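package com.gcsc.guide.auth;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import java.util.Collections;

/**
 * Verifies Google ID tokens and enforces an allowed e-mail domain.
 *
 * <p>Signature, expiry and issuer are checked by {@link GoogleIdTokenVerifier}; the audience is
 * pinned to the configured client id so tokens minted for other OAuth clients are rejected.
 * On top of that, the {@code email} claim must be marked verified by Google and its domain must
 * equal {@code app.allowed-email-domain} (compared case-insensitively).
 *
 * <p>NOTE(review): for Google Workspace tenants the {@code hd} (hosted domain) claim is the
 * authoritative domain signal; consider checking it in addition to the e-mail suffix.
 */
@Slf4j
@Component
public class GoogleTokenVerifier {

    private final GoogleIdTokenVerifier verifier;
    private final String allowedEmailDomain;

    /**
     * @param clientId           OAuth client id the token's {@code aud} claim must equal
     * @param allowedEmailDomain domain (without a leading {@code @}) that sign-in e-mails must
     *                           belong to; surrounding whitespace is ignored
     * @throws IllegalArgumentException if the allowed domain is blank -- an empty suffix would
     *                                  match every address and silently disable the restriction
     */
    public GoogleTokenVerifier(
            @Value("${app.google.client-id}") String clientId,
            @Value("${app.allowed-email-domain}") String allowedEmailDomain
    ) {
        // Fail closed at startup rather than accept any Google account at runtime.
        if (allowedEmailDomain == null || allowedEmailDomain.trim().isEmpty()) {
            throw new IllegalArgumentException("app.allowed-email-domain must not be blank");
        }
        this.verifier = new GoogleIdTokenVerifier.Builder(
                new NetHttpTransport(), GsonFactory.getDefaultInstance())
                .setAudience(Collections.singletonList(clientId))
                .build();
        this.allowedEmailDomain = allowedEmailDomain.trim();
    }

    /**
     * Verifies a Google ID token and returns its payload.
     *
     * @param idTokenString raw ID token as received from the client (untrusted)
     * @return the verified payload, or {@code null} when the token is invalid, the e-mail is not
     *         verified by Google, or the e-mail domain is not the allowed one
     */
    public GoogleIdToken.Payload verify(String idTokenString) {
        try {
            GoogleIdToken idToken = verifier.verify(idTokenString);
            if (idToken == null) {
                log.warn("Google ID Token 검증 실패: 유효하지 않은 토큰");
                return null;
            }
            GoogleIdToken.Payload payload = idToken.getPayload();
            String email = payload.getEmail();
            // The domain decision is only as trustworthy as the e-mail claim itself, so require
            // Google's email_verified assertion. A missing claim is treated as unverified.
            if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
                log.warn("이메일 미검증 계정: {}", email);
                return null;
            }
            if (!hasAllowedDomain(email)) {
                log.warn("허용되지 않은 이메일 도메인: {}", email);
                return null;
            }
            return payload;
        } catch (Exception e) {
            // Keep the stack trace: verify() can fail on the public-key fetch (IOException)
            // as well as on signature problems (GeneralSecurityException).
            log.error("Google ID Token 검증 중 오류: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Returns whether {@code email} has exactly the allowed domain after its last {@code @}.
     * Domains are case-insensitive, so {@code User@Example.COM} matches {@code example.com};
     * an address with no {@code @} never matches.
     */
    private boolean hasAllowedDomain(String email) {
        if (email == null) {
            return false;
        }
        int at = email.lastIndexOf('@');
        if (at < 0) {
            return false;
        }
        return email.substring(at + 1).equalsIgnoreCase(allowedEmailDomain);
    }
}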