feat(auth): enhance token audience validation for Google authentication

- Updated the `googleMobileAuth` method in `AuthController` to accept multiple client IDs (web, Android, iOS) for token audience validation.
- Improved error handling for invalid token audiences, ensuring a more flexible and robust authentication process.

worklenz-backend/src/controllers/auth-controller.ts

@@ -194,13 +194,19 @@ export default class AuthController extends WorklenzControllerBase {
       const response = await axios.get(`https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`);
       const profile = response.data;
 
-      // Validate token audience (client ID)
+      // Validate token audience (client ID) - accept web, Android, and iOS client IDs
-      if (profile.aud !== process.env.GOOGLE_CLIENT_ID) {
+      const allowedClientIds = [
+        process.env.GOOGLE_CLIENT_ID, // Web client ID
+        process.env.GOOGLE_ANDROID_CLIENT_ID, // Android client ID
+        process.env.GOOGLE_IOS_CLIENT_ID, // iOS client ID
+      ].filter(Boolean); // Remove undefined values
+      
+      if (!allowedClientIds.includes(profile.aud)) {
         return res.status(400).send(new ServerResponse(false, null, "Invalid token audience"));
       }
 
       // Validate token issuer
-      if (!['https://accounts.google.com', 'accounts.google.com'].includes(profile.iss)) {
+      if (!["https://accounts.google.com", "accounts.google.com"].includes(profile.iss)) {
         return res.status(400).send(new ServerResponse(false, null, "Invalid token issuer"));
       }