PERMIT-SEOUL · sjk4618 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/src/main/java/com/permitseoul/permitserver/domain/admin/base/api/service/AdminService.java b/src/main/java/com/permitseoul/permitserver/domain/admin/base/api/service/AdminService.java
@@ -3,6 +3,7 @@
 import com.permitseoul.permitserver.domain.admin.base.api.AdminProperties;
 import com.permitseoul.permitserver.domain.admin.base.api.dto.res.UserAuthorityGetResponse;
 import com.permitseoul.permitserver.domain.admin.base.api.exception.AdminAuthorizationException;
+import com.permitseoul.permitserver.domain.auth.core.jwt.RefreshTokenManager;
 import com.permitseoul.permitserver.domain.user.core.component.UserRetriever;
 import com.permitseoul.permitserver.domain.user.core.component.UserUpdater;
 import com.permitseoul.permitserver.domain.user.core.domain.User;
@@ -20,6 +21,7 @@ public class AdminService {
     private final AdminProperties adminProperties;
     private final UserRetriever userRetriever;
     private final UserUpdater userUpdater;
+    private final RefreshTokenManager refreshTokenManager;
 
     public void validateAdminCode(final String adminCode) {
         if(!(adminProperties.accessCode().equals(adminCode))){
@@ -44,6 +46,7 @@ public void updateUserAuthority(final long userId, final UserRole userRole) {
         try {
             userEntity = userRetriever.findUserEntityById(userId);
             userUpdater.updateUserRole(userEntity, userRole);
+            refreshTokenManager.deleteRefreshToken(userEntity.getUserId());
         } catch (UserNotFoundException e) {
             throw new AdminAuthorizationException(ErrorCode.NOT_FOUND_USER);
         }

diff --git a/src/main/java/com/permitseoul/permitserver/domain/auth/api/service/AuthService.java b/src/main/java/com/permitseoul/permitserver/domain/auth/api/service/AuthService.java
@@ -98,17 +98,17 @@ public TokenDto login(final SocialType socialType, final String authorizationCod
     public TokenDto reissue(final String refreshToken) {
         try {
             final long userId = jwtProvider.extractUserIdFromToken(refreshToken);
-           checkIsSameRefreshToken(userId, refreshToken);
+            final UserRole userRole = UserRole.valueOf(jwtProvider.extractUserRoleFromToken(refreshToken));
+            checkIsSameRefreshToken(userId, refreshToken);
 
-            final User user = userRetriever.findUserById(userId);
-            final Token newToken = getLoginOrReissueJwtToken(user.getUserId(), user.getUserRole());
+            final Token newToken = getLoginOrReissueJwtToken(userId, userRole);
 
-            saveRefreshTokenInRedis(user.getUserId(), newToken.getRefreshToken());
+            saveRefreshTokenInRedis(userId, newToken.getRefreshToken());
 
             return TokenDto.of(newToken.getAccessToken(), newToken.getRefreshToken());
-        } catch (AuthWrongJwtException | AuthRTNotFoundException e) {
+        } catch (AuthWrongJwtException e) {
             throw new AuthUnAuthorizedException(ErrorCode.UNAUTHORIZED_WRONG_RT);
-        } catch (AuthExpiredJwtException e) {
+        } catch (AuthExpiredJwtException |AuthRTNotFoundException e) {
             throw new AuthUnAuthorizedException(ErrorCode.UNAUTHORIZED_RT_EXPIRED);
         } catch (AuthRTException e) {
             throw new AuthUnAuthorizedException(ErrorCode.INTERNAL_RT_REDIS_ERROR);
@@ -125,7 +125,6 @@ public void logout(final long userId, final String refreshTokenFromCookie) {
         } catch (DataAccessException e) {
             throw new AuthRedisException(ErrorCode.INTERNAL_RT_REDIS_ERROR);
         }
-
     }
 
     private void checkIsSameRefreshToken(final long userId, final String refreshToken) {

diff --git a/src/main/java/com/permitseoul/permitserver/domain/auth/core/domain/RefreshToken.java b/src/main/java/com/permitseoul/permitserver/domain/auth/core/domain/RefreshToken.java
@@ -12,14 +12,11 @@
 @RedisHash("refreshToken")
 public class RefreshToken {
 
-    /** 사용자 식별자(키). 사용자당 1개 세션만 허용 모델 */
     @Id
     private Long userId;
 
-    /** 토큰 해시(SHA-256 등). 평문 저장 금지 */
     private String refreshToken;
 
-    /** 만료 시간(초 단위). @RedisHash 클래스 단위 TTL 대신 인스턴스별 TTL 추천 */
     @TimeToLive
     private long ttlSeconds;
 

diff --git a/src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/JwtProvider.java b/src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/JwtProvider.java
@@ -48,7 +48,11 @@ public long extractUserIdFromToken(final String token) {
 
     public String extractUserRoleFromToken(final String token) {
         final Jws<Claims> claims = parseToken(token);
-        return claims.getBody().get(Constants.USER_ROLE, String.class);
+        final String role = claims.getBody().get(Constants.USER_ROLE, String.class);
+        if(role == null) {
+            throw new AuthWrongJwtException();
+        }
+        return role;
     }
 
     //토큰 파싱

diff --git a/...erver/global/filter/MDCLoggingFilter.java → ...al/filter/RequestObservabilityFilter.java b/...erver/global/filter/MDCLoggingFilter.java → ...al/filter/RequestObservabilityFilter.java
@@ -18,26 +18,30 @@
 
 @Component
 @Slf4j
-@Profile("!local")
+//@Profile("!local")
 @Order(Ordered.HIGHEST_PRECEDENCE)
-class MDCLoggingFilter extends OncePerRequestFilter {
+class RequestObservabilityFilter extends OncePerRequestFilter {
     private static final String NGINX_REQUEST_ID = "X-Request-ID";
     private static final String TRACE_ID = "trace_id";
 
     private static final String URI = "uri";
     private static final String METHOD = "method";
     private static final String STATUS = "status";
 
+    private static final long SLOW_REQUEST_THRESHOLD_MS = 1000L;
+
     @Override
     protected void doFilterInternal(@NonNull final HttpServletRequest request,
-                                    @NonNull final HttpServletResponse response,
-                                    @NonNull final FilterChain filterChain) throws ServletException, IOException {
+            @NonNull final HttpServletResponse response,
+            @NonNull final FilterChain filterChain) throws ServletException, IOException {
         final String uri = request.getRequestURI();
         // 헬스체크는 패스
         if (uri != null && uri.contains(Constants.HEALTH_CHECK_URL)) {
             filterChain.doFilter(request, response);
             return;
         }
+
+        final long start = System.currentTimeMillis();
         try {
             String traceId = request.getHeader(NGINX_REQUEST_ID);
             if (traceId == null || traceId.isBlank()) {
@@ -48,9 +52,17 @@ protected void doFilterInternal(@NonNull final HttpServletRequest request,
             MDC.put(METHOD, request.getMethod());
 
             filterChain.doFilter(request, response);
-
-            MDC.put(STATUS, String.valueOf(response.getStatus()));
         } finally {
+            final long duration = System.currentTimeMillis() - start;
+            final int status = response.getStatus();
+            final String method = request.getMethod();
+
+            if (duration >= SLOW_REQUEST_THRESHOLD_MS) {
+                log.warn("[SLOW] {} {} → {} ({}ms)", method, uri, status, duration);
+            } else {
+                log.info("{} {} → {} ({}ms)", method, uri, status, duration);
+            }
+
             MDC.remove(STATUS);
             MDC.remove(METHOD);
             MDC.remove(URI);