hotfix : Guest API 접근 제한 security 로직 수정

imscow11253 · imscow11253 · commit 5694df425816 · 2025-01-13T06:23:16.000+09:00
diff --git a/src/main/java/com/neighbors/tohero/common/ErrorResponseUtil.java b/src/main/java/com/neighbors/tohero/common/ErrorResponseUtil.java
@@ -13,7 +13,7 @@ public class ErrorResponseUtil {
 
     public static void setResponse(HttpServletResponse response, BaseResponseStatus responseStatus) throws IOException {
 
-        BaseResponse errorResponse = new BaseResponse(responseStatus, "JWT TOKEN 오류입니다.");
+        BaseResponse errorResponse = new BaseResponse(responseStatus, "THIS API NEED AUTHORIZED JWT TOKEN (MAYBE NOT GUEST TOKEN)");
 
         response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
         response.setContentType("application/json");
diff --git a/src/main/java/com/neighbors/tohero/common/security/AuthenticationUtil.java b/src/main/java/com/neighbors/tohero/common/security/AuthenticationUtil.java
@@ -2,6 +2,7 @@
 
 import com.neighbors.tohero.common.enums.Role;
 import com.neighbors.tohero.common.jwt.JwtProvider;
+import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -10,14 +11,32 @@
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 
-import java.util.Optional;
+import java.util.*;
 
 @Slf4j
 @Component
 @RequiredArgsConstructor
 public class AuthenticationUtil {
 
     private final JwtProvider jwtProvider;
+    private Map<String, List<String>> onlyUserRequest;
+
+    @PostConstruct
+    private void initOnlyUserRequest() {
+        onlyUserRequest = new HashMap<>();
+
+        // 초기화
+        addToOnlyUserRequest("PUT", "/user/name");
+        addToOnlyUserRequest("POST", "/user/signout");
+        addToOnlyUserRequest("POST", "/user/logout");
+        addToOnlyUserRequest("GET", "/letter");
+        addToOnlyUserRequest("PUT", "/letter");
+        addToOnlyUserRequest("GET", "/auth/refreshToken");
+    }
+
+    private void addToOnlyUserRequest(String method, String url) {
+        onlyUserRequest.computeIfAbsent(method, k -> new ArrayList<>()).add(url);
+    }
 
     public void setAuthenticationFromRequest(HttpServletRequest request) {
 
@@ -42,9 +61,11 @@ private Optional<UserAuthentication> makeAuthentication(HttpServletRequest reque
 
         if(isTokenValid(token)) {
             if (isRequestAvailableToGuest(token)) {
-                log.info("[AuthenticationUtil.makeAuthentication : Guest 권한 부여]");
-                String nickname = jwtProvider.getGuestJwtUserDetails(token).getNickname();
-                authentication = UserAuthentication.makeGuestAuthentication(nickname);
+                if(checkGuestAccessRequest(request)){
+                    log.info("[AuthenticationUtil.makeAuthentication : Guest 권한 부여]");
+                    String nickname = jwtProvider.getGuestJwtUserDetails(token).getNickname();
+                    authentication = UserAuthentication.makeGuestAuthentication(nickname);
+                }
             }
             else {
                 log.info("[AuthenticationUtil.makeAuthentication : User 권한 부여]");
@@ -59,6 +80,18 @@ private Optional<UserAuthentication> makeAuthentication(HttpServletRequest reque
         return Optional.ofNullable(authentication);
     }
 
+    private boolean checkGuestAccessRequest(HttpServletRequest request) {
+        List<String> urls = onlyUserRequest.get(request.getMethod());
+        if (urls != null) {
+            for (String url : urls) {
+                if (request.getRequestURI().contains(url)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
     private String getJwtFromRequest(HttpServletRequest request) {
         String bearerToken = request.getHeader("Authorization");
 
