@sjk4618 (Member) commented Dec 9, 2025

🔥Pull requests

⛳️ Branch worked on

👷 What was done

  • Changed the cookie max-age for client and dev admin testing

🚨 Notes

@sjk4618 sjk4618 self-assigned this Dec 9, 2025
@coderabbitai coderabbitai bot commented Dec 9, 2025

📝 Walkthrough

Summary by CodeRabbit

Release notes

  • Refactor
    • Improved the auth cookie creation logic to apply a consistent expiration policy (90 days).
    • Simplified cookie expiration handling to improve maintainability.


Summary and analysis

Walkthrough

AuthController and CookieCreatorUtil were modified so that the cookie max-age setting is managed consistently. The per-token expiration parameter was removed and a COOKIE_MAX_AGE constant (90) was introduced, applying a fixed max-age to the access and refresh token cookies.

Changes

Cohort / File(s) | Change summary
Simplified cookie creation logic
src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java | Introduced and applied the COOKIE_MAX_AGE (90) constant; changed the signatures of createAccessTokenCookie() and createRefreshTokenCookie() by removing the expiration parameter; simplified the toCookieMaxAgeSeconds() helper method; reservation-cookie and cookie-deletion logic unchanged
AuthController dependency cleanup
src/main/java/com/permitseoul/permitserver/domain/auth/api/controller/AuthController.java | Removed the JwtProperties field; responseWithGeneratedCookie() now calls createAccessTokenCookie()/createRefreshTokenCookie() without an expiration time when creating cookies

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Points to note:
    • Other call sites need to be checked because the public API signatures changed
    • Check whether the removed JwtProperties field was used for anything else

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly describes the pull request's main change, the cookie max-age change.
Description check | ✅ Passed | The description relates to the cookie max-age change, and the described content matches the pull request's changes.
Linked Issues check | ✅ Passed | The PR implements the goal of the linked issue #193, changing the cookie max-age. It was modified to use a fixed COOKIE_MAX_AGE value (90).
Out of Scope Changes check | ✅ Passed | All changes fall within the scope of changing the cookie max-age setting; there are no unrelated changes.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java (1)

23-41: Cookie max-age values must be synchronized with JWT token expiration times from JwtProperties.

Both createAccessTokenCookie() and createRefreshTokenCookie() use a hardcoded COOKIE_MAX_AGE of 90 seconds (marked "테스트용" for testing), while JwtGenerator correctly assigns different expiration times to access and refresh tokens via JwtProperties.accessTokenExpirationTime() and JwtProperties.refreshTokenExpirationTime().

The unused helper method toCookieMaxAgeSeconds() indicates this implementation is incomplete. Update both methods to:

  • Use the appropriate JWT expiration time from JwtProperties for each token type
  • Convert milliseconds to seconds using toCookieMaxAgeSeconds()
  • Ensure refresh token cookie max-age exceeds access token cookie max-age to match JWT design
🧹 Nitpick comments (1)
src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java (1)

63-65: Remove the unused method.

The toCookieMaxAgeSeconds method is no longer called and is dead code. We recommend removing it to keep the code clean.

Apply the following diff to remove the unused method:

-    private static long toCookieMaxAgeSeconds(final long jwtExpirationMillis) {
-        return jwtExpirationMillis / 1000;
-    }
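Review bot: deleting toCookieMaxAgeSeconds() here contradicts the outside-diff comment above (lines 23-41), which asks for exactly this helper to convert the JwtProperties millisecond expirations into per-token cookie max-age seconds; settle that direction before applying this diff, either keep the helper and wire it into createAccessTokenCookie()/createRefreshTokenCookie(), or delete it only once COOKIE_MAX_AGE has been replaced by configured per-token values. If it is kept, note that `return jwtExpirationMillis / 1000;` truncates, so any sub-second remainder makes the cookie expire slightly before the token it carries; rounding up (for example `(jwtExpirationMillis + 999) / 1000`) avoids that.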
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 91e1db6 and 91dc9fe.

📒 Files selected for processing (2)
  • src/main/java/com/permitseoul/permitserver/domain/auth/api/controller/AuthController.java (1 hunks)
  • src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java (3 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: sjk4618
Repo: PERMIT-SEOUL/permit-server PR: 48
File: src/main/java/com/permitseoul/permitserver/domain/guest/core/domain/entity/GuestEntity.java:31-37
Timestamp: 2025-07-15T09:37:32.765Z
Learning: sjk4618 prefers to implement factory methods or public constructors for entities when they are actually needed, rather than creating them proactively.
🧬 Code graph analysis (1)
src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java (1)
src/main/java/com/permitseoul/permitserver/global/Constants.java (1)
  • Constants (3-24)
🔇 Additional comments (1)
src/main/java/com/permitseoul/permitserver/domain/auth/api/controller/AuthController.java (1)

83-84: The method calls have been simplified correctly.

They are called in a way that matches CookieCreatorUtil's method signatures. Across the codebase these methods are called with only the token value as an argument, and there is no legacy code calling them with multiple arguments.

private static JwtProperties jwtProperties;
private static final long ACCESS_COOKIE_EXTRA_SECONDS = 5L * 60; // 5 minutes
private static final long REFRESH_COOKIE_EXTRA_SECONDS = 15L * 60; // 15 minutes
private static final long COOKIE_MAX_AGE = 90L; // 90 seconds, for testing

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's read the full CookieCreatorUtil.java file to understand context
cat -n src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java

Repository: PERMIT-SEOUL/permit-server

Length of output: 2809


🏁 Script executed:

# Search for application configuration files
find . -type f \( -name "application*.properties" -o -name "application*.yml" -o -name "application*.yaml" \) | head -20

Repository: PERMIT-SEOUL/permit-server

Length of output: 52


🏁 Script executed:

# Check if there are any configuration classes or beans related to cookie settings
rg -i "cookie.*max.*age|COOKIE_MAX_AGE" --type java

Repository: PERMIT-SEOUL/permit-server

Length of output: 643


🏁 Script executed:

# Check for environment-specific settings
fd -e properties -e yml -e yaml | grep -E "(prod|dev|test|config)" | head -20

Repository: PERMIT-SEOUL/permit-server

Length of output: 52


🏁 Script executed:

# Check git history for CookieCreatorUtil.java
git log --oneline src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java | head -10

Repository: PERMIT-SEOUL/permit-server

Length of output: 107


🏁 Script executed:

# Check for CI/CD or deployment files
find . -type f \( -name "*.yml" -o -name "*.yaml" -o -name "Dockerfile" -o -name ".github" -o -name "pom.xml" \) | head -20

Repository: PERMIT-SEOUL/permit-server

Length of output: 222


🏁 Script executed:

# Check if this is a production project by looking at pom.xml or build files
ls -la | grep -E "(pom|build|gradle|docker)"

Repository: PERMIT-SEOUL/permit-server

Length of output: 370


🏁 Script executed:

# Let's check the recent commit to see what "fix" was made
git show 91dc9fe --stat

Repository: PERMIT-SEOUL/permit-server

Length of output: 31912


Test configuration in production cookie settings.

The constant COOKIE_MAX_AGE = 90L with comment "90초 테스트용" is being used in both createAccessTokenCookie() and createRefreshTokenCookie(). A 90-second max-age is far too short for production use, particularly for refresh tokens, and will cause frequent user logouts.

This needs to be replaced with appropriate production values:

  • Access token: 15-30 minutes
  • Refresh token: 7-30 days

Also remove the unused toCookieMaxAgeSeconds() method (lines 63-65) and consider externalizing cookie lifetimes to configuration properties to allow environment-specific values.
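The shape of the fix the review asks for, as an added example that is not the project's CookieCreatorUtil: cookie max-age derived per token type from the JWT lifetime (milliseconds to seconds), a fail-fast check that the refresh cookie outlives the access cookie, and lifetimes taken from a configuration object instead of a hardcoded test constant. It assumes Spring's ResponseCookie builder, a stand-in JwtProperties record whose accessor names are taken from the review (values assumed to be milliseconds), and the cookie names accessToken/refreshToken; the cookie attribute choices are this example's own.

```java
import java.time.Duration;
import org.springframework.http.ResponseCookie;

// Added example, not the project's code. Assumes Spring's ResponseCookie and a stand-in
// JwtProperties record (accessor names from the review; values assumed to be milliseconds).
public final class CookieMaxAgeExample {
    public record JwtProperties(long accessTokenExpirationTime, long refreshTokenExpirationTime) {
        // Validate at construction, i.e. at startup, so a test value cannot reach production silently.
        public JwtProperties {
            if (accessTokenExpirationTime <= 0 || refreshTokenExpirationTime <= 0) {
                throw new IllegalArgumentException("token lifetimes must be positive milliseconds");
            }
            if (refreshTokenExpirationTime <= accessTokenExpirationTime) {
                throw new IllegalArgumentException("refresh token must outlive the access token");
            }
        }
    }
    private static final String ACCESS_COOKIE = "accessToken";   // assumed cookie name
    private static final String REFRESH_COOKIE = "refreshToken"; // assumed cookie name
    private CookieMaxAgeExample() {}

    // JWT lifetime (ms) -> cookie Max-Age (s), rounded up so the cookie never
    // disappears from the browser before the token inside it has expired.
    static long toCookieMaxAgeSeconds(long jwtExpirationMillis) {
        return (jwtExpirationMillis + 999) / 1000;
    }

    private static ResponseCookie build(String name, String value, long maxAgeSeconds) {
        return ResponseCookie.from(name, value)
                .httpOnly(true)      // not readable from page scripts
                .secure(true)        // only sent over HTTPS
                .sameSite("Strict")  // not attached to cross-site requests
                .path("/")
                .maxAge(Duration.ofSeconds(maxAgeSeconds))
                .build();
    }
    static ResponseCookie createAccessTokenCookie(String token, JwtProperties props) {
        return build(ACCESS_COOKIE, token, toCookieMaxAgeSeconds(props.accessTokenExpirationTime()));
    }
    static ResponseCookie createRefreshTokenCookie(String token, JwtProperties props) {
        return build(REFRESH_COOKIE, token, toCookieMaxAgeSeconds(props.refreshTokenExpirationTime()));
    }

    public static void main(String[] args) {
        // Constructed values inside the ranges the review suggests: 30 min access, 14 days refresh.
        JwtProperties props = new JwtProperties(Duration.ofMinutes(30).toMillis(), Duration.ofDays(14).toMillis());
        System.out.println(createAccessTokenCookie("<access-jwt>", props));   // Max-Age=1800
        System.out.println(createRefreshTokenCookie("<refresh-jwt>", props)); // Max-Age=1209600
    }
}
```

In a Spring application the record would be bound from application properties per environment, so the dev/admin test value stays in the dev profile and the constructor rejects any profile where the refresh lifetime is not longer than the access lifetime.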

@sjk4618 sjk4618 merged commit 71b6523 into dev Dec 9, 2025
2 checks passed
@sjk4618 sjk4618 deleted the fix/#193 branch December 9, 2025 12:59

Development

Successfully merging this pull request may close these issues.

fix: change cookie max-age
