Skip to content

MOSU fix: 화이트리스트 반영 #233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wlgns12370 merged 1 commit into from
Aug 7, 2025
Merged

MOSU fix: 화이트리스트 반영 #233

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions src/main/java/life/mosu/mosuserver/global/filter/Whitelist.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ public enum Whitelist {
SWAGGER_UI("/api/v1/swagger-ui", WhitelistMethod.ALL),
VIRTUAL_ACCOUNT("/api/v1/virtual-account", WhitelistMethod.ALL),
ADMISSION_TICKET("/api/v1/admission-ticket", WhitelistMethod.ALL),
APPLICATION_GUEST("/api/v1/applications/guest", WhitelistMethod.ALL),

// 정적 리소스
CSS("/api/v1/css", WhitelistMethod.GET),
Expand All @@ -33,11 +32,17 @@ public enum Whitelist {
OAUTH2("/api/v1/oauth2", WhitelistMethod.ALL),
OAUTH("/api/v1/oauth", WhitelistMethod.ALL),

// 삭제 예정
MASTER("/api/v1/master", WhitelistMethod.ALL),

// 조회만 가능한 PATH
EVENT("/api/v1/event", WhitelistMethod.GET),
FAQ("/api/v1/faq", WhitelistMethod.GET),
NOTICE("/api/v1/notice", WhitelistMethod.GET);
NOTICE("/api/v1/notice", WhitelistMethod.GET),
USER_ID_CHECK("/api/v1/user/check-id", WhitelistMethod.GET),
CUSTOMER_KEY_CHECK("/api/v1/user/customer-key", WhitelistMethod.GET),
Copy link

@gemini-code-assist gemini-code-assist bot Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

This line adds the /api/v1/user/customer-key endpoint to the whitelist, which is intended for public endpoints that don't require authentication. However, another change in this pull request adds a @PreAuthorize annotation to the getCustomerKey method in UserController, which is meant to secure this exact endpoint. These changes are contradictory. An endpoint cannot be both whitelisted (public) and require authentication. To fix this, please remove this line. The endpoint should be secured as per the change in UserController.


APPLICATION_GUEST("/api/v1/applications/guest", WhitelistMethod.ALL);
private final String path;
private final WhitelistMethod method;

Expand Down
1 change: 1 addition & 0 deletions src/main/java/life/mosu/mosuserver/presentation/user/UserController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ public ResponseEntity<ApiResponseWrapper<UserInfoResponse>> getUserInfo(
}

@GetMapping("/customer-key")
@PreAuthorize("isAuthenticated() and hasRole('USER')")
public ResponseEntity<ApiResponseWrapper<CustomerKeyResponse>> getCustomerKey(
@UserId final Long userId
) {
Expand Down