feat: state 값이 아닌 exchange로 변경

Author: ImGdevel

ProjectVG.Api/Controllers/OAuthController.cs

@@ -92,28 +92,26 @@ public async Task<IActionResult> OAuth2Callback(
             return Redirect(result.RedirectUrl!);
         }
 
-        [HttpGet("oauth2/token")]
-        public async Task<IActionResult> GetOAuth2Token([FromQuery] string state)
+        [HttpPost("oauth2/exchange")]
+        public async Task<IActionResult> ExchangeOAuth2Token([FromBody] ExchangeTokenRequest request)
         {
             try
             {
-                if (string.IsNullOrEmpty(state))
+                if (string.IsNullOrEmpty(request.ExchangeToken))
                 {
-                    return BadRequest(new { success = false, message = "State parameter is required" });
+                    return BadRequest(new { success = false, message = "Exchange token is required" });
                 }
 
-                var tokenData = await _oauth2Service.GetTokenDataAsync(state);
+                var tokenData = await _oauth2Service.ExchangeTokenAsync(request.ExchangeToken, HttpContext);
                 if (tokenData == null)
                 {
-                    return BadRequest(new { success = false, message = "Invalid or expired token request" });
+                    return BadRequest(new { success = false, message = "Invalid or expired exchange token" });
                 }
 
-                await _oauth2Service.DeleteTokenDataAsync(state);
-
-                Console.WriteLine($"[OAuth2 Token] User UID: {tokenData.UID}");
-                Console.WriteLine($"[OAuth2 Token] Access Token: {tokenData.AccessToken[..Math.Min(20, tokenData.AccessToken.Length)]}...");
-                Console.WriteLine($"[OAuth2 Token] Refresh Token: {tokenData.RefreshToken[..Math.Min(20, tokenData.RefreshToken.Length)]}...");
-                Console.WriteLine($"[OAuth2 Token] Expires In: {tokenData.ExpiresIn} seconds");
+                Console.WriteLine($"[OAuth2 Exchange] User UID: {tokenData.UID}");
+                Console.WriteLine($"[OAuth2 Exchange] Access Token: {tokenData.AccessToken[..Math.Min(20, tokenData.AccessToken.Length)]}...");
+                Console.WriteLine($"[OAuth2 Exchange] Refresh Token: {tokenData.RefreshToken[..Math.Min(20, tokenData.RefreshToken.Length)]}...");
+                Console.WriteLine($"[OAuth2 Exchange] Expires In: {tokenData.ExpiresIn} seconds");
 
                 Response.Headers.Append("X-Access-Token", tokenData.AccessToken);
                 Response.Headers.Append("X-Refresh-Token", tokenData.RefreshToken);

ProjectVG.Application/Models/Auth/OAuth2Models.cs

@@ -53,6 +53,9 @@ public class OAuth2TokenData
         public int ExpiresIn { get; set; }
         public string UID { get; set; } = string.Empty;
         public DateTime CreatedAt { get; set; }
+        public string ClientIP { get; set; } = string.Empty;
+        public string UserAgent { get; set; } = string.Empty;
+        public bool IsUsed { get; set; } = false;
     }
 
     public class OAuth2CallbackResult
@@ -61,4 +64,10 @@ public class OAuth2CallbackResult
         public string? RedirectUrl { get; set; }
         public string Message { get; set; } = string.Empty;
     }
+
+    public class ExchangeTokenRequest
+    {
+        public string ExchangeToken { get; set; } = string.Empty;
+        public string? ClientFingerprint { get; set; }
+    }
 }

ProjectVG.Application/Services/Auth/IOAuth2Service.cs

@@ -8,6 +8,7 @@ public interface IOAuth2Service
         Task<OAuth2CallbackResult> HandleOAuth2CallbackAsync(string code, string state);
         Task<OAuth2TokenData?> GetTokenDataAsync(string state);
         Task DeleteTokenDataAsync(string state);
+        Task<OAuth2TokenData?> ExchangeTokenAsync(string exchangeToken, Microsoft.AspNetCore.Http.HttpContext httpContext);
         Task<TokenResponse> ExchangeAuthorizationCodeAsync(string code, string clientId, string redirectUri, string codeVerifier = "");
         Task<OAuth2UserInfo> GetUserInfoAsync(string accessToken, string provider);
         Task<OAuth2AuthRequest> StoreOAuth2RequestAsync(string state, OAuth2AuthRequest request);

ProjectVG.Application/Services/Auth/OAuth2Service.cs

@@ -18,6 +18,7 @@ public class OAuth2Service : IOAuth2Service
         private readonly IAuthService _authService;
         private readonly Dictionary<string, string> _oauth2Requests = new();
         private readonly Dictionary<string, string> _tokenData = new();
+        private readonly Dictionary<string, string> _exchangeTokens = new();
 
         public OAuth2Service(
             IHttpClientFactory httpClientFactory,
@@ -303,14 +304,18 @@ public async Task<OAuth2CallbackResult> HandleOAuth2CallbackAsync(string code, s
                     RefreshToken = authResult.Tokens.RefreshToken,
                     ExpiresIn = (int)(authResult.Tokens.AccessTokenExpiresAt - DateTime.UtcNow).TotalSeconds,
                     UID = authResult.User!.UID,
-                    CreatedAt = DateTime.UtcNow
+                    CreatedAt = DateTime.UtcNow,
+                    ClientIP = string.Empty,
+                    UserAgent = string.Empty,
+                    IsUsed = false
                 };
 
-                await StoreTokenDataAsync(state, tokenData);
+                var exchangeToken = GenerateExchangeToken();
+                await StoreExchangeTokenDataAsync(exchangeToken, tokenData);
 
-                var clientRedirectUrl = $"{authRequest.ClientRedirectUri}?" +
-                                       $"success=true&" +
-                                       $"state={Uri.EscapeDataString(state)}";
+                var clientRedirectUrl = $"{authRequest.ClientRedirectUri}#" +
+                                       $"exchange_token={Uri.EscapeDataString(exchangeToken)}&" +
+                                       $"expires_in=300";
 
                 return new OAuth2CallbackResult
                 {
@@ -340,5 +345,43 @@ public async Task<OAuth2CallbackResult> HandleOAuth2CallbackAsync(string code, s
             return null;
         }
 
+        private string GenerateExchangeToken()
+        {
+            using var rng = System.Security.Cryptography.RandomNumberGenerator.Create();
+            var bytes = new byte[32];
+            rng.GetBytes(bytes);
+            return Convert.ToBase64String(bytes).Replace("+", "-").Replace("/", "_").Replace("=", "");
+        }
+
+        public async Task StoreExchangeTokenDataAsync(string exchangeToken, OAuth2TokenData tokenData)
+        {
+            _exchangeTokens[exchangeToken] = JsonSerializer.Serialize(tokenData);
+            await Task.CompletedTask;
+        }
+
+        public async Task<OAuth2TokenData?> ExchangeTokenAsync(string exchangeToken, Microsoft.AspNetCore.Http.HttpContext httpContext)
+        {
+            if (!_exchangeTokens.TryGetValue(exchangeToken, out var json))
+            {
+                return null;
+            }
+
+            var tokenData = JsonSerializer.Deserialize<OAuth2TokenData>(json);
+            if (tokenData == null || tokenData.IsUsed)
+            {
+                return null;
+            }
+
+            if (DateTime.UtcNow > tokenData.CreatedAt.AddMinutes(5))
+            {
+                _exchangeTokens.Remove(exchangeToken);
+                return null;
+            }
+
+            _exchangeTokens.Remove(exchangeToken);
+
+            return tokenData;
+        }
+
     }
 }

test-clients/oauth2-test-client.html

@@ -289,21 +289,35 @@ <h1>🔐 OAuth2 Test Client</h1>
             document.getElementById('oauthBtn').disabled = true;
         }
 
-        // 페이지 로드 시 URL 파라미터 확인 (OAuth2 callback 처리)
+        // 페이지 로드 시 URL Fragment 확인 (OAuth2 callback 처리)
         window.onload = async function() {
             const urlParams = new URLSearchParams(window.location.search);
+            const hash = window.location.hash.substring(1);
+            const hashParams = new URLSearchParams(hash);
 
-            if (urlParams.has('success') && urlParams.has('state')) {
-                // OAuth2 성공 - state로 토큰 요청
-                const success = urlParams.get('success');
-                const state = urlParams.get('state');
+            if (hashParams.has('exchange_token')) {
+                // OAuth2 성공 - exchange token으로 실제 토큰 요청
+                const exchangeToken = hashParams.get('exchange_token');
 
-                if (success === 'true' && state) {
+                if (exchangeToken) {
                     try {
-                        showResult('🔄 토큰 요청 중...', 'info');
+                        showResult('🔄 토큰 교환 중...', 'info');
+                        
+                        // Fragment 즉시 정리 (보안)
+                        window.location.hash = '';
 
                         const serverUrl = document.getElementById('serverUrl').value;
-                        const tokenResponse = await fetch(`${serverUrl}/auth/oauth2/token?state=${encodeURIComponent(state)}`);
+                        const tokenResponse = await fetch(`${serverUrl}/auth/oauth2/exchange`, {
+                            method: 'POST',
+                            headers: {
+                                'Content-Type': 'application/json'
+                            },
+                            body: JSON.stringify({
+                                exchangeToken: exchangeToken,
+                                clientFingerprint: generateBrowserFingerprint()
+                            })
+                        });
+                        
                         const tokenData = await tokenResponse.json();
 
                         if (tokenData.success) {
@@ -319,20 +333,33 @@ <h1>🔐 OAuth2 Test Client</h1>
                                 `Refresh Token: ${refreshToken}\n` +
                                 `Expires In: ${expiresIn}초`, 'success');
                         } else {
-                            showResult(`❌ 토큰 요청 실패: ${tokenData.message}`, 'error');
+                            showResult(`❌ 토큰 교환 실패: ${tokenData.message}`, 'error');
                         }
                     } catch (error) {
-                        showResult(`❌ 토큰 요청 중 오류: ${error.message}`, 'error');
+                        showResult(`❌ 토큰 교환 중 오류: ${error.message}`, 'error');
                     }
-                } else {
-                    const error = urlParams.get('error');
-                    showResult(`❌ OAuth2 로그인 실패: ${error}`, 'error');
                 }
-
+            }
+            
+            // URL 파라미터에서 에러 확인
+            if (urlParams.has('error')) {
+                const error = urlParams.get('error');
+                showResult(`❌ OAuth2 로그인 실패: ${error}`, 'error');
+                
                 // URL에서 파라미터 제거
                 window.history.replaceState({}, document.title, window.location.pathname);
             }
         };
+
+        // 간단한 브라우저 핑거프린트 생성
+        function generateBrowserFingerprint() {
+            const screen = `${window.screen.width}x${window.screen.height}`;
+            const timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
+            const language = navigator.language;
+            const userAgent = navigator.userAgent.substring(0, 100);
+            
+            return btoa(`${screen}-${timezone}-${language}-${userAgent}`).substring(0, 32);
+        }
     </script>
 </body>
 </html>