CLAP-425 Fix: 비밀번호 재설정 경로에도 잠금 계정 여부를 확인하도록 수정

joowojr · joowojr · commit dbc602907528 · 2025-02-13T16:30:17.000+09:00
<footer> - #554
diff --git a/src/main/java/clap/server/adapter/inbound/security/WebSecurityUrl.java b/src/main/java/clap/server/adapter/inbound/security/WebSecurityUrl.java
@@ -15,4 +15,5 @@ private WebSecurityUrl() {
     public static final String REISSUANCE_ENDPOINT = "/api/auths/reissuance";
     public static final String PASSWORD_EMAIL_ENDPOINT = "/api/new-password";
     public static final String TEMPORARY_TOKEN_ALLOWED_ENDPOINT = "/api/members/initial-password";
+    public static final String[] ANONYMOUS_ENDPOINTS = {LOGIN_ENDPOINT, PASSWORD_EMAIL_ENDPOINT};
 }
diff --git a/src/main/java/clap/server/adapter/inbound/security/filter/JwtAuthenticationFilter.java b/src/main/java/clap/server/adapter/inbound/security/filter/JwtAuthenticationFilter.java
@@ -49,8 +49,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
             SWAGGER_ENDPOINTS
     ).flatMap(Arrays::stream).toArray(String[]::new);
 
-    public static final String[] ANONYMOUS_ENDPOINTS = {LOGIN_ENDPOINT, PASSWORD_EMAIL_ENDPOINT};
-
     @Override
     protected void doFilterInternal(
             @NotNull HttpServletRequest request,
diff --git a/src/main/java/clap/server/adapter/inbound/security/filter/LoginAttemptFilter.java b/src/main/java/clap/server/adapter/inbound/security/filter/LoginAttemptFilter.java
@@ -12,14 +12,16 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.util.AntPathMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.ContentCachingRequestWrapper;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
 
-import static clap.server.adapter.inbound.security.WebSecurityUrl.LOGIN_ENDPOINT;
+import static clap.server.adapter.inbound.security.WebSecurityUrl.ANONYMOUS_ENDPOINTS;
 import static clap.server.common.utils.ClientIpParseUtil.getClientIp;
 
 
@@ -33,10 +35,10 @@ public class LoginAttemptFilter extends OncePerRequestFilter {
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
             throws ServletException, IOException {
         try {
-            if (request.getRequestURI().equals(LOGIN_ENDPOINT)) {
+            if (Arrays.stream(ANONYMOUS_ENDPOINTS)
+                    .anyMatch(endpoint -> new AntPathMatcher().match(endpoint, request.getRequestURI()))) {
                 String nickname = request.getParameter("nickname");
                 checkAccountLockStatusUseCase.checkAccountIsLocked(nickname);
-
             }
         } catch (AuthException e) {
             log.warn("Authentication failed for IP: {}. Error: {}", getClientIp(request), e.getMessage());

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,5 @@ private WebSecurityUrl() {`
`15`	`15`	`public static final String REISSUANCE_ENDPOINT = "/api/auths/reissuance";`
`16`	`16`	`public static final String PASSWORD_EMAIL_ENDPOINT = "/api/new-password";`
`17`	`17`	`public static final String TEMPORARY_TOKEN_ALLOWED_ENDPOINT = "/api/members/initial-password";`
	`18`	`+ public static final String[] ANONYMOUS_ENDPOINTS = {LOGIN_ENDPOINT, PASSWORD_EMAIL_ENDPOINT};`
`18`	`19`	`}`