fix: 관리자 인증 불가 버그 수정

woowacourse-teams · Sep 19, 2024 · a2b9114 · a2b9114
1 parent ce74287
commit a2b9114
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 3 deletions.
diff --git a/server/src/main/java/server/haengdong/config/AdminInterceptor.java b/server/src/main/java/server/haengdong/config/AdminInterceptor.java
@@ -2,6 +2,8 @@
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpMethod;
 import org.springframework.web.servlet.HandlerInterceptor;
@@ -13,6 +15,10 @@
 @Slf4j
 public class AdminInterceptor implements HandlerInterceptor {
 
+    private static final String ADMIN_URI_REGEX = "/api/admin/events/([^/]+)";
+    private static final Pattern ADMIN_URI_PATTERN = Pattern.compile(ADMIN_URI_REGEX);
+    private static final int EVENT_TOKEN_MATCHER_INDEX = 1;
+
     private final AuthService authService;
     private final AuthenticationExtractor authenticationExtractor;
 
@@ -34,9 +40,16 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
     private void validateToken(HttpServletRequest request) {
         String token = authenticationExtractor.extract(request, authService.getTokenName());
         String tokenEventId = authService.findEventIdByToken(token);
-        String eventId = request.getRequestURI().split("/")[3];
-        if (!tokenEventId.equals(eventId)) {
-            log.warn("[행사 접근 불가] Cookie EventId = {}, URL EventId = {}", tokenEventId, eventId);
+        String uri = request.getRequestURI();
+
+        Matcher matcher = ADMIN_URI_PATTERN.matcher(uri);
+        if (!matcher.find()) {
+            throw new AuthenticationException(HaengdongErrorCode.FORBIDDEN);
+        }
+
+        String eventToken = matcher.group(EVENT_TOKEN_MATCHER_INDEX);
+        if (!tokenEventId.equals(eventToken)) {
+            log.warn("[행사 접근 불가] Cookie EventId = {}, URL EventId = {}", tokenEventId, eventToken);
             throw new AuthenticationException(HaengdongErrorCode.FORBIDDEN);
         }
     }

diff --git a/server/src/test/java/server/haengdong/config/AdminInterceptorTest.java b/server/src/test/java/server/haengdong/config/AdminInterceptorTest.java
@@ -0,0 +1,53 @@
+package server.haengdong.config;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import server.haengdong.application.AuthService;
+import server.haengdong.exception.AuthenticationException;
+import server.haengdong.infrastructure.auth.AuthenticationExtractor;
+
+class AdminInterceptorTest {
+
+    private AuthService authService;
+    private AuthenticationExtractor authenticationExtractor;
+    private AdminInterceptor adminInterceptor;
+
+    @BeforeEach
+    public void setUp() {
+        authService = mock(AuthService.class);
+        authenticationExtractor = mock(AuthenticationExtractor.class);
+        adminInterceptor = new AdminInterceptor(authService, authenticationExtractor);
+    }
+
+    @DisplayName("쿠키의 JWT 에서 eventToken 과 uri 의 eventToken 이 일치하면 관리자이다.")
+    @Test
+    void validateToken1() {
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/admin/events/12345");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        when(authService.findEventIdByToken(any())).thenReturn("12345");
+
+        boolean preHandle = adminInterceptor.preHandle(request, response, new Object());
+
+        assertThat(preHandle).isTrue();
+    }
+
+    @DisplayName("쿠키의 JWT 에서 eventToken 과 uri 의 eventToken 이 일치하지 않으면 거절당한다.")
+    @Test
+    void validateToken2() {
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/admin/events/12345");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        when(authService.findEventIdByToken(any())).thenReturn("125");
+
+        assertThatThrownBy(() -> adminInterceptor.preHandle(request, response, new Object()))
+                .isInstanceOf(AuthenticationException.class);
+    }
+}