merge: feature/oauth into develop

Author: mkSpace

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/apple/AppleApi.kt

@@ -0,0 +1,41 @@
+package noweekend.client.apple
+
+import org.springframework.cloud.openfeign.FeignClient
+import org.springframework.http.MediaType
+import org.springframework.http.ResponseEntity
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RequestParam
+
+@FeignClient(
+    value = "apple-api",
+    url = "\${oauth.apple.api-url}",
+)
+internal interface AppleApi {
+    @GetMapping(
+        value = ["/auth/keys"],
+        consumes = [MediaType.APPLICATION_JSON_VALUE],
+    )
+    fun getPublicKeys(): ApplePublicKeyResponse
+
+    @PostMapping(
+        value = ["/auth/token"],
+        consumes = [MediaType.APPLICATION_FORM_URLENCODED_VALUE],
+    )
+    fun getAccessToken(
+        @RequestParam("code") code: String,
+        @RequestParam("client_id") clientId: String,
+        @RequestParam("client_secret") clientSecret: String,
+        @RequestParam("grant_type") grantType: String,
+    ): AppleTokens
+
+    @PostMapping(
+        value = ["/auth/revoke"],
+        consumes = [MediaType.APPLICATION_FORM_URLENCODED_VALUE],
+    )
+    fun revokeToken(
+        @RequestParam("client_id") clientId: String,
+        @RequestParam("client_secret") clientSecret: String,
+        @RequestParam("token") token: String,
+    ): ResponseEntity<Any>
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/apple/AppleClient.kt

@@ -0,0 +1,124 @@
+package noweekend.client.apple
+
+import com.fasterxml.jackson.databind.ObjectMapper
+import com.fasterxml.jackson.module.kotlin.readValue
+import io.jsonwebtoken.Claims
+import io.jsonwebtoken.Jwts
+import io.jsonwebtoken.SignatureAlgorithm
+import noweekend.client.common.OAuthClient
+import noweekend.client.common.OAuthInfo
+import noweekend.client.common.OAuthLoginParams
+import noweekend.client.common.Revocable
+import noweekend.client.properties.AppleAuthProperties
+import noweekend.core.domain.user.ProviderType
+import org.bouncycastle.util.io.pem.PemReader
+import org.springframework.core.io.FileSystemResource
+import org.springframework.stereotype.Component
+import java.io.FileReader
+import java.math.BigInteger
+import java.security.KeyFactory
+import java.security.PrivateKey
+import java.security.spec.PKCS8EncodedKeySpec
+import java.security.spec.RSAPublicKeySpec
+import java.time.LocalDateTime
+import java.time.ZoneId
+import java.util.Base64
+import java.util.Date
+
+@Component
+class AppleClient internal constructor(
+    private val appleApi: AppleApi,
+    private val appleOAuthProperties: AppleAuthProperties,
+    private val objectMapper: ObjectMapper,
+) : OAuthClient, Revocable {
+    override fun supports(providerType: ProviderType): Boolean {
+        return providerType == ProviderType.APPLE
+    }
+
+    override fun requestOAuthInfo(params: OAuthLoginParams): OAuthInfo {
+        val appleTokens = requestAccessToken(params)
+        if (appleTokens?.idToken == null) throw IllegalStateException("cannot find idToken from apple")
+        val claims = getClaims(appleTokens.idToken)
+        return AppleOAuthInfo(claims.subject, appleTokens.refreshToken)
+    }
+
+    override fun revokeToken(token: String): Boolean {
+        val clientId = appleOAuthProperties.appId
+        val clientSecret = makeClientSecret(
+            keyId = appleOAuthProperties.keyId,
+            teamId = appleOAuthProperties.teamId,
+            clientId = clientId,
+            secretKeyFilePath = appleOAuthProperties.secretKeyFilePath,
+        )
+        return appleApi.revokeToken(clientId, clientSecret, token).statusCode.is2xxSuccessful
+    }
+
+    private fun requestAccessToken(params: OAuthLoginParams): AppleTokens? {
+        val clientId = appleOAuthProperties.appId
+        val clientSecret = makeClientSecret(
+            keyId = appleOAuthProperties.keyId,
+            teamId = appleOAuthProperties.teamId,
+            clientId = clientId,
+            secretKeyFilePath = appleOAuthProperties.secretKeyFilePath,
+        )
+
+        return appleApi.getAccessToken(params.getCode(), clientId, clientSecret, AUTHORIZATION_CODE)
+    }
+
+    private fun makeClientSecret(keyId: String, teamId: String, clientId: String, secretKeyFilePath: String): String {
+        val now = LocalDateTime.now()
+        val expirationDate = Date.from(now.plusDays(30).atZone(ZoneId.systemDefault()).toInstant())
+        return Jwts.builder()
+            .setHeaderParam(KEY_KID, keyId)
+            .setHeaderParam(KEY_ALGORITHM, "ES256")
+            .setIssuer(teamId)
+            .setIssuedAt(Date(System.currentTimeMillis()))
+            .setExpiration(expirationDate)
+            .setAudience(APPLE_AUDIENCE)
+            .setSubject(clientId)
+            .signWith(getPrivateKey(secretKeyFilePath), SignatureAlgorithm.ES256)
+            .compact()
+    }
+
+    private fun getPrivateKey(secretKeyPath: String): PrivateKey {
+        val resource = FileSystemResource(secretKeyPath)
+        val keyReader = FileReader(resource.uri.path)
+        PemReader(keyReader).use { reader ->
+            val content = reader.readPemObject().content
+            return KeyFactory.getInstance("EC")
+                .generatePrivate(PKCS8EncodedKeySpec(content))
+        }
+    }
+
+    private fun getClaims(identityToken: String): Claims {
+        val header = identityToken.substring(0, identityToken.indexOf("."))
+        val headerMap: Map<String, String> = objectMapper.readValue(String(Base64.getDecoder().decode(header)))
+        val key = getPublicKey(headerMap[KEY_KID], headerMap[KEY_ALGORITHM])
+
+        val nBytes = Base64.getUrlDecoder().decode(key.n)
+        val eBytes = Base64.getUrlDecoder().decode(key.e)
+
+        val n = BigInteger(1, nBytes)
+        val e = BigInteger(1, eBytes)
+
+        val publicKeySpec = RSAPublicKeySpec(n, e)
+        val keyFactory = KeyFactory.getInstance(key.kty)
+        val publicKey = keyFactory.generatePublic(publicKeySpec)
+
+        return Jwts.parserBuilder().setSigningKey(publicKey).build().parseClaimsJws(identityToken).body
+    }
+
+    private fun getPublicKey(kid: String?, alg: String?): ApplePublicKey {
+        if (kid == null || alg == null) throw IllegalStateException("cannot get public key from apple")
+        return appleApi.getPublicKeys().keys.firstOrNull { key -> key.kid == kid && key.alg == alg }
+            ?: throw IllegalStateException("cannot find public key from apple")
+    }
+
+    companion object {
+        private const val KEY_KID = "kid"
+        private const val KEY_ALGORITHM = "alg"
+
+        private const val AUTHORIZATION_CODE = "authorization_code"
+        private const val APPLE_AUDIENCE = "https://appleid.apple.com"
+    }
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/apple/AppleLoginParams.kt

@@ -0,0 +1,9 @@
+package noweekend.client.apple
+
+import noweekend.client.common.OAuthLoginParams
+import noweekend.core.domain.user.ProviderType
+
+class AppleLoginParams(private val code: String) : OAuthLoginParams {
+    override fun getProviderType(): ProviderType = ProviderType.APPLE
+    override fun getCode(): String = code
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/apple/AppleOAuthInfo.kt

@@ -0,0 +1,15 @@
+package noweekend.client.apple
+
+import noweekend.client.common.OAuthInfo
+import noweekend.core.domain.user.ProviderType
+
+class AppleOAuthInfo(
+    private val id: String,
+    private val revocableToken: String,
+) : OAuthInfo {
+    override fun getProviderType(): ProviderType = ProviderType.APPLE
+
+    override fun getProviderId(): String = id
+
+    override fun getProviderRevocableToken(): String = revocableToken
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/apple/ApplePublicKeyResponse.kt

@@ -0,0 +1,12 @@
+package noweekend.client.apple
+
+data class ApplePublicKeyResponse(val keys: List<ApplePublicKey>)
+
+data class ApplePublicKey(
+    val kty: String,
+    val kid: String,
+    val use: String,
+    val alg: String,
+    val n: String,
+    val e: String,
+)

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/apple/AppleTokens.kt

@@ -0,0 +1,23 @@
+package noweekend.client.apple
+
+import com.fasterxml.jackson.annotation.JsonProperty
+
+data class AppleTokens(
+    @JsonProperty("access_token")
+    val accessToken: String,
+
+    @JsonProperty("expires_in")
+    val expiresIn: String,
+
+    @JsonProperty("id_token")
+    val idToken: String,
+
+    @JsonProperty("refresh_token")
+    val refreshToken: String,
+
+    @JsonProperty("token_type")
+    val tokenType: String,
+
+    @JsonProperty("error")
+    val error: String? = null,
+)

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/common/OAuthClient.kt

@@ -0,0 +1,8 @@
+package noweekend.client.common
+
+import noweekend.core.domain.user.ProviderType
+
+interface OAuthClient {
+    fun supports(providerType: ProviderType): Boolean
+    fun requestOAuthInfo(params: OAuthLoginParams): OAuthInfo
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/common/OAuthInfo.kt

@@ -0,0 +1,9 @@
+package noweekend.client.common
+
+import noweekend.core.domain.user.ProviderType
+
+interface OAuthInfo {
+    fun getProviderType(): ProviderType
+    fun getProviderId(): String
+    fun getProviderRevocableToken(): String?
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/common/OAuthLoginParams.kt

@@ -0,0 +1,8 @@
+package noweekend.client.common
+
+import noweekend.core.domain.user.ProviderType
+
+interface OAuthLoginParams {
+    fun getProviderType(): ProviderType
+    fun getCode(): String
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/common/Revocable.kt

@@ -0,0 +1,5 @@
+package noweekend.client.common
+
+interface Revocable {
+    fun revokeToken(token: String): Boolean
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/config/ComponentScanConfig.kt

@@ -6,6 +6,8 @@ import org.springframework.context.annotation.Configuration
 @ComponentScan(
     basePackages = [
         "noweekend.client.google",
+        "noweekend.client.apple",
+        "noweekend.client.common",
     ],
 )
 @Configuration("clientsConfig")

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/config/OAuthConfig.kt

@@ -0,0 +1,13 @@
+package noweekend.client.config
+
+import noweekend.client.properties.AppleAuthProperties
+import noweekend.client.properties.GoogleAuthProperties
+import org.springframework.boot.context.properties.EnableConfigurationProperties
+import org.springframework.context.annotation.Configuration
+
+@Configuration
+@EnableConfigurationProperties(
+    AppleAuthProperties::class,
+    GoogleAuthProperties::class,
+)
+class OAuthConfig

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/config/OauthFeignConfig.kt renamed to noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/config/OAuthFeignConfig.kt

@@ -6,8 +6,8 @@ import org.springframework.context.annotation.Configuration
 @EnableFeignClients(
     basePackages = [
         "noweekend.client.google",
-//        "noweekend.client.apple",
+        "noweekend.client.apple",
     ],
 )
 @Configuration
-internal class OauthFeignConfig
+internal class OAuthFeignConfig

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/google/GoogleClient.kt

@@ -1,15 +1,44 @@
 package noweekend.client.google
 
-import noweekend.client.model.GoogleEmailResult
+import noweekend.client.common.OAuthClient
+import noweekend.client.common.OAuthInfo
+import noweekend.client.common.OAuthLoginParams
+import noweekend.client.properties.GoogleAuthProperties
+import noweekend.core.domain.user.ProviderType
 import org.springframework.stereotype.Component
 
 @Component
 class GoogleClient internal constructor(
-    private val googleApi: GoogleApi,
-) {
-    fun getEmail(request: GoogleUserInfoRequest): GoogleEmailResult {
-        val tokenHeader = "Bearer ${request.accessToken}"
-        val response = googleApi.getUserInfo(tokenHeader)
-        return response.result()
+    private val googleTokenApi: GoogleTokenApi,
+    private val googleResourceApi: GoogleResourceApi,
+    private val googleAuthProperties: GoogleAuthProperties,
+) : OAuthClient {
+
+    override fun supports(providerType: ProviderType): Boolean {
+        return providerType == ProviderType.GOOGLE
+    }
+
+    override fun requestOAuthInfo(params: OAuthLoginParams): OAuthInfo {
+        val accessToken = requestAccessToken(params)
+        return requestAuthInfo(accessToken)
+    }
+
+    private fun requestAccessToken(params: OAuthLoginParams): String {
+        return googleTokenApi.getGoogleToken(
+            code = params.getCode(),
+            redirectUri = DEFAULT_REDIRECT_URI,
+            clientId = googleAuthProperties.clientId,
+            clientSecret = googleAuthProperties.clientSecret,
+            grantType = GOOGLE_AUTHORIZATION_TYPE,
+        ).accessToken
+    }
+
+    private fun requestAuthInfo(accessToken: String): GoogleOAuthInfo {
+        return googleResourceApi.getUserInfo(accessToken)
+    }
+
+    companion object {
+        private const val GOOGLE_AUTHORIZATION_TYPE = "authorization_code"
+        private const val DEFAULT_REDIRECT_URI = "postmessage"
     }
 }

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/google/GoogleLoginParams.kt

@@ -0,0 +1,9 @@
+package noweekend.client.google
+
+import noweekend.client.common.OAuthLoginParams
+import noweekend.core.domain.user.ProviderType
+
+class GoogleLoginParams(private val code: String) : OAuthLoginParams {
+    override fun getProviderType(): ProviderType = ProviderType.GOOGLE
+    override fun getCode(): String = code
+}

noweekend-clients/client-oauth/src/main/kotlin/noweekend/client/google/GoogleOAuthInfo.kt

@@ -0,0 +1,17 @@
+package noweekend.client.google
+
+import com.fasterxml.jackson.annotation.JsonProperty
+import noweekend.client.common.OAuthInfo
+import noweekend.core.domain.user.ProviderType
+
+data class GoogleOAuthInfo(
+    @JsonProperty("id")
+    val id: String,
+
+    @JsonProperty("email")
+    val email: String?,
+) : OAuthInfo {
+    override fun getProviderId(): String = id
+    override fun getProviderRevocableToken(): String? = null
+    override fun getProviderType(): ProviderType = ProviderType.GOOGLE
+}