From f33c302f9fedbe40d55365966d2c12feb10d6a22 Mon Sep 17 00:00:00 2001
From: gimgisu
Date: Mon, 6 Oct 2025 12:55:24 +0900
Subject: [PATCH 1/2] =?UTF-8?q?fix(security):=20permitAll=20=EA=B2=BD?= =?UTF-8?q?=EB=A1=9C=EC=97=90=EC=84=9C=EB=8F=84=20=ED=86=A0=ED=81=B0?= =?UTF-8?q?=EC=9D=B4=20=EC=9E=88=EC=9C=BC=EB=A9=B4=20=EC=9D=B8=EC=A6=9D=20?= =?UTF-8?q?=EC=84=B8=ED=8C=85=EB=90=98=EB=8F=84=EB=A1=9D=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../security/filter/JwtAuthenticationFilter.java | 14 +++++++++-----
 .../codin/common/security/service/JwtService.java | 8 +++++++-
 .../domain/post/domain/hits/entity/HitsEntity.java | 4 +---
 .../post/service/PostInteractionService.java | 3 ++-
 4 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/main/java/inu/codin/codin/common/security/filter/JwtAuthenticationFilter.java b/src/main/java/inu/codin/codin/common/security/filter/JwtAuthenticationFilter.java
index e8087769..0238da97 100644
--- a/src/main/java/inu/codin/codin/common/security/filter/JwtAuthenticationFilter.java
+++ b/src/main/java/inu/codin/codin/common/security/filter/JwtAuthenticationFilter.java
@@ -9,6 +9,7 @@ import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.AntPathMatcher;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 import java.io.IOException;
@@ -36,10 +37,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 String requestURI = request.getRequestURI();
- if (permitAllProperties.getUrls().stream().anyMatch(url -> pathMatcher.match(url, requestURI))) {
- filterChain.doFilter(request, response);
- return;
- }
+ final boolean isPermitAll = permitAllProperties.getUrls().stream()
+ .anyMatch(url -> pathMatcher.match(url, requestURI));
 String token = null;
 if (Arrays.stream(SWAGGER_AUTH_PATHS).anyMatch(url -> pathMatcher.match(url, requestURI))) {
@@ -49,10 +48,15 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 }
 // Access Token이 있는 경우
- if (token != null) {
+ if (StringUtils.hasText(token)) {
 jwtService.getUserDetailsAndSetAuthentication(token);
 } else {
 SecurityContextHolder.clearContext();
+
+ if (isPermitAll) {
+ filterChain.doFilter(request, response);
+ return;
+ }
 }
 filterChain.doFilter(request, response);
diff --git a/src/main/java/inu/codin/codin/common/security/service/JwtService.java b/src/main/java/inu/codin/codin/common/security/service/JwtService.java
index 05c440d2..98a9a269 100644
--- a/src/main/java/inu/codin/codin/common/security/service/JwtService.java
+++ b/src/main/java/inu/codin/codin/common/security/service/JwtService.java
@@ -16,10 +16,10 @@ import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
+import org.springframework.util.StringUtils;
 /**
 * JWT 토큰 관련 비즈니스 로직을 처리하는 서비스
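Review bot: Removing the early `return` means permitAll requests no longer skip the token-extraction code that follows this hunk, and the JwtService hunk below shows `getAccessToken` throwing `JwtException` when a present token is not an access token, so a public endpoint can now fail for a client that still carries a stale or wrong-type token instead of being served anonymously. The assignment of `token` for non-Swagger paths is outside this hunk, so I am inferring it goes through `jwtService.getAccessToken`; if so, guard it for public paths, e.g. `try { token = jwtService.getAccessToken(request); } catch (JwtException e) { if (!isPermitAll) throw e; }`, which leaves `token` null and lets the existing else branch clear the context. doFilterInternal continues past the end of this hunk.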
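Review bot: The added `if (isPermitAll) { filterChain.doFilter(request, response); return; }` inside the else branch is redundant: the fall-through `filterChain.doFilter(request, response);` two lines below does exactly the same thing, so `isPermitAll` currently has no effect on behavior in this method. The case where a permitAll path should actually differ is failure: if `getUserDetailsAndSetAuthentication` rejects an expired or tampered token (its error handling lives in JwtService and is not visible here; I am assuming it throws the project's `JwtException` as `getAccessToken` does), a public path should proceed anonymously while a protected path should still fail. Suggest wrapping the authentication call, clearing the context on failure, and rethrowing only when `!isPermitAll`, which also removes the duplicated doFilter call. The enclosing doFilterInternal starts before this hunk.
```java
        if (StringUtils.hasText(token)) {
            try {
                jwtService.getUserDetailsAndSetAuthentication(token);
            } catch (JwtException e) {
                // A stale or invalid token must not block a public path; protected paths still fail.
                SecurityContextHolder.clearContext();
                if (!isPermitAll) {
                    throw e;
                }
            }
        } else {
            SecurityContextHolder.clearContext();
        }
        filterChain.doFilter(request, response);
```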
@@ -192,6 +192,12 @@ public void getUserDetailsAndSetAuthentication(String token) {
 public String getAccessToken(HttpServletRequest request) {
 String accessToken = jwtUtils.getAccessToken(request);
+ log.info("token: {}", accessToken);
+
+ if (!StringUtils.hasText(accessToken)) {
+ return null;
+ }
+
 if (!jwtTokenProvider.validType(accessToken, "access")) {
 log.error("[getAccessToken] Access Token이 아닙니다.");
 throw new JwtException(SecurityErrorCode.INVALID_TYPE, "Access Token이 아닙니다.");
diff --git a/src/main/java/inu/codin/codin/domain/post/domain/hits/entity/HitsEntity.java b/src/main/java/inu/codin/codin/domain/post/domain/hits/entity/HitsEntity.java
index 6f00726f..c4cbc429 100644
--- a/src/main/java/inu/codin/codin/domain/post/domain/hits/entity/HitsEntity.java
+++ b/src/main/java/inu/codin/codin/domain/post/domain/hits/entity/HitsEntity.java
@@ -14,13 +14,11 @@ @NoArgsConstructor(access = AccessLevel.PROTECTED)
 public class HitsEntity {
- @Id @NotBlank
+ @Id
 private ObjectId _id;
- @NotBlank
 private ObjectId userId;
- @NotBlank
 private ObjectId postId;
 @Builder
diff --git a/src/main/java/inu/codin/codin/domain/post/service/PostInteractionService.java b/src/main/java/inu/codin/codin/domain/post/service/PostInteractionService.java
index ff7f810f..21b939b3 100644
--- a/src/main/java/inu/codin/codin/domain/post/service/PostInteractionService.java
+++ b/src/main/java/inu/codin/codin/domain/post/service/PostInteractionService.java
@@ -47,8 +47,9 @@ public void deletePostImageInternal(PostEntity post, String imageUrl) {
 }
 // [HitsService] - 조회수 증가 처리
+ // 비로그인(null) → 무조건 증가, 로그인 → 중복 아닐 때만 증가
 public void increaseHits(PostEntity post, ObjectId userId) {
- if (!hitsService.validateHits(post.get_id(), userId)) {
+ if (userId==null || !hitsService.validateHits(post.get_id(), userId)) {
 hitsService.addHits(post.get_id(), userId);
 log.info("조회수 업데이트. PostId: {}, UserId: {}", post.get_id(), userId);
 }
From 6ad0e54a65f3cf0f9c94829a8c6030574bcb98a1 Mon Sep 17 00:00:00 2001
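Review bot: The new `return null` gives `getAccessToken` two distinct failure modes — `null` when the request carries no token, a thrown `JwtException` when it carries one that is not an access token — and nothing at the signature says so, so callers other than the filter's `hasText` check can easily treat the two alike. Add a Javadoc above the signature: `/** Extracts the access token from the request. @return the token, or {@code null} when the request carries none. @throws JwtException if a token is present but is not an access token. */`. The `log.info("token: {}", accessToken)` added here writes the raw bearer token to the application log; PATCH 2/2 in this series removes it again, so no further action is needed on that line. The method body continues past the end of this hunk.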
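Review bot: After this change `userId` can legitimately be null — the PostInteractionService hunk in this same patch stores anonymous hits with a null user — but nothing on the entity records that, and the removed `@NotBlank` was not an effective guard here anyway if it is Bean Validation's constraint, which applies to `CharSequence` rather than `ObjectId`. Add a field comment, `// null for anonymous (unauthenticated) viewers; see PostInteractionService.increaseHits`, and decide whether `_id` and `postId` still need a null check now that no constraint remains on them at all (a `@NotNull` would be the matching type-correct replacement, if validation is run on this entity). The class body continues past the end of this hunk.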
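Review bot: With `userId==null ||` short-circuiting past `validateHits`, an unauthenticated client increments the hit counter on every request with no deduplication at all, so view counts can be inflated arbitrarily by anyone who simply omits the Authorization header — the dedup now protects only logged-in users. If anonymous views must count, they need their own dedup key (a visitor cookie or client address carried into HitsEntity) or a rate limit inside `hitsService`; at minimum the comment should state the trade-off in English, e.g. `// Anonymous views (null userId) are never deduplicated; the counter is trivially inflatable by unauthenticated clients.` Also, `userId==null` should be spaced as `userId == null` to match the surrounding code. Whether `hitsService.addHits` accepts a null userId is not visible here; please confirm.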
From: gimgisu
Date: Mon, 6 Oct 2025 13:03:52 +0900
Subject: [PATCH 2/2] =?UTF-8?q?chore=20:=20log=20=EC=A0=95=EB=A6=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../java/inu/codin/codin/common/security/service/JwtService.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/main/java/inu/codin/codin/common/security/service/JwtService.java b/src/main/java/inu/codin/codin/common/security/service/JwtService.java
index 98a9a269..6e419603 100644
--- a/src/main/java/inu/codin/codin/common/security/service/JwtService.java
+++ b/src/main/java/inu/codin/codin/common/security/service/JwtService.java
@@ -192,7 +192,6 @@ public void getUserDetailsAndSetAuthentication(String token) {
 public String getAccessToken(HttpServletRequest request) {
 String accessToken = jwtUtils.getAccessToken(request);
- log.info("token: {}", accessToken);
 if (!StringUtils.hasText(accessToken)) {
 return null;