Merged
Expand Up @@ -80,14 +80,10 @@ public ApiResponse<TripPlanResponse.TripPlanDTO> createTripPlanFromFastAPI(
) {

// 인증이 없어도 동작하도록 변경
⚠️ Potential issue | 🔴 Critical

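The comment contradicts the actual change.

The comment on line 82 says "인증이 없어도 동작하도록 변경" ("changed to work without authentication"), but the purpose of this PR is actually to revert to requiring JWT authentication. This comment is completely wrong and may confuse future developers.

Apply the following diff to remove the comment: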

-        // 인증이 없어도 동작하도록 변경
         Long userId = authUtil.getUserIdFromRequest(httpRequest);
🤖 Prompt for AI Agents
In
src/main/java/com/example/triptalk/domain/tripPlan/controller/TripPlanController.java
around line 82, the inline comment "// 인증이 없어도 동작하도록 변경" contradicts the PR
which restores mandatory JWT authentication; remove that incorrect comment and
any other misleading notes on or immediately around line 82 so the code and
comments accurately reflect that JWT authentication is required.

Long userId = null;
try {
userId = authUtil.getUserIdFromRequest(httpRequest);
} catch (Exception e) {
// 인증 없음 → 익명 사용자로 처리하거나 무시
}
Long userId = authUtil.getUserIdFromRequest(httpRequest);
TripPlanResponse.TripPlanDTO response =
tripPlanService.createTripPlanFromFastAPI(userId, request);
Comment on lines +83 to +85
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find SecurityConfig file
echo "=== Finding SecurityConfig file ==="
find . -name "*SecurityConfig*" -type f

echo ""
echo "=== Checking for /api/trip-plan/from-fastapi in SecurityConfig ==="
rg -n "from-fastapi" --type=java

echo ""
echo "=== Checking for AuthUtil file ==="
find . -name "*AuthUtil*" -type f

Repository: TripTalk/BE_SpringBoot

Length of output: 466


🏁 Script executed:

#!/bin/bash
echo "=== Reading SecurityConfig.java ==="
cat -n ./src/main/java/com/example/triptalk/global/config/SecurityConfig.java

echo ""
echo "=== Reading AuthUtil.java ==="
cat -n ./src/main/java/com/example/triptalk/global/security/AuthUtil.java

echo ""
echo "=== Reading TripPlanController around lines 60-90 ==="
sed -n '55,95p' -n ./src/main/java/com/example/triptalk/domain/tripPlan/controller/TripPlanController.java

Repository: TripTalk/BE_SpringBoot

Length of output: 7617


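The code comment and the actual implementation do not match.

The comment on line 81 of the code ("인증이 없어도 동작하도록 변경", "changed to work without authentication") does not match the actual implementation. In SecurityConfig, /api/trip-plan/from-fastapi is not in the permitAll() list, and .anyRequest().authenticated() on line 57 makes every request require authentication. In addition, AuthUtil.getUserIdFromRequest() throws an _UNAUTHORIZED exception when the token is missing or invalid, so authentication is enforced correctly. Remove the comment or update it to match the actual implementation.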

🤖 Prompt for AI Agents
In
src/main/java/com/example/triptalk/domain/tripPlan/controller/TripPlanController.java
around lines 83 to 85, the inline comment stating "인증이 없어도 동작하도록 변경" conflicts
with the actual behavior (SecurityConfig requires authentication and AuthUtil
throws on missing/invalid tokens); remove or replace that comment so it
correctly states that this endpoint requires authentication, and optionally
mention that AuthUtil.getUserIdFromRequest(...) will throw if the token is
absent/invalid so callers must be authenticated.


TripPlanResponse.TripPlanDTO response = tripPlanService.createTripPlanFromFastAPI(userId, request);
return ApiResponse.onSuccess(response);
}
}
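Review bot: The comment kept at the top of this hunk ("// 인증이 없어도 동작하도록 변경", "changed to work without authentication") now sits directly above an unguarded authUtil.getUserIdFromRequest(httpRequest) call, so it describes the removed try/catch rather than the code that remains. Delete it or reword it to say the endpoint requires a valid JWT. With the catch (Exception e) fallback gone, userId no longer reaches tripPlanService.createTripPlanFromFastAPI(userId, request) as null through this path, so check whether the service still carries a null-user branch written for the anonymous case, and add a controller test asserting that a request without a token is rejected.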
Expand Up @@ -45,8 +45,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
.requestMatchers("/api/flights/**").permitAll()
// 호텔 조회는 비회원도 가능
.requestMatchers("/api/accommodations/**").permitAll()
// 여행 일정 생성용 FastAPI 연동 엔드포인트 허용
.requestMatchers("/api/trip-plan/from-fastapi").permitAll()
// Swagger UI 접근 허용
.requestMatchers(
"/swagger-ui/**",
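Review bot: The removed matcher's own comment describes /api/trip-plan/from-fastapi as the FastAPI integration endpoint, and nothing in this hunk shows how that caller authenticates once the permitAll() entry is gone. Confirm that whatever calls this route sends the user's JWT, otherwise trip-plan creation will start failing with an authorization error. Dropping the entry also leaves the route protected only by whatever rule follows this matcher list, which the hunk does not show, so a short test asserting that an unauthenticated request to this path is rejected would catch a later permitAll() reopening it unnoticed.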