PERMIT-SEOUL · sjk4618 · Feb 26, 2026 · Feb 7, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/.gitignore b/.gitignore
@@ -38,6 +38,7 @@ out/
 
 ### Mac ###
 .DS_Store
+.agent
 
 src/main/resources/application.yml
 src/main/resources/application-dev.yml

diff --git a/README.md b/README.md
@@ -9,7 +9,6 @@
 ## 📋 목차
 
 - [기술 스택](#-기술-스택)
-- [시스템 아키텍처](#-시스템-아키텍처)
 - [주요 기능](#-주요-기능)
 - [프로젝트 구조](#-프로젝트-구조)
 - [CI/CD](#cicd)
@@ -48,22 +47,10 @@
 
 ---
 
-## 🏗 시스템 아키텍처
 
-```
-┌─────────────┐     ┌─────────────┐     ┌────────────────────────┐
-│   Client    │────▶│   Nginx     │────▶│      Spring Boot       │
-│  (Frontend) │     │  (Reverse   │     │        Server          │
-└─────────────┘     │   Proxy)    │     └───────────┬────────────┘
-                    └─────────────┘                 │
-                                                    │
-    ┌─────────────│────────────│────────────────────│─────────────────│─────────────────│
-    │             │            │                    │                 │                 │                        
-┌───▼────┐  ┌─────▼────┐  ┌────▼─────┐      ┌───────▼───────┐  ┌──────▼───────┐  ┌──────▼───────┐
-│ MySQL  │  │  Redis   │  │  AWS S3  │      │ Toss Payments │  │    Google    │  │    Kakao     │
-│   DB   │  │  Cache   │  │ (Images) │      │      API      │  │    OAuth     │  │    OAuth     │
-└────────┘  └──────────┘  └──────────┘      └───────────────┘  └──────────────┘  └──────────────┘
-```
+
+
+
 
 ---
 

diff --git a/src/main/java/com/permitseoul/permitserver/domain/admin/base/api/service/AdminService.java b/src/main/java/com/permitseoul/permitserver/domain/admin/base/api/service/AdminService.java
@@ -3,6 +3,7 @@
 import com.permitseoul.permitserver.domain.admin.base.api.AdminProperties;
 import com.permitseoul.permitserver.domain.admin.base.api.dto.res.UserAuthorityGetResponse;
 import com.permitseoul.permitserver.domain.admin.base.api.exception.AdminAuthorizationException;
+import com.permitseoul.permitserver.domain.auth.core.jwt.RefreshTokenManager;
 import com.permitseoul.permitserver.domain.user.core.component.UserRetriever;
 import com.permitseoul.permitserver.domain.user.core.component.UserUpdater;
 import com.permitseoul.permitserver.domain.user.core.domain.User;
@@ -20,6 +21,7 @@ public class AdminService {
     private final AdminProperties adminProperties;
     private final UserRetriever userRetriever;
     private final UserUpdater userUpdater;
+    private final RefreshTokenManager refreshTokenManager;
 
     public void validateAdminCode(final String adminCode) {
         if(!(adminProperties.accessCode().equals(adminCode))){
@@ -44,6 +46,7 @@ public void updateUserAuthority(final long userId, final UserRole userRole) {
         try {
             userEntity = userRetriever.findUserEntityById(userId);
             userUpdater.updateUserRole(userEntity, userRole);
+            refreshTokenManager.deleteRefreshToken(userEntity.getUserId());
         } catch (UserNotFoundException e) {
             throw new AdminAuthorizationException(ErrorCode.NOT_FOUND_USER);
         }

diff --git a/src/main/java/com/permitseoul/permitserver/domain/auth/api/service/AuthService.java b/src/main/java/com/permitseoul/permitserver/domain/auth/api/service/AuthService.java
@@ -98,17 +98,17 @@ public TokenDto login(final SocialType socialType, final String authorizationCod
     public TokenDto reissue(final String refreshToken) {
         try {
             final long userId = jwtProvider.extractUserIdFromToken(refreshToken);
-           checkIsSameRefreshToken(userId, refreshToken);
+            final UserRole userRole = UserRole.valueOf(jwtProvider.extractUserRoleFromToken(refreshToken));
+            checkIsSameRefreshToken(userId, refreshToken);
 
-            final User user = userRetriever.findUserById(userId);
-            final Token newToken = getLoginOrReissueJwtToken(user.getUserId(), user.getUserRole());
+            final Token newToken = getLoginOrReissueJwtToken(userId, userRole);
 
-            saveRefreshTokenInRedis(user.getUserId(), newToken.getRefreshToken());
+            saveRefreshTokenInRedis(userId, newToken.getRefreshToken());
 
             return TokenDto.of(newToken.getAccessToken(), newToken.getRefreshToken());
-        } catch (AuthWrongJwtException | AuthRTNotFoundException e) {
+        } catch (AuthWrongJwtException e) {
             throw new AuthUnAuthorizedException(ErrorCode.UNAUTHORIZED_WRONG_RT);
-        } catch (AuthExpiredJwtException e) {
+        } catch (AuthExpiredJwtException |AuthRTNotFoundException e) {
             throw new AuthUnAuthorizedException(ErrorCode.UNAUTHORIZED_RT_EXPIRED);
         } catch (AuthRTException e) {
             throw new AuthUnAuthorizedException(ErrorCode.INTERNAL_RT_REDIS_ERROR);
@@ -125,7 +125,6 @@ public void logout(final long userId, final String refreshTokenFromCookie) {
         } catch (DataAccessException e) {
             throw new AuthRedisException(ErrorCode.INTERNAL_RT_REDIS_ERROR);
         }
-
     }
 
     private void checkIsSameRefreshToken(final long userId, final String refreshToken) {

diff --git a/src/main/java/com/permitseoul/permitserver/domain/auth/core/domain/RefreshToken.java b/src/main/java/com/permitseoul/permitserver/domain/auth/core/domain/RefreshToken.java
@@ -12,14 +12,11 @@
 @RedisHash("refreshToken")
 public class RefreshToken {
 
-    /** 사용자 식별자(키). 사용자당 1개 세션만 허용 모델 */
     @Id
     private Long userId;
 
-    /** 토큰 해시(SHA-256 등). 평문 저장 금지 */
     private String refreshToken;
 
-    /** 만료 시간(초 단위). @RedisHash 클래스 단위 TTL 대신 인스턴스별 TTL 추천 */
     @TimeToLive
     private long ttlSeconds;
 

diff --git a/src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/JwtProvider.java b/src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/JwtProvider.java
@@ -48,7 +48,11 @@ public long extractUserIdFromToken(final String token) {
 
     public String extractUserRoleFromToken(final String token) {
         final Jws<Claims> claims = parseToken(token);
-        return claims.getBody().get(Constants.USER_ROLE, String.class);
+        final String role = claims.getBody().get(Constants.USER_ROLE, String.class);
+        if(role == null) {
+            throw new AuthWrongJwtException();
+        }
+        return role;
     }
 
     //토큰 파싱

diff --git a/src/main/java/com/permitseoul/permitserver/global/filter/ExceptionHandlerFilter.java b/src/main/java/com/permitseoul/permitserver/global/filter/ExceptionHandlerFilter.java
@@ -32,10 +32,6 @@ protected void doFilterInternal(@NonNull final HttpServletRequest request,
         try {
             filterChain.doFilter(request, response);
         } catch (FilterException e) {
-            log.warn("[FilterException] code={}, ua={}",
-                    e.getErrorCode().name(),
-                    request.getHeader("User-Agent")
-            );
             handleUnauthorizedException(response, e);
         }
         catch (Exception e) {

diff --git a/...erver/global/filter/MDCLoggingFilter.java → ...al/filter/RequestObservabilityFilter.java b/...erver/global/filter/MDCLoggingFilter.java → ...al/filter/RequestObservabilityFilter.java
@@ -18,26 +18,30 @@
 
 @Component
 @Slf4j
-@Profile("!local")
+//@Profile("!local")
 @Order(Ordered.HIGHEST_PRECEDENCE)
-class MDCLoggingFilter extends OncePerRequestFilter {
+class RequestObservabilityFilter extends OncePerRequestFilter {
     private static final String NGINX_REQUEST_ID = "X-Request-ID";
     private static final String TRACE_ID = "trace_id";
 
     private static final String URI = "uri";
     private static final String METHOD = "method";
     private static final String STATUS = "status";
 
+    private static final long SLOW_REQUEST_THRESHOLD_MS = 1000L;
+
     @Override
     protected void doFilterInternal(@NonNull final HttpServletRequest request,
-                                    @NonNull final HttpServletResponse response,
-                                    @NonNull final FilterChain filterChain) throws ServletException, IOException {
+            @NonNull final HttpServletResponse response,
+            @NonNull final FilterChain filterChain) throws ServletException, IOException {
         final String uri = request.getRequestURI();
         // 헬스체크는 패스
         if (uri != null && uri.contains(Constants.HEALTH_CHECK_URL)) {
             filterChain.doFilter(request, response);
             return;
         }
+
+        final long start = System.currentTimeMillis();
         try {
             String traceId = request.getHeader(NGINX_REQUEST_ID);
             if (traceId == null || traceId.isBlank()) {
@@ -48,9 +52,17 @@ protected void doFilterInternal(@NonNull final HttpServletRequest request,
             MDC.put(METHOD, request.getMethod());
 
             filterChain.doFilter(request, response);
-
-            MDC.put(STATUS, String.valueOf(response.getStatus()));
         } finally {
+            final long duration = System.currentTimeMillis() - start;
+            final int status = response.getStatus();
+            final String method = request.getMethod();
+
+            if (duration >= SLOW_REQUEST_THRESHOLD_MS) {
+                log.warn("[SLOW] {} {} → {} ({}ms)", method, uri, status, duration);
+            } else {
+                log.info("{} {} → {} ({}ms)", method, uri, status, duration);
+            }
+
             MDC.remove(STATUS);
             MDC.remove(METHOD);
             MDC.remove(URI);

diff --git a/src/test/java/com/permitseoul/permitserver/auth/jwt/JwtGeneratorCacheTest.java b/src/test/java/com/permitseoul/permitserver/auth/jwt/JwtGeneratorCacheTest.java
@@ -15,6 +15,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 
+// TODO: RTCacheManager 클래스가 삭제되어 관련 테스트가 비활성화됨. 캐시 매니저 변경 후 테스트 복원 필요.
 @SpringBootTest
 class JwtGeneratorCacheTest {
 
@@ -27,42 +28,30 @@ class JwtGeneratorCacheTest {
     @Autowired
     private JwtProvider jwtProvider;
 
-    @Autowired
-    private RTCacheManager rtCacheManager;
+    // @Autowired
+    // private RTCacheManager rtCacheManager; // TODO: RTCacheManager 삭제됨 - 대체 구현 후
+    // 복원
 
-    //테스트 후 캐시 삭제
+    // 테스트 후 캐시 삭제
     @AfterEach
     void tearDown() {
         Objects.requireNonNull(cacheManager.getCache(Constants.REFRESH_TOKEN)).clear();
     }
 
-    @Test
-    void 리프레시_토큰_캐시에_정상_저장됨() {
-        // given
-        long userId = 1L;
-
-        // when
-        String token = jwtGenerator.generateRefreshToken(userId, UserRole.USER);
-
-        // then
-        String cachedToken = rtCacheManager.getRefreshTokenFromCache(userId);
-
-        assertThat(cachedToken).isEqualTo(token);
-    }
-
-    @Test
-    void 캐시에_userId_값이_없으면_null_반환() {
-        // given
-        long nonExistUserId = 999L;
-
-        // when
-        String token = rtCacheManager.getRefreshTokenFromCache(nonExistUserId);
-
-        // then
-        Assertions.assertNull(token);
-    }
-
-
-
+    // TODO: RTCacheManager 대체 이후 복원
+    // @Test
+    // void 리프레시_토큰_캐시에_정상_저장됨() {
+    // long userId = 1L;
+    // String token = jwtGenerator.generateRefreshToken(userId, UserRole.USER);
+    // String cachedToken = rtCacheManager.getRefreshTokenFromCache(userId);
+    // assertThat(cachedToken).isEqualTo(token);
+    // }
+
+    // @Test
+    // void 캐시에_userId_값이_없으면_null_반환() {
+    // long nonExistUserId = 999L;
+    // String token = rtCacheManager.getRefreshTokenFromCache(nonExistUserId);
+    // Assertions.assertNull(token);
+    // }
 
 }