Merge pull request #58 from WiSoft-PrePair/fix/sse-session-authorization

Boyeon-Shin · web-flow · commit c3e92bb9a566 · 2026-04-23T17:08:07.000+09:00
fix: SSE 세션 구독 엔드포인트에 소유자 인가 검증 추가(#51)
diff --git a/src/main/java/io/wisoft/prepair/prepair_api/controller/InterviewController.java b/src/main/java/io/wisoft/prepair/prepair_api/controller/InterviewController.java
@@ -91,8 +91,11 @@ public ApiResponse<Void> submitVideoAnswer(
     }
 
     @GetMapping(value = "/questions/video-answers/{sessionId}/stream", produces = MediaType.TEXT_EVENT_STREAM_VALUE)
-    public SseEmitter subscribeSession(@PathVariable UUID sessionId) {
+    public SseEmitter subscribeSession(
+            @PathVariable UUID sessionId,
+            @RequestHeader("X-User-Id") UUID memberId
+    ) {
+        questionService.validateSessionOwner(sessionId, memberId);
         return sseEmitterManager.create(sessionId);
     }
 }
-
diff --git a/src/main/java/io/wisoft/prepair/prepair_api/repository/SessionRepository.java b/src/main/java/io/wisoft/prepair/prepair_api/repository/SessionRepository.java
@@ -5,4 +5,5 @@
 import org.springframework.data.jpa.repository.JpaRepository;
 
 public interface SessionRepository extends JpaRepository<InterviewSession, UUID> {
+    boolean existsByIdAndMemberId(UUID id, UUID memberId);
 }
diff --git a/src/main/java/io/wisoft/prepair/prepair_api/service/question/QuestionService.java b/src/main/java/io/wisoft/prepair/prepair_api/service/question/QuestionService.java
@@ -78,4 +78,10 @@ public List<InterviewQuestion> generateVideoQuestions(UUID memberId, VideoInterv
         log.info("화상 면접 질문 생성 완료 - memberId: {}, sessionId: {}", memberId, session.getId());
         return questions;
     }
+
+    public void validateSessionOwner(UUID sessionId, UUID memberId) {
+        if(!sessionRepository.existsByIdAndMemberId(sessionId, memberId)) {
+            throw new BusinessException(ErrorCode.FORBIDDEN);
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -91,8 +91,11 @@ public ApiResponse<Void> submitVideoAnswer(`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`@GetMapping(value = "/questions/video-answers/{sessionId}/stream", produces = MediaType.TEXT_EVENT_STREAM_VALUE)`
`94`		`- public SseEmitter subscribeSession(@PathVariable UUID sessionId) {`
	`94`	`+ public SseEmitter subscribeSession(`
	`95`	`+ @PathVariable UUID sessionId,`
	`96`	`+ @RequestHeader("X-User-Id") UUID memberId`
	`97`	`+ ) {`
	`98`	`+ questionService.validateSessionOwner(sessionId, memberId);`
`95`	`99`	`return sseEmitterManager.create(sessionId);`
`96`	`100`	`}`
`97`	`101`	`}`
`98`		`-`
Original file line number	Diff line number	Diff line change
`@@ -5,4 +5,5 @@`
`5`	`5`	`import org.springframework.data.jpa.repository.JpaRepository;`
`6`	`6`
`7`	`7`	`public interface SessionRepository extends JpaRepository<InterviewSession, UUID> {`
	`8`	`+ boolean existsByIdAndMemberId(UUID id, UUID memberId);`
`8`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,4 +78,10 @@ public List<InterviewQuestion> generateVideoQuestions(UUID memberId, VideoInterv`
`78`	`78`	`log.info("화상 면접 질문 생성 완료 - memberId: {}, sessionId: {}", memberId, session.getId());`
`79`	`79`	`return questions;`
`80`	`80`	`}`
	`81`	`+`
	`82`	`+ public void validateSessionOwner(UUID sessionId, UUID memberId) {`
	`83`	`+ if(!sessionRepository.existsByIdAndMemberId(sessionId, memberId)) {`
	`84`	`+ throw new BusinessException(ErrorCode.FORBIDDEN);`
	`85`	`+ }`
	`86`	`+ }`
`81`	`87`	`}`