[NDGL-18] feature: Token, uuid 암호화해서 저장하는 기능 추가

mj010504 · mj010504 · commit e5f7c5b0cd11 · 2026-02-03T01:12:22.000+09:00
diff --git a/data/auth/src/main/java/com/yapp/ndgl/data/auth/local/LocalAuthDataSource.kt b/data/auth/src/main/java/com/yapp/ndgl/data/auth/local/LocalAuthDataSource.kt
@@ -4,6 +4,7 @@ import androidx.datastore.core.DataStore
 import androidx.datastore.preferences.core.Preferences
 import androidx.datastore.preferences.core.edit
 import androidx.datastore.preferences.core.stringPreferencesKey
+import com.yapp.ndgl.data.auth.local.security.CryptoManager
 import com.yapp.ndgl.data.auth.local.util.handleException
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.first
@@ -14,17 +15,18 @@ import javax.inject.Singleton
 @Singleton
 class LocalAuthDataSource @Inject constructor(
     private val dataStore: DataStore<Preferences>,
+    private val cryptoManager: CryptoManager,
 ) {
     private val accessToken: Flow<String> = dataStore.data
         .handleException()
         .map { preferences ->
-            preferences[ACCESS_TOKEN_KEY] ?: ""
+            cryptoManager.decrypt(preferences[ACCESS_TOKEN_KEY] ?: "")
         }
 
     private val uuid: Flow<String> = dataStore.data
         .handleException()
         .map { preferences ->
-            preferences[UUID_KEY] ?: ""
+            cryptoManager.decrypt(preferences[UUID_KEY] ?: "")
         }
 
     suspend fun getAccessToken(): String = accessToken.first()
@@ -33,13 +35,13 @@ class LocalAuthDataSource @Inject constructor(
 
     suspend fun setAccessToken(token: String) {
         dataStore.edit { preferences ->
-            preferences[ACCESS_TOKEN_KEY] = token
+            preferences[ACCESS_TOKEN_KEY] = cryptoManager.encrypt(token)
         }
     }
 
     suspend fun setUuid(uuid: String) {
         dataStore.edit { preferences ->
-            preferences[UUID_KEY] = uuid
+            preferences[UUID_KEY] = cryptoManager.encrypt(uuid)
         }
     }
 
diff --git a/data/auth/src/main/java/com/yapp/ndgl/data/auth/local/security/CryptoManager.kt b/data/auth/src/main/java/com/yapp/ndgl/data/auth/local/security/CryptoManager.kt
@@ -0,0 +1,85 @@
+package com.yapp.ndgl.data.auth.local.security
+
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import timber.log.Timber
+import java.security.GeneralSecurityException
+import java.security.KeyStore
+import javax.crypto.Cipher
+import javax.crypto.KeyGenerator
+import javax.crypto.SecretKey
+import javax.crypto.spec.GCMParameterSpec
+import javax.inject.Inject
+import javax.inject.Singleton
+
+@Singleton
+class CryptoManager @Inject constructor() {
+    private val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER).apply {
+        load(null)
+    }
+
+    private fun getKey(): SecretKey {
+        return keyStore.getKey(KEY_ALIAS, null) as? SecretKey ?: createKey()
+    }
+
+    private fun createKey(): SecretKey =
+        KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES,
+            KEYSTORE_PROVIDER,
+        ).apply {
+            init(
+                KeyGenParameterSpec.Builder(
+                    KEY_ALIAS,
+                    KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT,
+                )
+                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+                    .setEncryptionPaddings(PADDING)
+                    .setUserAuthenticationRequired(false)
+                    .build(),
+            )
+        }.generateKey()
+
+    fun encrypt(plainText: String): String {
+        check(plainText.isNotEmpty()) { "Plain text is empty" }
+
+        val cipher = Cipher.getInstance(TRANSFORMATION)
+        cipher.init(Cipher.ENCRYPT_MODE, getKey())
+
+        val encryptedBytes = cipher.doFinal(plainText.toByteArray())
+        val combined = cipher.iv + encryptedBytes
+
+        return Base64.encodeToString(combined, Base64.NO_WRAP)
+    }
+
+    fun decrypt(encryptedText: String): String {
+        try {
+            if (encryptedText.isEmpty()) return ""
+
+            val combined = Base64.decode(encryptedText, Base64.NO_WRAP)
+            val iv = combined.copyOfRange(0, IV_SIZE)
+            val encryptedBytes = combined.copyOfRange(IV_SIZE, combined.size)
+
+            val cipher = Cipher.getInstance(TRANSFORMATION)
+            val spec = GCMParameterSpec(GCM_TAG_LENGTH, iv)
+            cipher.init(Cipher.DECRYPT_MODE, getKey(), spec)
+
+            val decryptedBytes = cipher.doFinal(encryptedBytes)
+            return String(decryptedBytes)
+        } catch (e: GeneralSecurityException) {
+            Timber.e(e, "Failed to decrypt")
+            return ""
+        }
+    }
+
+    companion object {
+        private const val KEYSTORE_PROVIDER = "AndroidKeyStore"
+        private const val KEY_ALIAS = "ndgl_encryption_key"
+        private const val ALGORITHM = KeyProperties.KEY_ALGORITHM_AES
+        private const val BLOCK_MODE = KeyProperties.BLOCK_MODE_GCM
+        private const val PADDING = KeyProperties.ENCRYPTION_PADDING_NONE
+        private const val TRANSFORMATION = "$ALGORITHM/$BLOCK_MODE/$PADDING"
+        private const val IV_SIZE = 12
+        private const val GCM_TAG_LENGTH = 128
+    }
+}
