🔀 Merge pull request #136 from qkrwogk/feat/board-security

[BE] Board모듈 보안 : 게시글 본문 암복호화,Entity 관계적용, AuthGuard 적용, 게시글 생성 시 author 서버가 삽입

packages/server/package.json

@@ -33,6 +33,7 @@
 		"class-transformer": "^0.5.1",
 		"class-validator": "^0.14.0",
 		"cookie-parser": "^1.4.6",
+		"crypto": "^1.0.1",
 		"dotenv": "^16.3.1",
 		"ioredis": "^5.3.2",
 		"mysql2": "^3.6.3",

packages/server/src/auth/auth.module.ts

@@ -7,6 +7,7 @@ import { PassportModule } from '@nestjs/passport';
 import { JwtModule } from '@nestjs/jwt';
 import { jwtConfig } from '../config/jwt.config';
 import { RedisRepository } from './redis.repository';
+import { CookieAuthGuard } from './cookie-auth.guard';
 
 @Module({
 	imports: [
@@ -15,6 +16,7 @@ import { RedisRepository } from './redis.repository';
 		TypeOrmModule.forFeature([User]),
 	],
 	controllers: [AuthController],
-	providers: [AuthService, RedisRepository],
+	providers: [AuthService, CookieAuthGuard, RedisRepository],
+	exports: [JwtModule, CookieAuthGuard, RedisRepository],
 })
 export class AuthModule {}

packages/server/src/auth/entities/user.entity.ts

@@ -1,7 +1,9 @@
+import { Board } from 'src/board/entities/board.entity';
 import {
 	Column,
 	CreateDateColumn,
 	Entity,
+	OneToMany,
 	PrimaryGeneratedColumn,
 } from 'typeorm';
 
@@ -21,4 +23,7 @@ export class User {
 
 	@CreateDateColumn()
 	created_at: Date;
+
+	@OneToMany(() => Board, (board) => board.user)
+	boards: Board[];
 }

packages/server/src/board/board.controller.ts

@@ -12,6 +12,8 @@ import {
 	UsePipes,
 	ValidationPipe,
 	ParseIntPipe,
+	UseGuards,
+	Req,
 } from '@nestjs/common';
 import { BoardService } from './board.service';
 import { CreateBoardDto } from './dto/create-board.dto';
@@ -28,25 +30,33 @@ import {
 } from '@nestjs/swagger';
 import { FileInterceptor } from '@nestjs/platform-express';
 import { CreateImageDto } from './dto/create-image.dto';
+import { CookieAuthGuard } from 'src/auth/cookie-auth.guard';
 
 @Controller('board')
 @ApiTags('게시글 API')
 export class BoardController {
 	constructor(private readonly boardService: BoardService) {}
 
 	@Post()
+	@UseGuards(CookieAuthGuard)
 	@UsePipes(ValidationPipe)
 	@ApiOperation({ summary: '게시글 작성', description: '게시글을 작성합니다.' })
 	@ApiCreatedResponse({ status: 201, description: '게시글 작성 성공' })
 	@ApiBadRequestResponse({
 		status: 400,
 		description: '잘못된 요청으로 게시글 작성 실패',
 	})
-	createBoard(@Body() createBoardDto: CreateBoardDto): Promise<Board> {
+	createBoard(
+		@Req() req,
+		@Body() createBoardDto: CreateBoardDto,
+	): Promise<Board> {
+		if (req.user && req.user.nickname)
+			createBoardDto.author = req.user.nickname;
 		return this.boardService.createBoard(createBoardDto);
 	}
 
 	@Get()
+	@UseGuards(CookieAuthGuard)
 	@ApiOperation({ summary: '게시글 조회', description: '게시글을 조회합니다.' })
 	@ApiOkResponse({ status: 200, description: '게시글 조회 성공' })
 	@ApiBadRequestResponse({
@@ -58,6 +68,7 @@ export class BoardController {
 	}
 
 	@Get('by-author')
+	@UseGuards(CookieAuthGuard)
 	@ApiOperation({
 		summary: '작성자별 게시글 조회',
 		description: '작성자별 게시글을 조회합니다.',
@@ -72,6 +83,7 @@ export class BoardController {
 	}
 
 	@Get(':id')
+	@UseGuards(CookieAuthGuard)
 	@ApiOperation({
 		summary: '게시글 상세 조회',
 		description: '게시글을 상세 조회합니다.',
@@ -86,6 +98,7 @@ export class BoardController {
 	}
 
 	@Patch(':id')
+	@UseGuards(CookieAuthGuard)
 	@UsePipes(ValidationPipe)
 	@ApiOperation({ summary: '게시글 수정', description: '게시글을 수정합니다.' })
 	@ApiOkResponse({ status: 200, description: '게시글 수정 성공' })
@@ -94,13 +107,17 @@ export class BoardController {
 		description: '잘못된 요청으로 게시글 수정 실패',
 	})
 	updateBoard(
+		@Req() req,
 		@Param('id', ParseIntPipe) id: number,
 		@Body() updateBoardDto: UpdateBoardDto,
 	) {
+		if (req.user && req.user.nickname)
+			updateBoardDto.author = req.user.nickname;
 		return this.boardService.updateBoard(id, updateBoardDto);
 	}
 
 	@Patch(':id/like')
+	@UseGuards(CookieAuthGuard)
 	@ApiOperation({
 		summary: '게시글 좋아요',
 		description: '게시글에 좋아요를 합니다.',
@@ -115,6 +132,7 @@ export class BoardController {
 	}
 
 	@Patch(':id/unlike')
+	@UseGuards(CookieAuthGuard)
 	@ApiOperation({
 		summary: '게시글 좋아요 취소',
 		description: '게시글에 좋아요를 취소합니다.',
@@ -129,6 +147,7 @@ export class BoardController {
 	}
 
 	@Delete(':id')
+	@UseGuards(CookieAuthGuard)
 	@ApiOperation({ summary: '게시글 삭제', description: '게시글을 삭제합니다.' })
 	@ApiOkResponse({ status: 200, description: '게시글 삭제 성공' })
 	@ApiNotFoundResponse({
@@ -140,6 +159,7 @@ export class BoardController {
 	}
 
 	@Post(':id/image')
+	@UseGuards(CookieAuthGuard)
 	@UseInterceptors(FileInterceptor('file', { dest: './uploads' }))
 	@UsePipes(ValidationPipe)
 	@ApiOperation({

packages/server/src/board/board.module.ts

@@ -4,9 +4,10 @@ import { BoardController } from './board.controller';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { Board } from './entities/board.entity';
 import { Image } from './entities/image.entity';
+import { AuthModule } from 'src/auth/auth.module';
 
 @Module({
-	imports: [TypeOrmModule.forFeature([Board, Image])],
+	imports: [TypeOrmModule.forFeature([Board, Image]), AuthModule],
 	controllers: [BoardController],
 	providers: [BoardService],
 })

packages/server/src/board/board.service.ts

@@ -12,6 +12,7 @@ import { Repository } from 'typeorm';
 import { unlinkSync } from 'fs';
 import { CreateImageDto } from './dto/create-image.dto';
 import { Image } from './entities/image.entity';
+import { encryptAes, decryptAes } from 'src/utils/aes.util';
 
 @Injectable()
 export class BoardService {
@@ -27,7 +28,7 @@ export class BoardService {
 
 		const board = this.boardRepository.create({
 			title,
-			content,
+			content: encryptAes(content), // AES 암호화하여 저장
 			author,
 		});
 		const created: Board = await this.boardRepository.save(board);
@@ -50,12 +51,20 @@ export class BoardService {
 		if (!found) {
 			throw new NotFoundException(`Not found board with id: ${id}`);
 		}
+		if (found.content) {
+			found.content = decryptAes(found.content); // AES 복호화하여 반환
+		}
 		return found;
 	}
 
 	async updateBoard(id: number, updateBoardDto: UpdateBoardDto) {
 		const board: Board = await this.findBoardById(id);
 
+		// updateBoardDto.content가 존재하면 AES 암호화하여 저장
+		if (updateBoardDto.content) {
+			updateBoardDto.content = encryptAes(updateBoardDto.content);
+		}
+
 		const updatedBoard: Board = await this.boardRepository.save({
 			...board,
 			...updateBoardDto,
@@ -102,7 +111,7 @@ export class BoardService {
 		}
 
 		// 이미 파일이 존재하는지 확인
-		if (board.image_id) {
+		if (board.image) {
 			unlinkSync(file.path); // 파일 삭제
 		}
 
@@ -115,7 +124,7 @@ export class BoardService {
 		});
 		const updatedImage = await this.imageRepository.save(image);
 
-		board.image_id = updatedImage.id;
+		board.image = updatedImage.id;
 		const updatedBoard = await this.boardRepository.save(board);
 
 		return updatedBoard;

packages/server/src/board/dto/create-board.dto.ts

@@ -21,13 +21,14 @@ export class CreateBoardDto {
 	})
 	content: string;
 
-	@IsNotEmpty({ message: '게시글 작성자는 필수 입력입니다.' })
-	@IsString({ message: '게시글 작성자는 문자열로 입력해야 합니다.' })
-	@MaxLength(50, { message: '게시글 작성자는 50자 이내로 입력해야 합니다.' })
-	@ApiProperty({
-		description: '게시글 작성자',
-		example: 'test author',
-		required: true,
-	})
+	// 서버에서 직접 삽입해주도록 변경 (validation 제거)
+	// @IsNotEmpty({ message: '게시글 작성자는 필수 입력입니다.' })
+	// @IsString({ message: '게시글 작성자는 문자열로 입력해야 합니다.' })
+	// @MaxLength(50, { message: '게시글 작성자는 50자 이내로 입력해야 합니다.' })
+	// @ApiProperty({
+	// 	description: '게시글 작성자',
+	// 	example: 'test author',
+	// 	required: true,
+	// })
 	author: string;
 }

packages/server/src/board/entities/board.entity.ts

@@ -3,9 +3,14 @@ import {
 	Column,
 	CreateDateColumn,
 	Entity,
+	JoinColumn,
+	ManyToOne,
+	OneToOne,
 	PrimaryGeneratedColumn,
 	UpdateDateColumn,
 } from 'typeorm';
+import { Image } from './image.entity';
+import { User } from 'src/auth/entities/user.entity';
 
 @Entity()
 export class Board extends BaseEntity {
@@ -30,6 +35,10 @@ export class Board extends BaseEntity {
 	@Column({ type: 'int', default: 0 })
 	like_cnt: number;
 
-	@Column({ type: 'int', nullable: true })
-	image_id: number;
+	@OneToOne(() => Image, { nullable: true })
+	@JoinColumn()
+	image: number;
+
+	@ManyToOne(() => User, (user) => user.boards, { onDelete: 'CASCADE' })
+	user: User;
 }

packages/server/src/config/aes.config.ts

@@ -0,0 +1,8 @@
+import { configDotenv } from 'dotenv';
+configDotenv();
+
+export const aesConfig = {
+	password: process.env.AES_PASSWORD,
+	salt: process.env.AES_SALT,
+	iv: Buffer.alloc(16, 0),
+};

packages/server/src/utils/aes.util.ts

@@ -0,0 +1,26 @@
+import * as crypto from 'crypto';
+import { aesConfig } from '../config/aes.config';
+
+const encryptAes = (plainText) => {
+	const algorithm = 'aes-256-cbc'; // 암호 알고리즘
+	const key = crypto.scryptSync(aesConfig.password, aesConfig.salt, 32); // 암호화 키
+	const iv = aesConfig.iv; // 초기화 벡터
+
+	const cipher = crypto.createCipheriv(algorithm, key, iv);
+	let cipherText = cipher.update(plainText, 'utf8', 'base64');
+	cipherText += cipher.final('base64');
+	return cipherText;
+};
+
+const decryptAes = (cipherText) => {
+	const algorithm = 'aes-256-cbc'; // 암호 알고리즘
+	const key = crypto.scryptSync(aesConfig.password, aesConfig.salt, 32); // 암호화 키
+	const iv = aesConfig.iv; // 초기화 벡터
+
+	const decipher = crypto.createDecipheriv(algorithm, key, iv);
+	let plainText = decipher.update(cipherText, 'base64', 'utf8');
+	plainText += decipher.final('utf8');
+	return plainText;
+};
+
+export { encryptAes, decryptAes };

yarn.lock

@@ -3456,6 +3456,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"crypto@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "crypto@npm:1.0.1"
+  checksum: fcf7dbd68ac5415b7fde7d7208fe203038e92e83e8a8fcf6e86ab4771ce3dd026d6967a990ba56b9d1c771378210814d5c90d907d3739fbd1723d552ad6c8ab8
+  languageName: node
+  linkType: hard
+
 "csstype@npm:^3.0.2":
   version: 3.1.2
   resolution: "csstype@npm:3.1.2"
@@ -7703,6 +7710,7 @@ __metadata:
     class-transformer: "npm:^0.5.1"
     class-validator: "npm:^0.14.0"
     cookie-parser: "npm:^1.4.6"
+    crypto: "npm:^1.0.1"
     dotenv: "npm:^16.3.1"
     eslint: "npm:^8.42.0"
     eslint-config-prettier: "npm:^9.0.0"