refactor(server): update auth, user, and recruit member domains with …

.github/workflows/ci.yml

@@ -35,7 +35,14 @@ jobs:
           gradle-home-cache-cleanup: true
 
       - name: Create dummy .env for CI
-        run: echo "# ci dummy" > .env
+        env:
+          AUDIENCE_SECRET: ${{ secrets.JWT_AUDIENCE }}
+        run: |
+          AUDIENCE_VALUE="${AUDIENCE_SECRET:-ci-audience}"
+          cat > .env <<EOF
+          # ci dummy
+          JWT_AUDIENCE=${AUDIENCE_VALUE}
+          EOF
 
       - name: Gradle build (skip tests)
         id: assemble

.github/workflows/deploy-dev.yml

@@ -37,10 +37,12 @@ jobs:
           DB_USERNAME=${{ secrets.DB_USERNAME }}
           DB_PASSWORD=${{ secrets.DB_PASSWORD }}
           GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }}
-          GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }}
-          GOOGLE_REDIRECT_URI=${{ secrets.GOOGLE_REDIRECT_URI }}
           GOOGLE_ISSUER=${{ secrets.GOOGLE_ISSUER }}
           SELF_ISSUER=${{ secrets.SELF_ISSUER }}
+          JWT_AUDIENCE=${{ secrets.JWT_AUDIENCE }}
+          REFRESH_COOKIE_SECURE=${{ secrets.REFRESH_COOKIE_SECURE || 'false' }}
+          REFRESH_COOKIE_SAME_SITE=${{ secrets.REFRESH_COOKIE_SAME_SITE || 'Lax' }}
+          REFRESH_COOKIE_DOMAIN=${{ secrets.REFRESH_COOKIE_DOMAIN }}
           SECRET_KEY=${{ secrets.SECRET_KEY }}
           AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/deploy-prod.yml

@@ -40,10 +40,12 @@ jobs:
           DB_USERNAME=${{ secrets.DB_USERNAME }}
           DB_PASSWORD=${{ secrets.DB_PASSWORD }}
           GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }}
-          GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }}
-          GOOGLE_REDIRECT_URI=${{ secrets.GOOGLE_REDIRECT_URI }}
           GOOGLE_ISSUER=${{ secrets.GOOGLE_ISSUER }}
           SELF_ISSUER=${{ secrets.SELF_ISSUER }}
+          JWT_AUDIENCE=${{ secrets.JWT_AUDIENCE }}
+          REFRESH_COOKIE_SECURE=${{ secrets.REFRESH_COOKIE_SECURE || 'false' }}
+          REFRESH_COOKIE_SAME_SITE=${{ secrets.REFRESH_COOKIE_SAME_SITE || 'Lax' }}
+          REFRESH_COOKIE_DOMAIN=${{ secrets.REFRESH_COOKIE_DOMAIN }}
           SECRET_KEY=${{ secrets.SECRET_KEY }}
           AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}

build.gradle

@@ -34,6 +34,7 @@ ext {
     dotenvVersion = '5.2.2'
     querydslVersion = '6.10.1'
     jjwtVersion = '0.13.0'
+    googleApiClientVersion = '2.6.0'
 }
 
 /* ===== Vulnerability Pins (정확한 CVE 기반 대응) ===== */
@@ -104,7 +105,7 @@ dependencies {
     testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 
     //Google API Client
-    implementation 'com.google.api-client:google-api-client:2.2.0'
+    implementation "com.google.api-client:google-api-client:${googleApiClientVersion}"
 }
 
 dependencyManagement {

src/main/java/inha/gdgoc/domain/user/controller/UserAdminController.java → src/main/java/inha/gdgoc/domain/admin/user/controller/UserAdminController.java

@@ -1,23 +1,31 @@
-package inha.gdgoc.domain.user.controller;
+package inha.gdgoc.domain.admin.user.controller;
 
-import inha.gdgoc.domain.user.dto.request.UpdateRoleRequest;
-import inha.gdgoc.domain.user.dto.request.UpdateUserRoleTeamRequest;
-import inha.gdgoc.domain.user.dto.response.UserSummaryResponse;
-import inha.gdgoc.domain.user.enums.TeamType;
-import inha.gdgoc.domain.user.enums.UserRole;
-import inha.gdgoc.domain.user.service.UserAdminService;
+import inha.gdgoc.domain.admin.user.dto.request.UpdateRoleRequest;
+import inha.gdgoc.domain.admin.user.dto.request.UpdateUserRoleTeamRequest;
+import inha.gdgoc.domain.admin.user.dto.response.UserSummaryResponse;
+import inha.gdgoc.domain.admin.user.service.UserAdminService;
 import inha.gdgoc.global.config.jwt.TokenProvider.CustomUserDetails;
 import inha.gdgoc.global.dto.response.ApiResponse;
 import inha.gdgoc.global.dto.response.PageMeta;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
-import org.springframework.data.domain.*;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.domain.Sort;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
 
 @RequiredArgsConstructor
 @RestController
@@ -28,7 +36,7 @@ public class UserAdminController {
             "@accessGuard.check(authentication,"
                     + " T(inha.gdgoc.global.security.AccessGuard$AccessCondition).atLeast("
                     + "T(inha.gdgoc.domain.user.enums.UserRole).LEAD),"
-                    + " T(inha.gdgoc.global.security.AccessGuard$AccessCondition).atLeast("
+                    + " T(inha.gdgoc.global.security.AccessGuard$AccessCondition).of("
                     + "T(inha.gdgoc.domain.user.enums.UserRole).CORE,"
                     + " T(inha.gdgoc.domain.user.enums.TeamType).HR))";
     private static final String LEAD_OR_HIGHER_RULE =
@@ -38,7 +46,6 @@ public class UserAdminController {
 
     private final UserAdminService userAdminService;
 
-    // q(검색) + role/team(필터) + pageable
     @Operation(summary = "사용자 요약 목록 조회", security = {@SecurityRequirement(name = "BearerAuth")})
     @PreAuthorize(LEAD_OR_HR_RULE)
     @GetMapping

src/main/java/inha/gdgoc/domain/user/dto/request/UpdateRoleRequest.java → src/main/java/inha/gdgoc/domain/admin/user/dto/request/UpdateRoleRequest.java

@@ -1,8 +1,8 @@
-package inha.gdgoc.domain.user.dto.request;
+package inha.gdgoc.domain.admin.user.dto.request;
 
 import inha.gdgoc.domain.user.enums.UserRole;
 import jakarta.validation.constraints.NotNull;
 
 public record UpdateRoleRequest(
         @NotNull UserRole role
-) {}
+) {}

src/main/java/inha/gdgoc/domain/admin/user/dto/request/UpdateUserRoleTeamRequest.java

@@ -0,0 +1,9 @@
+package inha.gdgoc.domain.admin.user.dto.request;
+
+import inha.gdgoc.domain.user.enums.TeamType;
+import inha.gdgoc.domain.user.enums.UserRole;
+
+public record UpdateUserRoleTeamRequest(
+        UserRole role,
+        TeamType team
+) {}

src/main/java/inha/gdgoc/domain/user/dto/response/UserSummaryResponse.java → src/main/java/inha/gdgoc/domain/admin/user/dto/response/UserSummaryResponse.java

@@ -1,4 +1,4 @@
-package inha.gdgoc.domain.user.dto.response;
+package inha.gdgoc.domain.admin.user.dto.response;
 
 import inha.gdgoc.domain.user.enums.TeamType;
 import inha.gdgoc.domain.user.enums.UserRole;
@@ -11,4 +11,4 @@ public record UserSummaryResponse(
         String email,
         UserRole userRole,
         TeamType team
-) {}
+) {}

src/main/java/inha/gdgoc/domain/user/service/UserAdminService.java → src/main/java/inha/gdgoc/domain/admin/user/service/UserAdminService.java

@@ -1,7 +1,7 @@
-package inha.gdgoc.domain.user.service;
+package inha.gdgoc.domain.admin.user.service;
 
-import inha.gdgoc.domain.user.dto.request.UpdateUserRoleTeamRequest;
-import inha.gdgoc.domain.user.dto.response.UserSummaryResponse;
+import inha.gdgoc.domain.admin.user.dto.request.UpdateUserRoleTeamRequest;
+import inha.gdgoc.domain.admin.user.dto.response.UserSummaryResponse;
 import inha.gdgoc.domain.user.entity.User;
 import inha.gdgoc.domain.user.enums.TeamType;
 import inha.gdgoc.domain.user.enums.UserRole;
@@ -26,8 +26,6 @@ public class UserAdminService {
 
     private final UserRepository userRepository;
 
-    /* ======================= 목록 ======================= */
-
     @Transactional(readOnly = true)
     public Page<UserSummaryResponse> listUsers(String q, Pageable pageable) {
         Pageable fixed = rewriteSort(pageable);
@@ -36,7 +34,9 @@ public Page<UserSummaryResponse> listUsers(String q, Pageable pageable) {
 
     private Pageable rewriteSort(Pageable pageable) {
         Sort original = pageable.getSort();
-        if (original.isUnsorted()) return pageable;
+        if (original.isUnsorted()) {
+            return pageable;
+        }
 
         Sort composed = Sort.unsorted();
         boolean hasUserRoleOrder = false;
@@ -50,6 +50,7 @@ private Pageable rewriteSort(Pageable pageable) {
                         " WHEN u.userRole = 'ORGANIZER' THEN 4 " +
                         " WHEN u.userRole = 'ADMIN'     THEN 5 " +
                         " ELSE -1 END)";
+
         for (Sort.Order o : original) {
             String prop = o.getProperty();
             Sort.Direction dir = o.getDirection();
@@ -73,11 +74,10 @@ private Pageable rewriteSort(Pageable pageable) {
             composed = composed.and(JpaSort.unsafe(Sort.Direction.DESC, roleRankCase));
             composed = composed.and(Sort.by("name").ascending());
         }
+
         return PageRequest.of(pageable.getPageNumber(), pageable.getPageSize(), composed);
     }
 
-    /* ======================= 수정 ======================= */
-
     @Transactional
     public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, UpdateUserRoleTeamRequest req) {
         User editorUser = getEditor(editor);
@@ -90,10 +90,8 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
         UserRole newRole = (req.role() != null ? req.role() : targetCurrentRole);
         TeamType requestedTeam = (req.team() != null ? req.team() : target.getTeam());
 
-        // 팀 보유 가능한 역할만 팀 허용 (CORE, LEAD)
         TeamType newTeam = isTeamAssignableRole(newRole) ? requestedTeam : null;
 
-        // 공통: 에디터는 대상의 현재/신규 role보다 엄격히 높아야 함
         if (!(editorRole.rank() > targetCurrentRole.rank())) {
             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "동급/상위 사용자의 정보는 변경할 수 없습니다.");
         }
@@ -124,7 +122,6 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
                 }
 
                 if (editor.getTeam() == TeamType.HR) {
-                    // HR-LEAD: 본인 제외 타인지원 팀 변경 가능
                     if (editorUser.getId().equals(target.getId())) {
                         if (req.team() != null && !Objects.equals(req.team(), target.getTeam())) {
                             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "HR-LEAD도 자기 자신의 팀은 변경할 수 없습니다.");
@@ -159,12 +156,13 @@ public void updateUserRoleWithRules(CustomUserDetails me, Long targetUserId, Use
 
         UserRole current = target.getUserRole();
 
-        // HR-CORE 특례: GUEST -> MEMBER
         boolean isHrCore = (meRole == UserRole.CORE) && (meTeam == TeamType.HR);
         if (isHrCore) {
             if (current == UserRole.GUEST && newRole == UserRole.MEMBER) {
                 target.changeRole(UserRole.MEMBER);
-                if (!isTeamAssignableRole(UserRole.MEMBER)) target.changeTeam(null);
+                if (!isTeamAssignableRole(UserRole.MEMBER)) {
+                    target.changeTeam(null);
+                }
                 userRepository.save(target);
                 return;
             }
@@ -178,7 +176,9 @@ public void updateUserRoleWithRules(CustomUserDetails me, Long targetUserId, Use
         }
 
         target.changeRole(newRole);
-        if (!isTeamAssignableRole(newRole)) target.changeTeam(null);
+        if (!isTeamAssignableRole(newRole)) {
+            target.changeTeam(null);
+        }
         userRepository.save(target);
     }
 
@@ -203,18 +203,22 @@ public void deleteUserWithRules(CustomUserDetails me, Long targetUserId) {
         }
 
         switch (editorRole) {
-            case ADMIN -> {}
+            case ADMIN -> {
+            }
             case ORGANIZER -> {
                 if (targetRole == UserRole.ADMIN) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "ADMIN 사용자는 삭제할 수 없습니다.");
                 }
             }
             case LEAD -> {
+                if (editorTeam == null) {
+                    throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "LEAD 토큰에 팀 정보가 없습니다.");
+                }
                 if (!(targetRole == UserRole.MEMBER || targetRole == UserRole.CORE)) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "LEAD는 MEMBER/CORE만 삭제할 수 있습니다.");
                 }
                 if (editorTeam != TeamType.HR) {
-                    if (editorTeam == null || targetTeam != editorTeam) {
+                    if (targetTeam != editorTeam) {
                         throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "다른 팀 사용자는 삭제할 수 없습니다.");
                     }
                 }
@@ -225,19 +229,21 @@ public void deleteUserWithRules(CustomUserDetails me, Long targetUserId) {
         userRepository.delete(target);
     }
 
+    private User getEditor(CustomUserDetails editor) {
+        return userRepository.findById(editor.getUserId())
+                .orElseThrow(() -> new BusinessException(GlobalErrorCode.UNAUTHORIZED_USER));
+    }
+
     private void targetChange(User target, UserRole newRole, TeamType newTeam) {
         target.changeRole(newRole);
-        if (!isTeamAssignableRole(newRole)) newTeam = null;
+        if (!isTeamAssignableRole(newRole)) {
+            newTeam = null;
+        }
         target.changeTeam(newTeam);
         userRepository.save(target);
     }
 
-    private User getEditor(CustomUserDetails editor) {
-        return userRepository.findById(editor.getUserId())
-                .orElseThrow(() -> new BusinessException(GlobalErrorCode.UNAUTHORIZED_USER));
-    }
-
     private boolean isTeamAssignableRole(UserRole role) {
         return role == UserRole.CORE || role == UserRole.LEAD;
     }
-}
+}