야, 보안 강화하고 에러 페이지 제대로 만들었어

kenu · kenu · commit 2882b69c1ec7 · 2026-02-01T00:58:29.000+09:00
add-channel이랑 remove-channel에 본인 확인 로직 추가했고, 남의 계정 건드리면 403 띄우면서 자기 페이지로 튕겨버린다. 그리고 에러 페이지는 완전 맨땅이었는데 제대로 된 HTML 구조로 다시 짰어. favicon, 스타일시트 다 넣고, production 환경에선 stack trace 안 보이게 처리했다.
diff --git a/web/routes/index.js b/web/routes/index.js
@@ -242,6 +242,13 @@ router.get('/@:username/manage', connectEnsureLogin.ensureLoggedIn(), async (req
 });
 
 router.post('/@:username/add-channel', connectEnsureLogin.ensureLoggedIn(), async (req, res) => {
+  const { username } = req.params;
+  
+  // 본인만 채널 추가 가능
+  if (req.user.username !== username) {
+    return res.status(403).redirect(`/@${req.user.username}/manage`);
+  }
+  
   let { channelUrl } = req.body;
   
   // URL 디코딩 (한글 등 인코딩된 문자 처리)
@@ -333,8 +340,15 @@ router.post('/@:username/add-channel', connectEnsureLogin.ensureLoggedIn(), asyn
 });
 
 router.post('/@:username/remove-channel', connectEnsureLogin.ensureLoggedIn(), async (req, res) => {
+  const { username } = req.params;
   const { channelId } = req.body;
   const user = req.user;
+  
+  // 본인만 삭제 가능
+  if (user.username !== username) {
+    return res.status(403).redirect(`/@${user.username}/manage`);
+  }
+  
   await dao.removeChannelFromAccount(user.accountId, channelId);
   res.redirect(`/@${req.user.username}/manage`);
 });
diff --git a/web/views/error.ejs b/web/views/error.ejs
@@ -1,3 +1,26 @@
-<h1><%= message %></h1>
-<h2><%= error.status %></h2>
-<pre><%= error.stack %></pre>
+<!DOCTYPE html>
+<html lang="ko">
+  <head>
+    <title>Error - <%= error.status %></title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="apple-touch-icon" sizes="180x180" href="/favicon/apple-touch-icon.png">
+    <link rel="icon" type="image/png" sizes="32x32" href="/favicon/favicon-32x32.png">
+    <link rel="icon" type="image/png" sizes="16x16" href="/favicon/favicon-16x16.png">
+    <link rel="manifest" href="/favicon/site.webmanifest">
+    <link rel='stylesheet' href='/css/style.css' />
+  </head>
+  <body>
+    <section id="title">
+      <h1 class="title">
+        <a href="/">Error - <%= error.status %></a>
+      </h1>
+    </section>
+    <div style="padding: 2rem; text-align: center;">
+      <p><%= message %></p>
+      <% if (process.env.NODE_ENV !== 'production') { %>
+        <pre style="text-align: left; background: #f5f5f5; padding: 1rem; overflow: auto; max-width: 800px; margin: 1rem auto;"><%= error.stack %></pre>
+      <% } %>
+      <p><a href="/">홈으로 돌아가기</a></p>
+    </div>
+  </body>
+</html>
