[Fix] WebSocket CORS 전체 origin 허용 제한

[howooyeon]

🧾 요약

• WebSocket CORS 와일드카드(*)를 특정 패턴으로 제한하여 악성 사이트 GPS 세션 탈취 방지

🔗 이슈

• close [fix] WebSocket CORS 전체 origin 허용 제한 #202

✨ 변경 내용

• SecurityConfig: REST/WebSocket CORS 설정 분리 — REST는 setAllowedOrigins(exact match), WebSocket은 setAllowedOriginPatterns(pattern match)
• WebSocketConfig: setAllowedOriginPatterns("*") → setAllowedOriginPatterns("http://localhost:*", "https://lgenius.site")
• React Native 네이티브 WebSocket(Origin 헤더 없음) 정상 동작 검증 완료

✅ 확인

• 빌드 OK
• 테스트 OK

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c34aa6de-1d26-41b2-b677-4c89f475e9db

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/#202-websocket-cors

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

본 PR은 WebSocket 통신 시 발생할 수 있는 보안 취약점을 방지하기 위해 CORS 설정을 최적화하는 내용을 담고 있습니다. 기존의 광범위한 와일드카드 허용 방식을 특정 도메인 및 로컬 호스트 패턴으로 구체화하여, 승인되지 않은 출처로부터의 접근을 차단하고 시스템 보안성을 높이는 것을 목적으로 합니다.

Highlights

• CORS 보안 강화: WebSocket 연결에 대한 CORS 허용 범위를 와일드카드('*')에서 특정 도메인 및 로컬 패턴으로 제한하여 보안을 강화했습니다.
• 설정 분리: SecurityConfig 내에서 REST API와 WebSocket의 CORS 설정을 명확히 분리하여 각 엔드포인트에 적합한 보안 정책을 적용했습니다.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request restricts the CORS allowed origin patterns for WebSocket connections in both SecurityConfig and WebSocketConfig from wildcard (*) to specific patterns (http://localhost:* and https://lgenius.site). The review feedback suggests externalizing these hardcoded CORS configurations to environment-specific properties files (e.g., application.yaml) to avoid duplication and prevent security risks in production environments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

[P2] CORS 허용 Origin 설정 외재화 및 중복 제거 권장

문제점
현재 SecurityConfig와 WebSocketConfig 두 곳에 CORS 허용 Origin 패턴("http://localhost:*", "https://lgenius.site")이 하드코딩되어 중복 존재합니다. 또한, 운영(production) 환경에서도 http://localhost:*와 같은 로컬 개발용 주소가 허용되어 보안상 아쉬움이 있습니다.

영향

• 운영 환경에서 불필요하게 로컬 호스트(localhost)의 접근을 허용하여 보안 취약점이 될 수 있습니다.
• 도메인이 변경되거나 허용할 Origin이 추가될 때마다 자바 코드를 수정하고 재빌드해야 하므로 유지보수성이 떨어집니다.
• 두 설정 파일(SecurityConfig, WebSocketConfig)의 허용 Origin이 불일치할 경우 예기치 않은 CORS 에러가 발생할 수 있습니다.

개선 제안
CORS 설정을 application.yaml 및 application-prod.yaml로 외재화(Externalize)하여 환경별로 다르게 적용하고, @Value 등을 통해 주입받아 사용하도록 개선하는 것을 권장합니다.

예시:

cors:
  allowed-origins:
    - "http://localhost:3000"
    - "http://localhost:8081"
    - "https://lgenius.site"
  allowed-websocket-origins:
    - "http://localhost:*"
    - "https://lgenius.site"

application-prod.yaml (운영 환경)

cors:
  allowed-origins:
    - "https://lgenius.site"
  allowed-websocket-origins:
    - "https://lgenius.site"