Add admin authentication for version updates and enhance AppVersionService #44
Test Results: 46 tests, 46 ✅, 0s ⏱️. Results for commit d03c8ff.
Pull request overview
Adds an admin API-key gate for privileged endpoints and introduces an admin-only version update API for app version metadata.
Changes:
- Introduced `@AdminAuth` + `AdminAuthInterceptor` and registered the interceptor via `WebConfig`.
- Added a Swagger/OpenAPI API-key security scheme (`X-Admin-Key`) and annotated the new endpoint with a security requirement.
- Implemented the app version update flow via `AppVersionUpdateRequest`, `AppVersionService.updateVersion`, and `PUT /version`.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/main/resources/moa-secret | Updates the secrets submodule pointer to pick up new admin secret config. |
| src/main/resources/application.yml | Loads moa-secret/admin.yml into Spring config imports. |
| src/main/kotlin/com/moa/service/dto/AppVersionUpdateRequest.kt | Adds DTO for admin version update requests. |
| src/main/kotlin/com/moa/service/AppVersionService.kt | Adds transactional update method for app versions. |
| src/main/kotlin/com/moa/controller/VersionController.kt | Adds admin-protected PUT /version endpoint. |
| src/main/kotlin/com/moa/common/config/WebConfig.kt | Registers the new admin auth interceptor. |
| src/main/kotlin/com/moa/common/config/SwaggerConfig.kt | Documents the X-Admin-Key security scheme in OpenAPI. |
| src/main/kotlin/com/moa/common/auth/AdminProperties.kt | Adds @ConfigurationProperties holder for the admin key. |
| src/main/kotlin/com/moa/common/auth/AdminAuthInterceptor.kt | Implements header-based API key enforcement for @AdminAuth. |
| src/main/kotlin/com/moa/common/auth/AdminAuth.kt | Adds the annotation used to mark admin-only endpoints. |
| @ConfigurationProperties(prefix = "admin") | ||
| data class AdminProperties( | ||
| val apiKey: String, | ||
| ) |
@ConfigurationProperties classes are not automatically registered as beans unless the project has @ConfigurationPropertiesScan enabled (or uses @EnableConfigurationProperties(AdminProperties::class)). Since AdminAuthInterceptor injects AdminProperties, missing registration will fail app startup. Fix by registering this properties class via @ConfigurationPropertiesScan in the application/config package, adding @EnableConfigurationProperties(AdminProperties::class) in a @Configuration class, or annotating this class with a Spring stereotype (least preferred vs scan/enable).
Isn't it already scanned in Application.kt?..
| override fun preHandle(request: HttpServletRequest, response: HttpServletResponse, handler: Any): Boolean { | ||
| if (handler is HandlerMethod && handler.hasMethodAnnotation(AdminAuth::class.java)) { | ||
| val key = request.getHeader(ADMIN_KEY_HEADER) | ||
| if (key != adminProperties.apiKey) { | ||
| throw UnauthorizedException() | ||
| } | ||
| } | ||
| return true | ||
| } |
As written, admin-protected endpoints can fail CORS preflight requests because OPTIONS requests typically won't include X-Admin-Key, causing UnauthorizedException and blocking browsers. Consider bypassing auth for OPTIONS (or handling CORS at a higher level) before checking @AdminAuth.
| if (key != adminProperties.apiKey) { | ||
| throw UnauthorizedException() | ||
| } |
Direct string comparison can leak timing information about the admin key (especially if this endpoint is exposed publicly). Use a constant-time comparison (e.g., compare byte arrays with a constant-time primitive) to reduce timing-attack surface.
| @@ -0,0 +1,5 @@ | |||
| package com.moa.common.auth | |||
|
|
|||
| @Target(AnnotationTarget.FUNCTION) | |||
Limiting @AdminAuth to FUNCTION prevents protecting an entire controller/class with a single annotation. If you want class-level protection, include AnnotationTarget.CLASS in @Target and update the interceptor to also check the declaring class (e.g., handler.beanType) for the annotation.
| @Target(AnnotationTarget.FUNCTION) | |
| @Target(AnnotationTarget.FUNCTION, AnnotationTarget.CLASS) |
I'll do this later, when it's needed...
This pull request introduces an admin API key authentication mechanism and adds an endpoint for updating app version information, restricted to admin users. It does so by implementing a custom annotation and interceptor for admin authentication, updating the Swagger configuration for API key documentation, and extending the version management functionality.
Admin Authentication Implementation:
- Added the `@AdminAuth` annotation and `AdminAuthInterceptor` to restrict certain endpoints to requests with a valid admin API key (`X-Admin-Key` header), with configuration properties loaded from `admin.yml`. [1] [2] [3] [4]
- Registered `AdminAuthInterceptor` in `WebConfig` to enforce admin authentication on annotated endpoints.

API Documentation Updates:
- Updated `SwaggerConfig` to document the new `X-Admin-Key` API key security scheme, allowing API consumers to understand and test admin-protected endpoints.

App Version Management Enhancements:
- Added the `AppVersionUpdateRequest` DTO and a new `updateVersion` method in `AppVersionService` to allow updating app version data. [1] [2] [3]
- Updated `VersionController` to include a new `PUT /version` endpoint for updating app version information, protected by the new admin authentication mechanism. [1] [2]

Configuration Changes:
- Added `moa-secret/admin.yml` for admin API key configuration. [1] [2]
…rvice