,14 @@ export async function ensureDatabaseSchema() {
      email VARCHAR(255) NOT NULL UNIQUE,
      password_hash VARCHAR(255) NOT NULL,
      nickname VARCHAR(60) NOT NULL,
+      email_verified_at TIMESTAMPTZ,
      created_at TIMESTAMPTZ NOT NULL,
      updated_at TIMESTAMPTZ NOT NULL
    );

+    ALTER TABLE users
+    ADD COLUMN IF NOT EXISTS email_verified_at TIMESTAMPTZ;
+
    CREATE TABLE IF NOT EXISTS auth_sessions (
      id SERIAL PRIMARY KEY,
      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
@@ -51,5 +55,29 @@ export async function ensureDatabaseSchema() {

    CREATE INDEX IF NOT EXISTS goals_user_id_idx
    ON goals (user_id);
+
+    CREATE TABLE IF NOT EXISTS email_verification_tokens (
+      id SERIAL PRIMARY KEY,
+      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      token_hash VARCHAR(255) NOT NULL UNIQUE,
+      expires_at TIMESTAMPTZ NOT NULL,
+      used_at TIMESTAMPTZ,
+      created_at TIMESTAMPTZ NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS email_verification_tokens_user_id_idx
+    ON email_verification_tokens (user_id);
+
+    CREATE TABLE IF NOT EXISTS password_reset_tokens (
+      id SERIAL PRIMARY KEY,
+      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      token_hash VARCHAR(255) NOT NULL UNIQUE,
+      expires_at TIMESTAMPTZ NOT NULL,
+      used_at TIMESTAMPTZ,
+      created_at TIMESTAMPTZ NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS password_reset_tokens_user_id_idx
+    ON password_reset_tokens (user_id);
  `)
 }
--- a/backend/src/db/schema.js
+++ b/backend/src/db/schema.js
@@ -14,6 +14,7 @@ export const users = pgTable('users', {
  email: varchar('email', { length: 255 }).notNull().unique(),
  passwordHash: varchar('password_hash', { length: 255 }).notNull(),
  nickname: varchar('nickname', { length: 60 }).notNull(),
+  emailVerifiedAt: timestamp('email_verified_at', { withTimezone: true }),
  createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
 })
@@ -65,3 +66,33 @@ export const goals = pgTable(
    userIndex: index('goals_user_id_idx').on(table.userId),
  }),
 )
+
+export const emailVerificationTokens = pgTable(
+  'email_verification_tokens',
+  {
+    id: serial('id').primaryKey(),
+    userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
+    tokenHash: varchar('token_hash', { length: 255 }).notNull().unique(),
+    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+    usedAt: timestamp('used_at', { withTimezone: true }),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  },
+  (table) => ({
+    userIndex: index('email_verification_tokens_user_id_idx').on(table.userId),
+  }),
+)
+
+export const passwordResetTokens = pgTable(
+  'password_reset_tokens',
+  {
+    id: serial('id').primaryKey(),
+    userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
+    tokenHash: varchar('token_hash', { length: 255 }).notNull().unique(),
+    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+    usedAt: timestamp('used_at', { withTimezone: true }),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  },
+  (table) => ({
+    userIndex: index('password_reset_tokens_user_id_idx').on(table.userId),
+  }),
+)
--- a/backend/src/routes/auth.js
+++ b/backend/src/routes/auth.js
@@ -1,8 +1,9 @@
-import { eq } from 'drizzle-orm'
+import { and, eq, gt, isNull } from 'drizzle-orm'
+import { env } from '../config.js'
 import { z } from 'zod'
 import { db } from '../db/client.js'
-import { users } from '../db/schema.js'
-import { hashPassword, verifyPassword } from '../lib/password.js'
+import { authSessions, emailVerificationTokens, passwordResetTokens, users } from '../db/schema.js'
+import { createSessionToken, hashSessionToken, hashPassword, verifyPassword } from '../lib/password.js'
 import { createSession, findAuthenticatedUser } from '../lib/authSession.js'

 const signupSchema = z.object({
@@ -26,11 +27,79 @@ const passwordSchema = z.object({
  newPassword: z.string().min(8).max(72),
 })

+const verificationRequestSchema = z.object({
+  email: z.string().trim().email().optional(),
+})
+
+const verificationConfirmSchema = z.object({
+  token: z.string().trim().min(20).max(255),
+})
+
+const passwordResetRequestSchema = z.object({
+  email: z.string().trim().email(),
+})
+
+const passwordResetConfirmSchema = z.object({
+  token: z.string().trim().min(20).max(255),
+  newPassword: z.string().min(8).max(72),
+})
+
+const TOKEN_TTL_MS = 1000 * 60 * 30
+
+function buildPreviewUrl(pathname, token) {
+  const url = new URL(pathname, env.APP_BASE_URL)
+  url.searchParams.set('token', token)
+  return url.toString()
+}
+
+async function createEmailVerificationToken(userId) {
+  const token = createSessionToken()
+  const tokenHash = hashSessionToken(token)
+  const now = new Date()
+  const expiresAt = new Date(now.getTime() + TOKEN_TTL_MS)
+
+  await db.delete(emailVerificationTokens).where(eq(emailVerificationTokens.userId, userId))
+
+  await db.insert(emailVerificationTokens).values({
+    userId,
+    tokenHash,
+    expiresAt,
+    createdAt: now,
+  })
+
+  return {
+    token,
+    previewUrl: buildPreviewUrl('/verify-email', token),
+  }
+}
+
+async function createPasswordResetToken(userId) {
+  const token = createSessionToken()
+  const tokenHash = hashSessionToken(token)
+  const now = new Date()
+  const expiresAt = new Date(now.getTime() + TOKEN_TTL_MS)
+
+  await db.delete(passwordResetTokens).where(eq(passwordResetTokens.userId, userId))
+
+  await db.insert(passwordResetTokens).values({
+    userId,
+    tokenHash,
+    expiresAt,
+    createdAt: now,
+  })
+
+  return {
+    token,
+    previewUrl: buildPreviewUrl('/reset-password', token),
+  }
+}
+
 function sanitizeUser(user) {
  return {
    id: user.id,
    email: user.email,
    nickname: user.nickname,
+    emailVerifiedAt: user.emailVerifiedAt,
    createdAt: user.createdAt,
    updatedAt: user.updatedAt,
  }
@@ -71,17 +140,20 @@ export async function registerAuthRoutes(app) {
        email: normalizedEmail,
        passwordHash,
        nickname,
+        emailVerifiedAt: null,
        createdAt: now,
        updatedAt: now,
      })
      .returning()

    const { token } = await createSession(user.id)
+    const verification = await createEmailVerificationToken(user.id)

    return reply.code(201).send({
      message: '회원가입이 완료되었습니다.',
      token,
      user: sanitizeUser(user),
+      verificationPreviewUrl: verification.previewUrl,
    })
  })

@@ -228,4 +300,188 @@ export async function registerAuthRoutes(app) {
      message: '비밀번호가 변경되었습니다.',
    }
  })
+
+  app.post('/api/auth/verification/request', async (request, reply) => {
+    const authenticatedUser = await findAuthenticatedUser(request)
+    const payload = verificationRequestSchema.safeParse(request.body ?? {})
+
+    if (!payload.success) {
+      return reply.code(400).send({
+        message: '이메일 입력값이 올바르지 않습니다.',
+        issues: payload.error.flatten(),
+      })
+    }
+
+    const normalizedEmail = (payload.data.email || authenticatedUser?.email || '').toLowerCase()
+
+    if (!normalizedEmail) {
+      return reply.code(400).send({
+        message: '인증 메일을 받을 이메일이 필요합니다.',
+      })
+    }
+
+    const [user] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, normalizedEmail))
+      .limit(1)
+
+    if (!user) {
+      return {
+        message: '입력한 이메일로 인증 안내를 보낼 준비가 되면 처리됩니다.',
+      }
+    }
+
+    if (user.emailVerifiedAt) {
+      return {
+        message: '이미 이메일 인증이 완료된 계정입니다.',
+      }
+    }
+
+    const verification = await createEmailVerificationToken(user.id)
+
+    return {
+      message: '이메일 인증 링크를 준비했습니다.',
+      verificationPreviewUrl: verification.previewUrl,
+    }
+  })
+
+  app.post('/api/auth/verification/confirm', async (request, reply) => {
+    const payload = verificationConfirmSchema.safeParse(request.body)
+
+    if (!payload.success) {
+      return reply.code(400).send({
+        message: '인증 토큰이 올바르지 않습니다.',
+        issues: payload.error.flatten(),
+      })
+    }
+
+    const tokenHash = hashSessionToken(payload.data.token)
+
+    const [verification] = await db
+      .select()
+      .from(emailVerificationTokens)
+      .where(
+        and(
+          eq(emailVerificationTokens.tokenHash, tokenHash),
+          isNull(emailVerificationTokens.usedAt),
+          gt(emailVerificationTokens.expiresAt, new Date()),
+        ),
+      )
+      .limit(1)
+
+    if (!verification) {
+      return reply.code(400).send({
+        message: '이미 사용했거나 만료된 인증 링크입니다.',
+      })
+    }
+
+    const now = new Date()
+
+    await db
+      .update(users)
+      .set({
+        emailVerifiedAt: now,
+        updatedAt: now,
+      })
+      .where(eq(users.id, verification.userId))
+
+    await db
+      .update(emailVerificationTokens)
+      .set({
+        usedAt: now,
+      })
+      .where(eq(emailVerificationTokens.id, verification.id))
+
+    return {
+      message: '이메일 인증이 완료되었습니다.',
+    }
+  })
+
+  app.post('/api/auth/password-reset/request', async (request, reply) => {
+    const payload = passwordResetRequestSchema.safeParse(request.body)
+
+    if (!payload.success) {
+      return reply.code(400).send({
+        message: '이메일 입력값이 올바르지 않습니다.',
+        issues: payload.error.flatten(),
+      })
+    }
+
+    const normalizedEmail = payload.data.email.toLowerCase()
+
+    const [user] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, normalizedEmail))
+      .limit(1)
+
+    if (!user) {
+      return {
+        message: '입력한 이메일로 재설정 안내를 보낼 준비가 되면 처리됩니다.',
+      }
+    }
+
+    const reset = await createPasswordResetToken(user.id)
+
+    return {
+      message: '비밀번호 재설정 링크를 준비했습니다.',
+      resetPreviewUrl: reset.previewUrl,
+    }
+  })
+
+  app.post('/api/auth/password-reset/confirm', async (request, reply) => {
+    const payload = passwordResetConfirmSchema.safeParse(request.body)
+
+    if (!payload.success) {
+      return reply.code(400).send({
+        message: '비밀번호 재설정 입력값이 올바르지 않습니다.',
+        issues: payload.error.flatten(),
+      })
+    }
+
+    const tokenHash = hashSessionToken(payload.data.token)
+
+    const [resetToken] = await db
+      .select()
+      .from(passwordResetTokens)
+      .where(
+        and(
+          eq(passwordResetTokens.tokenHash, tokenHash),
+          isNull(passwordResetTokens.usedAt),
+          gt(passwordResetTokens.expiresAt, new Date()),
+        ),
+      )
+      .limit(1)
+
+    if (!resetToken) {
+      return reply.code(400).send({
+        message: '이미 사용했거나 만료된 재설정 링크입니다.',
+      })
+    }
+
+    const now = new Date()
+    const passwordHash = await hashPassword(payload.data.newPassword)
+
+    await db
+      .update(users)
+      .set({
+        passwordHash,
+        updatedAt: now,
+      })
+      .where(eq(users.id, resetToken.userId))
+
+    await db
+      .update(passwordResetTokens)
+      .set({
+        usedAt: now,
+      })
+      .where(eq(passwordResetTokens.id, resetToken.id))
+
+    await db.delete(authSessions).where(eq(authSessions.userId, resetToken.userId))
+
+    return {
+      message: '비밀번호가 재설정되었습니다. 다시 로그인해 주세요.',
+    }
+  })
 }