[fix] Exempt the password-reset endpoint from authentication for logged-out users #93

Merged
k3vin7 merged 2 commits into main from feat/auth
Mar 2, 2026

Conversation

@k3vin7
Contributor

@k3vin7 k3vin7 commented Mar 2, 2026

Summary

  • Fixes a bug where PUT /auth/password-reset was missing from the permitAll() list, so a logged-out request got a 401
  • The symptom showed up because the frontend's "retry with the refresh token on 401" logic kicked in

Changes

  • SecurityConfig: added PUT /auth/password-reset to permitAll()

Test plan

  • Confirm that a PUT /auth/password-reset request while logged out gets a normal response (200)
  • Confirm it still works while logged in

🤖 Generated with Claude Code
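What the one-line change in the Changes section looks like in Spring Security 6's lambda DSL, as an added example rather than the project's own SecurityConfig. The package name, the `JwtAuthenticationFilter` bean and the `/auth/login` and `/auth/refresh` routes are assumptions; only `PUT /auth/password-reset` and `permitAll()` come from the PR. Matching on the HTTP method keeps the exemption as narrow as the PR describes, and the rules are evaluated in declaration order, so the exemptions must precede `anyRequest()`.

```java
// Added example, not the project's SecurityConfig. Assumes Spring Boot 3 /
// Spring Security 6 and a hypothetical JwtAuthenticationFilter bean that sets
// the SecurityContext when a valid access token is present and otherwise
// simply continues the chain.
package com.example.auth.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private final JwtAuthenticationFilter jwtAuthenticationFilter; // hypothetical bean

    public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: no session, no CSRF token.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Unauthenticated access to a protected route answers 401 (the default
            // entry point would answer 403), matching the symptom in the PR description.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth
                // Pre-login routes (assumed names). Binding each rule to an HTTP method
                // keeps the exemption narrow: requestMatchers("/auth/password-reset")
                // without a method would also open GET/POST/DELETE on that path.
                .requestMatchers(HttpMethod.POST, "/auth/login", "/auth/refresh").permitAll()
                // The fix from this PR: a logged-out user must be able to reset a
                // forgotten password, so no access token is required here. The handler
                // behind it is then the only check (it must validate the reset token
                // carried in the request; that handler is not shown on this page).
                .requestMatchers(HttpMethod.PUT, "/auth/password-reset").permitAll()
                // Everything else still needs a valid access token. Any rule declared
                // after anyRequest() is rejected at startup, so exemptions go above it.
                .anyRequest().authenticated())
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

The PR's test plan maps onto a MockMvc check: `mockMvc.perform(put("/auth/password-reset").contentType(MediaType.APPLICATION_JSON).content(body)).andExpect(status().isOk())` with no Authorization header, plus the same request with a valid token, and as a negative control a request to any other route without a token expecting `status().isUnauthorized()` so the exemption is known not to have widened.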

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This Pull Request changes the authentication configuration so that logged-out users can reset their password, and switches email sending to an asynchronous path to improve system performance. This improves the user experience and prevents blocking caused by email sending.

Highlights

  • Password-reset endpoint exempted from authentication: to fix the bug where a password-reset request (PUT /auth/password-reset) while logged out returned 401, the endpoint was added to the authentication exemption list.
  • Asynchronous email sending: the email-sending logic was refactored to run asynchronously through AsyncMailSender, improving the application's responsiveness.


Changelog
  • src/main/java/com/daramg/server/auth/application/AsyncMailSender.java
    • Added the AsyncMailSender component for asynchronous email sending.
  • src/main/java/com/daramg/server/auth/application/MailVerificationServiceImpl.java
    • Changed to send email asynchronously through AsyncMailSender.
    • Removed the previous MimeMessageGenerator, MailContentBuilder and JavaMailSender dependencies.
  • src/main/java/com/daramg/server/auth/config/SecurityConfig.java
    • Added the PUT /auth/password-reset endpoint to the permitAll() list so it is reachable without authentication.
  • src/main/java/com/daramg/server/common/config/AsyncConfig.java
    • Added AsyncConfig, which enables asynchronous processing and defines the mailTaskExecutor thread pool used for mail sending.
  • src/test/java/com/daramg/server/auth/application/MailVerificationServiceImplTest.java
    • The MailVerificationServiceImpl test now mocks AsyncMailSender and verifies the call.
    • Removed the previous email-sending mock setup.
Activity
  • This Pull Request was generated using Claude Code.

@k3vin7 k3vin7 merged commit fe81bbe into main Mar 2, 2026
1 check passed
@k3vin7 k3vin7 deleted the feat/auth branch March 2, 2026 05:51

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces an asynchronous email sending mechanism and updates the security configuration to allow unauthenticated access to the password reset endpoint. While the SecurityConfig modification is correctly applied and asynchronous email sending improves API response speed, a critical security concern was identified: the logging of Personally Identifiable Information (PII), specifically the user's email address, in plain text during email delivery failures. This poses a privacy risk and requires remediation. Furthermore, the current asynchronous email failure handling might negatively impact user experience, and improvements to error logging are suggested.

);
javaMailSender.send(mimeMessage);
} catch (Exception e) {
log.error("이메일 발송 실패 - email: {}, error: {}", email, e.getMessage());
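Review bot: the `catch` block writes the raw `email` into the log and keeps only `e.getMessage()`, so the stack trace is lost; pass the exception itself as the final argument, e.g. `log.error("이메일 발송 실패", e);`, and keep the address out of the message (mask it, or log an opaque user identifier instead). Since `javaMailSender.send(mimeMessage)` runs on the async path and the exception is swallowed here, the HTTP request has already returned 200 regardless of delivery, so this log line (or a metric derived from it) is the only signal that the mail never went out; it is worth making that signal complete.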

Label: security-medium

A critical security concern exists here: the user's email address is logged in plain text when email sending fails. Email addresses are Personally Identifiable Information (PII) and should not be logged to avoid privacy violations and compliance issues (e.g., GDPR).

Additionally, while asynchronous processing improves API response time, the current implementation logs exceptions on email sending failure without proper handling. This means the API might return a 200 OK even if the email wasn't sent, potentially confusing users. Furthermore, the current logging only captures e.getMessage(), missing the full stack trace needed for debugging. It's recommended to log the full Throwable directly for better error context.

Suggested change
log.error("이메일 발송 실패 - email: {}, error: {}", email, e.getMessage());
log.error("이메일 발송 실패 - error: {}", e.getMessage());
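The three points in the review above (no raw PII in the log, the full Throwable rather than `getMessage()`, and failures that can no longer change the HTTP status) folded into one async sender plus its executor config. This is an added example, not the project's AsyncMailSender or AsyncConfig: the package name, the `recipient` parameter, the masking rule and the pool sizes are assumptions; only the `mailTaskExecutor` bean name and the use of JavaMailSender come from the page. The two classes are shown in one listing for brevity and would live in separate files.

```java
// Added example, not the project's code. Assumes Spring Boot 3 with
// spring-boot-starter-mail (a JavaMailSender bean) and a MimeMessage that the
// caller has already built.
package com.example.auth.mail;

import jakarta.mail.internet.MimeMessage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.aop.interceptor.AsyncUncaughtExceptionHandler;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mail.MailException;
import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.scheduling.annotation.Async;
import org.springframework.scheduling.annotation.AsyncConfigurer;
import org.springframework.scheduling.annotation.EnableAsync;
import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
import org.springframework.stereotype.Component;

@Component
public class AsyncMailSender {

    private static final Logger log = LoggerFactory.getLogger(AsyncMailSender.class);

    private final JavaMailSender javaMailSender;

    public AsyncMailSender(JavaMailSender javaMailSender) {
        this.javaMailSender = javaMailSender;
    }

    // Runs on the "mailTaskExecutor" pool. @Async only applies when the call
    // crosses the Spring proxy, i.e. comes from another bean, never from a method
    // inside this class. By the time this runs the HTTP request has already been
    // answered, so a failure here can only be surfaced through logs or metrics
    // (or a retry), never as a non-200 response.
    @Async("mailTaskExecutor")
    public void send(String recipient, MimeMessage message) {
        try {
            javaMailSender.send(message);
        } catch (MailException e) {
            // Masked address instead of raw PII, and the exception object as the last
            // argument so SLF4J records the full stack trace, not just getMessage().
            log.error("Mail delivery failed to {}", maskEmail(recipient), e);
        }
    }

    /** "alice@example.com" -> "a***@example.com"; anything unparseable -> "***". */
    static String maskEmail(String email) {
        if (email == null) return "***";
        int at = email.indexOf('@');
        if (at < 1) return "***";
        return email.charAt(0) + "***" + email.substring(at);
    }
}

@Configuration
@EnableAsync
class AsyncConfig implements AsyncConfigurer {

    private static final Logger log = LoggerFactory.getLogger(AsyncConfig.class);

    // Bounded pool (sizes are illustrative) so a slow or unreachable SMTP server
    // cannot pile up unbounded threads or memory behind the verification endpoint.
    // Spring calls afterPropertiesSet() on the returned bean, which initializes it.
    @Bean(name = "mailTaskExecutor")
    public ThreadPoolTaskExecutor mailTaskExecutor() {
        ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
        executor.setCorePoolSize(2);
        executor.setMaxPoolSize(4);
        executor.setQueueCapacity(100);
        executor.setThreadNamePrefix("mail-");
        return executor;
    }

    // Safety net for anything that escapes a void @Async method (e.g. a RuntimeException
    // that is not a MailException): it is logged with its stack trace instead of
    // disappearing on the worker thread.
    @Override
    public AsyncUncaughtExceptionHandler getAsyncUncaughtExceptionHandler() {
        return (ex, method, params) -> log.error("Async {} failed", method.getName(), ex);
    }
}
```

If the caller ever needs to know whether delivery succeeded, change `send` to return `CompletableFuture<Void>` and complete it exceptionally in the catch block; the uncaught-exception handler only sees exceptions from void-returning `@Async` methods.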
