Skip to content

fix: protect-admin-api#697

Merged
daehyeong2 merged 1 commit into
mainfrom
hotfix/protect-admin-api
Apr 18, 2026
Merged

fix: protect-admin-api#697
daehyeong2 merged 1 commit into
mainfrom
hotfix/protect-admin-api

Conversation

@daehyeong2

Copy link
Copy Markdown
Member

변경사항

  • 기존에 /api/v2/admin/**에 해당하는 API의 인가 처리가 결여되어 있던 문제를 해결했습니다. (상당히 크리티컬;)

@daehyeong2 daehyeong2 merged commit 90009a4 into main Apr 18, 2026
1 check passed
@daehyeong2 daehyeong2 deleted the hotfix/protect-admin-api branch April 18, 2026 10:02

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the security configuration to include the /api/v2/admin/** path under the ADMIN role requirement. A review comment suggests using a more generic wildcard pattern, such as /api//admin/, to ensure all future versioned admin APIs are automatically covered and to simplify maintenance.

.requestMatchers("/api/config/public").permitAll()
.requestMatchers("/auth-login.html", "/auth-signup.html").permitAll()
.requestMatchers("/admin/**", "/api/admin/**").hasRole("ADMIN")
.requestMatchers("/admin/**", "/api/admin/**", "/api/v2/admin/**").hasRole("ADMIN")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

현재 /api/v2/admin/** 경로를 수동으로 추가하여 보안 취약점을 해결하셨습니다. 하지만 이러한 방식은 향후 /api/v3/admin/**와 같이 새로운 버전의 API가 추가될 때 다시 보안 설정이 누락될 위험이 있습니다. 관리자 API의 경로 패턴이 일정한 규칙(예: /api/{version}/admin/**)을 따른다면, /api/**/admin/**와 같은 와일드카드 패턴을 사용하여 모든 버전의 관리자 API를 일관되게 보호하고 유지보수성을 높이는 것을 권장합니다.

Suggested change
.requestMatchers("/admin/**", "/api/admin/**", "/api/v2/admin/**").hasRole("ADMIN")
.requestMatchers("/admin/**", "/api/**/admin/**").hasRole("ADMIN")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant