feat: 코드 리뷰 기반 전면 개선 — 보안, 검증, 테스트, 안정성

- 체인 nonce 경쟁 조건 수정 (operatorMu + per-user mutex)
- 등록/SSAFY 원자적 트랜잭션 (wallet+profile 롤백 보장)
- IdempotencyRequired 미들웨어 (SETNX 원자적 클레임)
- 런치 티켓 API (JWT URL 노출 방지)
- HttpOnly 쿠키 refresh token
- SSAFY OAuth state 파라미터 (CSRF 방지)
- Refresh 시 DB 조회로 최신 role 사용
- 공지사항/유저목록 페이지네이션
- BodyLimit 미들웨어 (1MB, upload 제외)
- 입력 검증 강화 (닉네임, 게임데이터, 공지 길이)
- 에러 메시지 내부 정보 노출 방지
- io.LimitReader (RPC 10MB, SSAFY 1MB)
- RequestID 비출력 문자 제거
- 단위 테스트 (auth 11, announcement 9, bossraid 16)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pkg/config/config.go

@@ -103,6 +103,8 @@ func WarnInsecureDefaults() {
 	}
 }
 
+// getEnv returns the environment variable value, or fallback if unset or empty.
+// Note: explicitly setting a variable to "" is treated as unset.
 func getEnv(key, fallback string) string {
 	if v := os.Getenv(key); v != "" {
 		return v

pkg/database/mysql.go

@@ -9,6 +9,8 @@ import (
 	"gorm.io/gorm"
 )
 
+// TODO: Consider injecting DB as a dependency instead of using a package-level global
+// to improve testability. Currently, middleware directly accesses this global.
 var DB *gorm.DB
 
 func ConnectMySQL() error {

pkg/database/redis.go

@@ -7,6 +7,8 @@ import (
 	"github.com/redis/go-redis/v9"
 )
 
+// TODO: Consider injecting RDB as a dependency instead of using a package-level global
+// to improve testability. Currently, middleware directly accesses this global.
 var RDB *redis.Client
 
 func ConnectRedis() error {

pkg/middleware/bodylimit.go

@@ -0,0 +1,28 @@
+package middleware
+
+import (
+	"strings"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+// BodyLimit rejects requests whose Content-Length header exceeds maxBytes.
+// NOTE: Only checks Content-Length header. Chunked requests without Content-Length
+// bypass this check. Fiber's global BodyLimit provides the final safety net.
+// Paths matching any of the excludePrefixes are skipped (e.g. upload endpoints
+// that legitimately need the global 4GB limit).
+func BodyLimit(maxBytes int, excludePrefixes ...string) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		for _, prefix := range excludePrefixes {
+			if strings.HasPrefix(c.Path(), prefix) {
+				return c.Next()
+			}
+		}
+		if c.Request().Header.ContentLength() > maxBytes {
+			return c.Status(fiber.StatusRequestEntityTooLarge).JSON(fiber.Map{
+				"error": "요청이 너무 큽니다",
+			})
+		}
+		return c.Next()
+	}
+}

pkg/middleware/idempotency.go

@@ -19,6 +19,17 @@ type cachedResponse struct {
 	Body       json.RawMessage `json:"b"`
 }
 
+// IdempotencyRequired rejects requests without an Idempotency-Key header,
+// then delegates to Idempotency for cache/replay logic.
+func IdempotencyRequired(c *fiber.Ctx) error {
+	if c.Get("Idempotency-Key") == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
+			"error": "Idempotency-Key 헤더가 필요합니다",
+		})
+	}
+	return Idempotency(c)
+}
+
 // Idempotency checks the Idempotency-Key header to prevent duplicate transactions.
 // If the same key is seen again within the TTL, the cached response is returned.
 func Idempotency(c *fiber.Ctx) error {
@@ -40,23 +51,45 @@ func Idempotency(c *fiber.Ctx) error {
 	ctx, cancel := context.WithTimeout(context.Background(), redisTimeout)
 	defer cancel()
 
-	// Check if this key was already processed
-	cached, err := database.RDB.Get(ctx, redisKey).Bytes()
-	if err == nil && len(cached) > 0 {
+	// Atomically claim the key using SET NX (only succeeds if key doesn't exist)
+	set, err := database.RDB.SetNX(ctx, redisKey, "processing", idempotencyTTL).Result()
+	if err != nil {
+		// Redis error — let the request through rather than blocking
+		log.Printf("WARNING: idempotency SetNX failed (key=%s): %v", key, err)
+		return c.Next()
+	}
+
+	if !set {
+		// Key already exists — either processing or completed
+		getCtx, getCancel := context.WithTimeout(context.Background(), redisTimeout)
+		defer getCancel()
+
+		cached, err := database.RDB.Get(getCtx, redisKey).Bytes()
+		if err != nil {
+			return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "요청이 처리 중입니다"})
+		}
+		if string(cached) == "processing" {
+			return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "요청이 처리 중입니다"})
+		}
 		var cr cachedResponse
 		if json.Unmarshal(cached, &cr) == nil {
 			c.Set("Content-Type", "application/json")
 			c.Set("X-Idempotent-Replay", "true")
 			return c.Status(cr.StatusCode).Send(cr.Body)
 		}
+		return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "요청이 처리 중입니다"})
 	}
 
-	// Process the request
+	// We claimed the key — process the request
 	if err := c.Next(); err != nil {
+		// Processing failed — remove the key so it can be retried
+		delCtx, delCancel := context.WithTimeout(context.Background(), redisTimeout)
+		defer delCancel()
+		database.RDB.Del(delCtx, redisKey)
 		return err
 	}
 
-	// Cache successful responses (2xx)
+	// Cache successful responses (2xx), otherwise remove the key for retry
 	status := c.Response().StatusCode()
 	if status >= 200 && status < 300 {
 		cr := cachedResponse{StatusCode: status, Body: c.Response().Body()}
@@ -67,6 +100,11 @@ func Idempotency(c *fiber.Ctx) error {
 				log.Printf("WARNING: idempotency cache write failed (key=%s): %v", key, err)
 			}
 		}
+	} else {
+		// Non-success — allow retry by removing the key
+		delCtx, delCancel := context.WithTimeout(context.Background(), redisTimeout)
+		defer delCancel()
+		database.RDB.Del(delCtx, redisKey)
 	}
 
 	return nil

pkg/middleware/requestid.go

@@ -1,6 +1,8 @@
 package middleware
 
 import (
+	"strings"
+
 	"github.com/gofiber/fiber/v2"
 	"github.com/google/uuid"
 )
@@ -11,6 +13,17 @@ func RequestID(c *fiber.Ctx) error {
 	if id == "" {
 		id = uuid.NewString()
 	}
+	// Truncate client-provided request IDs to prevent abuse
+	if len(id) > 64 {
+		id = id[:64]
+	}
+	// Strip non-printable characters to prevent log injection
+	id = strings.Map(func(r rune) rune {
+		if r < 32 || r == 127 {
+			return -1
+		}
+		return r
+	}, id)
 	c.Locals("requestID", id)
 	c.Set("X-Request-ID", id)
 	return c.Next()