[feat] CORS implementation complete #91

Merged
KiSeungMin merged 1 commit into develop from feature/seungmin-cors on Aug 1, 2025

Conversation

KiSeungMin (Member) commented Aug 1, 2025

✔️ Related issues

📝 Work done

  • Implemented CORS functionality for the second assignment submission and for API integration.

Screenshots (optional)

Summary by CodeRabbit

  • New features
    • CORS (Cross-Origin Resource Sharing) configuration was added, allowing access from various origins.
    • Unauthenticated access to admin-related URLs ("/admin/**") is now possible.

KiSeungMin self-assigned this Aug 1, 2025
KiSeungMin added the 💡 feature (feature implementation and development) label Aug 1, 2025
coderabbitai Bot commented Aug 1, 2025

Walkthrough

The security configuration was strengthened: CORS support was added and configured. CORS is applied to all paths, allowing all origins, the GET/POST/PUT/DELETE/OPTIONS methods, all headers, and credentials. The "/admin/**" path was changed to be accessible without authentication.

Changes

Cohort / File(s) | Change Summary
Security Configuration
src/main/java/com/wayble/server/common/config/SecurityConfig.java | Added a CORS configuration source bean; all origins/headers/methods/credentials allowed; "/admin/**" allowed without authentication; CORS applied to the filter chain

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant Server as Server (Spring Security)
    participant CORS as CORS Config

    Client->>Server: HTTP Request (e.g., OPTIONS, GET)
    Server->>CORS: Apply CORS rules
    alt Request matches "/admin/**"
        Server-->>Client: Allow without authentication
    else
        Server->>Client: Apply normal security rules
    end
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰
A breeze blows through the server at dawn,
Welcoming every origin, the door flung wide.
Freedom flows along the admin path,
Requests sway to the dance of CORS.
The rabbit, delighted, perks up its ears:
Security and flexibility both score full marks today!


coderabbitai Bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2eae9b1 and a17dc10.

📒 Files selected for processing (1)
  • src/main/java/com/wayble/server/common/config/SecurityConfig.java (3 hunks)
🔇 Additional comments (2)
src/main/java/com/wayble/server/common/config/SecurityConfig.java (2)

16-20: CORS-related imports confirmed

These are the appropriate import statements for the standard Spring Framework CORS functionality.


38-38: CORS configuration integration confirmed

The CORS configuration is correctly integrated into the Spring Security filter chain.

"/index",
"/index.html"
"/index.html",
"/admin/**"
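Review bot: Appending "/admin/**" to this permitAll() list (the trailing comma added to "/index.html" shows it was added to the same public-path matcher) removes authentication from every admin endpoint, so anyone can reach them. Keep "/admin/**" out of this list and give it its own rule, `.requestMatchers("/admin/**").hasRole("ADMIN")`, placed before any broader matcher, since Spring Security applies the first rule that matches a request.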

coderabbitai Bot commented Aug 1, 2025

⚠️ Potential issue

Unauthenticated access allowed to admin paths - security risk

Adding the "/admin/**" path to permitAll() allows administrator functionality to be accessed without authentication. This can lead to a serious security risk.

Admin paths require proper authentication and authorization checks.

The following change is recommended:

-                                "/admin/**"

Then add a separate security rule for the admin path:

.requestMatchers("/admin/**").hasRole("ADMIN")
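Review bot: The suggested `.requestMatchers("/admin/**").hasRole("ADMIN")` rule only takes effect if it is placed ahead of the permitAll() matcher list and of anyRequest() inside authorizeHttpRequests; Spring Security evaluates matchers in declaration order, so the same rule placed after a broader matcher is never reached. hasRole("ADMIN") also assumes that admin users are granted the authority ROLE_ADMIN somewhere in the project, which this diff does not show.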
🤖 Prompt for AI Agents
In src/main/java/com/wayble/server/common/config/SecurityConfig.java at line 53,
remove "/admin/**" from the permitAll() matcher list to prevent unauthenticated
access to admin paths. Instead, add a separate security rule that restricts
access to "/admin/**" by requiring the user to have the "ADMIN" role using
.requestMatchers("/admin/**").hasRole("ADMIN"). This ensures proper
authentication and authorization for admin routes.

KiSeungMin (Member, Author) replied

I'll do it next time!

coderabbitai Bot replied

@KiSeungMin Understood! Since this is a security issue, would you like me to register a GitHub issue so it isn't missed later? It would be good to track it as a follow-up task for hardening admin path security.

Let me know if you need it! 🙂

Comment on lines +62 to +73
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(Arrays.asList("*")); // 모든 오리진 허용
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // 허용할 HTTP 메서드
configuration.setAllowedHeaders(Arrays.asList("*")); // 모든 헤더 허용
configuration.setAllowCredentials(true); // 쿠키, 인증 정보 허용

UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration); // 모든 경로에 적용
return source;
}
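Review bot: setAllowedOriginPatterns("*") combined with setAllowCredentials(true) is the problematic pair in this hunk. Spring rejects setAllowedOrigins("*") together with credentials, but the pattern variant passes that check and instead reflects whatever Origin header arrives back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, so any site can make cookie-bearing requests to this API and read the responses. Registering the configuration on "/**" also extends it to "/admin/**". Restrict the origins to an explicit list (or drop allowCredentials), and consider scoping the registration to the API prefix rather than "/**".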


⚠️ Potential issue

Overly permissive CORS configuration - critical security risk

The current CORS configuration is very permissive and can create security risks:

  1. All origins allowed + credentials allowed: vulnerable to CSRF attacks
  2. All headers and methods allowed: expanded attack surface
  3. Unsuitable for production: settings that should only be used in a development environment

Changing to a more restrictive configuration like the following is recommended:

-        configuration.setAllowedOriginPatterns(Arrays.asList("*")); // 모든 오리진 허용
+        configuration.setAllowedOriginPatterns(Arrays.asList("http://localhost:3000", "https://yourdomain.com")); // 특정 오리진만 허용
-        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // 허용할 HTTP 메서드
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // 필요한 메서드만 허용
-        configuration.setAllowedHeaders(Arrays.asList("*")); // 모든 헤더 허용
+        configuration.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-Requested-With")); // 필요한 헤더만 허용
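Review bot: The -/+ pair for setAllowedMethods is identical apart from the comment, so it changes nothing and can be dropped from the suggestion. More importantly, the suggestion leaves setAllowCredentials(true) in place; with credentials enabled the origin list must be exact origins, and "https://yourdomain.com" is a placeholder that has to be replaced with the real front-end origin before this is applied.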

Alternatively, configure Spring profiles so that a different setting is used per environment.

🤖 Prompt for AI Agents
In src/main/java/com/wayble/server/common/config/SecurityConfig.java lines 62 to
73, the CORS configuration is overly permissive by allowing all origins with
credentials, all headers, and all methods, which poses serious security risks.
To fix this, restrict allowed origins to specific trusted domains instead of
"*", limit allowed HTTP methods to only those necessary, and avoid allowing
credentials unless absolutely required. Additionally, configure different CORS
settings for development and production environments using Spring profiles to
ensure secure defaults in production.
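The following is an added example of what the two review findings above look like when applied together; it is not code from this PR or from the wayble project. It assumes Spring Boot 3 / Spring Security 6, a hypothetical package name, a hypothetical property `app.cors.allowed-origins` (a comma-separated list set per profile), an API prefix of `/api/**`, and that admin users carry the `ROLE_ADMIN` authority.

```java
// Added example, not the project's code. Hardened version of the CORS bean and the
// admin matcher discussed in PR #91. Package, property name and "/api/**" prefix are
// assumptions for illustration.
package com.example.corsdemo;

import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class HardenedCorsSecurityConfig {

    // Hypothetical property. Example values:
    //   application-dev.yml:  app.cors.allowed-origins: http://localhost:3000
    //   application-prod.yml: app.cors.allowed-origins: https://app.example.com
    // Spring splits the comma-separated value into the list.
    private final List<String> allowedOrigins;

    public HardenedCorsSecurityConfig(
            @Value("${app.cors.allowed-origins}") List<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // Exact origins rather than patterns. Spring refuses setAllowedOrigins("*")
        // when allowCredentials is true, but setAllowedOriginPatterns("*") passes that
        // check and reflects any Origin back with Access-Control-Allow-Credentials: true,
        // which is the combination the review flagged.
        configuration.setAllowedOrigins(allowedOrigins);
        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-Requested-With"));
        // Credentials are acceptable only because the origin list above is explicit.
        configuration.setAllowCredentials(true);
        configuration.setMaxAge(3600L); // let browsers cache preflight results for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Scope to the API prefix (assumed) instead of "/**", so admin and static
        // paths do not inherit the cross-origin policy.
        source.registerCorsConfiguration("/api/**", configuration);
        return source;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .authorizeHttpRequests(auth -> auth
                // Most specific rule first: Spring Security applies the first
                // matcher that fits the request, so this must precede permitAll().
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/index", "/index.html").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With this in place, a request whose Origin is not in the configured list gets no Access-Control-Allow-Origin header at all, so the browser blocks the cross-origin read, and an unauthenticated request to /admin/** is rejected before it reaches a controller.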

@KiSeungMin KiSeungMin merged commit 404ecb9 into develop Aug 1, 2025
1 check passed
@KiSeungMin KiSeungMin deleted the feature/seungmin-cors branch August 1, 2025 09:23

Labels

💡 feature (feature implementation and development)
