Skip to content

refactor: 권한 부여 API 수정 #206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lsh2613 merged 1 commit into from
Jul 15, 2025
Merged

refactor: 권한 부여 API 수정 #206

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/main/java/com/pitchain/common/config/SecurityConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
auth.requestMatchers(SWAGGER_PATTERNS).permitAll();
auth.requestMatchers(STATIC_RESOURCES_PATTERNS).permitAll();
auth.requestMatchers(PUBLIC_ENDPOINTS).permitAll();
auth.anyRequest().permitAll();
Copy link

@coderabbitai coderabbitai bot Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

심각한 보안 취약점: 모든 요청을 무조건 허용하는 설정

auth.anyRequest().permitAll()는 이전에 정의된 모든 보안 규칙을 무력화시키고, 매칭되지 않은 모든 요청에 대해 인증 없이 접근을 허용합니다. 이는 심각한 보안 위험을 초래할 수 있습니다.

다음 중 하나로 수정하는 것을 권장합니다:

-            auth.anyRequest().permitAll();
+            auth.anyRequest().authenticated();

또는 개발 환경에서만 이 설정을 사용하려면:

-            auth.anyRequest().permitAll();
+            auth.anyRequest().authenticated();
+            // TODO: 개발 환경에서만 사용하는 경우 프로필 기반 조건부 설정 추가

이 변경사항이 의도된 것인지 확인하고, 프로덕션 환경에서는 절대 사용하지 않도록 주의해야 합니다.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
auth.anyRequest().permitAll();
auth.anyRequest().authenticated();
🤖 Prompt for AI Agents 
In src/main/java/com/pitchain/common/config/SecurityConfig.java at line 81, the
use of auth.anyRequest().permitAll() disables all security by allowing
unrestricted access to all requests. To fix this, replace permitAll() with
appropriate security constraints such as authenticated() or role-based access
controls to enforce authentication and authorization. If this is intended only
for development, wrap this configuration in a conditional check for the
development environment to prevent it from being applied in production.

});
http.exceptionHandling(exception -> {
exception.authenticationEntryPoint(customAuthenticationEntryPoint());
Expand Down