Merged
@@ -13,6 +13,11 @@
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.Arrays;

@Configuration
@RequiredArgsConstructor
@@ -30,6 +35,7 @@ public PasswordEncoder passwordEncoder() {
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
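Review bot: once `.cors(cors -> cors.configurationSource(corsConfigurationSource()))` is registered, Spring Security places a CorsFilter ahead of the authorization filter and that filter answers preflight requests itself, so the `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` rule below it no longer does any work and should be dropped, leaving the CORS configuration as the single place that decides which cross-origin requests are accepted. Keeping `csrf.disable()` next to `SessionCreationPolicy.STATELESS` is only sound while the JWT is read from the Authorization header; if the `setAllowCredentials(true)` added further down is meant to let a browser send a cookie-borne token, CSRF protection has to come back.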
@@ -43,12 +49,26 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
"/v3/api-docs/**",
"/",
"/index",
"/index.html"
"/index.html",
"/admin/**"

@coderabbitai coderabbitai Bot Aug 1, 2025

⚠️ Potential issue

Unauthenticated access allowed to admin paths - security risk

Adding the "/admin/**" path to permitAll() allows admin functionality to be accessed without authentication. This can create a serious security risk.

Admin paths require proper authentication and authorization checks.

We recommend modifying it as follows:

-                                "/admin/**"

And add a separate security rule for the admin paths:

.requestMatchers("/admin/**").hasRole("ADMIN")
🤖 Prompt for AI Agents
In src/main/java/com/wayble/server/common/config/SecurityConfig.java at line 53,
remove "/admin/**" from the permitAll() matcher list to prevent unauthenticated
access to admin paths. Instead, add a separate security rule that restricts
access to "/admin/**" by requiring the user to have the "ADMIN" role using
.requestMatchers("/admin/**").hasRole("ADMIN"). This ensures proper
authentication and authorization for admin routes.

Member Author


I'll do it next time


@KiSeungMin Got it! Since this is a security issue, shall I register a GitHub issue so it isn't missed later? It would be good to track it as a follow-up task for hardening the admin path security.

Let me know if you need it! 🙂

).permitAll()
.anyRequest().authenticated()
)
.addFilterBefore(new JwtAuthenticationFilter(jwtProvider), UsernamePasswordAuthenticationFilter.class);

return http.build();
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(Arrays.asList("*")); // allow all origins
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // HTTP methods to allow
configuration.setAllowedHeaders(Arrays.asList("*")); // allow all headers
configuration.setAllowCredentials(true); // allow cookies and credentials

UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration); // apply to all paths
return source;
}
Comment on lines +62 to +73


⚠️ Potential issue

Overly permissive CORS configuration - critical security risk

The current CORS configuration is very lenient and can create security risks:

  1. All origins allowed + credentials allowed: vulnerable to CSRF attacks
  2. All headers and methods allowed: expanded attack surface
  3. Unsuitable for production: a setting that should only be used in development environments

We recommend changing to a more restrictive configuration as follows:

-        configuration.setAllowedOriginPatterns(Arrays.asList("*")); // allow all origins
+        configuration.setAllowedOriginPatterns(Arrays.asList("http://localhost:3000", "https://yourdomain.com")); // allow only specific origins
-        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // HTTP methods to allow
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); // allow only the methods that are needed
-        configuration.setAllowedHeaders(Arrays.asList("*")); // allow all headers
+        configuration.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-Requested-With")); // allow only the headers that are needed

Or configure Spring profiles so that different settings are used per environment.

🤖 Prompt for AI Agents
In src/main/java/com/wayble/server/common/config/SecurityConfig.java lines 62 to
73, the CORS configuration is overly permissive by allowing all origins with
credentials, all headers, and all methods, which poses serious security risks.
To fix this, restrict allowed origins to specific trusted domains instead of
"*", limit allowed HTTP methods to only those necessary, and avoid allowing
credentials unless absolutely required. Additionally, configure different CORS
settings for development and production environments using Spring profiles to
ensure secure defaults in production.

}
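Review bot: two authorization holes in this hunk. First, `"/admin/**"` sits in the permitAll() list, so every admin endpoint is reachable without a token; remove it and add `.requestMatchers("/admin/**").hasRole("ADMIN")` ahead of `.anyRequest().authenticated()` (hasRole expects the authority `ROLE_ADMIN` on the authenticated principal). Second, in corsConfigurationSource() the pair `setAllowedOriginPatterns(Arrays.asList("*"))` plus `setAllowCredentials(true)` is exactly the combination Spring lets through while `setAllowedOrigins("*")` with credentials is rejected by CorsConfiguration.validateAllowCredentials(): with a wildcard pattern the request's Origin is reflected into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, so any site can issue credentialed requests and read the responses. Use explicit origins via setAllowedOrigins(...), leave allowCredentials off unless the browser really has to send cookies (a bearer token in the Authorization header does not need it), and narrow `setAllowedHeaders(Arrays.asList("*"))` to the headers the client sends.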
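The two review comments above describe the same fix from two sides: take `/admin/**` out of permitAll() and put it behind a role check, and replace the wildcard-plus-credentials CORS policy with an explicit origin list bound per Spring profile. The following is an added example of a SecurityConfig that does both; it is not code from the PR or the wayble project. It keeps the PR's own `JwtProvider` and `JwtAuthenticationFilter` (visible in the diff) and assumes a property named `app.cors.allowed-origins` (a name chosen here, set differently in `application-dev.yml` and `application-prod.yml`) and the class name `HardenedSecurityConfig`.

```java
package com.wayble.server.common.config; // same package as the PR's SecurityConfig (assumed)

import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class HardenedSecurityConfig {

    private final JwtProvider jwtProvider; // the PR's JwtProvider, injected exactly as SecurityConfig does

    // Comma-separated exact origins, e.g. "https://app.example.com" in application-prod.yml
    // and "http://localhost:3000" in application-dev.yml. Property name is an assumption.
    private final List<String> allowedOrigins;

    public HardenedSecurityConfig(JwtProvider jwtProvider,
                                  @Value("${app.cors.allowed-origins:http://localhost:3000}") String origins) {
        this.jwtProvider = jwtProvider;
        this.allowedOrigins = Arrays.stream(origins.split(","))
                .map(String::trim)
                .filter(o -> !o.isEmpty() && !"*".equals(o)) // never let a wildcard slip in from config
                .toList();
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // CSRF stays disabled only because the API is stateless and the JWT arrives in the
            // Authorization header; a browser never attaches that header on its own.
            .csrf(csrf -> csrf.disable())
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Rules are first-match in declaration order: the admin rule comes first and
                // "/admin/**" appears nowhere in a permitAll() list. hasRole("ADMIN") matches
                // the authority "ROLE_ADMIN" on the principal the JWT filter builds.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/swagger-ui/**", "/v3/api-docs/**", "/", "/index", "/index.html").permitAll()
                .anyRequest().authenticated()
            )
            // No explicit OPTIONS permitAll: the CorsFilter registered by .cors() answers preflights.
            .addFilterBefore(new JwtAuthenticationFilter(jwtProvider), UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // Exact origins via setAllowedOrigins, not setAllowedOriginPatterns("*"): with credentials
        // enabled a wildcard pattern makes Spring reflect any Origin back to the browser.
        configuration.setAllowedOrigins(allowedOrigins);
        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-Requested-With"));
        // A bearer token in the Authorization header does not need credentials mode; it is left
        // off here. Flip it to true only if the client must send cookies, and only with the
        // exact-origin list above (Spring rejects "*" in allowedOrigins together with credentials).
        configuration.setAllowCredentials(false);
        configuration.setMaxAge(3600L); // cache preflight results for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}
```

The filter on `"*"` in the constructor is deliberate: a production profile that accidentally ships `app.cors.allowed-origins=*` would otherwise re-open the hole the review flagged, and `setAllowedOrigins` only throws at startup for that value when `allowCredentials` is true.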