[FIX] Create the chat room if none exists, then send the system message #388

Merged
1000hyehyang merged 1 commit into dev from fix/387-chat on Feb 12, 2026
Conversation

@1000hyehyang
Member

Summary

Changes

Type of Change

  • Bug fix (fixes a bug without affecting existing functionality)
  • New feature (adds functionality without affecting existing features)
  • Breaking change (a change that affects existing functionality)
  • Refactoring (code improvement with no functional change)
  • Documentation (documentation changes)
  • Chore (build, configuration and other changes)
  • Release (deploy develop → main)

Related Issues

Notes

@1000hyehyang 1000hyehyang self-assigned this Feb 12, 2026
@1000hyehyang 1000hyehyang added the "bug" (Something isn't working) label Feb 12, 2026
@gemini-code-assist
Contributor

Summary of Changes

Hello @1000hyehyang, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This PR makes the system more robust: when a system message related to a campaign application or proposal is about to be sent and the chat room it should go to does not exist yet, the room is now created automatically. This prevents message delivery failures and improves the user experience.

Highlights

  • Automatic chat-room creation added: when a campaign application or proposal event occurs and no chat room exists for that pair of users, one is now created automatically. This guarantees that the chat room exists before the system message is sent.
  • Service dependency changed: ChatRoomQueryService, which previously handled chat-room lookup only, is replaced by ChatRoomCommandService, which handles both creation and lookup.
  • Helper method introduced: a private ensureRoomAndGetId helper checks whether the chat room exists, creates it if needed and returns the roomId, improving readability and reuse.
Changelog
  • src/main/java/com/example/RealMatch/chat/application/event/apply/CampaignApplySentEventListener.java
    • Removed the unused java.util.Optional import.
    • Replaced the ChatRoomQueryService dependency with ChatRoomCommandService.
    • Changed handleCampaignApplySent to use the ensureRoomAndGetId helper for the existence check and room creation.
    • Added the private ensureRoomAndGetId method, which creates the chat room or returns the existing room's ID.
  • src/main/java/com/example/RealMatch/chat/application/event/proposal/CampaignProposalSentEventListener.java
    • Removed the unused java.util.Optional import.
    • Replaced the ChatRoomQueryService dependency with ChatRoomCommandService.
    • Changed handleCampaignProposalSent to use the ensureRoomAndGetId helper for the existence check and room creation.
    • Added the private ensureRoomAndGetId method, which creates the chat room or returns the existing room's ID.
Activity
  • Based on the information provided, there is no activity (comments, reviews, etc.) on this PR yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature              | Command              | Description
Code Review          | /gemini review       | Performs a code review for the current pull request in its current state.
Pull Request Summary | /gemini summary      | Provides a summary of the current pull request in its current state.
Comment              | @gemini-code-assist  | Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help                 | /gemini help         | Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@1000hyehyang 1000hyehyang merged commit cc791cc into dev Feb 12, 2026
1 check passed
@1000hyehyang 1000hyehyang deleted the fix/387-chat branch February 12, 2026 07:28
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This PR adds logic to create chat rooms when they don't exist. However, a security audit identified two medium-severity Broken Access Control vulnerabilities. These issues stem from newly introduced helper methods that incorrectly determine the actor's ID when calling createOrGetRoom, leading to authorization checks being performed against the wrong user identity. For CampaignApplySentEvent, the creatorUserId should always be the actor, and for CampaignProposalSentEvent, the actor needs to be dynamically determined based on proposalDirection. Please refer to the specific comments for refactoring details.


Long roomId = roomIdOpt.get();
// 채팅방이 없으면 생성
Long roomId = ensureRoomAndGetId(event.brandUserId(), event.creatorUserId());
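Review bot: with `Long roomId = roomIdOpt.get();` removed, the handler no longer has a "room missing" path to log or skip on, and `ensureRoomAndGetId` now creates a room as a side effect of handling an event. Consider logging when a room is actually created at this call site, so that an unexpected creation (for example one performed with the wrong actor, as the comments on the helper below point out) shows up in the audit trail instead of happening silently.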
Contributor

high

For the ensureRoomAndGetId method to create the chat room with the correct actor, it needs the proposalDirection. Please pass event.proposalDirection() to the method.

Suggested change
Long roomId = ensureRoomAndGetId(event.brandUserId(), event.creatorUserId());
Long roomId = ensureRoomAndGetId(event.brandUserId(), event.creatorUserId(), event.proposalDirection());

Comment on lines +55 to +59
private Long ensureRoomAndGetId(Long brandUserId, Long creatorUserId) {
return chatRoomCommandService
.createOrGetRoom(brandUserId, brandUserId, creatorUserId)
.roomId();
}
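Review bot: `.createOrGetRoom(brandUserId, brandUserId, creatorUserId)` repeats `brandUserId` in the first two positions, which is exactly where the wrong-actor problem raised below lives; three positional `Long` parameters give the compiler no way to catch a swapped argument. Add a unit test asserting that the actor passed to `createOrGetRoom` for a CampaignApplySentEvent is `creatorUserId`, or have the call site pass the actor explicitly instead of deriving it inside the helper.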
Contributor

security-medium medium

This ensureRoomAndGetId method has a logical flaw leading to a Broken Access Control vulnerability. It incorrectly passes brandUserId as the actor's ID to createOrGetRoom. In the context of a CampaignApplySentEvent, the creatorUserId is the actual actor, meaning authorization checks are performed against the wrong user identity. This should be corrected to pass creatorUserId as the actor.

Suggested change
private Long ensureRoomAndGetId(Long brandUserId, Long creatorUserId) {
return chatRoomCommandService
.createOrGetRoom(brandUserId, brandUserId, creatorUserId)
.roomId();
}
private Long ensureRoomAndGetId(Long brandUserId, Long creatorUserId) {
return chatRoomCommandService
.createOrGetRoom(creatorUserId, brandUserId, creatorUserId)
.roomId();
}

Comment on lines +85 to +89
private Long ensureRoomAndGetId(Long brandUserId, Long creatorUserId) {
return chatRoomCommandService
.createOrGetRoom(brandUserId, brandUserId, creatorUserId)
.roomId();
}
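Review bot: this `ensureRoomAndGetId` is a line-for-line copy of the one added to CampaignApplySentEventListener in the same PR (see the changelog above), even though the two events need different actors. Moving actor selection into one shared helper that takes the actor as an argument would keep the fix in a single place rather than in two listeners that have to be corrected separately.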
Contributor

security-medium medium

This ensureRoomAndGetId method incorrectly hardcodes brandUserId as the actor for createOrGetRoom, leading to a Broken Access Control vulnerability. For a CampaignProposalSentEvent, the actor should be dynamically determined based on the proposalDirection. The current implementation performs authorization using the wrong user identity when the creator sends a proposal. The proposalDirection should be used to correctly identify the actor.

Suggested change
private Long ensureRoomAndGetId(Long brandUserId, Long creatorUserId) {
return chatRoomCommandService
.createOrGetRoom(brandUserId, brandUserId, creatorUserId)
.roomId();
}
private Long ensureRoomAndGetId(Long brandUserId, Long creatorUserId, ProposalDirection direction) {
Long actorId = ProposalDirection.CREATOR_TO_BRAND.equals(direction) ? creatorUserId : brandUserId;
return chatRoomCommandService
.createOrGetRoom(actorId, brandUserId, creatorUserId)
.roomId();
}
