[fix] SecurityConfig permitAll에 restore/purge-and-register 경로 누락 수정#186
Merged
Conversation
JPA @Version 필드는 낙관적 잠금을 위해 항상 non-null이어야 하므로 NOT NULL 제약 조건을 추가. DEFAULT 0이 설정되어 있어 기존 행은 안전하게 0으로 초기화됨. CodeRabbit 리뷰 반영.
- POST /api/auth/kakao/login 응답 변경: 탈퇴 계정 발견 시 예외 대신 status=WITHDRAWN_PENDING 페이로드 반환하여 클라이언트가 사용자 선택 안내 가능 - POST /api/auth/kakao/restore 신규: User.deletedAt=null로 복구 (탈퇴 취소). 사업장/계약/근무기록은 다른 사용자 데이터 일관성 보호 위해 자동 복구 안 함 - POST /api/auth/kakao/purge-and-register 신규: 30일 스케줄러와 동일 경로 (UserHardDeleteService.hardDeleteUser)로 영구 삭제 후 신규 가입 - UserWithdrawService.cleanupCommonData에서 UserSettings 삭제 제거 → 복구 시 사용자 알림 설정 그대로 유지. 30일 hard delete 시점에 정리됨
- KakaoLoginResult를 평탄 구조로 재설계: status + accessToken/refreshToken/userId/name/userType 를 top-level에 두어 기존 클라이언트(data.accessToken 등)와 호환 유지. 탈퇴 케이스는 status=WITHDRAWN_PENDING + withdrawnAccount만 채움. - purgeAndRegisterWithKakao에 @transactional 추가하여 hardDelete + register를 하나의 트랜잭션으로 묶음. register 실패 시 hardDelete도 함께 롤백되어 데이터 영구 손실 방지. - hardDeleteUser 직후 userRepository.flush() 명시 호출. JPA 기본 flush 순서(INSERT→DELETE) 로 인한 unique kakao_id 제약 충돌을 회피. - AuthServiceTest: 평탄 응답 접근 방식으로 수정, hardDelete→flush→register 호출 순서 검증, register 실패 시 예외 전파 검증 추가. - docs/API_SPECIFICATION.md: 1.1 카카오 로그인 응답을 평탄 구조로 동기화하고 1.5 탈퇴 계정 복구, 1.6 완전삭제 후 재가입 항목 신규 추가.
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
WalkthroughKakao 인증 흐름을 탈퇴 계정 지원으로 확장하고 계정 복구/재가입 기능을 구현하는 변경사항입니다. 로그인 시 탈퇴 계정은 WITHDRAWN_PENDING 상태로 응답하며, 새로운 복구 및 완전삭제 후 재가입 엔드포인트를 통해 사용자가 계정을 복구하거나 새로 가입할 수 있게 됩니다. Changes탈퇴 계정 Kakao 인증 흐름
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/main/java/com/example/paycheck/domain/auth/service/AuthService.java (1)
108-120: ⚡ Quick win내부 헬퍼를 public API에서 분리해주세요.
buildLoginResponse가 public 서비스 메서드 사이에 들어가 있고,registerWithKakaoInternal은 중복 검사/OAuth 검증이 선행된다는 전제를 가진 내부용 로직인데public으로 열려 있습니다. helper들은 private 섹션으로 내리고registerWithKakaoInternal가시성도 줄이는 편이 안전합니다.♻️ 최소 변경 예시
- `@Transactional` - public AuthDto.LoginResponse registerWithKakaoInternal( + private AuthDto.LoginResponse registerWithKakaoInternal( AuthDto.KakaoRegisterRequest request, KakaoUserInfo userInfo) {As per coding guidelines, "In Java services, organize imports, class declaration, field declarations, constructors, public methods, and private methods in that order".
Also applies to: 264-273
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/main/java/com/example/paycheck/domain/auth/service/AuthService.java` around lines 108 - 120, The helper buildLoginResponse should be moved into the private methods section and declared private; likewise reduce the visibility of registerWithKakaoInternal from public to private (or package-private) so internal-only logic isn't exposed as a public API; reorder the class so public methods come before private helpers per the Java service organization guideline and apply the same change for any other internal helper methods in this class (move them into the private section and adjust visibility).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/main/java/com/example/paycheck/domain/auth/service/AuthService.java`:
- Around line 132-150: The restore paths currently only check user.isDeleted();
add a shared helper (e.g., validateRestorable(User user)) that verifies deleted
flag AND that deletedAt is within the 30-day cutoff (compare user.getDeletedAt()
to Instant.now().minus(30, ChronoUnit.DAYS)), and call it from restoreWithKakao
(and the other restore method that currently uses isDeleted()) before calling
user.restore(); keep existing error types
(BadRequestException/ErrorCode.USER_NOT_WITHDRAWN or create a new ErrorCode like
USER_RECOVERY_WINDOW_EXPIRED) and return buildLoginResponse(user) on success.
---
Nitpick comments:
In `@src/main/java/com/example/paycheck/domain/auth/service/AuthService.java`:
- Around line 108-120: The helper buildLoginResponse should be moved into the
private methods section and declared private; likewise reduce the visibility of
registerWithKakaoInternal from public to private (or package-private) so
internal-only logic isn't exposed as a public API; reorder the class so public
methods come before private helpers per the Java service organization guideline
and apply the same change for any other internal helper methods in this class
(move them into the private section and adjust visibility).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 6a81c1ec-ee68-40b2-8501-2ea655d31885
📒 Files selected for processing (11)
docs/API_SPECIFICATION.mdsrc/main/java/com/example/paycheck/api/auth/AuthController.javasrc/main/java/com/example/paycheck/common/exception/ErrorCode.javasrc/main/java/com/example/paycheck/domain/auth/dto/AuthDto.javasrc/main/java/com/example/paycheck/domain/auth/service/AuthService.javasrc/main/java/com/example/paycheck/domain/user/entity/User.javasrc/main/java/com/example/paycheck/domain/user/service/UserWithdrawService.javasrc/main/java/com/example/paycheck/global/security/SecurityConfig.javasrc/main/resources/db/migration/V20260505__Add_version_column_to_users.sqlsrc/test/java/com/example/paycheck/domain/auth/service/AuthServiceTest.javasrc/test/java/com/example/paycheck/domain/user/service/UserWithdrawServiceTest.java
- UserHardDeleteScheduler.RETENTION_DAYS를 public으로 공개 (SSOT) - ErrorCode에 RECOVERY_PERIOD_EXPIRED 추가 - AuthService에 assertWithinRecoveryPeriod() helper 추가 - restoreWithKakao, purgeAndRegisterWithKakao 양쪽에 30일 컷오프 검사 적용 (스케줄러 지연 시에도 만료 계정 복구/재가입 차단)
- ErrorCode.java: RECOVERY_PERIOD_EXPIRED 유지 - AuthService.java: assertWithinRecoveryPeriod helper 및 호출부 유지
geunyong16
force-pushed
the
fix/183-restore-or-purge-on-kakao-relogin
branch
from
bb2a91a to
e9acd6d
Compare
This was referenced May 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔖 관련 GitHub Issue
📝 변경 사항
주요 변경 내용
SecurityConfig의permitAll화이트리스트에/api/auth/kakao/restore,/api/auth/kakao/purge-and-register경로 추가상세 설명
이전 커밋(
d6c47e8)에서 탈퇴 후 카카오 재로그인 플로우를 위한 두 엔드포인트가 추가됐지만,SecurityConfig의permitAll목록에 등록되지 않아 JWT 없이 호출 시 403 Forbidden이 반환되는 문제가 있었습니다.두 경로 모두 로그인 전 단계(JWT 미보유 상태)에서 앱이 호출하는 인증 엔드포인트이므로,
/kakao/login,/kakao/register와 동일하게permitAll처리가 필요합니다.수정 파일:
SecurityConfig.java📸 스크린샷 (선택사항)
스크린샷 보기
Before
해당 없음 (Security 설정 변경)
After
해당 없음 (Security 설정 변경)
✅ 체크리스트
🔗 관련 PR
Summary by CodeRabbit
릴리스 노트
신규 기능
문서