✨ Feat: [#101] 비밀번호 재설정 기능 구현 완료

2026-01-09 17:18:14 +09:00
parent 41c1aa7013
commit a4fa5d152b
5 changed files with 103 additions and 6 deletions
--- a/users/permissions.py
+++ b/users/permissions.py
@@ -8,4 +8,14 @@ class IsGithubLinked(BasePermission):
        if token_obj := getattr(user, 'github_token', None):
            if token := getattr(token_obj, 'access_token', None):
                return True
-        return False
+        return False
+    
+class IsPasswordResetToken(BasePermission):
+    message = "Password reset token required."
+
+    def has_permission(self, request, view):
+        token = getattr(request, "auth", None)
+        if not token:
+            return False
+
+        return token.get("purpose") == "password_reset"
--- a/users/urls.py
+++ b/users/urls.py
@@ -24,4 +24,5 @@ urlpatterns = [
    path('mypage/my-info/', MyPageMemberInfoAPIView.as_view()),
    path("github/", include(router.urls)),
    path("portfolio/", UserInfoAPIView.as_view()),
+    path("reset-password/", PasswordResetAPIView.as_view()),
 ]
--- a/users/views.py
+++ b/users/views.py
@@ -40,6 +40,7 @@ from github import Github, GithubException

 CACHE_TIMEOUT = 60 * 60
 PAGE_SIZE = 20
+PASSWORD_RESET_USED_JTI_TTL = 60 * 10

 class RefreshAPIView(APIView):
    permission_classes = [AllowAny]
@@ -388,6 +389,48 @@ class LoginAPIView(APIView):
        else: # id, 비번 둘 중 하나가 틀렸을 때
            return Response({"message": "아이디 혹은 비밀번호가 맞지 않습니다."}, status=status.HTTP_400_BAD_REQUEST)

+
+class PasswordResetAPIView(APIView):
+    permission_classes = [IsAuthenticated, IsPasswordResetToken]
+
+    # 비밀번호 재설정
+    @transaction.atomic
+    def post(self, request):
+        new_password = request.data.get("new_password")
+
+        if not new_password:
+            return Response({"message": "no new_password", "is_new_password": None})
+
+        token = request.auth
+        jti = token.get("jti")
+        user_id = token.get("user_id")
+
+        if not jti or not user_id:
+            return Response({"message": "invalid token"}, status=status.HTTP_400_BAD_REQUEST)
+
+        # 1회성 방지
+        used_key = f"pwreset-used:{jti}"
+        if cache.get(used_key):
+            return Response({"message": "token already used"}, status=status.HTTP_400_BAD_REQUEST)
+        cache.set(used_key, True, timeout=PASSWORD_RESET_USED_JTI_TTL)
+
+        user = get_object_or_404(User, id=user_id)
+
+        user.set_password(new_password)
+        user.save(update_fields=["password"])
+
+        # 쿠키에 있는 리프레시 토큰 무효화
+        try:
+            refresh = request.COOKIES.get('refresh')
+            if refresh:
+                refresh_token = RefreshToken(refresh)
+                refresh_token.blacklist()
+        except TokenError as e:
+            pass
+
+        return Response({"message": "password updated successfully"}, status=status.HTTP_200_OK)
+
+
 class CheckUserFieldDuplicateAPIView(APIView):
    permission_classes = [AllowAny]
    # 유저 필드 중복 확인