보안 강화: DB 자격증명(AppKey, Secret) 및 세션토큰(Access Token) 암호화 저장 구현 (AES-GCM/CBC), .env 정리

2026-02-03 00:08:15 +09:00
parent 4f0cc05f39
commit ed8fc0943b
15 changed files with 131 additions and 30 deletions
--- a/backend/app/services/kis_auth.py
+++ b/backend/app/services/kis_auth.py
@@ -3,6 +3,8 @@ from datetime import datetime, timedelta
 from sqlalchemy import select
 from app.db.database import SessionLocal
 from app.db.models import ApiSettings 
+from app.db.models import ApiSettings 
+from app.core.crypto import decrypt_str, encrypt_str

 class KisAuth:
    BASE_URL_REAL = "https://openapi.koreainvestment.com:9443"
@@ -29,21 +31,26 @@ class KisAuth:
            if not settings_obj or not settings_obj.appKey or not settings_obj.appSecret:
                raise ValueError("KIS API Credentials not configured.")

+            # 2. Check Expiry (Buffer 10 mins)
            # 2. Check Expiry (Buffer 10 mins)
            if settings_obj.accessToken and settings_obj.tokenExpiry:
-                 if settings_obj.tokenExpiry > datetime.now() + timedelta(minutes=10):
-                     return settings_obj.accessToken
+                 token_dec = decrypt_str(settings_obj.accessToken)
+                 if token_dec and token_dec != "[Decryption Failed]":
+                     if settings_obj.tokenExpiry > datetime.now() + timedelta(minutes=10):
+                         return token_dec
            
            # 3. Issue New Token
-            token_data = await self._issue_token(settings_obj.appKey, settings_obj.appSecret)
+            app_key_dec = decrypt_str(settings_obj.appKey)
+            app_secret_dec = decrypt_str(settings_obj.appSecret)
+            token_data = await self._issue_token(app_key_dec, app_secret_dec)
            
-            # 4. Save to DB
-            settings_obj.accessToken = token_data['access_token']
+            # 4. Save to DB (Encrypt Token)
+            settings_obj.accessToken = encrypt_str(token_data['access_token'])
            # expires_in is seconds (usually 86400)
            settings_obj.tokenExpiry = datetime.now() + timedelta(seconds=int(token_data['expires_in']))
            
            await db_session.commit()
-            return settings_obj.accessToken
+            return token_data['access_token']
            
        except Exception as e:
            await db_session.rollback()
@@ -83,12 +90,16 @@ class KisAuth:
                raise ValueError("KIS API Credentials not configured.")

            if settings_obj.websocketApprovalKey:
-                return settings_obj.websocketApprovalKey
+                approval_key_dec = decrypt_str(settings_obj.websocketApprovalKey)
+                if approval_key_dec and approval_key_dec != "[Decryption Failed]":
+                    return approval_key_dec

            # Issue New Key
-            approval_key = await self._issue_approval_key(settings_obj.appKey, settings_obj.appSecret)
+            app_key_dec = decrypt_str(settings_obj.appKey)
+            app_secret_dec = decrypt_str(settings_obj.appSecret)
+            approval_key = await self._issue_approval_key(app_key_dec, app_secret_dec)
            
-            settings_obj.websocketApprovalKey = approval_key
+            settings_obj.websocketApprovalKey = encrypt_str(approval_key)
            await db_session.commit()
            
            return approval_key