fix(oauth): naver oauth token revocation에서 인코딩으로 인한 에러 수정

[huhdy32]

문제

query param으로 전달되는 access token에 + 문자가 존재할 시,
네이버 oauth 서버의 디코딩 과정에서 access token의 +이 공백으로 치환됨.

이에 따라 토큰 폐기 실패하는 문제가 있었음.

ex) 
원본 access token: `aaa+aaa`
디코딩 된 access token: `aaa aaa`

-> `aaa+aaa`을 삭제해야 하나, `aaa aaa` 삭제 처리
따라서 폐기 실패

해결

RestClient에서 당연히 인코딩 처리해줄줄 알았으나,
문서 내용을 읽어보니, ASCII 위반 문자만 개별적으로 인코딩하도록 함 ㅠ

• 문자 또한 ASCII에 포함되어 있음으로, 인코딩하지 않았음

-> UTF-8인코딩 후, 퍼센트 인코딩으로 해결

Summary by CodeRabbit

• Bug Fixes

  • Improved OAuth token revocation to properly encode special characters in authentication credentials when sending requests to the authentication server.

• Tests

  • Added test coverage to validate character encoding behavior in URI parameters, with focus on correct handling of special characters.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The Naver OAuth client now URL-encodes the access token parameter (using UTF-8) in its revoke flow. A new unit test was added to verify UriUtils encoding/decoding behavior for the plus character.

Changes

Cohort / File(s)	Summary
OAuth Token Revocation Encoding domain/mathrank-auth-domain/src/main/java/kr/co/mathrank.domain/auth/client/NaverOAuthClient.java	Added imports for StandardCharsets and UriUtils. In the revoke flow, the access_token query parameter is encoded with UriUtils.encode(..., StandardCharsets.UTF_8) before sending, replacing the previous raw token usage.
URI Encoding Verification Tests domain/mathrank-auth-domain/src/test/java/kr/co/mathrank.domain/auth/util/UriUtilEncodeTest.java	New unit test class verifying Spring's UriUtils encoding/decoding for the plus character (+). Asserts that encoding "+" does not return "+" and that decoding "+" returns "+". Uses JUnit 5 and UTF-8 charset semantics.

Sequence Diagram(s)

sequenceDiagram
    participant Client as NaverOAuthClient
    participant Revocation as Naver Revocation Endpoint

    rect rgb(240,248,255)
    Note left of Client: Revoke(token)
    end

    alt Before (previous)
        Client->>Revocation: GET /revoke?access_token=<raw_token>
        Revocation-->>Client: revocation response
    else After (this change)
        Client->>Client: encoded = UriUtils.encode(token, StandardCharsets.UTF_8)
        Client->>Revocation: GET /revoke?access_token=<encoded>
        Revocation-->>Client: revocation response
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Check correct use of StandardCharsets.UTF_8 and consistent charset handling.
• Verify encoding invocation location and that downstream request-building preserves encoding.
• Confirm the test covers the relevant encoding scenario; consider additional edge cases if needed.

Poem

🐰 I hop and I encode each token bright,

Plus signs tucked safe in UTF‑8 light,
UriUtils wraps them neat and small,
Tests cheer softly — no plus left to fall. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: fixing an encoding issue in Naver OAuth token revocation, which matches the PR's core objective of addressing token corruption from unencoded '+' characters.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/oauth

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @huhdy32, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

이 PR은 Naver OAuth 토큰 폐기 과정에서 발생하는 인코딩 관련 버그를 수정합니다. 기존에는 액세스 토큰 내의 '+' 문자가 URL 디코딩 시 공백으로 잘못 해석되어 토큰 폐기 요청이 실패했습니다. 이를 해결하기 위해, 액세스 토큰을 쿼리 파라미터로 전송하기 전에 UriUtils.encode를 사용하여 명시적으로 인코딩하도록 변경하고, 관련 테스트 케이스를 추가하여 인코딩 동작을 검증합니다.

Highlights

• 네이버 OAuth 토큰 폐기 오류 수정: 쿼리 파라미터에 '+' 문자가 포함된 Naver OAuth 액세스 토큰이 디코딩 과정에서 공백으로 치환되어 토큰 폐기가 실패하는 문제를 해결했습니다.
• 액세스 토큰 인코딩 적용: UriUtils.encode를 사용하여 액세스 토큰을 명시적으로 UTF-8 퍼센트 인코딩하도록 변경하여, '+' 문자가 올바르게 처리되도록 했습니다.
• 인코딩 동작 테스트 추가: UriUtils.encode가 '+' 문자를 올바르게 인코딩하는지 확인하는 단위 테스트를 추가했습니다.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

이 PR은 네이버 OAuth 토큰 폐기 시 access token에 + 문자가 포함될 경우 발생하는 인코딩 문제를 올바르게 수정합니다. + 문자가 공백으로 치환되는 문제를 해결하기 위해 UriUtils.encode를 사용하여 명시적으로 인코딩한 점이 좋습니다. 다만, 코드의 안정성과 테스트의 명확성을 높이기 위해 몇 가지 개선점을 제안합니다.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9380bd9 and 375b584.

📒 Files selected for processing (2)

• domain/mathrank-auth-domain/src/main/java/kr/co/mathrank/domain/auth/client/NaverOAuthClient.java (2 hunks)
• domain/mathrank-auth-domain/src/test/java/kr/co/mathrank/domain/auth/util/UriUtilEncodeTest.java (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: test

🔇 Additional comments (1)

domain/mathrank-auth-domain/src/test/java/kr/co/mathrank/domain/auth/util/UriUtilEncodeTest.java (1)

12-13: Let me verify the StringUtils.uriDecode behavior to be completely certain:

Use StandardCharsets.UTF_8 instead of Charset.defaultCharset() for consistency.

UriUtils.decode replaces "%xy" sequences while "letting other characters unchanged", so the "+" character is passed through unchanged during decoding. Line 13's assertion is correct as-is. The only issue is the charset: URL encoding should use explicit UTF-8 rather than relying on system-dependent defaults.

Apply this diff:

 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
@@ -9,7 +10,7 @@ import org.springframework.web.util.UriUtils;
 class UriUtilEncodeTest {
 	@Test
 	void plus_문자_인코딩_테스트() {
-		Assertions.assertNotEquals("+", UriUtils.encode("+", Charset.defaultCharset()));
-		Assertions.assertEquals("+", UriUtils.decode("+", Charset.defaultCharset()));
+		Assertions.assertNotEquals("+", UriUtils.encode("+", StandardCharsets.UTF_8));
+		Assertions.assertEquals("+", UriUtils.decode("+", StandardCharsets.UTF_8));
 	}
 }

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

domain/mathrank-auth-domain/src/main/java/kr/co/mathrank/domain/auth/client/NaverOAuthClient.java (1)

3-3: Remove unused import.

The Charset import is no longer used since the code now correctly references StandardCharsets.UTF_8 directly on line 71. This import should be removed to keep the code clean.

Apply this diff:

-import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 375b584 and 685c585.

📒 Files selected for processing (2)

• domain/mathrank-auth-domain/src/main/java/kr/co/mathrank/domain/auth/client/NaverOAuthClient.java (2 hunks)
• domain/mathrank-auth-domain/src/test/java/kr/co/mathrank/domain/auth/util/UriUtilEncodeTest.java (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• domain/mathrank-auth-domain/src/test/java/kr/co/mathrank/domain/auth/util/UriUtilEncodeTest.java

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: test

🔇 Additional comments (1)

domain/mathrank-auth-domain/src/main/java/kr/co/mathrank/domain/auth/client/NaverOAuthClient.java (1)

71-71: Encoding fix correctly addresses the '+' character issue in token revocation flow.

The manual encoding using UriUtils.encode() with StandardCharsets.UTF_8 on line 71 correctly solves the problem where '+' characters in access tokens were being converted to spaces. This approach is necessary because Spring's queryParam() method doesn't percent-encode legal RFC 3986 characters like '+'.

While verification confirms that code, state, and refresh_token parameters in getAccessToken() and refreshAccessToken() also use queryParam(), no encoding issues have been reported for these parameters. Since the PR scope is specifically fixing the token revocation flow, extending encoding to other OAuth methods is optional follow-up work outside this change's intended scope.