internal/auth/service.go

package auth

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"

	"github.com/jackc/pgx/v5/pgxpool"
	"google.golang.org/api/idtoken"
)

type Service struct {
	pool           *pgxpool.Pool
	googleClientID string
	jwtSecret      string
}

func NewService(pool *pgxpool.Pool, googleClientID, jwtSecret string) *Service {
	return &Service{
		pool:           pool,
		googleClientID: googleClientID,
		jwtSecret:      jwtSecret,
	}
}

func (s *Service) HandleGoogleLogin(ctx context.Context, req GoogleLoginRequest) (SessionResponse, error) {
	if strings.TrimSpace(req.IDToken) == "" || s.googleClientID == "" {
		return SessionResponse{}, errors.New("google id token is required")
	}

	payload, err := idtoken.Validate(ctx, req.IDToken, s.googleClientID)
	if err != nil {
		return SessionResponse{}, err
	}

	email := ""
	if v, ok := payload.Claims["email"].(string); ok {
		email = strings.ToLower(strings.TrimSpace(v))
	}
	name := ""
	if v, ok := payload.Claims["name"].(string); ok {
		name = strings.TrimSpace(v)
	}
	subject := payload.Subject

	if email == "" {
		return SessionResponse{}, errors.New("email not found in token")
	}
	if name == "" {
		name = strings.Split(email, "@")[0]
	}

	user, err := s.upsertUser(ctx, email, name, subject)
	if err != nil {
		return SessionResponse{}, err
	}

	token, err := SignToken(s.jwtSecret, Claims{
		UserID: user.ID,
		Email:  user.Email,
		Exp:    time.Now().Add(7 * 24 * time.Hour).Unix(),
	})
	if err != nil {
		return SessionResponse{}, err
	}

	return SessionResponse{Token: token, User: user}, nil
}

func (s *Service) upsertUser(ctx context.Context, email, displayName, subject string) (User, error) {
	var user User
	err := s.pool.QueryRow(ctx, `
		INSERT INTO users (email, display_name, provider, provider_subject)
		VALUES ($1, $2, 'google', $3)
		ON CONFLICT (email) DO UPDATE SET
			display_name = EXCLUDED.display_name,
			provider_subject = EXCLUDED.provider_subject
		RETURNING id, email, display_name
	`, email, displayName, subject).Scan(&user.ID, &user.Email, &user.DisplayName)
	if err != nil {
		return User{}, fmt.Errorf("upsert user: %w", err)
	}
	return user, nil
}

func SignToken(secret string, claims Claims) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, []byte(secret))
	_, _ = mac.Write([]byte(payload))
	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return payload + "." + sig, nil
}

func VerifyToken(secret, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("invalid token")
	}
	mac := hmac.New(sha256.New, []byte(secret))
	_, _ = mac.Write([]byte(parts[0]))
	expected := mac.Sum(nil)
	actual, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(expected, actual) {
		return Claims{}, errors.New("invalid signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var claims Claims
	if err := json.Unmarshal(body, &claims); err != nil {
		return Claims{}, err
	}
	if claims.Exp < time.Now().Unix() {
		return Claims{}, fmt.Errorf("token expired")
	}
	return claims, nil
}
feat: add Google Sign-In with JWT auth and Neon DB persistence 2026-04-27 13:23:47 +09:00			`package auth`

			`import (`
			`"context"`
			`"crypto/hmac"`
			`"crypto/sha256"`
			`"encoding/base64"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"strings"`
			`"time"`

			`"github.com/jackc/pgx/v5/pgxpool"`
			`"google.golang.org/api/idtoken"`
			`)`

			`type Service struct {`
			`pool *pgxpool.Pool`
			`googleClientID string`
			`jwtSecret string`
			`}`

			`func NewService(pool pgxpool.Pool, googleClientID, jwtSecret string) Service {`
			`return &Service{`
			`pool: pool,`
			`googleClientID: googleClientID,`
			`jwtSecret: jwtSecret,`
			`}`
			`}`

			`func (s *Service) HandleGoogleLogin(ctx context.Context, req GoogleLoginRequest) (SessionResponse, error) {`
			`if strings.TrimSpace(req.IDToken) == "" \|\| s.googleClientID == "" {`
			`return SessionResponse{}, errors.New("google id token is required")`
			`}`

			`payload, err := idtoken.Validate(ctx, req.IDToken, s.googleClientID)`
			`if err != nil {`
			`return SessionResponse{}, err`
			`}`

			`email := ""`
			`if v, ok := payload.Claims["email"].(string); ok {`
			`email = strings.ToLower(strings.TrimSpace(v))`
			`}`
			`name := ""`
			`if v, ok := payload.Claims["name"].(string); ok {`
			`name = strings.TrimSpace(v)`
			`}`
			`subject := payload.Subject`

			`if email == "" {`
			`return SessionResponse{}, errors.New("email not found in token")`
			`}`
			`if name == "" {`
			`name = strings.Split(email, "@")[0]`
			`}`

			`user, err := s.upsertUser(ctx, email, name, subject)`
			`if err != nil {`
			`return SessionResponse{}, err`
			`}`

			`token, err := SignToken(s.jwtSecret, Claims{`
			`UserID: user.ID,`
			`Email: user.Email,`
			`Exp: time.Now().Add(7 * 24 * time.Hour).Unix(),`
			`})`
			`if err != nil {`
			`return SessionResponse{}, err`
			`}`

			`return SessionResponse{Token: token, User: user}, nil`
			`}`

			`func (s *Service) upsertUser(ctx context.Context, email, displayName, subject string) (User, error) {`
			`var user User`
			err := s.pool.QueryRow(ctx, `
			`INSERT INTO users (email, display_name, provider, provider_subject)`
			`VALUES ($1, $2, 'google', $3)`
			`ON CONFLICT (email) DO UPDATE SET`
			`display_name = EXCLUDED.display_name,`
			`provider_subject = EXCLUDED.provider_subject`
			`RETURNING id, email, display_name`
			`, email, displayName, subject).Scan(&user.ID, &user.Email, &user.DisplayName)
			`if err != nil {`
			`return User{}, fmt.Errorf("upsert user: %w", err)`
			`}`
			`return user, nil`
			`}`

			`func SignToken(secret string, claims Claims) (string, error) {`
			`body, err := json.Marshal(claims)`
			`if err != nil {`
			`return "", err`
			`}`
			`payload := base64.RawURLEncoding.EncodeToString(body)`
			`mac := hmac.New(sha256.New, []byte(secret))`
			`_, _ = mac.Write([]byte(payload))`
			`sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))`
			`return payload + "." + sig, nil`
			`}`

			`func VerifyToken(secret, token string) (Claims, error) {`
			`parts := strings.Split(token, ".")`
			`if len(parts) != 2 {`
			`return Claims{}, errors.New("invalid token")`
			`}`
			`mac := hmac.New(sha256.New, []byte(secret))`
			`_, _ = mac.Write([]byte(parts[0]))`
			`expected := mac.Sum(nil)`
			`actual, err := base64.RawURLEncoding.DecodeString(parts[1])`
			`if err != nil \|\| !hmac.Equal(expected, actual) {`
			`return Claims{}, errors.New("invalid signature")`
			`}`
			`body, err := base64.RawURLEncoding.DecodeString(parts[0])`
			`if err != nil {`
			`return Claims{}, err`
			`}`
			`var claims Claims`
			`if err := json.Unmarshal(body, &claims); err != nil {`
			`return Claims{}, err`
			`}`
			`if claims.Exp < time.Now().Unix() {`
			`return Claims{}, fmt.Errorf("token expired")`
			`}`
			`return claims, nil`
			`}`