feat: 멤버십(무료/유료) 게이팅 — 백엔드
CI / build (push) Failing after 13m40s

- member.plan(FREE/PREMIUM) 컬럼 추가 + SessionUser/MemberResponse 노출
- auth_session 백업에 plan 저장(세션 복원 시 유료 상태 유지)
- 관리자 회원 plan 변경 API (PUT /api/admin/members/{id}/plan)
- PremiumInterceptor 로 유료 전용 경로 차단(통계/예산/고정지출/태그/OCR/투자/카드알림/백업)
  · 관리자는 플랜과 무관하게 허용, 무료 회원은 403 PREMIUM_REQUIRED
- WebConfigTest: 유료 경로 등록 회귀 가드 추가

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
ByungCheol
2026-06-28 11:02:19 +09:00
parent 93e06c9475
commit 6256d3e63d
15 changed files with 122 additions and 5 deletions
@@ -1,5 +1,6 @@
package com.sb.web.admin.controller;
import com.sb.web.admin.dto.PlanUpdateRequest;
import com.sb.web.admin.dto.RoleUpdateRequest;
import com.sb.web.admin.dto.StatusUpdateRequest;
import com.sb.web.admin.service.MemberAdminService;
@@ -36,6 +37,14 @@ public class MemberAdminController {
return memberAdminService.updateRole(id, req.getRole(), current.getId());
}
@PutMapping("/{id}/plan")
public MemberAdminResponse updatePlan(
@PathVariable Long id,
@Valid @RequestBody PlanUpdateRequest req,
@RequestAttribute(AuthInterceptor.CURRENT_MEMBER) SessionUser current) {
return memberAdminService.updatePlan(id, req.getPlan(), current.getId());
}
@PutMapping("/{id}/status")
public MemberAdminResponse updateStatus(
@PathVariable Long id,
@@ -0,0 +1,14 @@
package com.sb.web.admin.dto;
import jakarta.validation.constraints.Pattern;
import lombok.Data;
/**
* 회원 멤버십 플랜 변경 요청.
*/
@Data
public class PlanUpdateRequest {
@Pattern(regexp = "FREE|PREMIUM", message = "플랜은 FREE 또는 PREMIUM 이어야 합니다.")
private String plan;
}
@@ -36,6 +36,14 @@ public class MemberAdminService {
return MemberAdminResponse.from(target);
}
@Transactional
public MemberAdminResponse updatePlan(Long targetId, String plan, Long currentAdminId) {
Member target = mustFind(targetId);
memberMapper.updatePlan(targetId, plan);
target.setPlan(plan);
return MemberAdminResponse.from(target);
}
@Transactional
public MemberAdminResponse updateStatus(Long targetId, String status, Long currentAdminId) {
Member target = mustFind(targetId);
@@ -22,6 +22,7 @@ public class AuthSession {
private String loginId;
private String name;
private String role;
private String plan;
private String provider;
private boolean rememberMe;
private LocalDateTime expiresAt;
@@ -34,6 +35,7 @@ public class AuthSession {
.loginId(u.getLoginId())
.name(u.getName())
.role(u.getRole())
.plan(u.getPlan())
.provider(u.getProvider())
.rememberMe(u.isRememberMe())
.expiresAt(expiresAt)
@@ -46,6 +48,7 @@ public class AuthSession {
.loginId(loginId)
.name(name)
.role(role)
.plan(plan)
.provider(provider)
.rememberMe(rememberMe)
.build();
@@ -27,6 +27,7 @@ public class Member implements Serializable {
private String providerId; // 소셜 제공자 측 고유 ID
private String googleId; // 구글 sub (계정 연결용 — LOCAL 계정에 구글을 연결해도 provider 는 유지)
private String role; // USER / ADMIN
private String plan; // FREE / PREMIUM (멤버십)
private String status; // ACTIVE / SUSPENDED / WITHDRAWN
private LocalDateTime createdAt;
private LocalDateTime updatedAt;
@@ -18,6 +18,7 @@ public class MemberAdminResponse {
private String name;
private String email;
private String role; // USER / ADMIN
private String plan; // FREE / PREMIUM
private String status; // ACTIVE / SUSPENDED / WITHDRAWN
private String provider; // LOCAL / 소셜
private LocalDateTime createdAt;
@@ -29,6 +30,7 @@ public class MemberAdminResponse {
.name(m.getName())
.email(m.getEmail())
.role(m.getRole())
.plan(m.getPlan())
.status(m.getStatus())
.provider(m.getProvider())
.createdAt(m.getCreatedAt())
@@ -17,6 +17,7 @@ public class MemberResponse {
private String email;
private String provider;
private String role;
private String plan; // FREE / PREMIUM
public static MemberResponse from(Member m) {
return MemberResponse.builder()
@@ -26,6 +27,7 @@ public class MemberResponse {
.email(m.getEmail())
.provider(m.getProvider())
.role(m.getRole())
.plan(m.getPlan())
.build();
}
}
@@ -22,6 +22,7 @@ public class SessionUser implements Serializable {
private String loginId;
private String name;
private String role;
private String plan; // FREE / PREMIUM
private String provider;
private boolean rememberMe; // 자동 로그인 세션 여부 (슬라이딩 만료 TTL 결정용)
@@ -31,6 +32,7 @@ public class SessionUser implements Serializable {
.loginId(m.getLoginId())
.name(m.getName())
.role(m.getRole())
.plan(m.getPlan())
.provider(m.getProvider())
.build();
}
@@ -42,6 +42,8 @@ public interface MemberMapper {
int updateRole(@Param("id") Long id, @Param("role") String role);
int updatePlan(@Param("id") Long id, @Param("plan") String plan);
int updateStatus(@Param("id") Long id, @Param("status") String status);
int deleteById(@Param("id") Long id);
@@ -0,0 +1,39 @@
package com.sb.web.auth.web;
import com.sb.web.auth.dto.SessionUser;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import java.nio.charset.StandardCharsets;
/**
* 유료(PREMIUM) 전용 경로 보호. AuthInterceptor 가 먼저 세팅한 SessionUser 의 plan 을 검사한다.
* 프론트의 메뉴 잠금은 우회 가능하므로, 실제 API 접근은 여기서 차단한다.
* 관리자(ADMIN)는 플랜과 무관하게 모든 기능을 사용할 수 있다.
*/
@Component
public class PremiumInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
if (HttpMethod.OPTIONS.matches(request.getMethod())) {
return true;
}
Object attr = request.getAttribute(AuthInterceptor.CURRENT_MEMBER);
if (attr instanceof SessionUser user
&& ("ADMIN".equals(user.getRole()) || "PREMIUM".equals(user.getPlan()))) {
return true;
}
response.setStatus(HttpStatus.FORBIDDEN.value());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setCharacterEncoding(StandardCharsets.UTF_8.name());
response.getWriter().write("{\"status\":403,\"code\":\"PREMIUM_REQUIRED\",\"message\":\"유료 멤버십 전용 기능입니다.\"}");
return false;
}
}
@@ -2,6 +2,7 @@ package com.sb.web.common.config;
import com.sb.web.auth.web.AdminInterceptor;
import com.sb.web.auth.web.AuthInterceptor;
import com.sb.web.auth.web.PremiumInterceptor;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
@@ -18,6 +19,7 @@ public class WebConfig implements WebMvcConfigurer {
private final AuthInterceptor authInterceptor;
private final AdminInterceptor adminInterceptor;
private final PremiumInterceptor premiumInterceptor;
@Override
public void addInterceptors(InterceptorRegistry registry) {
@@ -29,5 +31,18 @@ public class WebConfig implements WebMvcConfigurer {
// 인가: 관리자 전용 경로 (authInterceptor 다음에 실행되어 role 검사)
registry.addInterceptor(adminInterceptor)
.addPathPatterns("/api/admin/**");
// 인가: 유료(PREMIUM) 전용 경로 (authInterceptor 다음에 실행되어 plan 검사)
registry.addInterceptor(premiumInterceptor)
.addPathPatterns(
"/api/account/stats",
"/api/account/category-stats",
"/api/account/networth/trend",
"/api/account/budgets", "/api/account/budgets/**",
"/api/account/recurrings", "/api/account/recurrings/**",
"/api/account/ocr", "/api/account/ocr/**",
"/api/account/invest", "/api/account/invest/**",
"/api/account/tags", "/api/account/tags/**",
"/api/account/entries/notification",
"/api/account/restore");
}
}