feat(api): remove Firebase, switch to Resend, add cookie auth and tracks

- Remove firebase-admin dependency and phone verification
- Replace SMTP (aiosmtplib) with Resend API for email
- Add EmailSender Protocol for extensible email provider
- Add HTML email template for verification codes (10min TTL)
- Add cookie-based auth (Set-Cookie on login/register)
- Add GET /v1/auth/me and POST /v1/auth/logout endpoints
- Add GET /v1/tracks with Google Sheets backend and seed defaults
- Add CORS middleware with configurable origins
- Auto-initialize Google Sheets schema on app startup
- Add name field to RegisterRequest, remove firebase_token

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ImTotem

.claude/settings.json

@@ -0,0 +1,5 @@
+{
+  "enabledPlugins": {
+    "frontend-design@claude-plugins-official": true
+  }
+}

.env.example

@@ -10,11 +10,9 @@ JWT_EXPIRE_MINUTES=1440
 GOOGLE_SHEETS_ID=your-google-sheets-id
 GOOGLE_SERVICE_ACCOUNT_FILE=credentials.json
 
-# SMTP (학교 이메일 인증)
-SMTP_HOST=smtp.gmail.com
-SMTP_PORT=587
-SMTP_USER=your-email@gmail.com
-SMTP_PASSWORD=your-app-password
+# Resend (학교 이메일 인증)
+RESEND_API_KEY=re_your_api_key
+RESEND_SENDER=onboarding@resend.dev
 
-# Firebase
-FIREBASE_CREDENTIALS_FILE=firebase-credentials.json
+# CORS (쉼표로 여러 origin 구분)
+CORS_ORIGINS=http://localhost:3000

CLAUDE.md

@@ -7,8 +7,7 @@ Club management automation system using **n8n** to orchestrate **Google Workspac
 ```
 Client → FastAPI (auth, member API) → Google Sheets (database)
        → Google OAuth (ID Token 검증)
-       → Firebase Auth (전화번호 검증)
-       → SMTP (학교 이메일 인증)
+       → Resend (학교 이메일 인증)
 
 n8n (automation workflows) → Google Sheets (database) → Slack/Email (output)
 ```

docs/member-api.md

@@ -2,20 +2,19 @@
 
 ## 작업 목적
 BCSDLab 동아리 회원 관리를 위한 FastAPI 백엔드 구현.
-Google OAuth 인증, 학교 이메일/전화번호 인증을 통한 회원가입과 JWT 기반 인증된 회원 조회 API를 제공한다.
+Google OAuth 인증, 학교 이메일 인증을 통한 회원가입과 JWT 기반 인증된 회원 조회 API를 제공한다.
 
 ## 아키텍처
 
 ```
 Client → FastAPI → Google Sheets (members 탭)
                  → Google OAuth (ID Token 검증)
-                 → Firebase Auth (전화번호 검증)
-                 → SMTP (학교 이메일 인증 코드)
+                 → Resend (학교 이메일 인증 코드)
 ```
 
 - **데이터 저장**: Google Sheets `members` 탭 (PostgreSQL 없음)
 - **인증**: Google OAuth → JWT 발급
-- **회원가입**: Google OAuth + 학교 이메일 인증 + Firebase Phone Auth
+- **회원가입**: Google OAuth + 학교 이메일 인증
 
 ## 프로젝트 구조
 
@@ -57,9 +56,8 @@ src/bcsd_api/
 - `JWT_SECRET`: JWT 서명 키
 - `GOOGLE_SHEETS_ID`: Google Sheets 문서 ID
 - `GOOGLE_SERVICE_ACCOUNT_FILE`: 서비스 계정 JSON 파일 경로
-- `SMTP_*`: 이메일 발송 설정
-- `FIREBASE_CREDENTIALS_FILE`: Firebase 서비스 계정 JSON
-
+- `RESEND_API_KEY`: Resend API 키
+- `RESEND_SENDER`: 발신자 이메일 주소
 ### Google Sheets 스키마 (members 탭)
 헤더 행: `id | name | email | school_email | phone | status | track | team | join_date | payment_status | last_updated`
 
@@ -89,12 +87,10 @@ Spring의 `@ControllerAdvice` 패턴과 동일한 구조.
 ## 알려진 제약사항
 - 이메일 인증 코드는 서버 재시작 시 소실 (in-memory)
 - Google Sheets API 속도 제한 (분당 60회) → 대량 트래픽 시 캐싱 필요
-- Firebase Admin SDK 초기화가 아직 `main.py`에 포함되지 않음 → 회원가입 시 Firebase 설정 필요
 - `confirm-email` 성공 여부를 `register` 시점에 서버 측에서 재검증하지 않음 → 클라이언트 플로우에 의존
 
 ## 향후 개선 사항
 - Redis 기반 인증 코드 저장소
-- Firebase Admin SDK 초기화 (`firebase_admin.initialize_app`)
 - 회원가입 시 이메일 인증 완료 여부를 서버에서 재확인하는 상태 관리
 - 회원 정보 수정 API (PUT /v1/members/{id})
 - 비밀번호 없는 인증이므로 refresh token 전략 검토

pyproject.toml

@@ -14,8 +14,8 @@ dependencies = [
     "google-auth>=2.38.0",
     "google-api-python-client>=2.165.0",
     "python-jose[cryptography]>=3.3.0",
-    "firebase-admin>=6.6.0",
-    "aiosmtplib>=3.0.0",
+
+    "resend>=2.0.0",
 ]
 
 [project.optional-dependencies]

src/bcsd_api/auth/router.py

@@ -1,7 +1,10 @@
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, Response
 
 from bcsd_api.config import Settings
-from bcsd_api.dependencies import get_settings, get_sheets
+from bcsd_api.dependencies import (
+    current_user, get_email_sender, get_settings, get_sheets,
+)
+from bcsd_api.email.sender import EmailSender
 from bcsd_api.sheets.client import SheetsClient
 
 from . import service
@@ -10,6 +13,7 @@
     ConfirmEmailResponse,
     LoginRequest,
     LoginResponse,
+    MeResponse,
     MessageResponse,
     RegisterRequest,
     VerifyEmailRequest,
@@ -18,22 +22,36 @@
 router = APIRouter(prefix="/v1/auth", tags=["auth"])
 
 
+def _set_cookie(response: Response, token: str, settings: Settings) -> None:
+    response.set_cookie(
+        key=settings.cookie_name,
+        value=token,
+        httponly=True,
+        samesite="lax",
+        secure=settings.cookie_secure,
+        path="/",
+        max_age=settings.jwt_expire_minutes * 60,
+    )
+
+
 @router.post("/login", response_model=LoginResponse)
 def post_login(
     body: LoginRequest,
+    response: Response,
     settings: Settings = Depends(get_settings),
     sheets: SheetsClient = Depends(get_sheets),
 ) -> LoginResponse:
     token = service.login(body.google_token, settings, sheets)
+    _set_cookie(response, token, settings)
     return LoginResponse(access_token=token)
 
 
 @router.post("/verify-email", response_model=MessageResponse)
-async def post_verify(
+def post_verify(
     body: VerifyEmailRequest,
-    settings: Settings = Depends(get_settings),
+    sender: EmailSender = Depends(get_email_sender),
 ) -> MessageResponse:
-    await service.send_verify(body.email, settings)
+    service.send_verify(body.email, sender)
     return MessageResponse(message="verification code sent")
 
 
@@ -46,11 +64,33 @@ def post_confirm(body: ConfirmEmailRequest) -> ConfirmEmailResponse:
 @router.post("/register", response_model=LoginResponse)
 def post_register(
     body: RegisterRequest,
+    response: Response,
     settings: Settings = Depends(get_settings),
     sheets: SheetsClient = Depends(get_sheets),
 ) -> LoginResponse:
     token = service.register(
-        body.google_token, body.school_email, body.phone,
-        body.firebase_token, body.track, settings, sheets,
+        body.google_token, body.name, body.school_email,
+        body.phone, body.track, settings, sheets,
     )
+    _set_cookie(response, token, settings)
     return LoginResponse(access_token=token)
+
+
+@router.get("/me", response_model=MeResponse)
+def get_me(user: dict = Depends(current_user)) -> MeResponse:
+    return MeResponse(id=user["sub"], email=user["email"])
+
+
+@router.post("/logout", response_model=MessageResponse)
+def post_logout(
+    response: Response,
+    settings: Settings = Depends(get_settings),
+) -> MessageResponse:
+    response.delete_cookie(
+        key=settings.cookie_name,
+        httponly=True,
+        samesite="lax",
+        secure=settings.cookie_secure,
+        path="/",
+    )
+    return MessageResponse(message="logged out")

src/bcsd_api/auth/schema.py

@@ -25,11 +25,16 @@ class ConfirmEmailResponse(BaseModel):
 
 class RegisterRequest(BaseModel):
     google_token: str
+    name: str
     school_email: str
     phone: str
-    firebase_token: str
     track: str
 
 
+class MeResponse(BaseModel):
+    id: str
+    email: str
+
+
 class MessageResponse(BaseModel):
     message: str

src/bcsd_api/auth/service.py

@@ -1,9 +1,8 @@
 from datetime import datetime, timezone, timedelta
 
-import firebase_admin.auth as firebase_auth
-
 from bcsd_api.config import Settings
-from bcsd_api.exception import BadRequest, Conflict, Unauthorized
+from bcsd_api.email.sender import EmailSender
+from bcsd_api.exception import Conflict, Unauthorized
 from bcsd_api.id_gen import generate_id
 from bcsd_api.sheets.client import SheetsClient
 
@@ -23,11 +22,8 @@ def login(google_token: str, settings: Settings, sheets: SheetsClient) -> str:
     return _issue_jwt(payload, settings)
 
 
-async def send_verify(email: str, settings: Settings) -> None:
-    await verify.send_code(
-        email, settings.smtp_host, settings.smtp_port,
-        settings.smtp_user, settings.smtp_password,
-    )
+def send_verify(email: str, sender: EmailSender) -> None:
+    verify.send_code(email, sender)
 
 
 def confirm_verify(email: str, code: str) -> bool:
@@ -36,18 +32,17 @@ def confirm_verify(email: str, code: str) -> bool:
 
 def register(
     google_token: str,
+    name: str,
     school_email: str,
     phone: str,
-    firebase_token: str,
     track: str,
     settings: Settings,
     sheets: SheetsClient,
 ) -> str:
     profile = google_auth.verify_token(google_token, settings.google_client_id)
     _check_duplicate(profile["email"], sheets)
-    _verify_firebase(firebase_token)
     member_id = generate_id("M")
-    row = _build_row(member_id, profile, school_email, phone, track)
+    row = _build_row(member_id, name, profile["email"], school_email, phone, track)
     sheets.append_row("members", row)
     payload = {"sub": member_id, "email": profile["email"]}
     return _issue_jwt(payload, settings)
@@ -65,22 +60,15 @@ def _check_duplicate(email: str, sheets: SheetsClient) -> None:
         raise Conflict("member already registered")
 
 
-def _verify_firebase(firebase_token: str) -> None:
-    try:
-        firebase_auth.verify_id_token(firebase_token)
-    except Exception:
-        raise BadRequest("invalid firebase phone token")
-
-
 def _now_kst() -> str:
     return datetime.now(_KST).strftime("%Y-%m-%d %H:%M:%S")
 
 
 def _build_row(
-    member_id: str, profile: dict, school_email: str, phone: str, track: str
+    member_id: str, name: str, email: str, school_email: str, phone: str, track: str
 ) -> dict:
     now = _now_kst()
-    base = _base_fields(member_id, profile["name"], profile["email"])
+    base = _base_fields(member_id, name, email)
     extra = {"school_email": school_email, "phone": phone, "track": track}
     timestamps = {"join_date": now, "last_updated": now}
     return {**base, **extra, **timestamps}

src/bcsd_api/auth/verify.py

@@ -3,12 +3,13 @@
 import time
 from dataclasses import dataclass
 
-import aiosmtplib
-from email.message import EmailMessage
+from bcsd_api.email.sender import EmailSender
+from bcsd_api.email.template import verify_body
 
 
-_CODE_TTL = 300
+_CODE_TTL = 600
 _CODE_LENGTH = 6
+_SUBJECT = "[BCSD] 이메일 인증"
 
 
 @dataclass
@@ -24,24 +25,10 @@ def _generate_code() -> str:
     return "".join(random.choices(string.digits, k=_CODE_LENGTH))
 
 
-def _build_message(sender: str, recipient: str, code: str) -> EmailMessage:
-    msg = EmailMessage()
-    msg["From"] = sender
-    msg["To"] = recipient
-    msg["Subject"] = "[BCSDLab] Email Verification Code"
-    msg.set_content(f"Your verification code is: {code}\nExpires in 5 minutes.")
-    return msg
-
-
-async def send_code(email: str, host: str, port: int, user: str, password: str) -> None:
+def send_code(email: str, sender: EmailSender) -> None:
     code = _generate_code()
     _store[email] = _Pending(code=code, expires=time.time() + _CODE_TTL)
-    msg = _build_message(user, email, code)
-    await aiosmtplib.send(
-        msg, hostname=host, port=port,
-        username=user, password=password,
-        use_tls=False, start_tls=True,
-    )
+    sender.send(to=email, subject=_SUBJECT, body=verify_body(code))
 
 
 def confirm_code(email: str, code: str) -> bool:

src/bcsd_api/config.py

@@ -8,10 +8,9 @@ class Settings(BaseSettings):
     jwt_expire_minutes: int = 1440
     google_sheets_id: str = ""
     google_service_account_file: str = "credentials.json"
-    smtp_host: str = "smtp.gmail.com"
-    smtp_port: int = 587
-    smtp_user: str = ""
-    smtp_password: str = ""
-    firebase_credentials_file: str = "firebase-credentials.json"
-
+    resend_api_key: str = ""
+    resend_sender: str = "onboarding@resend.dev"
+    cors_origins: str = "http://localhost:3000"
+    cookie_name: str = "access_token"
+    cookie_secure: bool = False
     model_config = {"env_file": ".env"}