[Fix] Apple OAuth audience(aud) 클레임 검증 추가

[howooyeon]

🧾 요약

• Apple OAuth 로그인 시 audience(aud) 클레임 검증 누락 수정 — 타 앱 토큰으로 로그인 가능한 보안 취약점 차단

🔗 이슈

• close [fix] Apple OAuth audience(aud) 클레임 검증 누락 #198

✨ 변경 내용

• application.yaml에 apple.client-id 설정 추가
• OAuthAppleClient에서 JWT 파싱 시 requireAudience(appleClientId) 검증 추가

✅ 확인

• 빌드 OK
• 테스트 OK

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d38f1cfc-2b35-4cbd-a8ec-ecc9fed108c8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/#198-apple-oauth-aud-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

본 PR은 Apple OAuth 인증 과정에서 발생할 수 있는 보안 취약점을 해결하기 위해 JWT 검증 로직을 강화하는 내용을 담고 있습니다. 기존에 누락되었던 audience(aud) 클레임 검증을 추가함으로써, 서비스의 인증 무결성을 높이고 외부 토큰을 통한 인증 우회 가능성을 방지하고자 합니다.

Highlights

• 보안 강화: Apple OAuth 로그인 시 audience(aud) 클레임 검증을 추가하여 타 앱의 토큰을 이용한 비정상적인 로그인 시도를 차단했습니다.
• 설정 추가: application.yaml에 apple.client-id 설정을 추가하고, 이를 OAuthAppleClient에서 주입받아 검증에 사용하도록 구현했습니다.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request integrates the Apple Client ID into the Apple OAuth client to verify the audience claim of identity tokens. The review feedback suggests adding defensive validation for the injected appleClientId to ensure that configuration errors are properly handled as internal server errors (500) rather than being masked as invalid token errors (401).

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.