WiSoft-PrePair · Boyeon-Shin · Apr 23, 2026 · Apr 23, 2026 · gemini-code-assist · Apr 23, 2026
diff --git a/src/main/java/io/wisoft/prepair/prepair_api/controller/InterviewController.java b/src/main/java/io/wisoft/prepair/prepair_api/controller/InterviewController.java
@@ -91,8 +91,11 @@ public ApiResponse<Void> submitVideoAnswer(
     }
 
     @GetMapping(value = "/questions/video-answers/{sessionId}/stream", produces = MediaType.TEXT_EVENT_STREAM_VALUE)
-    public SseEmitter subscribeSession(@PathVariable UUID sessionId) {
+    public SseEmitter subscribeSession(
+            @PathVariable UUID sessionId,
+            @RequestHeader("X-User-Id") UUID memberId
+    ) {
+        questionService.validateSessionOwner(sessionId, memberId);
         return sseEmitterManager.create(sessionId);
     }
 }
-
diff --git a/src/main/java/io/wisoft/prepair/prepair_api/repository/SessionRepository.java b/src/main/java/io/wisoft/prepair/prepair_api/repository/SessionRepository.java
@@ -5,4 +5,5 @@
 import org.springframework.data.jpa.repository.JpaRepository;
 
 public interface SessionRepository extends JpaRepository<InterviewSession, UUID> {
+    boolean existsByIdAndMemberId(UUID id, UUID memberId);
 }
diff --git a/src/main/java/io/wisoft/prepair/prepair_api/service/question/QuestionService.java b/src/main/java/io/wisoft/prepair/prepair_api/service/question/QuestionService.java
@@ -78,4 +78,10 @@ public List<InterviewQuestion> generateVideoQuestions(UUID memberId, VideoInterv
         log.info("화상 면접 질문 생성 완료 - memberId: {}, sessionId: {}", memberId, session.getId());
         return questions;
     }
+
+    public void validateSessionOwner(UUID sessionId, UUID memberId) {
+        if(!sessionRepository.existsByIdAndMemberId(sessionId, memberId)) {
+            throw new BusinessException(ErrorCode.FORBIDDEN);
+        }
+    }
 }