Team-useMemo · bricksky · Jun 26, 2025 · Jun 27, 2025 · Jul 2, 2025 · Jul 2, 2025
@@ -15,4 +15,4 @@ public class PostCalendarDto {
 	private String place;
 	private Instant alarm;
 	private String description;
-}
+}
@@ -0,0 +1,14 @@
+package com.usememo.jugger.global.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.reactive.function.client.WebClient;
+
+@Configuration
+public class WebClientConfig {
+
+    @Bean
+    public WebClient webClient() {
+        return WebClient.builder().build();
+    }
+}
@@ -4,12 +4,12 @@
 
 @Getter
 public class BaseException extends RuntimeException {
-	private final ErrorCode errorCode;
-	private final String message;
+    private final ErrorCode errorCode;
+    private final String message;
 
-	public BaseException(ErrorCode errorCode) {
-		super(errorCode.getMessage());
-		this.errorCode = errorCode;
-		this.message = errorCode.getMessage();
-	}
+    public BaseException(ErrorCode errorCode) {
+        super(errorCode.getMessage());
+        this.errorCode = errorCode;
+        this.message = errorCode.getMessage();
+    }
 }
@@ -35,13 +35,21 @@ public enum ErrorCode {
 	KAKAO_USER_NOT_FOUND(BAD_REQUEST,427,"존재하지 않는 회원입니다."),
 
 	DUPLICATE_USER(BAD_REQUEST,428,"중복된 회원정보입니다."),
+	REQUIRED_TERMS_NOT_AGREED(BAD_REQUEST, 429, "필수 약관에 동의하지 않았습니다."),
 
 
 	GOOGLE_LOGIN_FAIL(BAD_REQUEST,404,"로그인에 실패하였습니다."),
 	GOOGLE_NO_EMAIL(BAD_REQUEST,404,"이메일이 존재하지 않습니다."),
 	GOOGLE_USER_NOT_FOUND(BAD_REQUEST,404,"구글 유저가 존재하지 않습니다."),
 	GOOGLE_NO_NAME(BAD_REQUEST,404,"이름이 존재하지 않습니다."),
 
+	APPLE_USER_NOT_FOUND(BAD_REQUEST, 430, "존재하지 않는 Apple 회원입니다."),
+	APPLE_TOKEN_REQUEST_FAILED(BAD_REQUEST, 431, "Apple 인가 코드로 토큰을 요청하는 데 실패했습니다."),
+	APPLE_CLIENT_SECRET_FAILED(HttpStatus.INTERNAL_SERVER_ERROR, 432, "Apple client secret 생성에 실패했습니다."),
+	APPLE_USERINFO_MISSING(BAD_REQUEST, 433, "Apple 사용자 정보가 불완전합니다."),
+	APPLE_TOKEN_PARSE_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, 434, "Apple id_token 파싱에 실패했습니다."),
+
+
 
 	JWT_KEY_GENERATION_FAILED(HttpStatus.INTERNAL_SERVER_ERROR, 422, "JWT 키 생성에 실패했습니다."),
 	JWT_ACCESS_TOKEN_CREATION_FAILED(HttpStatus.INTERNAL_SERVER_ERROR, 423, "액세스 토큰 생성 실패"),

@@ -0,0 +1,73 @@
+package com.usememo.jugger.global.security;
+
+import com.usememo.jugger.global.security.token.domain.AppleProperties;
+import io.jsonwebtoken.Jwts;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.stereotype.Component;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import java.util.stream.Collectors;
+
+@Component
+public class AppleJwtGenerator {
+    private final AppleProperties appleProperties;
+    private final ResourceLoader resourceLoader;
+    private static final String APPLE_AUDIENCE = "https://appleid.apple.com";
+
+    @Autowired
+    public AppleJwtGenerator(AppleProperties appleProperties, ResourceLoader resourceLoader) {
+        this.appleProperties = appleProperties;
+        this.resourceLoader = resourceLoader;
+    }
+
+    public String createClientSecret()
+            throws java.io.IOException,
+            NoSuchAlgorithmException,
+            InvalidKeySpecException{
+        Date now = new Date();
+        Date expiration = new Date(now.getTime() + 3600_000);
+
+        return Jwts.builder()
+                .header()
+                .keyId(appleProperties.getKeyId())
+                .and()
+                .subject(appleProperties.getClientId())
+                .issuer(appleProperties.getTeamId())
+                .audience()
+                .add(APPLE_AUDIENCE)
+                .and()
+                .expiration(expiration)
+                .signWith(getPrivateKey(), Jwts.SIG.ES256)
+                .compact();
+    }
+
+    private PrivateKey getPrivateKey()
+            throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+        Resource resource = resourceLoader.getResource(appleProperties.getPrivateKeyLocation());
+        try (BufferedReader reader =
+                     new BufferedReader(new InputStreamReader(resource.getInputStream()))) {
+            String keyContent = reader.lines().collect(Collectors.joining("\n"));
+            String key =
+                    keyContent
+                            .replace("-----BEGIN PRIVATE KEY-----", "")
+                            .replace("-----END PRIVATE KEY-----", "")
+                            .replaceAll("\\s+", "");
+            byte[] encoded = Base64.getDecoder().decode(key);
+            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
+            KeyFactory keyFactory = KeyFactory.getInstance("EC");
+            return keyFactory.generatePrivate(keySpec);
+        }
+    }
+}
@@ -0,0 +1,72 @@
+package com.usememo.jugger.global.security;
+
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.JWKSet;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Component;
+
+import java.net.URL;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.locks.ReadWriteLock;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
+
+@Slf4j
+@Component
+public class ApplePublicKeyProvider {
+
+    private static final String APPLE_KEYS_URL = "https://appleid.apple.com/auth/keys";
+    private static final Duration CACHE_DURATION = Duration.ofDays(15);
+
+    private final Map<String, JWK> keyCache = new ConcurrentHashMap<>();
+    private volatile Instant lastCacheTime = Instant.MIN;
+    private final ReadWriteLock cacheLock = new ReentrantReadWriteLock();
+
+    public JWK getKeyById(String keyId) {
+
+        try {
+            // 캐시 확인 및 만료 체크
+            cacheLock.readLock().lock();
+            try {
+                if (keyCache.containsKey(keyId) && !isCacheExpired()) {
+                    return keyCache.get(keyId);
+                }
+            } finally {
+                cacheLock.readLock().unlock();
+            }
+
+            // 캐시 갱신
+            cacheLock.writeLock().lock();
+            try {
+                // 다른 스레드가 갱신했는지 재확인
+                if (keyCache.containsKey(keyId) && !isCacheExpired()) {
+                    return keyCache.get(keyId);
+                }
+                // Apple 서버에서 공개키 가져오기
+                JWKSet jwkSet = JWKSet.load(new URL(APPLE_KEYS_URL));
+                for (JWK key : jwkSet.getKeys()) {
+                    keyCache.put(key.getKeyID(), key);
+                }
+                lastCacheTime = Instant.now();
+            } finally {
+                cacheLock.writeLock().unlock();
+            }
+
+            JWK foundKey = keyCache.get(keyId);
+            if (foundKey == null) {
+                throw new IllegalArgumentException("Apple 공개키에서 keyId를 찾을 수 없습니다: " + keyId);
+            }
+
+            return foundKey;
+        } catch (Exception e) {
+            log.error("Apple 공개키 로딩 실패", e);
+            throw new IllegalArgumentException("Apple 공개키 로딩 실패", e);
+        }
+    }
+
+    private boolean isCacheExpired() {
+        return Duration.between(lastCacheTime, Instant.now()).compareTo(CACHE_DURATION) > 0;
+    }
+}
@@ -0,0 +1,68 @@
+package com.usememo.jugger.global.security;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jwt.SignedJWT;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.text.ParseException;
+import java.util.Date;
+
+@Component
+@RequiredArgsConstructor
+public class JwtValidator {
+
+    private static final String APPLE_ISSUER = "https://appleid.apple.com";
+
+    private final ApplePublicKeyProvider keyProvider;
+
+    @Value("${apple.client-id}")
+    private String clientId;
+
-    @Value("${apple.client-id}")
-    private String clientId;
+    // replace field-injected clientId with constructor injection
+-    @Value("${apple.client-id}")
+-    private String clientId;
+    private final String clientId;
+
+    public JwtValidator(ApplePublicKeyProvider keyProvider,
+                        @Value("${apple.client-id}") String clientId) {
+        this.keyProvider = keyProvider;
+        this.clientId = clientId;
+    }
-    @Value("${apple.client-id}")
-    private String clientId;
+    // replace field-injected clientId with constructor injection
+-    @Value("${apple.client-id}")
+-    private String clientId;
+    private final String clientId;
+
+    public JwtValidator(ApplePublicKeyProvider keyProvider,
+                        @Value("${apple.client-id}") String clientId) {
+        this.keyProvider = keyProvider;
+        this.clientId = clientId;
+    }
+    public SignedJWT validate(String idToken) {
+        try {
+            SignedJWT jwt = SignedJWT.parse(idToken);
+            JWSHeader header = jwt.getHeader();
+
+            // 알고리즘 확인
+            if (!JWSAlgorithm.RS256.equals(header.getAlgorithm())) {
+                throw new IllegalArgumentException("Unexpected JWS algorithm: " + header.getAlgorithm());
+            }
+
+            // 공개키로 서명 검증
+            var jwk = keyProvider.getKeyById(header.getKeyID());
+            JWSVerifier verifier = new RSASSAVerifier(jwk.toRSAKey());
+
+            if (!jwt.verify(verifier)) {
+                throw new IllegalArgumentException("Apple ID Token 서명 검증 실패");
+            }
+
+            // 클레임 검증
+            var claims = jwt.getJWTClaimsSet();
+            Date now = new Date();
+
+            if (claims.getExpirationTime() == null || now.after(claims.getExpirationTime())) {
+                throw new IllegalArgumentException("Apple ID Token 만료됨");
+            }
+
+            if (!APPLE_ISSUER.equals(claims.getIssuer())) {
+                throw new IllegalArgumentException("잘못된 iss: " + claims.getIssuer());
+            }
+
+            if (!claims.getAudience().contains(clientId)) {
+                throw new IllegalArgumentException("잘못된 aud: " + claims.getAudience());
+            }
+
+            return jwt;
+
+        } catch (ParseException e) {
+            throw new IllegalArgumentException("Apple ID Token 파싱 실패", e);
+        } catch (Exception e) {
+            throw new IllegalArgumentException("Apple ID Token 검증 실패", e);
+        }
+    }
+}
@@ -6,7 +6,8 @@
 import java.util.UUID;
 import java.util.logging.Logger;
 
-import org.apache.el.parser.Token;
+import com.usememo.jugger.global.security.token.domain.*;
+import com.usememo.jugger.global.security.token.service.AppleOAuthService;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseCookie;
@@ -27,18 +28,7 @@
 import com.usememo.jugger.global.exception.KakaoException;
 import com.usememo.jugger.global.security.CustomOAuth2User;
 import com.usememo.jugger.global.security.JwtTokenProvider;
-import com.usememo.jugger.global.security.token.domain.GoogleLoginRequest;
-import com.usememo.jugger.global.security.token.domain.GoogleSignupRequest;
-import com.usememo.jugger.global.security.token.domain.KakaoLoginRequest;
-
-import com.usememo.jugger.global.security.token.domain.KakaoLogoutResponse;
-import com.usememo.jugger.global.security.token.domain.KakaoSignUpRequest;
-
-import com.usememo.jugger.global.security.token.domain.LogOutRequest;
-import com.usememo.jugger.global.security.token.domain.LogOutResponse;
-import com.usememo.jugger.global.security.token.domain.NewTokenResponse;
-import com.usememo.jugger.global.security.token.domain.RefreshTokenRequest;
-import com.usememo.jugger.global.security.token.domain.TokenResponse;
+
 import com.usememo.jugger.global.security.token.repository.RefreshTokenRepository;
 import com.usememo.jugger.global.security.token.service.GoogleOAuthService;
 import com.usememo.jugger.global.security.token.service.KakaoOAuthService;
@@ -56,6 +46,7 @@ public class AuthController {
 
 	private final KakaoOAuthService kakaoService;
 	private final GoogleOAuthService googleOAuthService;
+	private final AppleOAuthService appleOAuthService;
 
 
 	@Operation(summary = "[POST] refresh token으로 새로운 access token 발급")
@@ -109,4 +100,18 @@ public Mono<ResponseEntity<TokenResponse>> signUpGoogle(@RequestBody GoogleSignu
 			.map(token-> ResponseEntity.ok().body(token));
 	}
 
+
+	@Operation(summary = "[POST] 애플 로그인")
+	@PostMapping("/apple")
+	public Mono<ResponseEntity<TokenResponse>> loginByApple(@RequestBody AppleLoginRequest appleLoginRequest){
+		return appleOAuthService.loginWithApple(appleLoginRequest.code())
+				.map(token -> ResponseEntity.ok().body(token));
+	}
+
+	@Operation(summary = "[POST] 애플 회원가입")
+	@PostMapping("/apple/signup")
+	public Mono<ResponseEntity<TokenResponse>> signUpApple(@RequestBody AppleSignUpRequest appleSignUpRequest){
+		return appleOAuthService.signUpApple(appleSignUpRequest)
+				.map(token -> ResponseEntity.ok().body(token));
+	}
 }
@@ -0,0 +1,7 @@
+package com.usememo.jugger.global.security.token.domain;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+
+public record AppleLoginRequest(@Schema(description = "애플 인가 코드", example = "dY94g8JaZ1Ki1s...")
+                                String code) {
+}
@@ -0,0 +1,20 @@
+package com.usememo.jugger.global.security.token.domain;
+
+import lombok.Getter;
+import lombok.Setter;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@Getter
+@Setter
+@Component
+@ConfigurationProperties(prefix = "apple")
+public class AppleProperties {
+
+    private String clientId;
+    private String teamId;
+    private String keyId;
+    private String privateKeyLocation;
+    private String privateKey;
+    private String redirectUri;
+}
@@ -0,0 +1,27 @@
+package com.usememo.jugger.global.security.token.domain;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+import lombok.Data;
+
+public record AppleSignUpRequest(@Schema(description = "사용자 이름", example = "홍길동", required = true)
+                                 String name,
+
+                                 @Schema(description = "이메일 주소", example = "[email protected]", required = true)
+                                 String email,
+
+                                 @Schema(description = "약관 동의 정보", required = true)
+                                 KakaoSignUpRequest.Terms terms
+) {
+    @Schema(name = "Terms", description = "약관 동의 항목들")
+    @Data
+    public static class Terms {
+        @Schema(description = "서비스 이용약관 동의 여부", example = "true", required = true)
+        private boolean termsOfService;
+
+        @Schema(description = "개인정보 처리방침 동의 여부", example = "true", required = true)
+        private boolean privacyPolicy;
+
+        @Schema(description = "마케팅 정보 수신 동의 여부", example = "false", required = true)
+        private boolean marketing;
+    }
+}