[FIX] refresh fix (#369) #370

Merged
lingard1234 merged 3 commits into dev from fix/369-filter
Feb 11, 2026
Conversation

@lingard1234

Summary

Only the refresh token is sent in the header.

Changes

Added the refresh path to EXCLUDED_PATHS.

Type of Change

  • Bug fix (bug fix that does not affect existing functionality)
  • New feature (new functionality that does not affect existing functionality)
  • Breaking change (change that affects existing functionality)
  • Refactoring (code improvement with no functional change)
  • Documentation (documentation change)
  • Chore (build, configuration and other changes)
  • Release (develop → main deployment)

Related Issues

Notes

@lingard1234 lingard1234 self-assigned this Feb 11, 2026
@gemini-code-assist

Summary of Changes

Hello @lingard1234, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This PR fixes a problem that could arise from the JWT authentication filter handling the refresh endpoint. By adding that path to the exclusion list, token refresh requests bypass an unnecessary authentication check, which improves the token refresh flow.

Highlights

  • Refresh path excluded: /api/v1/auth/refresh was added to the EXCLUDED_PATHS list of JwtAuthenticationFilter so that it is excluded from the JWT authentication filter.
Changelog
  • src/main/java/com/example/RealMatch/global/config/jwt/JwtAuthenticationFilter.java
    • Added the refresh endpoint to EXCLUDED_PATHS so that it is excluded from the JWT authentication filter.
Activity
  • No activity has been recorded for this PR yet.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This PR adds the /api/v1/auth/refresh path to the JWT authentication filter's exclusion list for token reissuance. However, the current implementation introduces a critical security vulnerability: the path matching logic in the filter uses startsWith, which is insecure and can lead to authentication bypasses. Additionally, the SecurityConfig.java file has not been updated to allow public access to this endpoint, which will prevent the token refresh functionality from working as intended.

"/swagger-resources",
"/actuator"
"/actuator",
"/api/v1/auth/refresh"
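Review bot: the new "/api/v1/auth/refresh" entry is consumed by a startsWith check in shouldNotFilter (as the review comment on this hunk states), so it behaves as a prefix rather than an endpoint: "/api/v1/auth/refresh-admin" and "/api/v1/auth/refresh/..;/other" begin with the same string and would skip the JWT filter too. Match this entry exactly (or through a proper path matcher) and limit it to the HTTP method the refresh endpoint serves. The hunk also touches only the filter list; the corresponding permit rule in SecurityConfig is not part of this change, so the endpoint remains behind the authenticated() catch-all.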

security-medium

Adding /api/v1/auth/refresh to the EXCLUDED_PATHS list using startsWith in the shouldNotFilter method is insecure. This can lead to authentication bypasses via path traversal (e.g., /api/v1/auth/refresh/..;/protected-endpoint) or unintentionally match other endpoints (e.g., /api/v1/auth/refresh-admin). It is recommended to use exact matching or a robust path matcher like AntPathMatcher. Furthermore, this change alone is insufficient; the SecurityConfig.java file must also be updated to allow public access to this endpoint by adding "/api/v1/auth/refresh" to PERMIT_ALL_URL_ARRAY. Without this, the endpoint will be blocked by Spring Security's anyRequest().authenticated() rule, preventing token reissuance.

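The prefix-versus-exact matching point raised in the review above, as an added standalone example that is not the project's JwtAuthenticationFilter code: a plain-Java reproduction of a startsWith exclusion beside an exact-match exclusion on a normalized path, run over constructed request URIs that include the two bypass shapes the review names. The EXCLUDED_PATHS contents beyond the entries visible in the diff, the normalize helper and the method names are assumptions made for this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Set;

public class ExcludedPathDemo {

    // Hypothetical stand-in for the project's EXCLUDED_PATHS: only the last two
    // entries are visible in the PR diff, the first is assumed.
    static final List<String> EXCLUDED_PATHS = List.of(
            "/swagger-resources",
            "/actuator",
            "/api/v1/auth/refresh");

    // Prefix matching as the review describes it: any request URI that merely
    // begins with an excluded entry skips the JWT filter.
    static boolean prefixShouldNotFilter(String requestUri) {
        return EXCLUDED_PATHS.stream().anyMatch(requestUri::startsWith);
    }

    // Hardened variant: the refresh endpoint is matched exactly, on a
    // normalized path, so neither a longer name nor a dot-segment trick qualifies.
    static final Set<String> EXACT_EXCLUDED = Set.of("/api/v1/auth/refresh");

    static boolean exactShouldNotFilter(String requestUri) {
        String normalized = normalize(requestUri);
        return normalized != null && EXACT_EXCLUDED.contains(normalized);
    }

    // Strip matrix parameters (";jsessionid=...", "..;") from every segment,
    // drop empty and "." segments, and resolve "..". A path that climbs above
    // the root returns null and is therefore never treated as excluded.
    static String normalize(String requestUri) {
        Deque<String> out = new ArrayDeque<>();
        for (String raw : requestUri.split("/")) {
            int semi = raw.indexOf(';');
            String seg = semi >= 0 ? raw.substring(0, semi) : raw;
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null;
                }
                out.removeLast();
                continue;
            }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    public static void main(String[] args) {
        // Constructed request URIs, including the two bypass shapes from the review.
        List<String> samples = List.of(
                "/api/v1/auth/refresh",
                "/api/v1/auth/refresh-admin",
                "/api/v1/auth/refresh/..;/api/v1/users/me",
                "/api/v1/users/me");
        System.out.printf("%-45s %-8s %-8s%n", "request URI", "prefix", "exact");
        for (String uri : samples) {
            System.out.printf("%-45s %-8b %-8b%n", uri,
                    prefixShouldNotFilter(uri), exactShouldNotFilter(uri));
        }
    }
}
```

Run it with `java ExcludedPathDemo.java` (Java 11 or later). The prefix column is true for all three samples that begin with the refresh path, so the filter would be skipped for `refresh-admin` and for the `..;` traversal; the exact column is true only for `/api/v1/auth/refresh` itself. The filter exclusion is only half of the change: as the review notes, the path must also be permitted in SecurityConfig (the PERMIT_ALL_URL_ARRAY it mentions), and that rule should be equally narrow, ideally restricted to the HTTP method the refresh endpoint actually serves.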
@lingard1234 lingard1234 merged commit 497ea20 into dev Feb 11, 2026
1 check passed
@lingard1234 lingard1234 deleted the fix/369-filter branch February 11, 2026 02:54