From 9af778fc2d1ffac142628da4f9e2fd027dbfec7c Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Tue, 19 Apr 2022 20:43:21 +0300
Subject: Google sign in: validate client id
---
 src/main/java/com/github/scribejava/apis/GoogleTokenVerifier.java | 8 ++++----
 src/main/java/com/juick/www/api/ApiSocialLogin.java | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/main/java/com/github/scribejava/apis/GoogleTokenVerifier.java b/src/main/java/com/github/scribejava/apis/GoogleTokenVerifier.java
index 35a9d832..a7d48a34 100644
--- a/src/main/java/com/github/scribejava/apis/GoogleTokenVerifier.java
+++ b/src/main/java/com/github/scribejava/apis/GoogleTokenVerifier.java
@@ -3,6 +3,7 @@ package com.github.scribejava.apis;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.text.ParseException;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
@@ -20,11 +21,10 @@ import com.nimbusds.jwt.proc.DefaultJWTProcessor;
 public class GoogleTokenVerifier {
- public static Optional validateToken(String idToken) {
+ public static Optional validateToken(String clientId, String idToken) {
 // Create a JWT processor for the access tokens
- ConfigurableJWTProcessor jwtProcessor =
- new DefaultJWTProcessor<>();
+ ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor<>();
 // The public RSA keys to validate the signatures will be sourced from the
 // OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet
@@ -49,7 +49,7 @@ public class GoogleTokenVerifier {
 jwtProcessor.setJWSKeySelector(keySelector);
 // Set the required JWT claims for access tokens issued by the server
- jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
+ jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(Collections.singleton(clientId), null, null, null));
 // Process the token
 Map claimsSet;
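Review bot: The new `clientId` parameter on `validateToken` carries no documentation, so a caller cannot tell from the signature which claim it is checked against or whether it may be null. Add a Javadoc on the method along the lines of `@param clientId the OAuth client id that must appear in the token's aud claim` and `@param idToken the raw Google ID token in JWS compact serialization`, plus `@return the verified email address, or empty if the token was rejected` if that is what the rest of the method yields. The type arguments on `Optional` and `ConfigurableJWTProcessor` look stripped in this rendering, so I cannot tell whether these are raw types in the file; if they are, restoring `Optional<String>` and `ConfigurableJWTProcessor<SecurityContext>` would be worth doing in the same touch. The method body continues outside this hunk.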
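Review bot: `Collections.singleton(clientId)` with a null `clientId` produces a set containing null, and as far as I recall Nimbus's DefaultJWTClaimsVerifier treats a null member of the accepted-audience set as "tokens without an aud claim are acceptable" — so a missing client-id configuration would silently weaken the audience check instead of failing loudly. Guard the parameter at the top of `validateToken`, e.g. `Objects.requireNonNull(clientId, "clientId");` (needs `java.util.Objects` alongside the new `Collections` import in the first hunk), or return `Optional.empty()` with a logged error if callers treat misconfiguration as a soft failure. The second constructor argument is left null, so no exact-match claims such as `iss` are enforced; the signature check against Google's JWK set already constrains who can produce a passing token, but pinning the issuer via a `JWTClaimsSet` in that slot would make the intent explicit — Google documents more than one issuer spelling, so confirm the accepted values before hard-coding one. `validateToken` starts and ends outside this hunk.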
diff --git a/src/main/java/com/juick/www/api/ApiSocialLogin.java b/src/main/java/com/juick/www/api/ApiSocialLogin.java
index 5e17d2b7..02f16676 100644
--- a/src/main/java/com/juick/www/api/ApiSocialLogin.java
+++ b/src/main/java/com/juick/www/api/ApiSocialLogin.java
@@ -230,7 +230,7 @@ public class ApiSocialLogin {
 throws GeneralSecurityException, IOException {
 logger.info("Token: {}", idTokenString);
 logger.info("Client: {}", googleClientId);
- Optional verifiedEmail = GoogleTokenVerifier.validateToken(idTokenString);
+ Optional verifiedEmail = GoogleTokenVerifier.validateToken(googleClientId, idTokenString);
 if (verifiedEmail.isPresent()) {
 String email = verifiedEmail.get();
 com.juick.model.User visitor = userService.getUserByEmail(email);
-- cgit v1.2.3
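Review bot: The changed call now passes `googleClientId` into the verifier, but the context line two above it still writes the raw ID token to the log at INFO level (`logger.info("Token: {}", idTokenString);`); an ID token is a bearer credential until it expires, so it should not land in application logs. Replace that line with something that records only non-sensitive context, e.g. `logger.debug("Validating Google ID token for client {}", googleClientId);`, or remove it. The `isPresent()`/`get()` pair below the changed line is pre-existing and could become `verifiedEmail.ifPresent(...)`, but that is a separate cleanup. The enclosing method begins before this hunk — only its `throws` clause is visible here.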