Skip to content

[app] 실수로 디벨롭 제외하고 메인에 머지함#31

Merged
tlrdmsEjrqhRdl merged 4 commits into
developfrom
main
Jul 2, 2026
Merged

[app] 실수로 디벨롭 제외하고 메인에 머지함#31
tlrdmsEjrqhRdl merged 4 commits into
developfrom
main

Conversation

@tlrdmsEjrqhRdl

Copy link
Copy Markdown
Contributor

죄송하빈다

@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
chuijun-client Ready Ready Preview, Comment Jul 2, 2026 5:44am

@tlrdmsEjrqhRdl
tlrdmsEjrqhRdl marked this pull request as ready for review July 2, 2026 05:44
@tlrdmsEjrqhRdl
tlrdmsEjrqhRdl merged commit 82c990f into develop Jul 2, 2026
8 checks passed

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new Route Handler for DataGSM OAuth login with PKCE, migrates the 'Black Han Sans' font loading to Next.js Google Fonts, and cleans up unused code in the middleware. Feedback highlights two key issues in the new OAuth route: first, the potential for incorrect redirect URI generation behind reverse proxies, which can be resolved by checking forwarding headers; second, the missing 'secure' flag on sensitive OAuth cookies, which should be enabled in production environments to mitigate session fixation and CSRF risks.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +30 to +31
const requestUrl = new URL(request.url);
const redirectUri = new URL(OAUTH_CALLBACK_PATH, requestUrl.origin).toString();

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

🚨 프록시 환경에서 잘못된 Redirect URI 생성 위험

현재 request.url에서 직접 origin을 추출하여 redirectUri를 생성하고 있습니다.

Next.js 애플리케이션이 Vercel, Docker, Nginx 등의 리버스 프록시 뒤에서 실행되는 경우, request.url은 실제 클라이언트가 접속한 도메인이 아닌 내부 주소(예: http://localhost:3000 또는 내부 IP)를 가질 수 있습니다. 이로 인해 OAuth 인증 서버로 잘못된 redirect_uri가 전달되어 로그인 흐름이 완전히 깨질 수 있습니다.

이를 방지하기 위해 x-forwarded-hostx-forwarded-proto 헤더를 참조하여 동적으로 올바른 외부 Origin을 구성하는 것이 안전합니다.

Suggested change
const requestUrl = new URL(request.url);
const redirectUri = new URL(OAUTH_CALLBACK_PATH, requestUrl.origin).toString();
const requestUrl = new URL(request.url);
const host = request.headers.get("x-forwarded-host") || requestUrl.host;
const proto = request.headers.get("x-forwarded-proto") || (requestUrl.protocol === "https:" ? "https" : "http");
const origin = `${proto}://${host}`;
const redirectUri = new URL(OAUTH_CALLBACK_PATH, origin).toString();

Comment on lines +46 to +63
response.cookies.set("dg_oauth_state", state, {
httpOnly: true,
maxAge: OAUTH_COOKIE_MAX_AGE_SECONDS,
path: "/auth/dg",
sameSite: "lax",
});
response.cookies.set("dg_oauth_code_verifier", codeVerifier, {
httpOnly: true,
maxAge: OAUTH_COOKIE_MAX_AGE_SECONDS,
path: "/auth/dg",
sameSite: "lax",
});
response.cookies.set("dg_oauth_redirect_uri", redirectUri, {
httpOnly: true,
maxAge: OAUTH_COOKIE_MAX_AGE_SECONDS,
path: "/auth/dg",
sameSite: "lax",
});

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

🔒 OAuth 보안 쿠키에 secure 옵션 누락

OAuth state, code_verifier, redirect_uri는 세션 고정(Session Fixation) 및 CSRF 공격을 방지하기 위한 민감한 보안 데이터입니다.

운영(production) 환경에서는 이 쿠키들이 반드시 HTTPS 연결을 통해서만 전송되도록 secure: process.env.NODE_ENV === "production" 옵션을 추가하는 것이 안전합니다.

  response.cookies.set("dg_oauth_state", state, {
    httpOnly: true,
    secure: process.env.NODE_ENV === "production",
    maxAge: OAUTH_COOKIE_MAX_AGE_SECONDS,
    path: "/auth/dg",
    sameSite: "lax",
  });
  response.cookies.set("dg_oauth_code_verifier", codeVerifier, {
    httpOnly: true,
    secure: process.env.NODE_ENV === "production",
    maxAge: OAUTH_COOKIE_MAX_AGE_SECONDS,
    path: "/auth/dg",
    sameSite: "lax",
  });
  response.cookies.set("dg_oauth_redirect_uri", redirectUri, {
    httpOnly: true,
    secure: process.env.NODE_ENV === "production",
    maxAge: OAUTH_COOKIE_MAX_AGE_SECONDS,
    path: "/auth/dg",
    sameSite: "lax",
  });

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants