Merge pull request #65 from Team-UMC/feature/#62/login_apple

Feature/#62/login apple
Team-UMC · Feb 8, 2024 · 7783f24 · 7783f24
2 parents bf5905c + 5e18466
commit 7783f24
Show file tree

Hide file tree

Showing 4 changed files with 119 additions and 10 deletions.
diff --git a/src/main/java/com/umc/networkingService/domain/member/client/AppleMemberClient.java b/src/main/java/com/umc/networkingService/domain/member/client/AppleMemberClient.java
@@ -1,30 +1,106 @@
 package com.umc.networkingService.domain.member.client;
 
-import com.umc.networkingService.domain.member.dto.client.AppleResponse;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.umc.networkingService.domain.member.dto.client.ApplePublicKeyResponse;
+import com.umc.networkingService.global.common.exception.RestApiException;
+import com.umc.networkingService.global.common.exception.code.AuthErrorCode;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
 import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.client.WebClient;
 
+import java.io.UnsupportedEncodingException;
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.RSAPublicKeySpec;
+import java.util.Base64;
+import java.util.Map;
+
 @Component
 public class AppleMemberClient {
     private WebClient webClient;
 
     public AppleMemberClient(WebClient.Builder webclientBuilder){
         this.webClient = webclientBuilder
-                .baseUrl("https://appleid.apple.com/auth/keys")
+                .baseUrl("https://appleid.apple.com/auth")
                 .build();
     }
 
-    public String getappleClientID(final String accessToken){
-        AppleResponse response = webClient.get()
-                .header("Authorization", "Bearer " + accessToken)
+    public String getappleClientID(final String accessToken) {
+        Claims claims = getClaimsBy(accessToken);
+        validateClaims(claims);
+
+        return claims.getSubject();
+    }
+
+    /*
+    * 애플 검증 단계 (https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user)
+    * 1. 서버의 공개 키를 사용하여 JWS E256 서명을 검증
+    * 2. 인증에 대한 nonce를 검증
+    * 3. iss 필드가 https://appleid.apple.com을 포함하는지 확인
+    * 4. aud 필드가 개발자의 클라이언트 ID를 포함하는지 확인
+    * 5. 현재 시간을 기준으로 exp 필드가 유효한지 확인
+    * */
+
+    //1. Apple의 공개키를 사용하여 identityToken을 검증
+
+    //InvalidKeySpecException, NoSuchAlgorithmException, UnsupportedEncodingException, JsonProcessingException
+    public Claims getClaimsBy(String identityToken) {
+
+        try {
+            ApplePublicKeyResponse response = getAppleAuthPublicKey(); //공개키 가져오기
+
+            //공개 키를 사용하여 identityToken을 검증
+            String headerOfIdentityToken = identityToken.substring(0, identityToken.indexOf("."));
+            Map<String, String> header = new ObjectMapper().readValue(new String(Base64.getDecoder().decode(headerOfIdentityToken), "UTF-8"), Map.class);
+            ApplePublicKeyResponse.Key key = response.getMatchedKeyBy(header.get("kid"), header.get("alg"))
+                    .orElseThrow(() -> new RestApiException(AuthErrorCode.FAILED_GET_APPLE_KEY)); //공개키를 가져오는데 실패
+
+            byte[] nBytes = Base64.getUrlDecoder().decode(key.getN());
+            byte[] eBytes = Base64.getUrlDecoder().decode(key.getE());
+
+            BigInteger n = new BigInteger(1, nBytes);
+            BigInteger e = new BigInteger(1, eBytes);
+
+            RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec(n, e);
+            KeyFactory keyFactory = KeyFactory.getInstance(key.getKty());
+            PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
+
+            return Jwts.parser().setSigningKey(publicKey).parseClaimsJws(identityToken).getBody();
+        }catch (InvalidKeySpecException | NoSuchAlgorithmException | UnsupportedEncodingException | JsonProcessingException e) {
+            throw new RestApiException(AuthErrorCode.FAILED_GET_APPLE_KEY);
+        }
+    }
+
+    public ApplePublicKeyResponse getAppleAuthPublicKey() { //Apple의 공개키를 가져오기
+        return webClient.get()
+                .uri("/keys")
                 .retrieve()
-                .bodyToMono(AppleResponse.class)
+                .bodyToMono(ApplePublicKeyResponse.class)
                 .block();
+    }
+
+    //2. 인증에 대한 nonce를 검증
+    //3. iss 필드가 https://appleid.apple.com을 포함하는지 확인
+    //4. aud 필드가 개발자의 클라이언트 ID를 포함하는지 확인
+    //5. 현재 시간을 기준으로 exp 필드가 유효한지 확인
+    public void validateClaims(Claims claims) {
+        if (claims == null){
+            throw new RestApiException(AuthErrorCode.FAILED_SOCIAL_LOGIN);
+        }
 
-        //TODO 정보 받기 실패 예외 처리
-        if(response == null)
-            return null;
+        if (!claims.getIssuer().contains("https://appleid.apple.com"))
+            throw new RestApiException(AuthErrorCode.INVALID_APPLE_ID_TOKEN);
 
-        return response.getSub();
+        //if (!claims.getAudience().contains("com.networkingService.umc"))
+        //    throw new RestApiException(AuthErrorCode.INVALID_APPLE_ID_TOKEN);
+
+        if (claims.getExpiration().before(new java.util.Date()))
+            throw new RestApiException(AuthErrorCode.INVALID_APPLE_ID_TOKEN);
     }
 }
+
diff --git a/src/main/java/com/umc/networkingService/domain/member/dto/client/ApplePublicKeyResponse.java b/src/main/java/com/umc/networkingService/domain/member/dto/client/ApplePublicKeyResponse.java
@@ -0,0 +1,30 @@
+package com.umc.networkingService.domain.member.dto.client;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import java.util.List;
+import java.util.Optional;
+
+@Getter
+@Setter
+public class ApplePublicKeyResponse {
+    private List<Key> keys;
+
+    @Getter
+    @Setter
+    public static class Key {
+        private String kty;
+        private String kid;
+        private String use;
+        private String alg;
+        private String n;
+        private String e;
+    }
+
+    public Optional<Key> getMatchedKeyBy(String kid, String alg) {
+        return this.keys.stream()
+                .filter(key -> key.getKid().equals(kid) && key.getAlg().equals(alg))
+                .findFirst();
+    }
+}
diff --git a/src/main/java/com/umc/networkingService/domain/member/service/AuthServiceImpl.java b/src/main/java/com/umc/networkingService/domain/member/service/AuthServiceImpl.java
@@ -139,6 +139,7 @@ public MemberIdResponse withdrawal(Member member) {
     private MemberLoginResponse loginByApple(final String accessToken){
         // apple 서버와 통신해서 유저 고유값(clientId) 받기
         String clientId = appleMemberClient.getappleClientID(accessToken);
+
         //존재 여부 파악
         Optional<Member> getMember = memberRepository.findByClientIdAndSocialType(clientId, SocialType.APPLE);
 

diff --git a/src/main/java/com/umc/networkingService/global/common/exception/code/AuthErrorCode.java b/src/main/java/com/umc/networkingService/global/common/exception/code/AuthErrorCode.java
@@ -18,6 +18,8 @@ public enum AuthErrorCode implements ErrorCodeInterface {
     INVALID_REFRESH_TOKEN(HttpStatus.BAD_REQUEST, "AUTH006", "유효하지 않은 REFRESH TOKEN입니다."),
     FAILED_SOCIAL_LOGIN(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH007", "소셜 로그인에 실패하였습니다."),
     FAILED_GITHUB_AUTHENTICATION(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH008", "깃허브 서버와 통신이 실패하였습니다."),
+    FAILED_GET_APPLE_KEY(HttpStatus.INTERNAL_SERVER_ERROR, "AUTH009", "애플 서버와 통신이 실패하였습니다."),
+    INVALID_APPLE_ID_TOKEN(HttpStatus.BAD_REQUEST, "AUTH010","유효하지 않은 애플 ID TOKEN입니다."),
     ;
 
     private final HttpStatus httpStatus;