Skip to content

Commit 8baa330

Browse files
committed
Handle invalid Google identity tokens
1 parent 3be6fb1 commit 8baa330

2 files changed

Lines changed: 37 additions & 0 deletions

File tree

ontime-back/src/main/java/devkor/ontime_back/global/oauth/google/GoogleLoginFilter.java

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@
1616
import jakarta.validation.Validator;
1717
import lombok.extern.slf4j.Slf4j;
1818
import org.springframework.dao.DataIntegrityViolationException;
19+
import org.springframework.security.authentication.BadCredentialsException;
1920
import org.springframework.security.core.Authentication;
2021
import org.springframework.security.core.AuthenticationException;
2122
import org.springframework.security.core.context.SecurityContextHolder;
@@ -57,7 +58,14 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
5758

5859
try {
5960
GoogleIdToken.Payload googlePayload = googleLoginService.verifyIdentityToken(oAuthGoogleRequestDto.getIdToken());
61+
if (googlePayload == null) {
62+
throw new BadCredentialsException("Invalid Google identity token");
63+
}
64+
6065
String googleUserId = googlePayload.getSubject();
66+
if (googleUserId == null || googleUserId.isBlank()) {
67+
throw new BadCredentialsException("Google identity token has no subject");
68+
}
6169

6270
Object loginLock = LOGIN_LOCKS.computeIfAbsent(googleUserId, key -> new Object());
6371
synchronized (loginLock) {
@@ -84,6 +92,9 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
8492
}
8593
}
8694

95+
} catch (AuthenticationException e) {
96+
log.warn("Google login failed: {}", e.getMessage());
97+
throw e;
8798
} catch (Exception e) {
8899
log.error("Google login failed: {}", e.getClass().getSimpleName());
89100
throw new AuthenticationException("Google 로그인 실패") {};

ontime-back/src/test/java/devkor/ontime_back/global/oauth/OAuthLoginFilterValidationTest.java

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,11 +18,14 @@
1818
import org.mockito.junit.jupiter.MockitoExtension;
1919
import org.springframework.mock.web.MockHttpServletRequest;
2020
import org.springframework.mock.web.MockHttpServletResponse;
21+
import org.springframework.security.authentication.BadCredentialsException;
2122
import org.springframework.security.core.AuthenticationException;
2223

2324
import static org.assertj.core.api.Assertions.assertThat;
2425
import static org.assertj.core.api.Assertions.assertThatThrownBy;
26+
import static org.mockito.Mockito.verify;
2527
import static org.mockito.Mockito.verifyNoInteractions;
28+
import static org.mockito.Mockito.when;
2629

2730
@ExtendWith(MockitoExtension.class)
2831
class OAuthLoginFilterValidationTest {
@@ -65,6 +68,29 @@ void googleLoginFilterRejectsInvalidRequest() throws Exception {
6568
verifyNoInteractions(googleLoginService, userRepository);
6669
}
6770

71+
@Test
72+
@DisplayName("구글 로그인 필터가 검증 실패한 idToken을 인증 실패로 처리한다")
73+
void googleLoginFilterRejectsUnverifiedIdToken() throws Exception {
74+
GoogleLoginFilter filter = new GoogleLoginFilter(
75+
"/oauth2/google/login",
76+
objectMapper,
77+
validator,
78+
googleLoginService,
79+
userRepository);
80+
MockHttpServletResponse response = new MockHttpServletResponse();
81+
82+
when(googleLoginService.verifyIdentityToken("invalid-token")).thenReturn(null);
83+
84+
assertThatThrownBy(() -> filter.attemptAuthentication(
85+
request("/oauth2/google/login", "{\"idToken\":\"invalid-token\"}"),
86+
response))
87+
.isInstanceOf(BadCredentialsException.class)
88+
.hasMessage("Invalid Google identity token");
89+
90+
verify(googleLoginService).verifyIdentityToken("invalid-token");
91+
verifyNoInteractions(userRepository);
92+
}
93+
6894
@Test
6995
@DisplayName("카카오 로그인 필터가 잘못된 요청을 400 validation 응답으로 처리한다")
7096
void kakaoLoginFilterRejectsInvalidRequest() throws Exception {

0 commit comments

Comments
 (0)