[fix] Revoke refresh token renewal on access token reissuance

src/main/java/org/hankki/hankkiserver/api/auth/service/AuthFacade.java

@@ -7,7 +7,6 @@
 import org.hankki.hankkiserver.api.auth.service.response.UserReissueResponse;
 import org.hankki.hankkiserver.api.user.service.UserFinder;
 import org.hankki.hankkiserver.api.user.service.UserInfoFinder;
-import org.hankki.hankkiserver.auth.jwt.JwtValidator;
 import org.hankki.hankkiserver.auth.jwt.Token;
 import org.hankki.hankkiserver.domain.user.model.User;
 import org.hankki.hankkiserver.domain.user.model.UserInfo;
@@ -21,7 +20,6 @@ public class AuthFacade {
 
     private final UserFinder userFinder;
     private final UserInfoFinder userInfoFinder;
-    private final JwtValidator jwtValidator;
     private final ExternalService externalService;
     private final AuthService authService;
 
@@ -46,15 +44,7 @@ public void logout(final long userId) {
 
     @Transactional
     public UserReissueResponse reissue(final String refreshToken) {
-        long userId = authService.parseUserId(refreshToken);
-        validateRefreshToken(refreshToken, userId);
-        Token issuedTokens = authService.generateTokens(userId);
+        Token issuedTokens = authService.generateAccessToken(refreshToken);
         return UserReissueResponse.of(issuedTokens);
     }
-
-    private void validateRefreshToken(final String refreshToken, final Long userId) {
-        jwtValidator.validateRefreshToken(refreshToken);
-        String storedRefreshToken = userInfoFinder.getUserInfo(userId).getRefreshToken();
-        jwtValidator.checkTokenEquality(refreshToken, storedRefreshToken);
-    }
 }

src/main/java/org/hankki/hankkiserver/api/auth/service/AuthService.java

@@ -13,6 +13,7 @@
 import org.hankki.hankkiserver.api.user.service.UserInfoUpdater;
 import org.hankki.hankkiserver.api.user.service.UserUpdater;
 import org.hankki.hankkiserver.auth.jwt.JwtProvider;
+import org.hankki.hankkiserver.auth.jwt.JwtValidator;
 import org.hankki.hankkiserver.auth.jwt.Token;
 import org.hankki.hankkiserver.domain.user.model.Platform;
 import org.hankki.hankkiserver.domain.user.model.User;
@@ -32,6 +33,7 @@ public class AuthService {
     private final UserInfoFinder userInfoFinder;
     private final UserInfoUpdater userInfoUpdater;
     private final JwtProvider jwtProvider;
+    private final JwtValidator jwtValidator;
     private final EventPublisher eventPublisher;
 
     @Transactional
@@ -49,15 +51,25 @@ protected void deleteUser(final User user) {
         userInfoFinder.getUserInfo(user.getId()).softDelete();
     }
 
-    protected Token generateTokens(final long userId) {
+    protected Token generateAccessToken(final String refreshToken) {
+        String strippedToken = refreshToken.substring(BEARER.length());
+        long userId = jwtProvider.getSubject(strippedToken);
+        validateRefreshToken(refreshToken, userId);
+        String accessToken = jwtProvider.generateAccessToken(userId, getUserRole(userId));
+        return Token.of(accessToken, strippedToken);
+    }
+
+    private Token generateTokens(final long userId) {
         Token issuedTokens = jwtProvider.issueTokens(userId, getUserRole(userId));
         UserInfo findUserInfo = userInfoFinder.getUserInfo(userId);
         findUserInfo.updateRefreshToken(issuedTokens.refreshToken());
         return issuedTokens;
     }
 
-    protected long parseUserId(final String refreshToken) {
-        return jwtProvider.getSubject(refreshToken.substring(BEARER.length()));
+    private void validateRefreshToken(final String refreshToken, final long userId) {
+        jwtValidator.validateRefreshToken(refreshToken);
+        String storedRefreshToken = userInfoFinder.getUserInfo(userId).getRefreshToken();
+        jwtValidator.checkTokenEquality(refreshToken, storedRefreshToken);
     }
 
     private boolean isRegistered(final Optional<User> user) {