feat: Apply CORS and Redis-based rate limiting #111
Code Review
This pull request configures global CORS settings and implements rate limiting across various API routes in the API Gateway, supported by a new RateLimiterConfig. Key feedback focuses on addressing critical security vulnerabilities, specifically header spoofing via X-User-Id and rate-limit bypass via X-Forwarded-For. Additionally, improvements are suggested to avoid a potential NullPointerException when extracting remote addresses and to externalize hardcoded CORS origins using environment variables.
/gemini review
Code Review
This pull request configures global CORS and implements Redis-based rate limiting across various service routes in the API Gateway. It introduces a custom KeyResolver to identify users by their ID or IP address. The review feedback points out two critical security vulnerabilities in the KeyResolver: potential rate-limit bypass via X-User-Id header spoofing on unauthenticated routes, and IP spoofing due to incorrect parsing of the X-Forwarded-For header in an AWS ALB environment.
/gemini review
Code Review
This pull request configures global CORS settings and implements rate limiting across various routes in the API Gateway. It introduces a custom KeyResolver that uses the authenticated user ID or falls back to the client's IP address extracted from the X-Forwarded-For header or remote address. A critical issue was identified in the IP extraction logic where a malformed X-Forwarded-For header consisting only of commas could trigger an ArrayIndexOutOfBoundsException. A code suggestion has been provided to safely verify the split array's length before accessing its elements.
/gemini review
Code Review
This pull request configures global CORS settings and implements request rate limiting across various API gateway routes using a custom KeyResolver based on authenticated user IDs or client IPs. It also enhances security in JwtAuthFilter by sanitizing headers for public paths and validating token presence. A critical issue was identified in RateLimiterConfig where returning Mono.empty() when an IP cannot be resolved can cause requests to be blocked with a 403 Forbidden error due to Spring Cloud Gateway's default settings; returning a fallback key like "anonymous" is recommended instead.
/gemini review
Code Review
This pull request introduces global CORS configuration and Redis-based request rate limiting across API Gateway routes, using a custom key resolver that distinguishes between authenticated users and client IPs. It also updates the JWT authentication filter to sanitize headers for public paths and track authentication status. However, critical security feedback highlights that header sanitization is missing for public prefix paths, risking header spoofing, and that returning an empty key when an IP cannot be resolved allows rate-limiting bypasses.
📝 Work done
- globalcors configuration applied uniformly to all routes
- allowCredentials: true so requests carrying the Authorization header are allowed
- RequestRateLimiter + Redis Token Bucket applied
- RateLimiterConfig: KeyResolver Bean added
  - keyed on the X-User-Id header (isolation per userId)
  - X-Forwarded-For header parsed first
- /auth/**: replenishRate 5, burstCapacity 10 (brute-force prevention)
- /ai-messages/**: replenishRate 5, burstCapacity 10 (LLM call cost control)
🛠️ Test details
💬 To the reviewer (optional)
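The KeyResolver described above (X-User-Id first, then X-Forwarded-For, then the remote address) is where every finding in the review thread lands: a spoofed X-User-Id on an unauthenticated route, an attacker-prepended X-Forwarded-For entry behind an ALB, a header made only of commas, and an empty key that Spring Cloud Gateway's RequestRateLimiter turns into a 403 by default. The following is an added example written for this page, not the PR's own RateLimiterConfig or any code from the project. It assumes a hypothetical package name, that the JwtAuthFilter marks validated requests with the exchange attribute `gateway.authenticated` (so inbound X-User-Id is only trusted on those), and that exactly one trusted proxy (the ALB) sits in front of the gateway; the bean name and the `user:`/`ip:` key prefixes are likewise my choices.

```java
package com.example.gateway.config; // hypothetical package name (assumption)

import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.regex.Pattern;

import org.springframework.cloud.gateway.filter.ratelimit.KeyResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Added example, not the PR's RateLimiterConfig: a KeyResolver keyed on the
 * authenticated user, otherwise on the client IP, hardened against the review
 * findings (X-User-Id spoofing, X-Forwarded-For spoofing, comma-only header,
 * empty key turning into a 403).
 */
@Configuration
public class RateLimiterConfig {

    /**
     * Assumption: the JwtAuthFilter sets this exchange attribute to TRUE only after it
     * has validated a token and written X-User-Id itself. An inbound X-User-Id on a
     * request that was not authenticated is ignored, so it cannot be used to pick a bucket.
     */
    public static final String AUTHENTICATED_ATTR = "gateway.authenticated";

    /** Proxies trusted to append X-Forwarded-For: one for an ALB directly in front (assumption). */
    static final int TRUSTED_PROXY_HOPS = 1;

    /** Bounded IPv4/IPv6 literal; anything else is treated as absent rather than used as a key. */
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f.:]{1,45}");

    @Bean
    public KeyResolver userOrIpKeyResolver() {
        // Never Mono.empty(): with the default deny-empty-key setting the
        // RequestRateLimiter answers 403 instead of limiting, and any client that can
        // make the key empty would be blocked (or, if deny is turned off, unlimited).
        return exchange -> Mono.just(resolveKey(exchange));
    }

    static String resolveKey(ServerWebExchange exchange) {
        ServerHttpRequest request = exchange.getRequest();
        boolean authenticated = Boolean.TRUE.equals(exchange.getAttribute(AUTHENTICATED_ATTR));
        String userId = request.getHeaders().getFirst("X-User-Id");
        if (authenticated && userId != null && !userId.isBlank()) {
            return "user:" + userId; // prefix keeps user keys and IP keys from colliding
        }
        String ip = clientIp(request.getHeaders().getFirst("X-Forwarded-For"),
                             request.getRemoteAddress());
        return ip != null ? "ip:" + ip : "anonymous"; // shared bucket, never an empty key
    }

    /**
     * Picks the client address out of X-Forwarded-For. Each trusted proxy appends the
     * address it accepted the connection from, so with N trusted hops the client is the
     * N-th entry from the right. Anything left of that was supplied by the sender and
     * is ignored, which is what defeats the "prepend a fake IP" bypass behind an ALB.
     */
    static String clientIp(String forwardedFor, InetSocketAddress remote) {
        if (forwardedFor != null) {
            String[] hops = Arrays.stream(forwardedFor.split(","))
                    .map(String::trim)
                    .filter(s -> !s.isEmpty()) // ",,," yields no entries instead of an AIOOBE
                    .toArray(String[]::new);
            int clientIndex = hops.length - TRUSTED_PROXY_HOPS;
            if (clientIndex >= 0 && IP_LITERAL.matcher(hops[clientIndex]).matches()) {
                return hops[clientIndex];
            }
        }
        // No usable header: fall back to the TCP peer, guarding the nullable remote address.
        // Behind the ALB that peer is the ALB itself, i.e. one shared bucket; that is the
        // safe direction compared with trusting an attacker-controlled entry.
        if (remote != null && remote.getAddress() != null) {
            return remote.getAddress().getHostAddress();
        }
        return null;
    }

    /** Stand-alone check of the parsing on constructed inputs; needs no Spring context. */
    public static void main(String[] args) {
        InetSocketAddress alb = new InetSocketAddress("10.0.0.5", 443); // constructed peer
        // Sender prepends a fake address, the ALB appends the real one: the real one wins.
        System.out.println(clientIp("1.2.3.4, 203.0.113.9", alb));
        System.out.println(clientIp(",,,", alb));
        System.out.println(clientIp(null, null));
    }
}
```

Run with `main` and the three lines print `203.0.113.9` (the rightmost, ALB-appended entry, not the spoofed `1.2.3.4`), then `10.0.0.5` (the comma-only header is discarded and the peer address is used), then `null` (which `resolveKey` maps to the `anonymous` key rather than an empty one). If more proxies are ever placed in front of the gateway, `TRUSTED_PROXY_HOPS` is the single value to raise; counting from the left, as the original parsing did, cannot be made safe by configuration.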