Feat: Auth svc route 추가

[dungbik]

Summary by CodeRabbit

릴리스 노트

• 새로운 기능

  • OAuth2 인증 콜백 지원 추가
  • API 엔드포인트 인증 요구사항 정리 및 개선

• 보안

  • 특정 API 엔드포인트에 인증 필터 적용
  • 사용자 정보 헤더 보안 강화

[coderabbitai]

Warning

Rate limit exceeded

@dungbik has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 29 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

API 게이트웨이 라우팅 구조를 재정리하여 인증 관련 엔드포인트를 분리했습니다. user-service-public에서 user-private로, user-service-private에서 auth-public으로 라우트명을 변경하고 새로운 auth-private 라우트를 추가했으며, JWT 시크릿 설정과 기본 필터를 업데이트했습니다.

Changes

Cohort / File(s)	Summary
API Gateway Route Reorganization src/main/resources/application-local.yml, src/main/resources/application.yml	라우트 ID 이름 변경 (user-service-public → user-private, user-service-private → auth-public), 새로운 auth-private 라우트 추가, Path 패턴 명시적 정의, AuthenticationFilter 적용, JWT 시크릿 설정 추가 및 환경 변수 참조 변경, X-User-* 헤더 제거를 위한 기본 필터 추가, 로깅 레벨 조정.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 라우트를 정렬하고 인증을 나누고,
토큰의 보물은 암호로 감싸고,
헤더는 걸러내며 경로를 꾸미니,
게이트웨이 마법으로 보안이 빛나네! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Pull request title clearly describes the main change: adding authentication service routes to the API gateway configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/auth-svc-route

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@src/main/resources/application-local.yml`:
- Around line 40-41: The JWT secret is hardcoded under the jwt.secret key in
application-local.yml; replace the literal with an environment variable
reference (e.g., read from JWT_SECRET) and update local dev instructions to load
it from a .env or the environment, add .env to .gitignore, and ensure local
config (jwt.secret) reads process env (JWT_SECRET) so secrets are not committed;
if the committed secret was used anywhere in production rotate it immediately.
- Around line 27-38: In the auth-private route definition (id: auth-private) add
the missing Path pattern "/v1/auth/social-links/*" to the predicates -> args ->
patterns list so local routing matches requests like DELETE
/v1/auth/social-links/google; update the patterns array that currently contains
"/v1/auth/logout", "/v1/auth/password", "/v1/auth/social-links", and
"/v1/oauth2/authorization/*" to include "/v1/auth/social-links/*" alongside the
existing entries.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

JWT 시크릿이 소스 코드에 하드코딩되어 있습니다.

Gitleaks에서도 감지된 문제입니다. 로컬 개발용이라 하더라도 시크릿 값을 레포지토리에 커밋하는 것은 권장되지 않습니다. application.yml처럼 환경 변수를 사용하거나, .env 파일을 .gitignore에 추가하여 관리하는 것을 권장합니다.

🔒 환경 변수 방식으로 변경

 jwt:
-  secret: "55ca298dcfc216e215622e3f48a251abaa4e8bb973074f065ab170e311acc15811d01a2407290c3ac143648196306d4a6f666a4ed364d3df633e08eb184bb0aea0f2edde4fd2d7fa68ea95ddbc421ff532ce47bde775975911042d665bc22d88a9fa26a03bb4d25530b8cdeb1247d87c9e3efcd721e368b0566b00a43308a729"
+  secret: ${JWT_SECRET:local-dev-secret}

이미 커밋된 시크릿 값은 프로덕션에서 사용 중이라면 반드시 로테이션해야 합니다.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	jwt:
	secret: "55ca298dcfc216e215622e3f48a251abaa4e8bb973074f065ab170e311acc15811d01a2407290c3ac143648196306d4a6f666a4ed364d3df633e08eb184bb0aea0f2edde4fd2d7fa68ea95ddbc421ff532ce47bde775975911042d665bc22d88a9fa26a03bb4d25530b8cdeb1247d87c9e3efcd721e368b0566b00a43308a729"
	jwt:
	secret: ${JWT_SECRET:local-dev-secret}

🧰 Tools

🪛 Gitleaks (8.30.0)

[high] 41-41: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents

In `@src/main/resources/application-local.yml` around lines 40 - 41, The JWT
secret is hardcoded under the jwt.secret key in application-local.yml; replace
the literal with an environment variable reference (e.g., read from JWT_SECRET)
and update local dev instructions to load it from a .env or the environment, add
.env to .gitignore, and ensure local config (jwt.secret) reads process env
(JWT_SECRET) so secrets are not committed; if the committed secret was used
anywhere in production rotate it immediately.