feature : 랜덤 변수 생성 관련 보안 이슈 응대 (#40)

everymeals · Sep 28, 2023 · 3638608 · 3638608
1 parent ac8d1d2
commit 3638608
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/src/main/java/everymeal/server/user/service/UserServiceImpl.java b/src/main/java/everymeal/server/user/service/UserServiceImpl.java
@@ -14,6 +14,8 @@
 import jakarta.mail.MessagingException;
 import jakarta.mail.internet.MimeMessage;
 import jakarta.mail.internet.MimeMessage.RecipientType;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Random;
 import lombok.RequiredArgsConstructor;
 import org.springframework.mail.javamail.JavaMailSender;
@@ -28,7 +30,6 @@ public class UserServiceImpl implements UserService {
     private final UserRepository userRepository;
     private final JwtUtil jwtUtil;
     private final JavaMailSender javaMailSender;
-    private final Random random = new Random();
 
     @Override
     @Transactional
@@ -61,21 +62,22 @@ public Boolean isAuth(AuthenticatedUser authenticatedUser) {
     @Override
     public UserEmailAuthRes emailAuth(
             UserEmailAuthReq request, AuthenticatedUser authenticatedUser) {
-        int authCode = random.nextInt(900000) + 100000;
-        String mailJwt =
-                jwtUtil.generateEmailToken(
-                        authenticatedUser.getIdx(), request.getEmail(), Integer.toString(authCode));
         try {
+            Random random = SecureRandom.getInstanceStrong();
+            int authCode = random.nextInt(900000) + 100000;
+            String mailJwt =
+                jwtUtil.generateEmailToken(
+                    authenticatedUser.getIdx(), request.getEmail(), Integer.toString(authCode));
             MimeMessage mimeMessage = javaMailSender.createMimeMessage();
             mimeMessage.setSubject("[에브리밀] 대학교 이메일 인증");
             mimeMessage.setText("인증번호 : " + authCode);
             mimeMessage.setRecipients(RecipientType.TO, request.getEmail());
             javaMailSender.send(mimeMessage);
-        } catch (MessagingException e) {
+            return UserEmailAuthRes.builder().emailAuthToken(mailJwt).build();
+        } catch (MessagingException | NoSuchAlgorithmException e) {
             e.printStackTrace();
             return null;
         }
-        return UserEmailAuthRes.builder().emailAuthToken(mailJwt).build();
     }
 
     @Override