Skip to content

[codex] Add request validation hardening #300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jjoonleo merged 1 commit into from
May 8, 2026
Merged

[codex] Add request validation hardening #300

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ontime-back/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ dependencies {
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
compileOnly 'org.projectlombok:lombok'
Expand Down
10 changes: 6 additions & 4 deletions ontime-back/src/main/java/devkor/ontime_back/config/SecurityConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import devkor.ontime_back.global.oauth.google.GoogleLoginFilter;
import devkor.ontime_back.repository.UserAlarmSettingRepository;
import devkor.ontime_back.repository.UserRepository;
import jakarta.validation.Validator;
import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
Expand Down Expand Up @@ -54,6 +55,7 @@ public class SecurityConfig {
private final UserRepository userRepository;
private final UserAlarmSettingRepository userAlarmSettingRepository;
private final ObjectMapper objectMapper;
private final Validator validator;
private final AppleLoginService appleLoginService;
private final GoogleLoginService googleLoginService;

Expand All @@ -77,11 +79,11 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
.requestMatchers("/health").permitAll() // 로드밸런서 연결 확인용 url
.anyRequest().authenticated()
)
.addFilterBefore(new KakaoLoginFilter("/oauth2/kakao/login", jwtTokenProvider, userRepository, userAlarmSettingRepository),
.addFilterBefore(new KakaoLoginFilter("/oauth2/kakao/login", objectMapper, validator, jwtTokenProvider, userRepository, userAlarmSettingRepository),
UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new GoogleLoginFilter("/oauth2/google/login", googleLoginService, userRepository),
.addFilterBefore(new GoogleLoginFilter("/oauth2/google/login", objectMapper, validator, googleLoginService, userRepository),
UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(new AppleLoginFilter("/oauth2/apple/login", appleLoginService, userRepository),
.addFilterBefore(new AppleLoginFilter("/oauth2/apple/login", objectMapper, validator, appleLoginService, userRepository),
UsernamePasswordAuthenticationFilter.class)
.addFilterAfter(customJsonUsernamePasswordAuthenticationFilter(), LogoutFilter.class)
.addFilterBefore(jwtAuthenticationProcessingFilter(), CustomJsonUsernamePasswordAuthenticationFilter.class);
Expand Down Expand Up @@ -121,7 +123,7 @@ public LoginFailureHandler loginFailureHandler() {
@Bean
public CustomJsonUsernamePasswordAuthenticationFilter customJsonUsernamePasswordAuthenticationFilter() {
CustomJsonUsernamePasswordAuthenticationFilter customJsonUsernamePasswordLoginFilter
= new CustomJsonUsernamePasswordAuthenticationFilter(objectMapper);
= new CustomJsonUsernamePasswordAuthenticationFilter(objectMapper, validator);
customJsonUsernamePasswordLoginFilter.setAuthenticationManager(authenticationManager());
customJsonUsernamePasswordLoginFilter.setAuthenticationSuccessHandler(loginSuccessHandler());
customJsonUsernamePasswordLoginFilter.setAuthenticationFailureHandler(loginFailureHandler());
Expand Down
11 changes: 5 additions & 6 deletions ontime-back/src/main/java/devkor/ontime_back/controller/AlarmController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,12 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

import java.util.Map;

@RestController
@RequiredArgsConstructor
public class AlarmController {
Expand Down Expand Up @@ -60,7 +59,7 @@ public ResponseEntity<ApiResponseForm<AlarmSettingsResponseDto>> getAlarmSetting
@PatchMapping("/users/me/alarm-settings")
public ResponseEntity<ApiResponseForm<AlarmSettingsResponseDto>> patchAlarmSettings(
HttpServletRequest request,
@RequestBody Map<String, Object> requestBody) {
@Valid @RequestBody AlarmSettingsPatchDto requestBody) {
Long userId = userAuthService.getUserIdFromToken(request);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponseForm.success(alarmService.patchAlarmSettings(userId, requestBody)));
Expand All @@ -87,7 +86,7 @@ public ResponseEntity<ApiResponseForm<AlarmSettingsResponseDto>> patchAlarmSetti
@PutMapping("/users/me/devices/current")
public ResponseEntity<ApiResponseForm<AlarmDeviceCurrentResponseDto>> registerCurrentDevice(
HttpServletRequest request,
@RequestBody AlarmDeviceCurrentRequestDto requestDto) {
@Valid @RequestBody AlarmDeviceCurrentRequestDto requestDto) {
Long userId = userAuthService.getUserIdFromToken(request);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponseForm.success(alarmService.registerCurrentDevice(
Expand Down Expand Up @@ -117,7 +116,7 @@ public ResponseEntity<ApiResponseForm<AlarmDeviceCurrentResponseDto>> registerCu
@DeleteMapping("/users/me/devices/current")
public ResponseEntity<ApiResponseForm<AlarmDeviceUnregisterResponseDto>> unregisterCurrentDevice(
HttpServletRequest request,
@RequestBody(required = false) AlarmDeviceUnregisterRequestDto requestDto) {
@Valid @RequestBody(required = false) AlarmDeviceUnregisterRequestDto requestDto) {
Long userId = userAuthService.getUserIdFromToken(request);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponseForm.success(alarmService.unregisterCurrentDevice(
Expand Down Expand Up @@ -147,7 +146,7 @@ public ResponseEntity<ApiResponseForm<AlarmDeviceUnregisterResponseDto>> unregis
@PostMapping("/users/me/alarm-status")
public ResponseEntity<ApiResponseForm<AlarmStatusReportResponseDto>> reportAlarmStatus(
HttpServletRequest request,
@RequestBody AlarmStatusReportRequestDto requestDto) {
@Valid @RequestBody AlarmStatusReportRequestDto requestDto) {
Long userId = userAuthService.getUserIdFromToken(request);
return ResponseEntity.status(HttpStatus.OK)
.body(ApiResponseForm.success(alarmService.reportAlarmStatus(
Expand Down
5 changes: 3 additions & 2 deletions ontime-back/src/main/java/devkor/ontime_back/controller/FeedbackController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
Expand Down Expand Up @@ -47,12 +48,12 @@ public class FeedbackController {
@ApiResponse(responseCode = "4XX", description = "피드백 저장 실패", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PostMapping("")
public ResponseEntity<ApiResponseForm<?>> saveFeedback(HttpServletRequest request, @RequestBody FeedbackAddDto feedbackAddDto) {
public ResponseEntity<ApiResponseForm<?>> saveFeedback(HttpServletRequest request, @Valid @RequestBody FeedbackAddDto feedbackAddDto) {
Long userId = userAuthService.getUserIdFromToken(request);

feedbackService.saveFeedback(userId, feedbackAddDto);

String message = "피드백이 성공적으로 저장되었습니다!";
return ResponseEntity.ok(ApiResponseForm.success(null, message));
}
}
}
3 changes: 2 additions & 1 deletion ontime-back/src/main/java/devkor/ontime_back/controller/FirebaseTokenController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
Expand Down Expand Up @@ -47,7 +48,7 @@ public class FirebaseTokenController {
@ApiResponse(responseCode = "4XX", description = "FCM 토큰 저장 실패", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PostMapping("")
public ResponseEntity<ApiResponseForm<String>> registerFirebaseToken(HttpServletRequest request, @RequestBody FirebaseTokenAddDto firebaseTokenAddDto) {
public ResponseEntity<ApiResponseForm<String>> registerFirebaseToken(HttpServletRequest request, @Valid @RequestBody FirebaseTokenAddDto firebaseTokenAddDto) {
Long userId = userAuthService.getUserIdFromToken(request);

firebaseTokenService.registerFirebaseToken(
Expand Down
9 changes: 5 additions & 4 deletions ontime-back/src/main/java/devkor/ontime_back/controller/FriendShipController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
Expand Down Expand Up @@ -85,10 +86,10 @@ public ResponseEntity<ApiResponseForm<CreateFriendshipLinkResponse>> createFrien
@ApiResponse(responseCode = "4XX", description = "친구추가 요청자 조회 실패", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@GetMapping("/{uuid}/requests") // 친구 추가 요청자 조회
public ResponseEntity<ApiResponseForm<GetFriendshipRequesterResponse>> getFriendShipRequester(HttpServletRequest request, @PathVariable String uuid) {
public ResponseEntity<ApiResponseForm<GetFriendshipRequesterResponse>> getFriendShipRequester(HttpServletRequest request, @PathVariable UUID uuid) {
Long userId = userAuthService.getUserIdFromToken(request);

User requester = friendShipService.getFriendShipRequester(userId, UUID.fromString(uuid));
User requester = friendShipService.getFriendShipRequester(userId, uuid);
GetFriendshipRequesterResponse getFriendshipRequesterResponse = GetFriendshipRequesterResponse.builder()
.requesterId(requester.getId())
.requesterName(requester.getName())
Expand Down Expand Up @@ -122,10 +123,10 @@ public ResponseEntity<ApiResponseForm<GetFriendshipRequesterResponse>> getFriend
@ApiResponse(responseCode = "4XX", description = "친구추가 수락상태 업데이트 실패", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PostMapping("/{uuid}/approve") // 친구 추가 요청 수락
public ResponseEntity<ApiResponseForm<String>> updateAcceptStatus(HttpServletRequest request, @PathVariable String uuid, @RequestBody UpdateAcceptStatusDto updateAcceptStatusDto) {
public ResponseEntity<ApiResponseForm<String>> updateAcceptStatus(HttpServletRequest request, @PathVariable UUID uuid, @Valid @RequestBody UpdateAcceptStatusDto updateAcceptStatusDto) {
Long userId = userAuthService.getUserIdFromToken(request);

friendShipService.updateAcceptStatus(userId, UUID.fromString(uuid), updateAcceptStatusDto.getAcceptStatus());
friendShipService.updateAcceptStatus(userId, uuid, updateAcceptStatusDto.getAcceptStatus());

String status = updateAcceptStatusDto.getAcceptStatus().equals("ACCEPTED") ? "수락" : "거절";
String message = "친구추가 요청 " + status + " 성공";
Expand Down
8 changes: 6 additions & 2 deletions ontime-back/src/main/java/devkor/ontime_back/controller/PreparationScheduleController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,12 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;

import java.util.List;
Expand All @@ -22,6 +25,7 @@
@RestController
@RequestMapping("/schedules")
@RequiredArgsConstructor
@Validated
public class PreparationScheduleController {

private final PreparationScheduleService preparationScheduleService;
Expand All @@ -45,7 +49,7 @@ public class PreparationScheduleController {
@ApiResponse(responseCode = "4XX", description = "잘못된 요청", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PostMapping("/{scheduleId}/preparations")
public ResponseEntity<ApiResponseForm<Void>> createPreparationSchedule(HttpServletRequest request, @Parameter(description = "스케줄 ID (UUID 형식)", required = true, example = "3fa85f64-5717-4562-b3fc-2c963f66afe5") @PathVariable UUID scheduleId, @RequestBody List<PreparationDto> preparationDtoList) {
public ResponseEntity<ApiResponseForm<Void>> createPreparationSchedule(HttpServletRequest request, @Parameter(description = "스케줄 ID (UUID 형식)", required = true, example = "3fa85f64-5717-4562-b3fc-2c963f66afe5") @PathVariable UUID scheduleId, @NotEmpty(message = "준비과정은 하나 이상 필요합니다.") @RequestBody List<@Valid PreparationDto> preparationDtoList) {
Long userId = userAuthService.getUserIdFromToken(request);

preparationScheduleService.makePreparationSchedules(userId, scheduleId, preparationDtoList);
Expand All @@ -70,7 +74,7 @@ public ResponseEntity<ApiResponseForm<Void>> createPreparationSchedule(HttpServl
@ApiResponse(responseCode = "4XX", description = "잘못된 요청", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PutMapping("/{scheduleId}/preparations")
public ResponseEntity<ApiResponseForm<Void>> modifyPreparationSchedule(HttpServletRequest request, @Parameter(description = "스케줄 ID (UUID 형식)", required = true, example = "3fa85f64-5717-4562-b3fc-2c963f66afe5") @PathVariable UUID scheduleId, @RequestBody List<PreparationDto> preparationDtoList) {
public ResponseEntity<ApiResponseForm<Void>> modifyPreparationSchedule(HttpServletRequest request, @Parameter(description = "스케줄 ID (UUID 형식)", required = true, example = "3fa85f64-5717-4562-b3fc-2c963f66afe5") @PathVariable UUID scheduleId, @NotEmpty(message = "준비과정은 하나 이상 필요합니다.") @RequestBody List<@Valid PreparationDto> preparationDtoList) {
Long userId = userAuthService.getUserIdFromToken(request);

preparationScheduleService.updatePreparationSchedules(userId, scheduleId, preparationDtoList);
Expand Down
6 changes: 5 additions & 1 deletion ontime-back/src/main/java/devkor/ontime_back/controller/PreparationUserController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,16 +10,20 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import lombok.RequiredArgsConstructor;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;

import java.util.List;

@RestController
@RequestMapping("/users")
@RequiredArgsConstructor
@Validated
public class PreparationUserController {


Expand All @@ -44,7 +48,7 @@ public class PreparationUserController {
@ApiResponse(responseCode = "4XX", description = "잘못된 요청", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PutMapping("/preparations")
public ResponseEntity<ApiResponseForm<Void>> modifyPreparationUser(HttpServletRequest request, @RequestBody List<PreparationDto> preparationDtoList) {
public ResponseEntity<ApiResponseForm<Void>> modifyPreparationUser(HttpServletRequest request, @NotEmpty(message = "준비과정은 하나 이상 필요합니다.") @RequestBody List<@Valid PreparationDto> preparationDtoList) {
Long userId = userAuthService.getUserIdFromToken(request);

preparationUserService.updatePreparationUsers(userId, preparationDtoList);
Expand Down
7 changes: 4 additions & 3 deletions ontime-back/src/main/java/devkor/ontime_back/controller/ScheduleController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.format.annotation.DateTimeFormat;
import org.springframework.http.HttpStatus;
Expand Down Expand Up @@ -185,7 +186,7 @@ public ResponseEntity<ApiResponseForm<Void>> deleteSchedule(HttpServletRequest r
@ApiResponse(responseCode = "4XX", description = "잘못된 요청", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PutMapping("/{scheduleId}")
public ResponseEntity<ApiResponseForm<Void>> modifySchedule(HttpServletRequest request, @PathVariable UUID scheduleId, @RequestBody ScheduleModDto scheduleModDto) {
public ResponseEntity<ApiResponseForm<Void>> modifySchedule(HttpServletRequest request, @PathVariable UUID scheduleId, @Valid @RequestBody ScheduleModDto scheduleModDto) {
Long userId = userAuthService.getUserIdFromToken(request);
scheduleService.modifySchedule(userId, scheduleId, scheduleModDto);
return ResponseEntity.status(HttpStatus.OK).body(ApiResponseForm.success(null));
Expand All @@ -210,7 +211,7 @@ public ResponseEntity<ApiResponseForm<Void>> modifySchedule(HttpServletRequest r
@ApiResponse(responseCode = "4XX", description = "잘못된 요청", content = @Content(mediaType = "application/json", schema = @Schema(example = "실패 메세지(정확히 어떤 메세지인지는 모름)")))
})
@PostMapping("")
public ResponseEntity<ApiResponseForm<Void>> addSchedule(HttpServletRequest request, @RequestBody ScheduleAddDto scheduleAddDto) {
public ResponseEntity<ApiResponseForm<Void>> addSchedule(HttpServletRequest request, @Valid @RequestBody ScheduleAddDto scheduleAddDto) {
Long userId = userAuthService.getUserIdFromToken(request);
scheduleService.addSchedule(scheduleAddDto, userId);
return ResponseEntity.status(HttpStatus.OK).body(ApiResponseForm.success(null));
Expand Down Expand Up @@ -300,7 +301,7 @@ public ResponseEntity<ApiResponseForm<List<PreparationDto>>> getPreparation(Http
public ResponseEntity<ApiResponseForm<?>> finishSchedule(
HttpServletRequest request,
@PathVariable UUID scheduleId,
@RequestBody FinishPreparationDto finishPreparationDto) {
@Valid @RequestBody FinishPreparationDto finishPreparationDto) {

Long userId = userAuthService.getUserIdFromToken(request);
scheduleService.finishSchedule(userId, scheduleId, finishPreparationDto);
Expand Down
Loading
Loading