
[feat] Add composer creation API #94

Merged: k3vin7 merged 1 commit into main from feat/createComposer on Mar 3, 2026

Conversation

@k3vin7 (Contributor) commented Mar 3, 2026

Summary

  • Added the POST /composers endpoint (201 Created)
  • Created ComposerCreateDto.kt (koreanName, englishName, gender required)
  • Added the missing bio field to the Composer builder
  • SecurityConfig: restricted the /composers permitAll to GET, so POST requires authentication

Test plan

  • Log in as admin in Swagger and call POST /composers → 201
  • Call POST /composers unauthenticated → 401
  • Call POST /composers as a non-admin user → 403
  • Confirm the created composer via GET /composers
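The SecurityConfig change listed in the summary (permitAll scoped to GET, POST gated), as an added example written for this page rather than the project's own SecurityConfig. It assumes Spring Boot 3 / Spring Security 6 and stateless bearer-token authentication; the package name is taken from the PR's file path, and the role name ADMIN and the sub-path pattern are assumptions.

```java
// Added example, not the project's SecurityConfig. Assumes Spring Security 6 with
// stateless token authentication; package, role name and sub-paths are assumptions.
package com.daramg.server.auth.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables @PreAuthorize on controller and service methods
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Assumption: bearer tokens, no server-side session, so CSRF tokens add nothing.
            // Keep CSRF enabled if the API is called with session cookies.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // WEAK (what the PR replaces): .requestMatchers("/composers").permitAll()
                // matches every HTTP method, so an anonymous POST /composers is accepted.

                // HARDENED: permitAll is scoped to GET only.
                .requestMatchers(HttpMethod.GET, "/composers", "/composers/*").permitAll()
                // Writes require the admin role (granted authority "ROLE_ADMIN").
                .requestMatchers(HttpMethod.POST, "/composers").hasRole("ADMIN")
                // Everything not listed above needs authentication: deny-by-default posture.
                .anyRequest().authenticated()
            )
            // If no login mechanism (httpBasic, formLogin, oauth2ResourceServer) registers an
            // entry point, Spring Security answers unauthenticated requests with 403, not 401.
            // The "unauthenticated POST -> 401" case in the test plan depends on this line.
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        return http.build();
    }
}
```

With this chain the three negative cases in the test plan fall out of the framework: an anonymous POST hits the entry point and gets 401, an authenticated caller without ROLE_ADMIN gets 403 from the default AccessDeniedHandler, and GET stays public. The matcher order matters: the GET rule must be listed before any broader rule for the same path, because the first matching rule wins.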

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This PR introduces the composer creation feature. It adds a new POST /composers API endpoint, defines a ComposerCreateDto that carries composer data, and extends the Composer domain model with a bio field. It also updates the security configuration so that only authenticated users can reach the new creation API, preserving the integrity of the system.

Highlights

  • New API endpoint: a POST /composers endpoint was added so that new composers can be created.
  • Composer creation DTO: ComposerCreateDto.kt was created, with koreanName, englishName, and gender designated as required fields.
  • Composer domain model extension: a bio field was added to the Composer builder so that composer data can include a biography.
  • Security hardening: in SecurityConfig the permitAll setting for the /composers endpoint was restricted to GET requests, so POST requests now require authentication.


Changelog
  • src/main/java/com/daramg/server/auth/config/SecurityConfig.java
    • Access to the /composers path is now permitAll for the GET method only; the POST method requires authentication.
  • src/main/java/com/daramg/server/composer/application/ComposerService.java
    • Injected ComposerRepository and added a createComposer method that takes a ComposerCreateDto and creates a new composer. The method includes a permission check so that only the administrator (ID 1L) can call it.
  • src/main/java/com/daramg/server/composer/domain/Composer.java
    • Added a bio field to the Composer class's builder so that biography information can be included when a composer is created.
  • src/main/java/com/daramg/server/composer/dto/ComposerCreateDto.kt
    • Defined ComposerCreateDto, the data transfer object (DTO) for composer creation requests. It includes koreanName, englishName, and gender as required fields.
  • src/main/java/com/daramg/server/composer/presentation/ComposerController.java
    • Added the POST /composers endpoint, which handles composer creation requests via ComposerCreateDto and returns an HttpStatus.CREATED response.
Activity
  • There has been no further comment or review activity on this PR so far.

@gemini-code-assist (bot) left a comment


Code Review

This Pull Request successfully adds a composer creation API, applying validation via ComposerCreateDto, adding a bio field to the Composer entity, and restricting access to the /composers endpoint in SecurityConfig. However, there are significant security concerns regarding authorization, specifically the use of a hardcoded user ID for administrative checks and insecure binding of the User object, which could lead to privilege escalation and authentication bypass. The current admin permission check logic needs improvement to address these vulnerabilities.

Comment on lines +28 to +30
if (user.getId() != 1L) {
throw new BusinessException(CommonErrorStatus.FORBIDDEN);
}
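Review bot: the check on lines +28 to +30 dereferences `user` without a null guard, so a request that reaches the service without an authenticated principal fails with a NullPointerException rather than the 401 the test plan lists; either document that the SecurityConfig change is what rejects unauthenticated POSTs before this point, or check `user == null` first and raise the authentication error explicitly. Tying the admin decision to the row id `1L` also means any re-seeding or migration of the users table silently changes who is an administrator; the role should be data on the user, not its insertion order.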


Severity: security-high

The createComposer method uses a hardcoded user ID (user.getId() != 1L) for administrative checks, which is a critical security vulnerability. This brittle approach allows for easy privilege escalation, as the first registered user (ID 1) would gain admin privileges, potentially enabling an attacker to bypass authorization. It is highly recommended to implement a robust Role-Based Access Control (RBAC) system, such as adding an isAdmin() method to the User entity or utilizing Spring Security's @PreAuthorize annotation, instead of relying on hardcoded user IDs.

Suggested change
if (user.getId() != 1L) {
throw new BusinessException(CommonErrorStatus.FORBIDDEN);
}
if (!user.isAdmin()) {
throw new BusinessException(CommonErrorStatus.FORBIDDEN);
}


@PostMapping
@ResponseStatus(HttpStatus.CREATED)
public void createComposer(@Valid @RequestBody ComposerCreateDto dto, User user) {
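Review bot: the handler returns `void` under `@ResponseStatus(HttpStatus.CREATED)`, so the 201 response carries neither a body nor a `Location` header identifying the new composer; the test plan confirms creation by listing GET /composers, which an API client should not have to do. Consider returning the created id, or `ResponseEntity.created(...)` with a Location header, so the created resource is addressable from the response.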


Severity: security-high

The createComposer method accepts a User object as a parameter without the @AuthenticationPrincipal annotation. In Spring MVC, if a POJO parameter is not annotated, the framework may attempt to bind request parameters (query strings, form data) to the object's properties. An attacker could potentially exploit this by providing an id parameter in the request (e.g., POST /composers?id=1) to impersonate the administrator or other users, bypassing the intended security checks in the service layer.

Recommendation: Use the @AuthenticationPrincipal annotation to ensure that the User object is resolved exclusively from the authenticated security context.

Suggested change
public void createComposer(@Valid @RequestBody ComposerCreateDto dto, User user) {
public void createComposer(@Valid @RequestBody ComposerCreateDto dto, @AuthenticationPrincipal User user) {
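The two fixes the review asks for, applied together, as an added example that is not the project's code: the caller is resolved from the security context with @AuthenticationPrincipal, and the `id == 1L` test becomes a role check that the service repeats as defense in depth. Package names follow the PR's file paths; the shapes of User, Role, Composer, ComposerCreateDto and ComposerRepository are assumptions (the project's DTO is Kotlin and its Composer uses a builder), and the example throws Spring's AccessDeniedException where the project throws BusinessException(CommonErrorStatus.FORBIDDEN).

```java
// Added example, not the project's code. User/Role/Composer/DTO/repository shapes are assumed.
package com.daramg.server.composer.presentation;

import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import java.net.URI;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

enum Role { USER, ADMIN }

/** Assumed application user. The role is explicit data, not an accident of insertion order. */
class User {
    private final Long id;
    private final Role role;
    User(Long id, Role role) { this.id = id; this.role = role; }
    Long getId() { return id; }
    boolean isAdmin() { return role == Role.ADMIN; }
}

record Composer(Long id, String koreanName, String englishName, String gender, String bio) {}

record ComposerCreateDto(@NotBlank String koreanName, @NotBlank String englishName,
                         @NotBlank String gender, String bio) {}

/** Assumed; in the project this would be a Spring Data repository returning the saved entity. */
interface ComposerRepository {
    Composer save(Composer composer);
}

@Service
class ComposerService {
    private final ComposerRepository composerRepository;
    ComposerService(ComposerRepository composerRepository) { this.composerRepository = composerRepository; }

    /** Defense in depth: the URL matcher and @PreAuthorize already gate this, but the
     *  service re-checks so a misrouted or newly added endpoint cannot reach the write. */
    Long createComposer(ComposerCreateDto dto, User caller) {
        if (caller == null) {
            // "No principal" is an authentication failure (401 path), not a 403 or an NPE.
            throw new AuthenticationCredentialsNotFoundException("no authenticated user");
        }
        if (!caller.isAdmin()) {
            // Replaces `caller.getId() != 1L`; ExceptionTranslationFilter maps this to 403.
            throw new AccessDeniedException("admin role required");
        }
        Composer saved = composerRepository.save(
            new Composer(null, dto.koreanName(), dto.englishName(), dto.gender(), dto.bio()));
        return saved.id();
    }
}

@RestController
@RequestMapping("/composers")
public class ComposerController {
    private final ComposerService composerService;
    public ComposerController(ComposerService composerService) { this.composerService = composerService; }

    @PostMapping
    @PreAuthorize("hasRole('ADMIN')") // method-level gate, independent of the URL matcher
    public ResponseEntity<Void> createComposer(@Valid @RequestBody ComposerCreateDto dto,
                                               // Resolved from the SecurityContext only, never from
                                               // ?id=1 or the JSON body. Requires the project's auth
                                               // filter to store this User as the Authentication principal.
                                               @AuthenticationPrincipal User caller) {
        Long id = composerService.createComposer(dto, caller);
        return ResponseEntity.created(URI.create("/composers/" + id)).build(); // 201 + Location
    }
}
```

One check worth running before merging a change like this: @AuthenticationPrincipal yields null when the object stored as the Authentication's principal is not the domain User (for example when the token filter stores a username string or Spring's own UserDetails implementation). In that case the service's null guard fires for every caller, including the admin, which is the safe failure mode but will show up as the 201 test case failing rather than the 401 case.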

@k3vin7 k3vin7 merged commit db4104f into main Mar 3, 2026
1 check passed
@k3vin7 k3vin7 deleted the feat/createComposer branch March 3, 2026 10:10