Merge pull request '콘텐츠 관리자 권한 추가' (#423) from test into main

Reviewed-on: #423
2026-05-07 06:35:15 +00:00
parent 965bb068fc 85621cd107
commit 81c0d2586c
15 changed files with 591 additions and 4 deletions
--- a/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md
+++ b/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md
@@ -0,0 +1,46 @@
+# 콘텐츠 관리자 권한 및 관리자 로그인 API 추가
+
+## 작업 항목
+- [x] `MemberRole`에 콘텐츠 관리자 권한을 추가한다.
+- [x] 관리자 로그인 API 테스트를 먼저 추가하고 RED를 확인한다.
+- [x] 관리자와 콘텐츠 관리자만 로그인 가능한 관리자 전용 로그인 API를 구현한다.
+- [x] 응답을 `token`, `role`만 포함하도록 구현한다.
+- [x] focused test, 관련 테스트, 스타일 검사를 실행하고 결과를 기록한다.
+- [x] 콘텐츠 관리자가 `GET /menu`를 호출할 수 있도록 메뉴 조회 권한을 확장한다.
+- [x] 콘텐츠 관리자가 관리자 콘텐츠 목록/조회 보조 API를 호출할 수 있도록 읽기 권한만 확장한다.
+- [x] 콘텐츠 관리자가 관리자 콘텐츠 수정 API를 호출할 수 없도록 수정 권한은 관리자 전용으로 유지한다.
+- [x] focused security test, 관련 테스트, 스타일 검사를 실행하고 결과를 기록한다.
+
+## 설계
+- 새 권한은 기존 `MemberRole` enum에 `CONTENT_MANAGER`로 추가한다.
+- 새 API는 관리자 도메인의 `/admin/member/login`으로 추가하고 인증 없이 호출 가능하도록 보안 설정에 permitAll을 추가한다.
+- 서비스는 기존 이메일/비밀번호 인증 흐름과 JWT 생성 방식을 재사용하되, `ADMIN`, `CONTENT_MANAGER` 외 역할은 `common.error.bad_credentials` 예외로 거부한다.
+- 응답 DTO는 관리자 로그인 전용으로 분리해 `token`, `role`만 노출한다.
+
+## 후속 설계: 콘텐츠 관리자 메뉴 및 콘텐츠 읽기 권한
+- `CONTENT_MANAGER`는 이미 관리자 로그인 API로 토큰을 받을 수 있으므로 새 역할이나 새 권한 타입을 추가하지 않는다.
+- 메뉴 조회는 기존 `GET /menu`와 `MenuRepository.getMenu(member.role)` 구조를 그대로 사용한다. 컨트롤러의 `@PreAuthorize`에 `CONTENT_MANAGER`만 추가해 콘텐츠 관리자가 자신의 역할에 매핑된 메뉴를 받을 수 있게 한다.
+- `/content/list`는 서버 코드 상수가 아니라 `Menu.route` DB 값으로 내려가는 구조이므로, 서버에서는 별도 라우트 상수를 추가하지 않는다. 실제 메뉴 노출은 `roles = CONTENT_MANAGER`, `route = /content/list`, `isActive = true` 데이터가 존재할 때 가능하다.
+- 관리자 콘텐츠 API는 기존 `hasRole('ADMIN')` 클래스 권한을 메서드 단위로 분리한다. `GET /admin/audio-content/list`, `GET /admin/audio-content/search`, `GET /admin/audio-content/main/tab`은 `ADMIN`과 `CONTENT_MANAGER`를 허용하고, `PUT /admin/audio-content`는 `ADMIN`만 허용한다.
+- 콘텐츠 재생은 기존 사용자 콘텐츠 API의 `GET /audio-content/{id}/generate-url` 흐름을 변경하지 않는다. 이 API는 로그인 사용자와 구매/접근 조건으로 재생 URL을 제어하므로 콘텐츠 관리자 전용 우회 권한은 추가하지 않는다.
+
+## 구현 계획
+- [x] `MenuController` 보안 테스트를 추가해 `CONTENT_MANAGER`가 `GET /menu`에 접근 가능하고 일반 사용자는 거부되는지 확인한다.
+- [x] `AdminContentController` 보안 테스트를 추가해 `CONTENT_MANAGER`는 목록/검색/메인탭 조회가 가능하고 수정은 거부되는지 확인한다.
+- [x] 테스트가 실패하는 것을 확인한다.
+- [x] `MenuController`의 `@PreAuthorize`에 `CONTENT_MANAGER`를 추가한다.
+- [x] `AdminContentController`의 클래스 단위 `@PreAuthorize`를 제거하고 각 메서드에 읽기/수정 권한을 분리한다.
+- [x] focused test, 관련 test, ktlint를 실행해 검증한다.
+
+## 검증 기록
+- 2026-05-07: RED 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest'` 실행 시 `AdminMemberLoginService`, `AdminMemberLoginController`, `AdminMemberLoginResponse`, `CONTENT_MANAGER`, `findByEmail` 미구현으로 `compileTestKotlin`이 실패함을 확인했다.
+- 2026-05-07: GREEN 확인: 동일 focused test가 `BUILD SUCCESSFUL`로 통과해 관리자/콘텐츠 관리자 로그인 허용 및 일반 사용자 거부를 확인했다.
+- 2026-05-07: API 응답 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest.shouldReturnTokenAndRoleJson'`가 `BUILD SUCCESSFUL`로 통과해 `POST /admin/member/login` JSON 응답의 `data.token`, `data.role`을 확인했다.
+- 2026-05-07: 회귀 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.*'`가 `BUILD SUCCESSFUL`로 통과했다.
+- 2026-05-07: 스타일 확인: `./gradlew ktlintCheck`가 `BUILD SUCCESSFUL`로 통과했다.
+- 2026-05-07: Kotlin LSP는 현재 환경에 `.kt` 서버가 설정되어 있지 않아 `lsp_diagnostics` 실행이 불가했다. 대신 Gradle 컴파일 포함 focused/관련 test와 ktlint로 검증했다.
+- 2026-05-07: RED 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.menu.MenuControllerSecurityTest' --tests 'kr.co.vividnext.sodalive.admin.content.AdminContentControllerSecurityTest'` 실행 시 `CONTENT_MANAGER`의 `GET /menu`, `GET /admin/audio-content/list`, `GET /admin/audio-content/search`, `GET /admin/audio-content/main/tab` 허용 기대 테스트 4건이 실패함을 확인했다.
+- 2026-05-07: GREEN 확인: 동일 focused security test가 `BUILD SUCCESSFUL`로 통과해 콘텐츠 관리자 메뉴 조회, 관리자 콘텐츠 목록/검색/메인탭 조회 허용과 관리자 콘텐츠 수정 거부를 확인했다.
+- 2026-05-07: 관련 테스트 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.content.AdminContentServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest'`가 `BUILD SUCCESSFUL`로 통과했다.
+- 2026-05-07: 스타일 확인: `./gradlew ktlintCheck`가 `BUILD SUCCESSFUL`로 통과했다.
+- 2026-05-07: Kotlin LSP는 현재 환경에 `.kt` 서버가 설정되어 있지 않아 `lsp_diagnostics` 실행이 불가했다. 대신 Gradle 컴파일 포함 focused/관련 test와 ktlint로 검증했다.
--- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt
@@ -13,10 +13,10 @@ import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.multipart.MultipartFile

@RestController
-@PreAuthorize("hasRole('ADMIN')")
@RequestMapping("/admin/audio-content")
 class AdminContentController(private val service: AdminContentService) {
    @GetMapping("/list")
+    @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')")
    fun getAudioContentList(
        @RequestParam(value = "status", required = false) status: ContentReleaseStatus?,
        pageable: Pageable
@@ -28,6 +28,7 @@ class AdminContentController(private val service: AdminContentService) {
    )

    @GetMapping("/search")
+    @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')")
    fun searchAudioContent(
        @RequestParam(value = "status", required = false) status: ContentReleaseStatus?,
        @RequestParam(value = "search_word") searchWord: String,
@@ -41,12 +42,14 @@ class AdminContentController(private val service: AdminContentService) {
    )

    @PutMapping(consumes = [MediaType.MULTIPART_FORM_DATA_VALUE])
+    @PreAuthorize("hasRole('ADMIN')")
    fun modifyAudioContent(
        @RequestPart("request") requestString: String,
        @RequestPart("coverImage", required = false) coverImage: MultipartFile? = null
    ) = ApiResponse.ok(service.updateAudioContent(coverImage, requestString))

    @GetMapping("/main/tab")
+    @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')")
    fun getContentMainTabList() = ApiResponse.ok(service.getContentMainTabList())
 }

--- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginController.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginController.kt
@@ -0,0 +1,15 @@
+package kr.co.vividnext.sodalive.admin.member
+
+import kr.co.vividnext.sodalive.common.ApiResponse
+import kr.co.vividnext.sodalive.member.login.LoginRequest
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RequestBody
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RestController
+
+@RestController
+@RequestMapping("/admin/member")
+class AdminMemberLoginController(private val service: AdminMemberLoginService) {
+    @PostMapping("/login")
+    fun login(@RequestBody request: LoginRequest) = ApiResponse.ok(service.login(request))
+}
--- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginResponse.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginResponse.kt
@@ -0,0 +1,8 @@
+package kr.co.vividnext.sodalive.admin.member
+
+import kr.co.vividnext.sodalive.member.MemberRole
+
+data class AdminMemberLoginResponse(
+    val token: String,
+    val role: MemberRole
+)
--- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginService.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginService.kt
@@ -0,0 +1,39 @@
+package kr.co.vividnext.sodalive.admin.member
+
+import kr.co.vividnext.sodalive.common.SodaException
+import kr.co.vividnext.sodalive.jwt.TokenProvider
+import kr.co.vividnext.sodalive.member.MemberAdapter
+import kr.co.vividnext.sodalive.member.MemberRole
+import kr.co.vividnext.sodalive.member.login.LoginRequest
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
+import org.springframework.security.crypto.password.PasswordEncoder
+import org.springframework.stereotype.Service
+
+@Service
+class AdminMemberLoginService(
+    private val repository: AdminMemberRepository,
+    private val passwordEncoder: PasswordEncoder,
+    private val tokenProvider: TokenProvider
+) {
+    fun login(request: LoginRequest): AdminMemberLoginResponse {
+        val member = repository.findByEmail(request.email)
+            ?: throw SodaException(messageKey = "common.error.bad_credentials")
+
+        if (member.role != MemberRole.ADMIN && member.role != MemberRole.CONTENT_MANAGER) {
+            throw SodaException(messageKey = "common.error.bad_credentials")
+        }
+
+        if (!member.isActive || !passwordEncoder.matches(request.password, member.password)) {
+            throw SodaException(messageKey = "common.error.bad_credentials")
+        }
+
+        val authentication = UsernamePasswordAuthenticationToken(
+            MemberAdapter(member),
+            null,
+            MemberAdapter(member).authorities
+        )
+        val token = tokenProvider.createToken(authentication = authentication, memberId = member.id!!)
+
+        return AdminMemberLoginResponse(token = token, role = member.role)
+    }
+}
--- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberRepository.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberRepository.kt
@@ -6,7 +6,9 @@ import kr.co.vividnext.sodalive.member.MemberRole
 import kr.co.vividnext.sodalive.member.QMember.member
 import org.springframework.data.jpa.repository.JpaRepository

-interface AdminMemberRepository : JpaRepository<Member, Long>, AdminMemberQueryRepository
+interface AdminMemberRepository : JpaRepository<Member, Long>, AdminMemberQueryRepository {
+    fun findByEmail(email: String?): Member?
+}

 interface AdminMemberQueryRepository {
    fun getMemberTotalCount(role: MemberRole? = null): Int
--- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberService.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberService.kt
@@ -101,6 +101,10 @@ class AdminMemberService(
                    MemberRole.CREATOR -> messageSource.getMessage("admin.member.role.creator", langContext.lang).orEmpty()
                    MemberRole.AGENT -> messageSource.getMessage("admin.member.role.agent", langContext.lang).orEmpty()
                    MemberRole.BOT -> messageSource.getMessage("admin.member.role.bot", langContext.lang).orEmpty()
+                    MemberRole.CONTENT_MANAGER ->
+                        messageSource
+                            .getMessage("admin.member.role.content_manager", langContext.lang)
+                            .orEmpty()
                }

                val loginType = when (it.provider) {
--- a/src/main/kotlin/kr/co/vividnext/sodalive/configs/SecurityConfig.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/configs/SecurityConfig.kt
@@ -74,6 +74,7 @@ class SecurityConfig(
            .antMatchers("/member/login/kakao").permitAll()
            .antMatchers("/member/login/apple").permitAll()
            .antMatchers("/member/login/line").permitAll()
+            .antMatchers("/admin/member/login").permitAll()
            .antMatchers("/creator-admin/member/login").permitAll()
            .antMatchers("/member/forgot-password").permitAll()
            .antMatchers("/stplat/terms_of_service").permitAll()
--- a/src/main/kotlin/kr/co/vividnext/sodalive/i18n/SodaMessageSource.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/i18n/SodaMessageSource.kt
@@ -1044,6 +1044,11 @@ class SodaMessageSource {
            Lang.KO to "봇",
            Lang.EN to "Bot",
            Lang.JA to "ボット"
+        ),
+        "admin.member.role.content_manager" to mapOf(
+            Lang.KO to "콘텐츠 관리자",
+            Lang.EN to "Content Manager",
+            Lang.JA to "コンテンツ管理者"
        )
    )

--- a/src/main/kotlin/kr/co/vividnext/sodalive/member/Member.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/member/Member.kt
@@ -177,7 +177,7 @@ enum class Gender {
 }

 enum class MemberRole {
-    ADMIN, BOT, USER, CREATOR, AGENT
+    ADMIN, BOT, USER, CREATOR, AGENT, CONTENT_MANAGER
 }

 enum class MemberProvider {
--- a/src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt
+++ b/src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt
@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RestController
@RequestMapping("/menu")
 class MenuController(private val service: MenuService) {
    @GetMapping
-    @PreAuthorize("hasAnyRole('AGENT', 'ADMIN', 'CREATOR')")
+    @PreAuthorize("hasAnyRole('AGENT', 'ADMIN', 'CREATOR', 'CONTENT_MANAGER')")
    fun getMenus(
        @AuthenticationPrincipal(expression = "#this == 'anonymousUser' ? null : member") member: Member?
    ) = run {
--- a/src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt
+++ b/src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt
@@ -0,0 +1,184 @@
+package kr.co.vividnext.sodalive.admin.content
+
+import kr.co.vividnext.sodalive.common.CountryContext
+import kr.co.vividnext.sodalive.content.main.tab.GetContentMainTabItem
+import kr.co.vividnext.sodalive.i18n.LangContext
+import kr.co.vividnext.sodalive.i18n.SodaMessageSource
+import org.junit.jupiter.api.DisplayName
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
+import org.springframework.boot.test.context.TestConfiguration
+import org.springframework.boot.test.mock.mockito.MockBean
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Import
+import org.springframework.data.domain.PageRequest
+import org.springframework.http.HttpStatus
+import org.springframework.http.MediaType
+import org.springframework.mock.web.MockMultipartFile
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user
+import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.HttpStatusEntryPoint
+import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.multipart
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
+import javax.servlet.http.HttpServletResponse
+
+@WebMvcTest(AdminContentController::class)
+@Import(AdminContentControllerSecurityTest.TestSecurityConfig::class)
+class AdminContentControllerSecurityTest @Autowired constructor(
+    private val mockMvc: MockMvc
+) {
+    @MockBean
+    private lateinit var service: AdminContentService
+
+    @MockBean
+    private lateinit var countryContext: CountryContext
+
+    @MockBean
+    private lateinit var langContext: LangContext
+
+    @MockBean
+    private lateinit var sodaMessageSource: SodaMessageSource
+
+    @TestConfiguration
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    class TestSecurityConfig {
+        @Bean
+        fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            return http
+                .csrf().disable()
+                .authorizeRequests()
+                .anyRequest().authenticated()
+                .and()
+                .exceptionHandling()
+                .authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+                .accessDeniedHandler { _, response, _ -> response.sendError(HttpServletResponse.SC_FORBIDDEN) }
+                .and()
+                .build()
+        }
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 목록 조회에 성공한다")
+    fun shouldAllowContentManagerRoleForContentList() {
+        Mockito.`when`(
+            service.getAudioContentList(
+                status = ContentReleaseStatus.OPEN,
+                pageable = PageRequest.of(0, 20)
+            )
+        ).thenReturn(GetAdminContentListResponse(totalCount = 0, items = emptyList()))
+
+        mockMvc.perform(
+            get("/admin/audio-content/list")
+                .param("page", "0")
+                .param("size", "20")
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data.totalCount").value(0))
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 검색에 성공한다")
+    fun shouldAllowContentManagerRoleForContentSearch() {
+        Mockito.`when`(
+            service.searchAudioContent(
+                status = ContentReleaseStatus.OPEN,
+                searchWord = "title",
+                pageable = PageRequest.of(0, 20)
+            )
+        ).thenReturn(GetAdminContentListResponse(totalCount = 0, items = emptyList()))
+
+        mockMvc.perform(
+            get("/admin/audio-content/search")
+                .param("search_word", "title")
+                .param("page", "0")
+                .param("size", "20")
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 메인 탭 조회에 성공한다")
+    fun shouldAllowContentManagerRoleForContentMainTab() {
+        Mockito.`when`(service.getContentMainTabList()).thenReturn(
+            listOf(GetContentMainTabItem(tabId = 1L, title = "홈"))
+        )
+
+        mockMvc.perform(
+            get("/admin/audio-content/main/tab")
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data[0].tabId").value(1L))
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 수정에 접근할 수 없다")
+    fun shouldRejectContentManagerRoleForContentUpdate() {
+        val requestPart = MockMultipartFile(
+            "request",
+            "request.json",
+            MediaType.APPLICATION_JSON_VALUE,
+            "{\"id\":1,\"isDefaultCoverImage\":false}".toByteArray()
+        )
+
+        mockMvc.perform(
+            multipart("/admin/audio-content")
+                .file(requestPart)
+                .with { request ->
+                    request.method = "PUT"
+                    request
+                }
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(false))
+    }
+
+    @Test
+    @DisplayName("관리자 권한이면 관리자 콘텐츠 수정에 접근할 수 있다")
+    fun shouldAllowAdminRoleForContentUpdate() {
+        val requestPart = MockMultipartFile(
+            "request",
+            "request.json",
+            MediaType.APPLICATION_JSON_VALUE,
+            "{\"id\":1,\"isDefaultCoverImage\":false}".toByteArray()
+        )
+
+        mockMvc.perform(
+            multipart("/admin/audio-content")
+                .file(requestPart)
+                .with { request ->
+                    request.method = "PUT"
+                    request
+                }
+                .with(user("admin").roles("ADMIN"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+    }
+
+    @Test
+    @DisplayName("익명 사용자는 관리자 콘텐츠 목록 조회에 접근할 수 없다")
+    fun shouldRejectAnonymousUserForContentList() {
+        mockMvc.perform(
+            get("/admin/audio-content/list")
+                .param("page", "0")
+                .param("size", "20")
+                .with(anonymous())
+        )
+            .andExpect(status().isUnauthorized)
+    }
+}
--- a/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginControllerTest.kt
+++ b/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginControllerTest.kt
@@ -0,0 +1,66 @@
+package kr.co.vividnext.sodalive.admin.member
+
+import kr.co.vividnext.sodalive.member.MemberRole
+import kr.co.vividnext.sodalive.member.login.LoginRequest
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.DisplayName
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito
+import org.springframework.http.MediaType
+import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
+import org.springframework.test.web.servlet.setup.MockMvcBuilders
+
+class AdminMemberLoginControllerTest {
+    private lateinit var service: AdminMemberLoginService
+    private lateinit var controller: AdminMemberLoginController
+    private lateinit var mockMvc: MockMvc
+
+    @BeforeEach
+    fun setup() {
+        service = mock()
+        controller = AdminMemberLoginController(service = service)
+        mockMvc = MockMvcBuilders.standaloneSetup(controller).build()
+    }
+
+    @Test
+    @DisplayName("POST /admin/member/login은 token과 role을 응답한다")
+    fun shouldReturnTokenAndRole() {
+        val request = LoginRequest(email = "admin@test.com", password = "password")
+        val loginResponse = AdminMemberLoginResponse(token = "admin-token", role = MemberRole.ADMIN)
+        Mockito.`when`(service.login(request)).thenReturn(loginResponse)
+
+        val response = controller.login(request)
+
+        assertTrue(response.success)
+        assertEquals("admin-token", response.data?.token)
+        assertEquals(MemberRole.ADMIN, response.data?.role)
+    }
+
+    @Test
+    @DisplayName("POST /admin/member/login은 JSON으로 token과 role을 응답한다")
+    fun shouldReturnTokenAndRoleJson() {
+        val request = LoginRequest(email = "content@test.com", password = "password")
+        Mockito.`when`(service.login(request)).thenReturn(
+            AdminMemberLoginResponse(token = "content-token", role = MemberRole.CONTENT_MANAGER)
+        )
+
+        mockMvc.perform(
+            post("/admin/member/login")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content("""{"email":"content@test.com","password":"password"}""")
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data.token").value("content-token"))
+            .andExpect(jsonPath("$.data.role").value("CONTENT_MANAGER"))
+    }
+
+    private inline fun <reified T> mock(): T {
+        return Mockito.mock(T::class.java)
+    }
+}
--- a/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginServiceTest.kt
+++ b/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginServiceTest.kt
@@ -0,0 +1,98 @@
+package kr.co.vividnext.sodalive.admin.member
+
+import kr.co.vividnext.sodalive.common.SodaException
+import kr.co.vividnext.sodalive.jwt.TokenProvider
+import kr.co.vividnext.sodalive.member.Member
+import kr.co.vividnext.sodalive.member.MemberRepository
+import kr.co.vividnext.sodalive.member.MemberRole
+import kr.co.vividnext.sodalive.member.login.LoginRequest
+import kr.co.vividnext.sodalive.member.token.MemberTokenRepository
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Assertions.assertThrows
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.DisplayName
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito
+import org.springframework.security.crypto.password.PasswordEncoder
+
+class AdminMemberLoginServiceTest {
+    private lateinit var repository: AdminMemberRepository
+    private lateinit var passwordEncoder: PasswordEncoder
+    private lateinit var tokenRepository: MemberTokenRepository
+    private lateinit var service: AdminMemberLoginService
+
+    @BeforeEach
+    fun setup() {
+        repository = mock()
+        passwordEncoder = mock()
+        tokenRepository = mock()
+        val tokenProvider = TokenProvider(
+            secret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
+            tokenValidityInSeconds = 3600,
+            repository = mock<MemberRepository>(),
+            tokenRepository = tokenRepository
+        )
+        tokenProvider.afterPropertiesSet()
+        service = AdminMemberLoginService(
+            repository = repository,
+            passwordEncoder = passwordEncoder,
+            tokenProvider = tokenProvider
+        )
+    }
+
+    @Test
+    @DisplayName("관리자는 관리자 로그인 API로 token과 role을 받는다")
+    fun shouldLoginAdmin() {
+        val member = createMember(id = 1L, role = MemberRole.ADMIN)
+        Mockito.`when`(repository.findByEmail("admin@test.com")).thenReturn(member)
+        Mockito.`when`(passwordEncoder.matches("password", "encoded-password")).thenReturn(true)
+
+        val response = service.login(LoginRequest(email = "admin@test.com", password = "password"))
+
+        assertTrue(response.token.isNotBlank())
+        assertEquals(MemberRole.ADMIN, response.role)
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자는 관리자 로그인 API로 token과 role을 받는다")
+    fun shouldLoginContentManager() {
+        val member = createMember(id = 2L, role = MemberRole.CONTENT_MANAGER)
+        Mockito.`when`(repository.findByEmail("content@test.com")).thenReturn(member)
+        Mockito.`when`(passwordEncoder.matches("password", "encoded-password")).thenReturn(true)
+
+        val response = service.login(LoginRequest(email = "content@test.com", password = "password"))
+
+        assertTrue(response.token.isNotBlank())
+        assertEquals(MemberRole.CONTENT_MANAGER, response.role)
+    }
+
+    @Test
+    @DisplayName("일반 사용자는 관리자 로그인 API를 사용할 수 없다")
+    fun shouldRejectUser() {
+        val member = createMember(id = 3L, role = MemberRole.USER)
+        Mockito.`when`(repository.findByEmail("user@test.com")).thenReturn(member)
+
+        val exception = assertThrows(SodaException::class.java) {
+            service.login(LoginRequest(email = "user@test.com", password = "password"))
+        }
+
+        assertEquals("common.error.bad_credentials", exception.messageKey)
+        Mockito.verifyNoInteractions(tokenRepository)
+    }
+
+    private fun createMember(id: Long, role: MemberRole): Member {
+        val member = Member(
+            email = "member$id@test.com",
+            password = "encoded-password",
+            nickname = "member$id",
+            role = role
+        )
+        member.id = id
+        return member
+    }
+
+    private inline fun <reified T> mock(): T {
+        return Mockito.mock(T::class.java)
+    }
+}
--- a/src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt
+++ b/src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt
@@ -0,0 +1,116 @@
+package kr.co.vividnext.sodalive.menu
+
+import kr.co.vividnext.sodalive.common.CountryContext
+import kr.co.vividnext.sodalive.i18n.LangContext
+import kr.co.vividnext.sodalive.i18n.SodaMessageSource
+import kr.co.vividnext.sodalive.member.Member
+import kr.co.vividnext.sodalive.member.MemberAdapter
+import kr.co.vividnext.sodalive.member.MemberRole
+import org.junit.jupiter.api.DisplayName
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
+import org.springframework.boot.test.context.TestConfiguration
+import org.springframework.boot.test.mock.mockito.MockBean
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Import
+import org.springframework.http.HttpStatus
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user
+import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.HttpStatusEntryPoint
+import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
+import javax.servlet.http.HttpServletResponse
+
+@WebMvcTest(MenuController::class)
+@Import(MenuControllerSecurityTest.TestSecurityConfig::class)
+class MenuControllerSecurityTest @Autowired constructor(
+    private val mockMvc: MockMvc
+) {
+    @MockBean
+    private lateinit var service: MenuService
+
+    @MockBean
+    private lateinit var countryContext: CountryContext
+
+    @MockBean
+    private lateinit var langContext: LangContext
+
+    @MockBean
+    private lateinit var sodaMessageSource: SodaMessageSource
+
+    @TestConfiguration
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    class TestSecurityConfig {
+        @Bean
+        fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            return http
+                .csrf().disable()
+                .authorizeRequests()
+                .anyRequest().authenticated()
+                .and()
+                .exceptionHandling()
+                .authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+                .accessDeniedHandler { _, response, _ -> response.sendError(HttpServletResponse.SC_FORBIDDEN) }
+                .and()
+                .build()
+        }
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 메뉴 조회에 성공한다")
+    fun shouldAllowContentManagerRole() {
+        val member = createMember(role = MemberRole.CONTENT_MANAGER)
+        Mockito.`when`(service.getMenus(member)).thenReturn(
+            listOf(GetMenuResponse(title = "콘텐츠 리스트", route = "/content/list"))
+        )
+
+        mockMvc.perform(
+            get("/menu")
+                .with(user(MemberAdapter(member)))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data[0].route").value("/content/list"))
+    }
+
+    @Test
+    @DisplayName("일반 사용자 권한이면 메뉴 조회에 접근할 수 없다")
+    fun shouldRejectUserRole() {
+        val member = createMember(role = MemberRole.USER)
+
+        mockMvc.perform(
+            get("/menu")
+                .with(user(MemberAdapter(member)))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(false))
+    }
+
+    @Test
+    @DisplayName("익명 사용자는 메뉴 조회에 접근할 수 없다")
+    fun shouldRejectAnonymousUser() {
+        mockMvc.perform(
+            get("/menu")
+                .with(anonymous())
+        )
+            .andExpect(status().isUnauthorized)
+    }
+
+    private fun createMember(role: MemberRole): Member {
+        return Member(
+            email = "${role.name.lowercase()}@test.com",
+            password = "password",
+            nickname = role.name.lowercase(),
+            role = role
+        ).apply {
+            id = role.ordinal.toLong() + 1
+        }
+    }
+}