fix(be)

Author: yeongbin1999

backend/src/main/java/com/deliveranything/global/config/WebSocketConfig.java

@@ -15,6 +15,7 @@
 import com.deliveranything.global.security.handler.StompErrorHandler;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.MessageChannel;
@@ -29,13 +30,15 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.config.annotation.web.socket.EnableWebSocketSecurity;
 import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
 import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
 import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
 
 @Slf4j
 @Configuration
 @EnableWebSocketMessageBroker
+@EnableWebSocketSecurity
 @RequiredArgsConstructor
 public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
 
@@ -155,4 +158,14 @@ private Authentication authenticate(StompHeaderAccessor accessor) {
       }
     });
   }
+
+  /**
+   * Disables CSRF for STOMP messages when using @EnableWebSocketSecurity.
+   * This bean name is specifically recognized by Spring Security to override the default CSRF ChannelInterceptor.
+   */
+  @Bean
+  public ChannelInterceptor csrfChannelInterceptor() {
+      // Returning a no-op ChannelInterceptor effectively disables the CSRF check
+      return new ChannelInterceptor() {};
+  }
 }

backend/src/main/java/com/deliveranything/global/security/config/WebSocketSecurityConfig.java

@@ -9,7 +9,6 @@
 # 1. 로그인 정보
 email = "[email protected]"
 password = "password2!"
-# 초기 device_id는 임의로 설정하거나, 서버에서 새로 발급받을 수 있음
 initial_device_id = "test_device_123"
 
 # 2. 로그인 요청
@@ -20,12 +19,12 @@
 }
 login_headers = {
     "Content-Type": "application/json",
-    "X-Device-ID": initial_device_id # 로그인 시 X-Device-ID를 보냄
+    "X-Device-ID": initial_device_id
 }
 
 try:
     login_response = requests.post(LOGIN_ENDPOINT, json=login_payload, headers=login_headers)
-    login_response.raise_for_status() # HTTP 오류 발생 시 예외 발생
+    login_response.raise_for_status()
 
     access_token = login_response.headers.get("Authorization")
     received_device_id_raw = login_response.headers.get("X-Device-ID")
@@ -36,14 +35,14 @@
         print(f"응답 본문: {login_response.text}")
         exit()
 
-    final_device_id = initial_device_id # 기본값은 초기 device_id
+    final_device_id = initial_device_id
     if received_device_id_raw:
         final_device_id = received_device_id_raw.split(',')[0].strip()
         print(f"로그인 응답에서 X-Device-ID를 추출했습니다: {final_device_id}")
     else:
         print("로그인 응답에서 X-Device-ID 헤더를 찾을 수 없습니다. 초기 device_id를 사용합니다.")
 
-    print("로그인 성공! (이전 단계에서 얻은 토큰 사용)")
+    print("로그인 성공!")
     print(f"Access Token: {access_token}")
     print(f"Final X-Device-ID: {final_device_id}")
 
@@ -55,20 +54,18 @@
         "X-Device-ID": final_device_id
     }
 
-    # stream=True를 사용하여 응답을 스트리밍 방식으로 처리
     with requests.get(SSE_ENDPOINT, headers=sse_headers, stream=True) as sse_response:
-        sse_response.raise_for_status() # HTTP 오류 발생 시 예외 발생
+        sse_response.raise_for_status()
 
         print("SSE 연결 성공! 이벤트를 수신 중...")
         for line in sse_response.iter_lines():
             if line:
                 decoded_line = line.decode('utf-8')
                 print(decoded_line)
-            # 연결이 끊어지면 루프 종료
             if not line and sse_response.raw.closed:
                 print("SSE 연결이 종료되었습니다.")
                 break
-            time.sleep(0.1) # 너무 빠르게 읽지 않도록 잠시 대기
+            time.sleep(0.1)
 
 except requests.exceptions.RequestException as e:
     print(f"요청 중 오류 발생: {e}")