@ahhaohho/auth-middleware 1.0.0

package/README.md

@@ -0,0 +1,214 @@
+# @ahhaohho/auth-middleware
+
+Shared authentication middleware with Passport.js for ahhaohho microservices.
+
+## Features
+
+- ✅ Passport.js JWT authentication strategy
+- ✅ Multi-key JWT verification with fallback support
+- ✅ Redis-based token blacklist
+- ✅ AWS Secrets Manager integration
+- ✅ Express middleware ready
+
+## Installation
+
+### Using Git (recommended for private packages)
+
+```bash
+npm install git+ssh://git@github.com:ahhaohho/auth-middleware.git#v1.0.0
+```
+
+Or add to `package.json`:
+
+```json
+{
+  "dependencies": {
+    "@ahhaohho/auth-middleware": "git+ssh://git@github.com:ahhaohho/auth-middleware.git#v1.0.0"
+  }
+}
+```
+
+## Usage
+
+### Basic Setup
+
+```javascript
+const express = require('express');
+const { authenticateJWT, authenticateRefresh } = require('@ahhaohho/auth-middleware');
+
+const app = express();
+
+// Environment variables required
+// AWS_REGION=ap-northeast-2
+// REDIS_HOST=your-redis-host
+// REDIS_PORT=6379
+// JWT_SECRET_NAME=your-secret-name
+
+// Protected routes
+app.get('/api/verify', authenticateJWT, (req, res) => {
+  res.json({
+    userId: req.user.userId,
+    userRole: req.user.userRole
+  });
+});
+
+app.get('/api/refresh', authenticateRefresh, (req, res) => {
+  // Generate new access token
+  res.json({ newAccessToken: '...' });
+});
+
+app.listen(3000);
+```
+
+### Environment Variables
+
+```bash
+# Required
+AWS_REGION=ap-northeast-2
+REDIS_HOST=your-redis-host
+REDIS_PORT=6379
+JWT_SECRET_NAME=your-secret-name
+
+# Optional
+ELASTICACHE_ENDPOINT=your-elasticache-endpoint  # If using ElastiCache
+```
+
+## Architecture
+
+### JWT Verification Flow
+
+```
+Request with JWT
+    ↓
+authenticateJWT middleware
+    ↓
+Extract token from Authorization header
+    ↓
+Verify with current JWT key
+    ↓ (if fails)
+Fallback to previous JWT key
+    ↓
+Check Redis blacklist
+    ↓
+Inject user data to req.user
+    ↓
+Next middleware
+```
+
+### Multi-Key Support
+
+Supports seamless JWT key rotation:
+- Verifies with current key first
+- Falls back to previous key if current fails
+- Allows zero-downtime key rotation
+
+### Token Blacklist
+
+Uses Redis to maintain revoked tokens:
+- Stores blacklisted tokens per user
+- Automatically expires with token TTL
+- Checked on every authentication
+
+## API Reference
+
+### `authenticateJWT(req, res, next)`
+
+Passport.js middleware for JWT authentication.
+
+**Headers:**
+- `Authorization: Bearer <access_token>`
+
+**Sets:**
+- `req.user`: `{ userId, userRole, phoneNumber }`
+
+**Errors:**
+- 401: Unauthorized (invalid or expired token)
+- 500: Authentication error
+
+### `authenticateRefresh(req, res, next)`
+
+Passport.js middleware for refresh token authentication.
+
+**Headers:**
+- `Refresh-Token: Bearer <refresh_token>`
+
+**Sets:**
+- `req.user`: `{ userId, userRole, phoneNumber }`
+
+**Errors:**
+- 401: Invalid refresh token
+- 500: Token refresh error
+
+## Development
+
+### Project Structure
+
+```
+auth-middleware/
+├── src/
+│   ├── index.js                 # Main export
+│   ├── strategies/
+│   │   ├── jwt.strategy.js      # Passport JWT strategy
+│   │   └── refresh.strategy.js  # Refresh token strategy
+│   ├── middleware/
+│   │   └── auth.js              # Express middleware
+│   ├── utils/
+│   │   ├── jwtValidator.js      # Multi-key verification
+│   │   ├── blacklist.js         # Redis blacklist
+│   │   └── secretManager.js     # AWS Secrets Manager
+│   └── config/
+│       └── redis.js             # Redis client singleton
+├── package.json
+└── README.md
+```
+
+### Testing Locally
+
+```bash
+# Clone the repository
+git clone git@github.com:ahhaohho/auth-middleware.git
+cd auth-middleware
+
+# Install dependencies
+npm install
+
+# Link locally for testing
+npm link
+
+# In your service directory
+npm link @ahhaohho/auth-middleware
+```
+
+## Versioning
+
+This package follows [Semantic Versioning](https://semver.org/).
+
+### Creating a New Version
+
+```bash
+# Update version in package.json
+npm version patch  # 1.0.0 -> 1.0.1
+npm version minor  # 1.0.0 -> 1.1.0
+npm version major  # 1.0.0 -> 2.0.0
+
+# Push with tags
+git push origin main --tags
+```
+
+### Using Specific Versions
+
+```json
+{
+  "dependencies": {
+    "@ahhaohho/auth-middleware": "git+ssh://git@github.com:ahhaohho/auth-middleware.git#v1.0.0"
+  }
+}
+```
+
+## Migration Guide
+
+See [MIGRATION.md](./MIGRATION.md) for detailed migration guide from HTTP-based authentication to Passport.js.
+
+## License
+
+MIT

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@ahhaohho/auth-middleware",
+  "version": "1.0.0",
+  "description": "Shared authentication middleware with Passport.js for ahhaohho microservices",
+  "main": "src/index.js",
+  "scripts": {
+    "test": "echo \"Warning: no test specified\" && exit 0",
+    "prepublishOnly": "echo \"Publishing package...\""
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ahhaohho/auth-middleware.git"
+  },
+  "bugs": {
+    "url": "https://github.com/ahhaohho/auth-middleware/issues"
+  },
+  "homepage": "https://github.com/ahhaohho/auth-middleware#readme",
+  "publishConfig": {
+    "access": "public"
+  },
+  "keywords": [
+    "passport",
+    "jwt",
+    "authentication",
+    "middleware",
+    "ahhaohho"
+  ],
+  "author": "ahhaohho",
+  "license": "MIT",
+  "dependencies": {
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
+    "jsonwebtoken": "^9.0.2",
+    "ioredis": "^5.4.1",
+    "@aws-sdk/client-secrets-manager": "^3.552.0"
+  },
+  "peerDependencies": {
+    "express": "^4.x"
+  },
+  "engines": {
+    "node": ">=16.0.0"
+  }
+}

package/src/config/redis.js

@@ -0,0 +1,70 @@
+const Redis = require('ioredis');
+
+/**
+ * Redis 클라이언트 싱글톤
+ * 모든 서비스에서 하나의 Redis 연결만 사용
+ */
+class RedisManager {
+  constructor() {
+    this.clients = {};
+  }
+
+  /**
+   * Redis 클라이언트 가져오기
+   * @param {string} type - 클라이언트 타입 (session, token, keys)
+   * @returns {Redis} Redis 클라이언트 인스턴스
+   */
+  getClient(type = 'default') {
+    if (!this.clients[type]) {
+      this.clients[type] = this.createClient(type);
+    }
+    return this.clients[type];
+  }
+
+  /**
+   * Redis 클라이언트 생성
+   * @param {string} type - 클라이언트 타입
+   * @returns {Redis} Redis 클라이언트
+   */
+  createClient(type) {
+    const config = {
+      host: process.env.REDIS_HOST || process.env.ELASTICACHE_ENDPOINT || 'localhost',
+      port: parseInt(process.env.REDIS_PORT || '6379', 10),
+      connectTimeout: 10000,
+      retryDelayOnFailover: 100,
+      enableReadyCheck: false,
+      maxRetriesPerRequest: null
+    };
+
+    // ElastiCache 사용 시 TLS 활성화
+    if (process.env.ELASTICACHE_ENDPOINT) {
+      config.tls = {};
+    }
+
+    const client = new Redis(config);
+
+    client.on('error', (err) => {
+      console.error(`[@ahhaohho/auth-middleware] Redis (${type}) error:`, err.message);
+    });
+
+    client.on('connect', () => {
+      console.log(`[@ahhaohho/auth-middleware] Redis (${type}) connected`);
+    });
+
+    return client;
+  }
+
+  /**
+   * 모든 클라이언트 연결 종료
+   */
+  async closeAll() {
+    const closePromises = Object.values(this.clients).map(client => client.quit());
+    await Promise.all(closePromises);
+    this.clients = {};
+  }
+}
+
+// 싱글톤 인스턴스
+const redisManager = new RedisManager();
+
+module.exports = redisManager;

package/src/index.js

@@ -0,0 +1,35 @@
+/**
+ * @ahhaohho/auth-middleware
+ *
+ * Shared authentication middleware with Passport.js
+ * for ahhaohho microservices
+ */
+
+const { authenticateJWT, authenticateRefresh, optionalAuth } = require('./middleware/auth');
+const { verifyTokenWithFallback, signToken, getCurrentSigningKey } = require('./utils/jwtValidator');
+const { isBlacklisted, addToBlacklist, clearBlacklist } = require('./utils/blacklist');
+const { getJwtKeys, invalidateCache } = require('./utils/secretManager');
+const redisManager = require('./config/redis');
+
+// 메인 export - Express 미들웨어
+module.exports = {
+  // 미들웨어
+  authenticateJWT,
+  authenticateRefresh,
+  optionalAuth,
+
+  // 유틸리티 함수 (필요시 직접 사용)
+  utils: {
+    verifyTokenWithFallback,
+    signToken,
+    getCurrentSigningKey,
+    isBlacklisted,
+    addToBlacklist,
+    clearBlacklist,
+    getJwtKeys,
+    invalidateCache
+  },
+
+  // Redis 관리자 (필요시 직접 접근)
+  redisManager
+};

package/src/middleware/auth.js

@@ -0,0 +1,121 @@
+const passport = require('passport');
+const createJwtStrategy = require('../strategies/jwt.strategy');
+const createRefreshStrategy = require('../strategies/refresh.strategy');
+
+/**
+ * Passport 초기화 상태
+ */
+let initialized = false;
+
+/**
+ * Passport 전략 초기화
+ * 한 번만 실행됨
+ */
+function initializePassport() {
+  if (!initialized) {
+    console.log('[@ahhaohho/auth-middleware] Initializing Passport strategies...');
+
+    passport.use('jwt', createJwtStrategy());
+    passport.use('refresh', createRefreshStrategy());
+
+    initialized = true;
+    console.log('[@ahhaohho/auth-middleware] Passport strategies initialized');
+  }
+}
+
+/**
+ * JWT Access Token 인증 미들웨어
+ *
+ * @example
+ * router.get('/verify', authenticateJWT, (req, res) => {
+ *   res.json({ userId: req.user.userId });
+ * });
+ */
+function authenticateJWT(req, res, next) {
+  initializePassport();
+
+  passport.authenticate('jwt', { session: false }, (err, user, info) => {
+    if (err) {
+      console.error('[@ahhaohho/auth-middleware] Authentication error:', err.message);
+      return res.status(500).json({
+        error: 'Authentication error',
+        message: err.message
+      });
+    }
+
+    if (!user) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: info?.message || 'Invalid or expired token'
+      });
+    }
+
+    // req.user에 사용자 정보 주입
+    req.user = user;
+    next();
+  })(req, res, next);
+}
+
+/**
+ * Refresh Token 인증 미들웨어
+ *
+ * @example
+ * router.get('/refresh', authenticateRefresh, (req, res) => {
+ *   // Generate new access token
+ *   res.json({ newAccessToken: '...' });
+ * });
+ */
+function authenticateRefresh(req, res, next) {
+  initializePassport();
+
+  passport.authenticate('refresh', { session: false }, (err, user, info) => {
+    if (err) {
+      console.error('[@ahhaohho/auth-middleware] Refresh token error:', err.message);
+      return res.status(500).json({
+        error: 'Token refresh error',
+        message: err.message
+      });
+    }
+
+    if (!user) {
+      return res.status(401).json({
+        error: 'Invalid refresh token',
+        message: info?.message || 'Invalid or expired refresh token'
+      });
+    }
+
+    req.user = user;
+    next();
+  })(req, res, next);
+}
+
+/**
+ * 선택적 인증 미들웨어 (인증 실패해도 통과)
+ * req.user가 있으면 인증된 사용자, 없으면 비인증 사용자
+ *
+ * @example
+ * router.get('/public', optionalAuth, (req, res) => {
+ *   if (req.user) {
+ *     res.json({ message: 'Authenticated', userId: req.user.userId });
+ *   } else {
+ *     res.json({ message: 'Anonymous' });
+ *   }
+ * });
+ */
+function optionalAuth(req, res, next) {
+  initializePassport();
+
+  passport.authenticate('jwt', { session: false }, (err, user) => {
+    // 에러나 인증 실패해도 통과
+    if (user) {
+      req.user = user;
+    }
+    next();
+  })(req, res, next);
+}
+
+module.exports = {
+  authenticateJWT,
+  authenticateRefresh,
+  optionalAuth
+};

package/src/strategies/jwt.strategy.js

@@ -0,0 +1,96 @@
+const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt');
+const { getJwtKeys } = require('../utils/secretManager');
+const { isBlacklisted } = require('../utils/blacklist');
+const jwt = require('jsonwebtoken');
+
+/**
+ * Passport JWT 전략 생성
+ * Access Token 검증용
+ */
+function createJwtStrategy() {
+  const options = {
+    jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+    // 다중 키 지원을 위한 secretOrKeyProvider 사용
+    secretOrKeyProvider: async (request, rawJwtToken, done) => {
+      try {
+        const keys = await getJwtKeys();
+
+        // 다중 키 검증 로직
+        let decoded;
+        let keyUsed;
+        let actualKey;
+
+        // 1. 현재 키로 검증 시도
+        try {
+          decoded = jwt.verify(rawJwtToken, keys.current);
+          keyUsed = 'current';
+          actualKey = keys.current;
+        } catch (currentKeyError) {
+          // 2. 이전 키가 있으면 fallback 검증 시도
+          if (keys.previous) {
+            try {
+              decoded = jwt.verify(rawJwtToken, keys.previous);
+              keyUsed = 'previous';
+              actualKey = keys.previous;
+              console.warn(
+                '[@ahhaohho/auth-middleware] ⚠️ Token verified with previous key (fallback)'
+              );
+            } catch (previousKeyError) {
+              return done(currentKeyError, false);
+            }
+          } else {
+            return done(currentKeyError, false);
+          }
+        }
+
+        // 검증 성공 시 decoded와 keyUsed를 request에 임시 저장
+        request._jwtDecoded = decoded;
+        request._jwtKeyUsed = keyUsed;
+
+        // Passport에게 사용된 실제 키 반환 (이미 검증 완료되었으므로 다시 검증해도 성공)
+        done(null, actualKey);
+      } catch (error) {
+        console.error('[@ahhaohho/auth-middleware] ❌ JWT verification failed:', error.message);
+        done(error, false);
+      }
+    },
+    passReqToCallback: true // request 객체를 verify 콜백으로 전달
+  };
+
+  return new JwtStrategy(options, async (request, jwtPayload, done) => {
+    try {
+      // request에서 미리 검증된 decoded 가져오기
+      const decoded = request._jwtDecoded;
+      const keyUsed = request._jwtKeyUsed;
+
+      if (!decoded || !decoded.userId) {
+        return done(new Error('Invalid token payload'), false);
+      }
+
+      // 블랙리스트 확인
+      const token = ExtractJwt.fromAuthHeaderAsBearerToken()(request);
+      const blacklisted = await isBlacklisted(decoded.userId, 'access', token);
+      if (blacklisted) {
+        return done(new Error('Token has been revoked'), false);
+      }
+
+      console.log(
+        `[@ahhaohho/auth-middleware] ✅ JWT verified with ${keyUsed} key for user ${decoded.userId}`
+      );
+
+      // req.user에 주입할 사용자 정보 반환
+      const user = {
+        userId: decoded.userId,
+        userRole: decoded.userRole,
+        phoneNumber: decoded.phoneNumber
+      };
+
+      return done(null, user);
+    } catch (error) {
+      console.error('[@ahhaohho/auth-middleware] Error in JWT strategy:', error.message);
+      return done(error, false);
+    }
+  });
+}
+
+module.exports = createJwtStrategy;

package/src/strategies/refresh.strategy.js

@@ -0,0 +1,71 @@
+const { Strategy: JwtStrategy } = require('passport-jwt');
+const { verifyTokenWithFallback } = require('../utils/jwtValidator');
+const { isBlacklisted } = require('../utils/blacklist');
+
+/**
+ * Refresh Token 헤더에서 토큰 추출
+ */
+function extractRefreshToken(req) {
+  let token = null;
+
+  if (req && req.headers && req.headers['refresh-token']) {
+    let refreshToken = req.headers['refresh-token'];
+
+    // Bearer 접두사 제거
+    if (refreshToken.startsWith('Bearer ')) {
+      refreshToken = refreshToken.substring(7);
+    }
+
+    token = refreshToken.trim();
+  }
+
+  return token;
+}
+
+/**
+ * Passport Refresh Token 전략 생성
+ */
+function createRefreshStrategy() {
+  const options = {
+    jwtFromRequest: extractRefreshToken,
+    secretOrKeyProvider: async (request, rawJwtToken, done) => {
+      try {
+        // 1. 다중 키로 토큰 검증
+        const { decoded, keyUsed } = await verifyTokenWithFallback(rawJwtToken);
+
+        if (!decoded || !decoded.userId) {
+          return done(new Error('Invalid refresh token payload'), false);
+        }
+
+        // 2. 블랙리스트 확인 (refresh 타입)
+        const blacklisted = await isBlacklisted(decoded.userId, 'refresh', rawJwtToken);
+        if (blacklisted) {
+          return done(new Error('Refresh token has been revoked'), false);
+        }
+
+        // 3. 검증 성공
+        console.log(
+          `[@ahhaohho/auth-middleware] ✅ Refresh token verified with ${keyUsed} key for user ${decoded.userId}`
+        );
+
+        done(null, decoded);
+      } catch (error) {
+        console.error('[@ahhaohho/auth-middleware] ❌ Refresh token verification failed:', error.message);
+        done(error, false);
+      }
+    },
+    passReqToCallback: false
+  };
+
+  return new JwtStrategy(options, (jwtPayload, done) => {
+    const user = {
+      userId: jwtPayload.userId,
+      userRole: jwtPayload.userRole,
+      phoneNumber: jwtPayload.phoneNumber
+    };
+
+    return done(null, user);
+  });
+}
+
+module.exports = createRefreshStrategy;

package/src/utils/blacklist.js

@@ -0,0 +1,84 @@
+const redisManager = require('../config/redis');
+
+/**
+ * Redis 기반 토큰 블랙리스트 관리
+ */
+
+/**
+ * 토큰이 블랙리스트에 있는지 확인
+ * @param {string} userId - 사용자 ID
+ * @param {string} tokenType - 토큰 타입 ('access' | 'refresh')
+ * @param {string} token - JWT 토큰
+ * @returns {Promise<boolean>} 블랙리스트에 있으면 true
+ */
+async function isBlacklisted(userId, tokenType, token) {
+  try {
+    const redisClient = redisManager.getClient('token');
+    const key = `blacklist:${userId}:${tokenType}`;
+
+    const tokens = await redisClient.smembers(key);
+    return tokens.includes(token);
+  } catch (error) {
+    console.error('[@ahhaohho/auth-middleware] Error checking blacklist:', error.message);
+    // Redis 에러 시 안전하게 false 반환 (통과시킴)
+    return false;
+  }
+}
+
+/**
+ * 토큰을 블랙리스트에 추가
+ * @param {string} userId - 사용자 ID
+ * @param {string} tokenType - 토큰 타입 ('access' | 'refresh')
+ * @param {string} token - JWT 토큰
+ * @param {number} ttl - TTL (초 단위, 기본값: 토큰 만료 시간)
+ * @returns {Promise<void>}
+ */
+async function addToBlacklist(userId, tokenType, token, ttl = null) {
+  try {
+    const redisClient = redisManager.getClient('token');
+    const key = `blacklist:${userId}:${tokenType}`;
+
+    await redisClient.sadd(key, token);
+
+    // TTL 설정
+    if (ttl) {
+      await redisClient.expire(key, ttl);
+    } else {
+      // 기본 TTL: Access Token 1시간, Refresh Token 90일
+      const defaultTtl = tokenType === 'access' ? 60 * 60 : 90 * 24 * 60 * 60;
+      await redisClient.expire(key, defaultTtl);
+    }
+
+    console.log(`[@ahhaohho/auth-middleware] Token added to blacklist: ${userId}:${tokenType}`);
+  } catch (error) {
+    console.error('[@ahhaohho/auth-middleware] Error adding to blacklist:', error.message);
+    throw error;
+  }
+}
+
+/**
+ * 사용자의 모든 토큰을 블랙리스트에서 제거
+ * @param {string} userId - 사용자 ID
+ * @returns {Promise<void>}
+ */
+async function clearBlacklist(userId) {
+  try {
+    const redisClient = redisManager.getClient('token');
+
+    await Promise.all([
+      redisClient.del(`blacklist:${userId}:access`),
+      redisClient.del(`blacklist:${userId}:refresh`)
+    ]);
+
+    console.log(`[@ahhaohho/auth-middleware] Blacklist cleared for user: ${userId}`);
+  } catch (error) {
+    console.error('[@ahhaohho/auth-middleware] Error clearing blacklist:', error.message);
+    throw error;
+  }
+}
+
+module.exports = {
+  isBlacklisted,
+  addToBlacklist,
+  clearBlacklist
+};

package/src/utils/jwtValidator.js

@@ -0,0 +1,68 @@
+const jwt = require('jsonwebtoken');
+const { getJwtKeys } = require('./secretManager');
+
+/**
+ * 다중 키를 사용한 JWT 토큰 검증
+ * 현재 키로 검증 실패 시 이전 키로 fallback 검증
+ *
+ * @param {string} token - JWT 토큰
+ * @returns {Promise<{decoded: object, keyUsed: string}>}
+ */
+async function verifyTokenWithFallback(token) {
+  const keys = await getJwtKeys();
+
+  // 1. 현재 키로 검증 시도
+  try {
+    const decoded = jwt.verify(token, keys.current);
+    return { decoded, keyUsed: 'current' };
+  } catch (currentKeyError) {
+    // 2. 이전 키가 있으면 fallback 검증 시도
+    if (keys.previous) {
+      try {
+        const decoded = jwt.verify(token, keys.previous);
+        console.warn(
+          '[@ahhaohho/auth-middleware] ⚠️ Token verified with previous key (fallback) for userId:',
+          decoded.userId
+        );
+        return { decoded, keyUsed: 'previous' };
+      } catch (previousKeyError) {
+        // 두 키 모두 실패한 경우 현재 키의 에러를 던짐 (더 중요한 에러)
+        throw currentKeyError;
+      }
+    } else {
+      // 이전 키가 없으면 현재 키 에러를 그대로 던짐
+      throw currentKeyError;
+    }
+  }
+}
+
+/**
+ * 토큰 서명을 위한 현재 키 가져오기
+ * @returns {Promise<string>}
+ */
+async function getCurrentSigningKey() {
+  const keys = await getJwtKeys();
+  return keys.current;
+}
+
+/**
+ * JWT 토큰 생성 (항상 현재 키 사용)
+ * @param {object} payload - JWT payload
+ * @param {object} options - JWT options (expiresIn 등)
+ * @returns {Promise<string>} JWT 토큰
+ */
+async function signToken(payload, options = {}) {
+  const signingKey = await getCurrentSigningKey();
+
+  if (!signingKey) {
+    throw new Error('JWT signing key is not available');
+  }
+
+  return jwt.sign(payload, signingKey, options);
+}
+
+module.exports = {
+  verifyTokenWithFallback,
+  getCurrentSigningKey,
+  signToken
+};

package/src/utils/secretManager.js

@@ -0,0 +1,79 @@
+const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');
+const redisManager = require('../config/redis');
+
+/**
+ * AWS Secrets Manager에서 JWT 키 가져오기
+ */
+class SecretManager {
+  constructor() {
+    this.client = new SecretsManagerClient({
+      region: process.env.AWS_REGION || 'ap-northeast-2'
+    });
+    this.secretName = process.env.JWT_SECRET_NAME;
+  }
+
+  /**
+   * JWT 키 가져오기 (Redis 캐싱 포함)
+   * @returns {Promise<{current: string, previous: string|null}>}
+   */
+  async getJwtKeys() {
+    if (!this.secretName) {
+      throw new Error('JWT_SECRET_NAME environment variable is not set');
+    }
+
+    try {
+      // 1. Redis 캐시 확인
+      const redisClient = redisManager.getClient('keys');
+      const cachedKeys = await redisClient.get(`jwt-keys:${this.secretName}`);
+
+      if (cachedKeys) {
+        console.log('[@ahhaohho/auth-middleware] Using cached JWT keys from Redis');
+        return JSON.parse(cachedKeys);
+      }
+
+      // 2. AWS Secrets Manager에서 가져오기
+      console.log('[@ahhaohho/auth-middleware] Fetching JWT keys from AWS Secrets Manager');
+      const command = new GetSecretValueCommand({ SecretId: this.secretName });
+      const response = await this.client.send(command);
+
+      if (!response.SecretString) {
+        throw new Error('Secret value is empty');
+      }
+
+      const secret = JSON.parse(response.SecretString);
+      const keys = {
+        current: secret.current || secret.jwt_secret_key || secret.dev,
+        previous: secret.previous || null
+      };
+
+      // 3. Redis에 캐싱 (5분 TTL)
+      await redisClient.set(
+        `jwt-keys:${this.secretName}`,
+        JSON.stringify(keys),
+        'EX',
+        300 // 5분
+      );
+
+      return keys;
+    } catch (error) {
+      console.error('[@ahhaohho/auth-middleware] Error fetching JWT keys:', error.message);
+      throw new Error('Failed to fetch JWT keys from AWS Secrets Manager');
+    }
+  }
+
+  /**
+   * 캐시 무효화
+   */
+  async invalidateCache() {
+    const redisClient = redisManager.getClient('keys');
+    await redisClient.del(`jwt-keys:${this.secretName}`);
+    console.log('[@ahhaohho/auth-middleware] JWT keys cache invalidated');
+  }
+}
+
+const secretManager = new SecretManager();
+
+module.exports = {
+  getJwtKeys: () => secretManager.getJwtKeys(),
+  invalidateCache: () => secretManager.invalidateCache()
+};