Merged
8 changes: 0 additions & 8 deletions build.gradle
Expand Up @@ -43,14 +43,6 @@ dependencies {
implementation("com.google.firebase:firebase-admin:9.7.0") {
exclude group: "commons-logging", module: "commons-logging"
}

// Spring Security
implementation 'org.springframework.boot:spring-boot-starter-security'

// JWT
implementation 'io.jsonwebtoken:jjwt-api:0.12.5'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.12.5'
runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.12.5'
}

protobuf {
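Review bot: dropping `implementation 'org.springframework.boot:spring-boot-starter-security'` here removes more than the JWT library it was paired with. Spring Boot's auto-configured security filter chain goes with it, and that chain is what requires authentication on every endpoint by default and adds CSRF protection and security response headers, so unless something in front of this service enforces authentication, every endpoint becomes reachable anonymously. If the intent is to delegate authentication to a gateway, record that in the PR description and consider keeping the starter with an explicit, permissive SecurityFilterChain so the headers and the trust decision stay visible in this code base; deleting the dependency leaves no place where that decision is written down.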

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

Expand Up @@ -4,7 +4,6 @@
import lombok.extern.slf4j.Slf4j;
import me.pinitnotification.domain.member.MemberId;
import me.pinitnotification.domain.member.exception.MemberNotFoundException;
import me.pinitnotification.infrastructure.authenticate.JwtTokenProvider;
import org.springframework.core.MethodParameter;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.support.WebDataBinderFactory;
Expand All @@ -15,11 +14,6 @@
@Slf4j
@Component
public class MemberIdArgumentResolver implements HandlerMethodArgumentResolver {
private final JwtTokenProvider jwtTokenProvider;

public MemberIdArgumentResolver(JwtTokenProvider jwtTokenProvider) {
this.jwtTokenProvider = jwtTokenProvider;
}

@Override
public boolean supportsParameter(MethodParameter parameter) {
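Review bot: the JwtTokenProvider field, constructor and import removed here were the resolver's only link to a verified identity, and the `resolveArgument` body that now supplies the MemberId is outside this hunk, so the diff does not show where the value comes from. Before merging, confirm what the resolver reads instead and that it is not a plain request header a client can set. If the id is now taken from a header populated by an upstream gateway, the resolver should still verify that the request actually came through that gateway (for example a signature over the header with a secret the client does not hold) and should reject the request, not fall through, when the header is missing or malformed. A short class comment stating the trust boundary would also help the next reader.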
Comment on lines 14 to 19
Copilot AI Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(1) Problem: with the JwtTokenProvider dependency removed, MemberIdArgumentResolver reads and uses an unverified HTTP header (X-Member-Id) directly. This creates a serious security vulnerability in which a client can set an arbitrary header value and impersonate another user.

(2) Impact: an unauthenticated user can register or delete another user's push tokens or query their subscription status, which is a critical problem for user data integrity and privacy.

(3) Suggested fix: before removing the JWT verification logic, one of the following should be applied first:

  • Implement service-level network isolation and a policy that strips this header from client requests, so that only the X-Member-Id header set by the API Gateway after authentication can be trusted
  • Or use a signed/encrypted header for internal communication and add logic to verify it
  • Or implement a mechanism that verifies the request came from the trusted API Gateway (e.g. a shared-secret-based signature)

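The third option in the comment above, a shared-secret signature that the service checks before it trusts X-Member-Id, as an added example in plain Java. This is not code from this repository: the header names X-Gateway-Timestamp and X-Gateway-Signature, the canonical string that is signed, the five-minute freshness window and the demo secret are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not project code. The gateway authenticates the client, then forwards
 * X-Member-Id together with a timestamp and an HMAC over both, computed with a secret that
 * only the gateway and this service hold. The service accepts the member id only when the
 * HMAC verifies and the timestamp is fresh, so a client that sets X-Member-Id itself, or
 * replays an old signed header, is rejected. Header names and the window are assumptions.
 */
public final class GatewayHeaderVerifier {
    static final String MEMBER_ID_HEADER = "X-Member-Id";
    static final String TIMESTAMP_HEADER = "X-Gateway-Timestamp"; // Unix seconds, set by the gateway
    static final String SIGNATURE_HEADER = "X-Gateway-Signature"; // base64(HMAC-SHA256)
    static final long MAX_SKEW_SECONDS = 300;

    private final byte[] secret;

    public GatewayHeaderVerifier(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Bytes the gateway signs; the newline keeps "12"+"345" from colliding with "123"+"45". */
    private static byte[] canonical(String memberId, String timestamp) {
        return (memberId + "\n" + timestamp).getBytes(StandardCharsets.UTF_8);
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Gateway side: the value it places in X-Gateway-Signature after authenticating the client. */
    public String sign(String memberId, long unixSeconds) {
        return Base64.getEncoder().encodeToString(hmac(canonical(memberId, Long.toString(unixSeconds))));
    }

    /**
     * Service side: returns the member id only if all three headers are present, the timestamp
     * lies within the window and the HMAC matches. An argument resolver would call this and
     * throw (mapped to 401/403) on Optional.empty() rather than fall back to the raw header.
     */
    public Optional<String> verifiedMemberId(Map<String, String> headers, long nowUnixSeconds) {
        String memberId = headers.get(MEMBER_ID_HEADER);
        String ts = headers.get(TIMESTAMP_HEADER);
        String sig = headers.get(SIGNATURE_HEADER);
        if (memberId == null || ts == null || sig == null) {
            return Optional.empty();
        }
        long signedAt;
        byte[] presented;
        try {
            signedAt = Long.parseLong(ts);
            presented = Base64.getDecoder().decode(sig);
        } catch (IllegalArgumentException e) { // NumberFormatException is a subclass
            return Optional.empty();
        }
        if (Math.abs(nowUnixSeconds - signedAt) > MAX_SKEW_SECONDS) {
            return Optional.empty(); // stale or future-dated: treat as a replay
        }
        byte[] expected = hmac(canonical(memberId, ts));
        // Constant-time comparison; a plain Arrays.equals leaks how many leading bytes matched.
        if (!MessageDigest.isEqual(expected, presented)) {
            return Optional.empty();
        }
        return Optional.of(memberId);
    }

    public static void main(String[] args) {
        // Constructed demo secret; a real deployment loads it from the key path config, as the firebase key is.
        byte[] secret = "constructed-demo-secret-do-not-reuse".getBytes(StandardCharsets.UTF_8);
        GatewayHeaderVerifier verifier = new GatewayHeaderVerifier(secret);
        long now = 1_767_139_200L; // constructed timestamp

        // 1. Request as the gateway would forward it: accepted.
        Map<String, String> fromGateway = Map.of(
                MEMBER_ID_HEADER, "42",
                TIMESTAMP_HEADER, Long.toString(now),
                SIGNATURE_HEADER, verifier.sign("42", now));
        System.out.println("gateway-signed -> " + verifier.verifiedMemberId(fromGateway, now));

        // 2. Client keeps the gateway's signature but rewrites X-Member-Id: rejected.
        Map<String, String> forged = Map.of(
                MEMBER_ID_HEADER, "7",
                TIMESTAMP_HEADER, Long.toString(now),
                SIGNATURE_HEADER, fromGateway.get(SIGNATURE_HEADER));
        System.out.println("forged id      -> " + verifier.verifiedMemberId(forged, now));

        // 3. Valid signature replayed an hour later: rejected by the freshness window.
        System.out.println("replayed later -> " + verifier.verifiedMemberId(fromGateway, now + 3600));

        // 4. Only the raw header, as a client could send straight to the service: rejected.
        System.out.println("bare header    -> " + verifier.verifiedMemberId(Map.of(MEMBER_ID_HEADER, "42"), now));
    }
}
```

The signature only helps if clients cannot learn the secret, which is why it pairs with the comment's first option: the service should still be reachable only from the gateway, and the gateway must strip any X-Member-Id, X-Gateway-Timestamp or X-Gateway-Signature a client sends before adding its own. Replay protection here is coarse (a five-minute window); a per-request nonce or binding the signature to the request path would tighten it if the endpoints are state-changing.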
4 changes: 1 addition & 3 deletions src/main/resources/application-dev.yml
Expand Up @@ -24,6 +24,4 @@ spring:

path:
key:
firebase: ${HOME}/pinit/keys/pinit-firebase-key.json
jwt:
public: ${HOME}/pinit/keys/jwt-public-key.pem
firebase: ${HOME}/pinit/keys/pinit-firebase-key.json
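Review bot: with `path.key.jwt.public` gone from the dev profile, any remaining `@Value("${path.key.jwt.public}")` or ConfigurationProperties binding would fail context startup with an unresolvable placeholder. This hunk shows the YAML change only, so verify the property has no remaining readers and that the class which consumed it is among the deleted files listed above.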
4 changes: 1 addition & 3 deletions src/main/resources/application-prod.yml
Expand Up @@ -22,6 +22,4 @@ spring:

path:
key:
firebase: /etc/keys/pinit-firebase-key.json
jwt:
public: /etc/keys/jwt-public-key.pem
firebase: /etc/keys/pinit-firebase-key.json
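Review bot: the `firebase: /etc/keys/pinit-firebase-key.json` line is shown as both removed and re-added with identical content, so it changed only in whitespace (indentation or a trailing character). Check that `firebase:` is still nested under `key:` at the same depth as before; a YAML indentation slip here would silently turn it into a different property and break Firebase initialisation in prod without any compile-time signal. The prod config no longer references /etc/keys/jwt-public-key.pem anywhere, so whatever provisions that file on prod hosts can be retired in the same change.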
Expand Up @@ -2,7 +2,6 @@

import com.google.firebase.FirebaseApp;
import com.google.firebase.messaging.FirebaseMessaging;
import me.pinitnotification.infrastructure.authenticate.JwtTokenProvider;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.ActiveProfiles;
Expand All @@ -17,8 +16,6 @@ class PinitNotificationApplicationTests {
FirebaseApp firebaseApp;
@MockitoBean
FirebaseMessaging firebaseMessaging;
@MockitoBean
JwtTokenProvider jwtTokenProvider;
@Test
void contextLoads() {
}
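Review bot: removing the JwtTokenProvider mock leaves `contextLoads` as the only test shown, and nothing exercises the behaviour this PR changes, namely that the service no longer validates credentials itself before resolving a MemberId. Add a MockMvc test that calls one of the member-scoped endpoints with a client-chosen member id header and no gateway-provided proof and asserts a 401/403, so that a regression in whatever replaces the JWT check fails CI rather than surfacing as one user acting as another.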