Skip to content

Commit c02abf8

Browse files
committed
Use shared Google client secret names in dev deploy
1 parent 757bdd0 commit c02abf8

4 files changed

Lines changed: 53 additions & 8 deletions

File tree

.github/workflows/deploy-dev.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -126,8 +126,8 @@ jobs:
126126
JWT_ACCESS_HEADER=${{ secrets.DEV_JWT_ACCESS_HEADER || 'Authorization' }}
127127
JWT_REFRESH_HEADER=${{ secrets.DEV_JWT_REFRESH_HEADER || 'Authorization-refresh' }}
128128
129-
GOOGLE_WEB_CLIENT_ID=${{ secrets.DEV_GOOGLE_WEB_CLIENT_ID || 'dev-google-web-client-id' }}
130-
GOOGLE_APP_CLIENT_ID=${{ secrets.DEV_GOOGLE_APP_CLIENT_ID || 'dev-google-app-client-id' }}
129+
GOOGLE_WEB_CLIENT_ID=${{ secrets.GOOGLE_WEB_CLIENT_ID || 'dev-google-web-client-id' }}
130+
GOOGLE_APP_CLIENT_ID=${{ secrets.GOOGLE_APP_CLIENT_ID || 'dev-google-app-client-id' }}
131131
132132
APPLE_CLIENT_ID=${{ secrets.DEV_APPLE_CLIENT_ID || 'dev-apple-client-id' }}
133133
APPLE_TEAM_ID=${{ secrets.DEV_APPLE_TEAM_ID || 'dev-apple-team-id' }}

docs/deployment.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -143,8 +143,8 @@ Optional development secrets:
143143
- `DEV_JWT_REFRESH_EXPIRATION`
144144
- `DEV_JWT_ACCESS_HEADER`
145145
- `DEV_JWT_REFRESH_HEADER`
146-
- `DEV_GOOGLE_WEB_CLIENT_ID`
147-
- `DEV_GOOGLE_APP_CLIENT_ID`
146+
- `GOOGLE_WEB_CLIENT_ID`
147+
- `GOOGLE_APP_CLIENT_ID`
148148
- `DEV_APPLE_CLIENT_ID`
149149
- `DEV_APPLE_TEAM_ID`
150150
- `DEV_APPLE_LOGIN_KEY`
@@ -212,8 +212,8 @@ Optional development secrets:
212212
- `DEV_JWT_REFRESH_EXPIRATION`
213213
- `DEV_JWT_ACCESS_HEADER`
214214
- `DEV_JWT_REFRESH_HEADER`
215-
- `DEV_GOOGLE_WEB_CLIENT_ID`
216-
- `DEV_GOOGLE_APP_CLIENT_ID`
215+
- `GOOGLE_WEB_CLIENT_ID`
216+
- `GOOGLE_APP_CLIENT_ID`
217217
- `DEV_APPLE_CLIENT_ID`
218218
- `DEV_APPLE_TEAM_ID`
219219
- `DEV_APPLE_LOGIN_KEY`

ontime-back/src/main/java/devkor/ontime_back/global/oauth/google/GoogleLoginService.java

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,9 @@ public GoogleLoginService(
6666
.map(String::trim)
6767
.filter(clientId -> !clientId.isBlank())
6868
.toList();
69+
log.info("Configured Google OAuth audiences: {}", validClientIds.stream()
70+
.map(this::maskClientId)
71+
.toList());
6972
}
7073

7174

@@ -173,10 +176,52 @@ public GoogleIdToken.Payload verifyIdentityToken(String identityToken) throws Ex
173176
return payload;
174177
} else {
175178
log.info("Google identity credential is invalid");
179+
logGoogleIdentityTokenClaims(identityToken);
176180
return null;
177181
}
178182
}
179183

184+
private void logGoogleIdentityTokenClaims(String identityToken) {
185+
try {
186+
GoogleIdToken parsedToken = GoogleIdToken.parse(
187+
GsonFactory.getDefaultInstance(),
188+
identityToken
189+
);
190+
GoogleIdToken.Payload payload = parsedToken.getPayload();
191+
String audience = String.valueOf(payload.getAudience());
192+
Long expirationTimeSeconds = payload.getExpirationTimeSeconds();
193+
long nowSeconds = System.currentTimeMillis() / 1000;
194+
log.info(
195+
"Google identity token claims aud={}, azp={}, iss={}, exp={}, now={}, secondsUntilExp={}, audienceAllowed={}",
196+
maskClientId(audience),
197+
payload.get("azp"),
198+
payload.getIssuer(),
199+
expirationTimeSeconds,
200+
nowSeconds,
201+
expirationTimeSeconds == null ? null : expirationTimeSeconds - nowSeconds,
202+
validClientIds.contains(audience)
203+
);
204+
} catch (Exception e) {
205+
log.info("Google identity token claim parsing failed: {}", e.getClass().getSimpleName());
206+
}
207+
}
208+
209+
private String maskClientId(String clientId) {
210+
int separatorIndex = clientId.indexOf('-');
211+
if (separatorIndex < 0) {
212+
return "<invalid-client-id>";
213+
}
214+
String projectNumber = clientId.substring(0, separatorIndex);
215+
String suffix = ".apps.googleusercontent.com";
216+
boolean hasGoogleSuffix = clientId.endsWith(suffix);
217+
String middle = clientId.substring(
218+
separatorIndex + 1,
219+
hasGoogleSuffix ? clientId.length() - suffix.length() : clientId.length()
220+
);
221+
String visibleTail = middle.length() <= 4 ? middle : middle.substring(middle.length() - 4);
222+
return projectNumber + "-..." + visibleTail + (hasGoogleSuffix ? suffix : "");
223+
}
224+
180225
public boolean revokeToken(Long userId) {
181226
User user = userRepository.findById(userId)
182227
.orElseThrow(() -> new IllegalArgumentException("User not found with id: " + userId));

ontime-back/src/main/resources/application-dev.properties

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,8 +23,8 @@ jwt.access.header=${JWT_ACCESS_HEADER:Authorization}
2323
jwt.refresh.header=${JWT_REFRESH_HEADER:Authorization-refresh}
2424

2525
# Google OAuth
26-
google.web.client-id=${GOOGLE_WEB_CLIENT_ID:dev-google-web-client-id}
27-
google.app.client-id=${GOOGLE_APP_CLIENT_ID:dev-google-app-client-id}
26+
google.web.client-id=${GOOGLE_WEB_CLIENT_ID:456571312261-5kuf2r6i5i7lqjr7qealv06sdgkn3hcp.apps.googleusercontent.com}
27+
google.app.client-id=${GOOGLE_APP_CLIENT_ID:456571312261-r35ah9qi0qaq7al007e2db0e0jmjcmb4.apps.googleusercontent.com,456571312261-5e99nruk62f21uoh7stfp8i82acmh6iq.apps.googleusercontent.com,456571312261-6470v6goejjkcqn3608b4nbbtpt6dknu.apps.googleusercontent.com}
2828

2929
# Apple OAuth
3030
apple.client.id=${APPLE_CLIENT_ID:dev-apple-client-id}

0 commit comments

Comments
 (0)