release: 1.7.0 (#185)

Author: devxb

docs/api/identity/login-apple.md

@@ -9,8 +9,7 @@
 ### Request Body
 ```json
 {
-  "name": "유저의 이름",
-  "profileImage": "유저의 프로필 이미지"
+  "accessToken": "..." // accessToken을 전달합니다. 
 }
 ```
 

src/main/kotlin/org/gitanimals/core/HttpClientErrorHandler.kt

@@ -1,5 +1,6 @@
 package org.gitanimals.core
 
+import org.slf4j.LoggerFactory
 import org.springframework.http.HttpMethod
 import org.springframework.http.HttpStatus
 import org.springframework.http.client.ClientHttpResponse
@@ -16,13 +17,24 @@ class HttpClientErrorHandler : ResponseErrorHandler {
     override fun handleError(url: URI, method: HttpMethod, response: ClientHttpResponse) {
         val body = response.body.bufferedReader().use { it.readText() }
         when {
-            response.statusCode.isSameCodeAs(HttpStatus.UNAUTHORIZED) ->
+            response.statusCode.isSameCodeAs(HttpStatus.UNAUTHORIZED) -> run {
+                logger.info("[HttpClientErrorHandler] Unauthorization exception \"$body\"")
                 throw AuthorizationException(body)
+            }
 
-            response.statusCode.is4xxClientError ->
+            response.statusCode.is4xxClientError -> run {
+                logger.warn("[HttpClientErrorHandler] IllegalArgumentException \"$body\"")
                 throw IllegalArgumentException(body)
+            }
 
-            else -> error(body)
+            else -> run {
+                logger.error("[HttpClientErrorHandler] Something went wrong. \"$body\"")
+                error(body)
+            }
         }
     }
+
+    companion object {
+        private val logger = LoggerFactory.getLogger(this::class.simpleName)
+    }
 }

src/main/kotlin/org/gitanimals/identity/app/AppleLoginFacade.kt

@@ -1,37 +1,125 @@
 package org.gitanimals.identity.app
 
+import com.fasterxml.jackson.core.type.TypeReference
+import com.fasterxml.jackson.databind.ObjectMapper
+import io.jsonwebtoken.Jwts
+import org.gitanimals.core.AUTHORIZATION_EXCEPTION
+import org.gitanimals.identity.app.AppleOauth2Api.AppleAuthKeyResponse
 import org.gitanimals.identity.domain.EntryPoint
 import org.gitanimals.identity.domain.UserService
+import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.stereotype.Component
+import java.math.BigInteger
+import java.security.KeyFactory
+import java.security.PublicKey
+import java.security.spec.RSAPublicKeySpec
+import java.util.*
 
 @Component
 class AppleLoginFacade(
-    @Value("\${login.secret}") private val loginSecret: String,
     private val tokenManager: TokenManager,
     private val userService: UserService,
+    private val appleOauth2Api: AppleOauth2Api,
+    private val objectMapper: ObjectMapper,
+    @Value("\${login.secret}") private val loginSecret: String,
 ) {
 
-    fun login(loginSecret: String, username: String, profileImage: String): String {
-        require(loginSecret == this.loginSecret) {
-            "Fail to login cause wrong loginSecret"
-        }
+    private val logger = LoggerFactory.getLogger(this::class.simpleName)
 
-        val isExistsUser = userService.existsUser(username, EntryPoint.APPLE)
+    fun login(loginSecret: String, accessToken: String): String {
+        require(this.loginSecret == loginSecret) { throw AUTHORIZATION_EXCEPTION }
+        val appleUserInfo = getAppleUserInfo(accessToken)
+
+        val isExistsUser = userService.existsByEntryPointAndAuthenticationId(
+            authenticationId = appleUserInfo.sub,
+            entryPoint = EntryPoint.APPLE
+        )
 
         val user = when (isExistsUser) {
-            true -> userService.getUserByNameAndEntryPoint(username, EntryPoint.APPLE)
+            true -> userService.getUserByNameAndEntryPoint(appleUserInfo.email, EntryPoint.APPLE)
             false -> {
                 userService.newUser(
-                    username = username,
+                    username = appleUserInfo.email,
                     entryPoint = EntryPoint.APPLE,
-                    profileImage = profileImage,
+                    profileImage = defaultProfileImage,
                     contributionPerYears = mapOf(),
-                    authenticationId = username,
+                    authenticationId = appleUserInfo.sub,
                 )
             }
         }
 
         return tokenManager.createToken(user).withType()
     }
+
+    private fun getAppleUserInfo(accessToken: String): AppleUserInfo {
+        val tokenHeaders = parseHeaders(accessToken)
+        val appleAuthKeys = appleOauth2Api.getAuthKeys()
+        val publicKey =
+            generatePublicKey(tokenHeaders = tokenHeaders, appleAuthKeys = appleAuthKeys)
+        val claims = runCatching {
+            Jwts.parser()
+                .verifyWith(publicKey)
+                .build()
+                .parseSignedClaims(accessToken)
+                .payload
+        }.getOrElse {
+            logger.error("[AppleLoginFacade] Cannot parse claims from accessToken.")
+            throw it
+        }
+
+        return AppleUserInfo(
+            sub = claims["sub"] as String,
+            email = claims["email"] as String,
+        )
+    }
+
+    private fun parseHeaders(token: String): Map<String, String> = runCatching {
+        val encodedHeader: String =
+            token
+                .split("\\.".toRegex())
+                .dropLastWhile { it.isEmpty() }
+                .toTypedArray()[0]
+        val decodedHeader = String(Base64.getUrlDecoder().decode(encodedHeader))
+        objectMapper.readValue(
+            decodedHeader,
+            object : TypeReference<Map<String, String>>() {},
+        )
+    }.getOrElse {
+        logger.error("[AppleLoginFacade] Cannot parse token from header. ${it.message}", it)
+        throw it
+    }
+
+    private fun generatePublicKey(
+        tokenHeaders: Map<String, String>,
+        appleAuthKeys: AppleAuthKeyResponse,
+    ): PublicKey {
+        val publicKeys = appleAuthKeys.keys
+        val publicKey = publicKeys.find {
+            it.alg == tokenHeaders["alg"] && it.kid == tokenHeaders["kid"]
+        } ?: run {
+            val message = "Cannot find matched public key."
+            logger.error("[AppleLoginFacade] $message alg: \"${tokenHeaders["alg"]}\", kid: \"${tokenHeaders["kid"]}\"")
+            error(message)
+        }
+
+        val n = Base64.getUrlDecoder().decode(publicKey.n)
+        val e = Base64.getUrlDecoder().decode(publicKey.e)
+
+        val publicKeySpec = RSAPublicKeySpec(BigInteger(1, n), BigInteger(1, e))
+
+        val keyFactory = KeyFactory.getInstance(publicKey.kty)
+
+        return keyFactory.generatePublic(publicKeySpec)
+    }
+
+    data class AppleUserInfo(
+        val sub: String,
+        val email: String,
+    )
+
+    private companion object {
+        private const val defaultProfileImage =
+            "https://avatars.githubusercontent.com/u/171903401?s=200&v=4"
+    }
 }

src/main/kotlin/org/gitanimals/identity/app/AppleOauth2Api.kt

@@ -0,0 +1,22 @@
+package org.gitanimals.identity.app
+
+import org.springframework.web.service.annotation.GetExchange
+
+fun interface AppleOauth2Api {
+
+    @GetExchange("/auth/keys")
+    fun getAuthKeys(): AppleAuthKeyResponse
+
+    data class AppleAuthKeyResponse(
+        val keys: List<AuthKey>
+    ) {
+        data class AuthKey(
+            val kty: String,
+            val kid: String,
+            val use: String,
+            val alg: String,
+            val n: String,
+            val e: String,
+        )
+    }
+}

src/main/kotlin/org/gitanimals/identity/app/GithubLoginFacade.kt

@@ -6,14 +6,14 @@ import org.springframework.stereotype.Service
 
 @Service
 class GithubLoginFacade(
-    private val oauth2Api: Oauth2Api,
+    private val githubOauth2Api: GithubOauth2Api,
     private val userService: UserService,
     private val contributionApi: ContributionApi,
     private val tokenManager: TokenManager,
 ) {
 
     fun login(code: String): String {
-        val oauthUserResponse = oauth2Api.getOauthUsername(oauth2Api.getToken(code))
+        val oauthUserResponse = githubOauth2Api.getOauthUsername(githubOauth2Api.getToken(code))
 
         val user = when (userService.existsByEntryPointAndAuthenticationId(
             entryPoint = EntryPoint.GITHUB,

…org/gitanimals/identity/app/Oauth2Api.kt …tanimals/identity/app/GithubOauth2Api.ktsrc/main/kotlin/org/gitanimals/identity/app/Oauth2Api.kt renamed to src/main/kotlin/org/gitanimals/identity/app/GithubOauth2Api.kt src/main/kotlin/org/gitanimals/identity/app/Oauth2Api.kt renamed to src/main/kotlin/org/gitanimals/identity/app/GithubOauth2Api.kt

@@ -1,6 +1,6 @@
 package org.gitanimals.identity.app
 
-interface Oauth2Api {
+interface GithubOauth2Api {
 
     fun getToken(temporaryToken: String): String
 

src/main/kotlin/org/gitanimals/identity/controller/Oauth2Controller.kt

@@ -51,13 +51,12 @@ class Oauth2Controller(
     @PostMapping("/logins/oauth/apple")
     @ResponseStatus(HttpStatus.OK)
     fun loginWithApple(
-        @RequestHeader(name = "Login-Secret") loginSecret: String,
         @RequestBody appleLoginRequest: AppleLoginRequest,
+        @RequestHeader("Login-Secret") loginSecret: String,
     ): TokenResponse {
         val token = appleLoginFacade.login(
-            username = appleLoginRequest.name,
-            profileImage = appleLoginRequest.profileImage,
             loginSecret = loginSecret,
+            accessToken = appleLoginRequest.accessToken,
         )
 
         return TokenResponse(token)

src/main/kotlin/org/gitanimals/identity/controller/request/AppleLoginRequest.kt

@@ -1,6 +1,5 @@
 package org.gitanimals.identity.controller.request
 
 data class AppleLoginRequest(
-    val name: String,
-    val profileImage: String,
+    val accessToken: String,
 )

…nimals/identity/infra/GithubOauth2Api.kt …/identity/infra/GithubGithubOauth2Api.ktsrc/main/kotlin/org/gitanimals/identity/infra/GithubOauth2Api.kt renamed to src/main/kotlin/org/gitanimals/identity/infra/GithubGithubOauth2Api.kt src/main/kotlin/org/gitanimals/identity/infra/GithubOauth2Api.kt renamed to src/main/kotlin/org/gitanimals/identity/infra/GithubGithubOauth2Api.kt

@@ -1,18 +1,18 @@
 package org.gitanimals.identity.infra
 
 import com.fasterxml.jackson.annotation.JsonProperty
-import org.gitanimals.identity.app.Oauth2Api
+import org.gitanimals.identity.app.GithubOauth2Api
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.http.HttpHeaders
 import org.springframework.http.MediaType
 import org.springframework.stereotype.Component
 import org.springframework.web.client.RestClient
 
 @Component
-class GithubOauth2Api(
+class GithubGithubOauth2Api(
     @Value("\${oauth.client.id.github}") private val clientId: String,
     @Value("\${oauth.client.secret.github}") private val clientSecret: String,
-) : Oauth2Api {
+) : GithubOauth2Api {
 
     private val githubClient = RestClient.create("https://github.com")
     private val githubApiClient = RestClient.create("https://api.github.com")
@@ -35,7 +35,7 @@ class GithubOauth2Api(
         return "${tokenResponse.tokenType} ${tokenResponse.accessToken}"
     }
 
-    override fun getOauthUsername(token: String): Oauth2Api.OAuthUserResponse {
+    override fun getOauthUsername(token: String): GithubOauth2Api.OAuthUserResponse {
         val userResponse = githubApiClient.get()
             .uri("/user")
             .header(HttpHeaders.AUTHORIZATION, token)
@@ -47,7 +47,7 @@ class GithubOauth2Api(
                     )
             }
 
-        return Oauth2Api.OAuthUserResponse(
+        return GithubOauth2Api.OAuthUserResponse(
             username = userResponse.login,
             id = userResponse.id,
             profileImage = userResponse.avatarUrl,

src/main/kotlin/org/gitanimals/identity/infra/HttpClientConfigurer.kt

@@ -0,0 +1,28 @@
+package org.gitanimals.identity.infra
+
+import org.gitanimals.core.HttpClientErrorHandler
+import org.gitanimals.identity.app.AppleOauth2Api
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.web.client.RestClient
+import org.springframework.web.client.support.RestClientAdapter
+import org.springframework.web.service.invoker.HttpServiceProxyFactory
+
+@Configuration
+class HttpClientConfigurer {
+
+    @Bean
+    fun appleOauth2Api(): AppleOauth2Api {
+        val restClient = RestClient
+            .builder()
+            .defaultStatusHandler(HttpClientErrorHandler())
+            .baseUrl("https://appleid.apple.com")
+            .build()
+
+        val httpServiceProxyFactory = HttpServiceProxyFactory
+            .builderFor(RestClientAdapter.create(restClient))
+            .build()
+
+        return httpServiceProxyFactory.createClient(AppleOauth2Api::class.java)
+    }
+}