boostcampwm2025 · LimSR12 · Dec 18, 2025 · Dec 18, 2025
diff --git a/BE/package-lock.json b/BE/package-lock.json
diff --git a/BE/package.json b/BE/package.json
@@ -20,9 +20,12 @@
     "test:e2e": "jest --config ./test/jest-e2e.json"
   },
   "dependencies": {
+    "@nestjs/axios": "^4.0.1",
     "@nestjs/common": "^11.0.1",
+    "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.0.1",
     "@nestjs/platform-express": "^11.0.1",
+    "axios": "^1.13.2",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1"
   },

diff --git a/BE/src/app.module.ts b/BE/src/app.module.ts
@@ -1,9 +1,16 @@
 import { Module } from '@nestjs/common';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
+import { AuthModule } from './auth/auth.module';
+import { ConfigModule } from '@nestjs/config';
 
 @Module({
-  imports: [],
+  imports: [
+    ConfigModule.forRoot({
+      isGlobal: true,
+    }),
+    AuthModule,
+  ],
   controllers: [AppController],
   providers: [AppService],
 })

diff --git a/BE/src/auth/auth.controller.ts b/BE/src/auth/auth.controller.ts
@@ -0,0 +1,27 @@
+import { Controller, Get, Query, Res } from '@nestjs/common';
+import type { Response } from 'express';
+import { AuthService } from './auth.service';
+
+@Controller()
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Get('api/auth/login')
+  login(@Res() res: Response) {
+    const params = new URLSearchParams({
+      client_id: process.env.GITHUB_CLIENT_ID ?? '',
+      redirect_uri: process.env.GITHUB_REDIRECT_URI ?? '',
+      scope: 'read:org',
+    });
+
+    return res.redirect(`https://github.com/login/oauth/authorize?${params.toString()}`);
+  }
+
+  @Get('auth/github/callback')
+  async callback(@Query('code') code?: string) {
+    if (!code) {
+      return { success: false, message: '코드가 없습니당' };
+    }
+    return await this.authService.verifyCohortByGithubOAuth(code);
+  }
+}
diff --git a/BE/src/auth/auth.module.ts b/BE/src/auth/auth.module.ts
@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { HttpModule } from '@nestjs/axios';
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { GithubOAuthClient } from './github-oauth.client';
+
+@Module({
+  imports: [HttpModule],
+  controllers: [AuthController],
+  providers: [AuthService, GithubOAuthClient],
+})
+export class AuthModule {}
diff --git a/BE/src/auth/auth.service.ts b/BE/src/auth/auth.service.ts
@@ -0,0 +1,25 @@
+import { Injectable } from '@nestjs/common';
+import { GithubOAuthClient } from './github-oauth.client';
+import { resolveCohortFromOrgs } from './cohort-rules';
+
+@Injectable()
+export class AuthService {
+  constructor(private readonly github: GithubOAuthClient) {}
+
+  async verifyCohortByGithubOAuth(code: string) {
+    // ✅ code -> access token
+    const accessToken = await this.github.exchangeCodeForToken(code);
+
+    // ✅ access token으로 내 org 목록 조회
+    const orgLogins = await this.github.getUserOrgs(accessToken);
+
+    // ✅ org 목록 -> cohort 판정
+    const cohort = resolveCohortFromOrgs(orgLogins);
+
+    return {
+      accessTokenReceived: Boolean(accessToken),
+      orgLogins,
+      cohort,
+    };
+  }
+}
diff --git a/BE/src/auth/cohort-rules.ts b/BE/src/auth/cohort-rules.ts
@@ -0,0 +1,19 @@
+export const COHORT_ORG_MAP: Record<number, string[]> = {
+  6: ['boostcampwm-2021'],
+  7: ['boostcampwm-2022'],
+  8: ['boostcampwm2023'],
+  9: ['boostcampwm-2024'],
+  10: ['boostcampwm2025'],
+  11: ['0x05-hex-five'],
+};
+
+export function resolveCohortFromOrgs(orgLogins: string[]): number | null {
+  for (const [cohortStr, orgs] of Object.entries(COHORT_ORG_MAP)) {
+    const cohort = Number(cohortStr);
+    if (orgs.some((org) => orgLogins.includes(org))) {
+      return cohort;
+    }
+  }
+
+  return null;
+}
diff --git a/BE/src/auth/github-oauth.client.ts b/BE/src/auth/github-oauth.client.ts
@@ -0,0 +1,48 @@
+import { Injectable } from '@nestjs/common';
+import { HttpService } from '@nestjs/axios';
+import { firstValueFrom } from 'rxjs';
+
+type TokenResponse = {
+  access_token: string;
+  token_type: string;
+  scope: string;
+};
+
+@Injectable()
+export class GithubOAuthClient {
+  constructor(private readonly http: HttpService) {}
+
+  async exchangeCodeForToken(code: string): Promise<string> {
+    // redirect_uri로 전달받은 일회성 인가 코드 -> Access Token 발급받아오기
+    const res = await firstValueFrom(
+      this.http.post<TokenResponse>(
+        'https://github.com/login/oauth/access_token',
+        {
+          client_id: process.env.GITHUB_CLIENT_ID,
+          client_secret: process.env.GITHUB_CLIENT_SECRET,
+          redirect_uri: process.env.GITHUB_REDIRECT_URI,
+          code,
+        },
+        {
+          headers: {
+            Accept: 'application/json',
+          },
+        },
+      ),
+    );
+
+    return res.data.access_token;
+  }
+
+  async getUserOrgs(accessToken: string): Promise<string[]> {
+    const res = await firstValueFrom(
+      this.http.get<Array<{ login: string }>>('https://api.github.com/user/orgs', {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: 'application/vnd.github+json',
+        },
+      }),
+    );
+    return res.data.map((o) => o.login);
+  }
+}