gc-guide-api/src/main/java/com/gcsc/guide/auth/GoogleTokenVerifier.java

package com.gcsc.guide.auth;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import java.util.Collections;

@Slf4j
@Component
public class GoogleTokenVerifier {

    private final GoogleIdTokenVerifier verifier;
    private final String allowedEmailDomain;

    public GoogleTokenVerifier(
        @Value("${app.google.client-id}") String clientId,
        @Value("${app.allowed-email-domain}") String allowedEmailDomain
    ) {
        this.verifier = new GoogleIdTokenVerifier.Builder(
            new NetHttpTransport(), GsonFactory.getDefaultInstance())
            .setAudience(Collections.singletonList(clientId))
            .build();
        this.allowedEmailDomain = allowedEmailDomain;
    }

    /**
     * Google ID Token을 검증하고 페이로드를 반환한다.
     * 검증 실패 또는 허용되지 않은 이메일 도메인이면 null을 반환한다.
     */
    public GoogleIdToken.Payload verify(String idTokenString) {
        try {
            GoogleIdToken idToken = verifier.verify(idTokenString);
            if (idToken == null) {
                log.warn("Google ID Token 검증 실패: 유효하지 않은 토큰");
                return null;
            }

            GoogleIdToken.Payload payload = idToken.getPayload();
            String email = payload.getEmail();

            if (email == null || !email.endsWith("@" + allowedEmailDomain)) {
                log.warn("허용되지 않은 이메일 도메인: {}", email);
                return null;
            }

            return payload;
        } catch (Exception e) {
            log.error("Google ID Token 검증 중 오류: {}", e.getMessage());
            return null;
        }
    }
}
feat(auth): JWT 기반 Google 로그인 인증 API 구현 - Entity: User, Role, RoleUrlPattern, UserStatus enum - Repository: UserRepository, RoleRepository (fetch join 쿼리) - Auth: GoogleTokenVerifier, JwtTokenProvider, JwtAuthenticationFilter - API: POST /api/auth/google, GET /api/auth/me, POST /api/auth/logout - DTO: AuthResponse, UserResponse, RoleResponse, GoogleLoginRequest - SecurityConfig: JWT 필터 등록, CORS 설정, 공개 엔드포인트 정의 - 초기 데이터: roles + role_url_patterns 시드 (data.sql) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-14 17:28:51 +09:00			`package com.gcsc.guide.auth;`

			`import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;`
			`import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;`
			`import com.google.api.client.http.javanet.NetHttpTransport;`
			`import com.google.api.client.json.gson.GsonFactory;`
			`import lombok.extern.slf4j.Slf4j;`
			`import org.springframework.beans.factory.annotation.Value;`
			`import org.springframework.stereotype.Component;`

			`import java.util.Collections;`

			`@Slf4j`
			`@Component`
			`public class GoogleTokenVerifier {`

			`private final GoogleIdTokenVerifier verifier;`
			`private final String allowedEmailDomain;`

			`public GoogleTokenVerifier(`
			`@Value("${app.google.client-id}") String clientId,`
			`@Value("${app.allowed-email-domain}") String allowedEmailDomain`
			`) {`
			`this.verifier = new GoogleIdTokenVerifier.Builder(`
			`new NetHttpTransport(), GsonFactory.getDefaultInstance())`
			`.setAudience(Collections.singletonList(clientId))`
			`.build();`
			`this.allowedEmailDomain = allowedEmailDomain;`
			`}`

			`/**`
			`* Google ID Token을 검증하고 페이로드를 반환한다.`
			`* 검증 실패 또는 허용되지 않은 이메일 도메인이면 null을 반환한다.`
			`*/`
			`public GoogleIdToken.Payload verify(String idTokenString) {`
			`try {`
			`GoogleIdToken idToken = verifier.verify(idTokenString);`
			`if (idToken == null) {`
			`log.warn("Google ID Token 검증 실패: 유효하지 않은 토큰");`
			`return null;`
			`}`

			`GoogleIdToken.Payload payload = idToken.getPayload();`
			`String email = payload.getEmail();`

			`if (email == null \|\| !email.endsWith("@" + allowedEmailDomain)) {`
			`log.warn("허용되지 않은 이메일 도메인: {}", email);`
			`return null;`
			`}`

			`return payload;`
			`} catch (Exception e) {`
			`log.error("Google ID Token 검증 중 오류: {}", e.getMessage());`
			`return null;`
			`}`
			`}`
			`}`