apple_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6c6e2838dce13def54be641c346b9618bb3e3bdc10288b98a2accb639e3ea107
+  data.tar.gz: c6a16b50b7d59bdf788385d4718d6664e94d6206fbcb2febbe73e92ec4e25440
+SHA512:
+  metadata.gz: 18707eddc8b74cc651477b0464dd890c83b4d8c5acb3080d0943c5a6eb6fa5a2c8f808c4e2c8ca9ab9c757f89d1c2494a04f4ff044e5f5ae8484893a5745d6fb
+  data.tar.gz: 8abc50e0cef074c7228ab3e7e2fe64822161f9b1c724e2b62877ecd8b23caf8862ff305d1b8025bbf0e8892a38559aef90c736aead513aacd4f801e9685cec2d

data/.gitignore

@@ -0,0 +1,21 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+.byebug_history
+.DS_Store
+
+Gemfile.lock
+
+Dockerfile
+docker-compose.yml
+
+# File created by the generators tests
+spec/generators/tmp/

data/.reek.yml

@@ -0,0 +1,128 @@
+detectors:
+  Attribute:
+    enabled: false
+    exclude: []
+  BooleanParameter:
+    enabled: true
+    exclude: []
+  ClassVariable:
+    enabled: false
+    exclude: []
+  ControlParameter:
+    enabled: true
+    exclude: []
+  DataClump:
+    enabled: true
+    exclude: []
+    max_copies: 2
+    min_clump_size: 2
+  DuplicateMethodCall:
+    enabled: true
+    exclude: []
+    max_calls: 1
+    allow_calls: []
+  FeatureEnvy:
+    enabled: true
+    exclude: []
+  InstanceVariableAssumption:
+    enabled: false
+  IrresponsibleModule:
+    enabled: false
+    exclude: []
+  LongParameterList:
+    enabled: true
+    exclude: []
+    max_params: 4
+    overrides:
+      initialize:
+        max_params: 5
+  LongYieldList:
+    enabled: true
+    exclude: []
+    max_params: 3
+  ManualDispatch:
+    enabled: true
+    exclude: []
+  MissingSafeMethod:
+    enabled: false
+    exclude: []
+  ModuleInitialize:
+    enabled: true
+    exclude: []
+  NestedIterators:
+    enabled: true
+    exclude: []
+    max_allowed_nesting: 2
+    ignore_iterators: []
+  NilCheck:
+    enabled: false
+    exclude: []
+  RepeatedConditional:
+    enabled: true
+    exclude: []
+    max_ifs: 3
+  SubclassedFromCoreClass:
+    enabled: true
+    exclude: []
+  TooManyConstants:
+    enabled: true
+    exclude: []
+    max_constants: 5
+  TooManyInstanceVariables:
+    enabled: true
+    exclude: []
+    max_instance_variables: 9
+  TooManyMethods:
+    enabled: true
+    exclude: []
+    max_methods: 25
+  TooManyStatements:
+    enabled: true
+    exclude:
+      - initialize
+    max_statements: 12
+  UncommunicativeMethodName:
+    enabled: true
+    exclude: []
+    reject:
+      - "/^[a-z]$/"
+      - "/[0-9]$/"
+      - "/[A-Z]/"
+    accept: []
+  UncommunicativeModuleName:
+    enabled: true
+    exclude: []
+    reject:
+      - "/^.$/"
+      - "/[0-9]$/"
+    accept:
+      - Inline::C
+      - "/V[0-9]/"
+  UncommunicativeParameterName:
+    enabled: true
+    exclude: []
+    reject:
+      - "/^.$/"
+      - "/[0-9]$/"
+      - "/[A-Z]/"
+    accept: []
+  UncommunicativeVariableName:
+    enabled: true
+    exclude: []
+    reject:
+      - "/^.$/"
+      - "/[0-9]$/"
+      - "/[A-Z]/"
+    accept:
+      - _
+      - e
+  UnusedParameters:
+    enabled: true
+    exclude: []
+  UnusedPrivateMethod:
+    enabled: false
+  UtilityFunction:
+    enabled: false
+
+exclude_paths:
+  - config

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,81 @@
+Style/Documentation:
+  Enabled: false
+
+Layout/SpaceBeforeFirstArg:
+  Exclude:
+
+Lint/AmbiguousBlockAssociation:
+  Exclude:
+    - spec/**/*
+
+Metrics/AbcSize:
+  # The ABC size is a calculated magnitude, so this number can be an Integer or
+  # a Float.
+  Max: 15
+
+Metrics/BlockLength:
+  CountComments: false
+  Max: 25
+  Exclude:
+    - '*.gemspec'
+    - config/**/*
+    - spec/**/*
+  ExcludedMethods:
+    - class_methods
+
+Metrics/BlockNesting:
+  Max: 4
+
+Metrics/ClassLength:
+  CountComments: false
+  Max: 200
+
+# Avoid complex methods.
+Metrics/CyclomaticComplexity:
+  Max: 7
+
+Metrics/MethodLength:
+  CountComments: false
+  Max: 24
+
+Metrics/ModuleLength:
+  CountComments: false
+  Max: 200
+
+Layout/LineLength:
+  Max: 100
+  # To make it possible to copy or click on URIs in the code, we allow lines
+  # containing a URI to be longer than Max.
+  AllowURI: true
+  URISchemes:
+    - http
+    - https
+
+Metrics/ParameterLists:
+  Max: 5
+  CountKeywordArgs: true
+
+Metrics/PerceivedComplexity:
+  Max: 12
+
+Style/FrozenStringLiteralComment:
+  Enabled: true
+
+Style/ModuleFunction:
+  Enabled: false
+
+Style/RescueModifier:
+  Exclude:
+    - spec/**/*
+
+Naming/PredicateName:
+  Enabled: false
+
+Style/HashEachMethods:
+  Enabled: true
+
+Style/HashTransformKeys:
+  Enabled: true
+
+Style/HashTransformValues:
+  Enabled: true

data/.travis.yml

@@ -0,0 +1,28 @@
+language: ruby
+
+rvm:
+  - 2.5.0
+  - 2.6.0
+  - ruby-head
+
+dist: bionic
+
+jobs:
+  allow_failures:
+    - rvm: ruby-head
+
+env:
+  global:
+    - CC_TEST_REPORTER_ID=cb01575b98b3b80848a3bc292ca6145860871470e5d0669453030d36578f9115
+
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+
+script:
+  - bundle exec rake code_analysis
+  - bundle exec rspec
+
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/CODEOWNERS

@@ -0,0 +1,7 @@
+  
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+
+* @fedeagripa @vitogit @mrubi-rootstrap @santib @juanmanuelramallo

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at federicogagripa@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [https://contributor-covenant.org/version/1/4][version]
+
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in apple_sign_in.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 fedeagripa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,116 @@
+# AppleAuth
+
+[![CI](https://travis-ci.org/rootstrap/apple_sign_in.svg?branch=master)](https://travis-ci.org/rootstrap/apple_sign_in)
+[![Maintainability](https://api.codeclimate.com/v1/badges/78453501221a76e3806e/maintainability)](https://codeclimate.com/github/rootstrap/apple_sign_in/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/78453501221a76e3806e/test_coverage)](https://codeclimate.com/github/rootstrap/apple_sign_in/test_coverage)
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/apple_auth`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'apple_auth'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install apple_auth
+
+------------------
+
+After installing the gem, you need to run the generator.
+
+    $ rails g apple_auth:config
+
+This will generate a new initializer: `apple_auth.rb` containing the following default configuration:
+```
+AppleAuth.configure do |config|
+  # config.apple_client_id = <Your client_id in your Apple Developer account>
+  # config.apple_private_key = <Your private key provided by Apple>
+  # config.apple_key_id = <Your kid provided by Apple>
+  # config.apple_team_id = <Your team id provided by Apple>
+  # config.redirect_uri = <Your app redicrect url>
+end
+```
+Set your different credentials in the file by uncommenting the lines and adding your keys.
+
+## Usage
+
+This show you an example of a settings
+
+```ruby
+AppleAuth.configure do |config|
+  config.apple_client_id = 'com.yourapp...'
+  config.apple_private_key = "-----BEGIN PRIVATE KEY-----\nMIGTAgEA....\n-----END PRIVATE KEY-----"
+  config.apple_key_id = 'RTZ...'
+  config.apple_team_id = 'WNU...'
+  config.redirect_uri = 'https://localhost:3000'
+end
+```
+
+We strongly recommend to use environment variable when you add this values.
+
+Apple sign in workflow:
+
+![alt text](https://docs-assets.developer.apple.com/published/360d59b776/rendered2x-1592224731.png)
+
+For more information, check the [Apple oficial documentation](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api)
+
+Validate JWT token and get user information:
+
+```ruby
+# with a valid JWT
+user_id = '000343.1d22d2937c7a4e56806dfb802b06c430...'
+valid_jwt_token = 'eyJraWQiOiI4NkQ4OEtmIiwiYWxnIjoiUlMyNTYifQ.eyJpc...'
+AppleAuth::UserIdentity.new(user_id, valid_jwt_token).validate!
+>>  { exp: 1595279622, email: "user@example.com", email_verified: true , ...}
+
+# with an invalid JWT
+invalid_jwt_token = 'eyJraWQiOiI4NkQsd4OEtmIiwiYWxnIjoiUlMyNTYifQ.edsyJpc...'
+AppleAuth::UserIdentity.new(user_id, invalid_jwt_token).validate!
+>> Traceback (most recent call last):..
+>> ...
+>>  AppleAuth::Conditions::JWTValidationError
+```
+
+Verify user identity and get token:
+
+```ruby
+code = 'cfb77c21ecd444390a2c214cd33decdfb.0.mr...'
+AppleAuth::Token.new(code).authenticate
+>> { access_token: "a7058d...", expires_at: 1595894672, refresh_token: "r8f1ce..." }
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/apple_sign_in. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/apple_auth/blob/master/CODE_OF_CONDUCT.md).
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the AppleAuth project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/apple_auth/blob/master/CODE_OF_CONDUCT.md).
+
+## Credits
+
+apple_auth is maintained by [Rootstrap](http://www.rootstrap.com) with the help of our
+[contributors](https://github.com/rootstrap/apple_sign_in/contributors).
+
+[<img src="https://s3-us-west-1.amazonaws.com/rootstrap.com/img/rs.png" width="100"/>](http://www.rootstrap.com)

data/Rakefile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+task :code_analysis do
+  sh 'bundle exec rubocop lib spec'
+  sh 'bundle exec reek lib'
+end

data/apple_auth.gemspec

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require_relative 'lib/apple_auth/base/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'apple_auth'
+  spec.version       = AppleAuth::Base::VERSION
+  spec.authors       = ['Timothy Peraza, Antonieta Alvarez, Martín Morón']
+  spec.email         = ['timothy@rootstrap.com, antonieta.alvarez@rootstrap.com, martin.jaime@rootstrap.com']
+
+  spec.summary       = 'Integration with Apple Sign In'
+  spec.homepage      = 'https://github.com/rootstrap/apple_auth'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/rootstrap/apple_auth'
+  spec.metadata['changelog_uri'] = 'https://github.com/rootstrap/apple_auth'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  # Production dependencies
+  spec.add_dependency 'jwt', '~> 2.2'
+  spec.add_dependency 'oauth2', '~> 1.4'
+
+  # Development dependencies
+  spec.add_development_dependency 'generator_spec', '~> 0.9.4'
+  spec.add_development_dependency 'byebug', '~> 11.1'
+  spec.add_development_dependency 'railties', '~> 6.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'reek', '~> 5.6'
+  spec.add_development_dependency 'rspec', '~> 3.9'
+  spec.add_development_dependency 'rubocop', '~> 0.80'
+  spec.add_development_dependency 'simplecov', '~> 0.17.1'
+  spec.add_development_dependency 'webmock', '~> 3.8'
+end

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'apple_auth'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/apple_auth.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# Rails Core
+require 'active_support/core_ext/hash'
+require 'rails/generators'
+
+# Ruby Core
+require 'base64'
+require 'json'
+require 'net/http'
+
+# Gems
+require 'jwt'
+require 'oauth2'
+
+# Files
+require 'apple_auth/config'
+require 'apple_auth/helpers/conditions/jwt_validation_error'
+
+require 'apple_auth/helpers/conditions/aud_condition'
+require 'apple_auth/helpers/conditions/exp_condition'
+require 'apple_auth/helpers/conditions/iat_condition'
+require 'apple_auth/helpers/conditions/iss_condition'
+require 'apple_auth/helpers/jwt_conditions'
+
+require 'apple_auth/user_identity'
+require 'apple_auth/token'
+
+require 'generators/apple_auth/config/config_generator'

data/lib/apple_auth/base.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'apple_auth/base/version'
+
+module AppleAuth
+  module Base
+    class Error < StandardError; end
+  end
+end

data/lib/apple_auth/base/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Base
+    VERSION = '0.1.0'
+  end
+end

data/lib/apple_auth/config.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  class << self
+    def configure
+      yield config
+    end
+
+    def reset_configuration
+      @config = Config.new
+    end
+
+    def config
+      @config ||= Config.new
+    end
+  end
+
+  class Config
+    attr_accessor :apple_client_id, :apple_private_key, :apple_key_id,
+                  :apple_team_id, :redirect_uri
+  end
+end

data/lib/apple_auth/helpers/conditions/aud_condition.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Conditions
+    class AudCondition
+      def initialize(jwt)
+        @aud = jwt['aud']
+      end
+
+      def validate!
+        return true if @aud == AppleAuth.config.apple_client_id
+
+        raise JWTValidationError, 'jwt_aud is different to apple_client_id'
+      end
+    end
+  end
+end

data/lib/apple_auth/helpers/conditions/exp_condition.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Conditions
+    class ExpCondition
+      def initialize(jwt)
+        @exp = jwt['exp'].to_i
+      end
+
+      def validate!
+        return true if @exp > Time.now.to_i
+
+        raise JWTValidationError, 'Expired jwt_exp'
+      end
+    end
+  end
+end

data/lib/apple_auth/helpers/conditions/iat_condition.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Conditions
+    class IatCondition
+      def initialize(jwt)
+        @iat = jwt['iat'].to_i
+      end
+
+      def validate!
+        return true if @iat <= Time.now.to_i
+
+        raise JWTValidationError, 'jwt_iat is greater than now'
+      end
+    end
+  end
+end

data/lib/apple_auth/helpers/conditions/iss_condition.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Conditions
+    class IssCondition
+      APPLE_ISS = 'https://appleid.apple.com'
+
+      def initialize(jwt)
+        @iss = jwt['iss']
+      end
+
+      def validate!
+        return true if @iss.include?(APPLE_ISS)
+
+        raise JWTValidationError, 'jwt_iss is different to apple_iss'
+      end
+    end
+  end
+end

data/lib/apple_auth/helpers/conditions/jwt_validation_error.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Conditions
+    class JWTValidationError < StandardError; end
+  end
+end

data/lib/apple_auth/helpers/jwt_conditions.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: false
+
+module AppleAuth
+  class JWTConditions
+    include Conditions
+
+    CONDITIONS = [
+      AudCondition,
+      ExpCondition,
+      IatCondition,
+      IssCondition
+    ].freeze
+
+    attr_reader :user_identity, :decoded_jwt
+
+    def initialize(user_identity, decoded_jwt)
+      @user_identity = user_identity
+      @decoded_jwt = decoded_jwt
+    end
+
+    def validate!
+      JWT::ClaimsValidator.new(decoded_jwt).validate! && validate_sub! && jwt_conditions_validate!
+    rescue JWT::InvalidPayload => e
+      raise JWTValidationError, e.message
+    end
+
+    private
+
+    def validate_sub!
+      return true if user_identity && user_identity == decoded_jwt['sub']
+
+      raise JWTValidationError, 'Not valid Sub'
+    end
+
+    def jwt_conditions_validate!
+      conditions_results = CONDITIONS.map do |condition|
+        condition.new(decoded_jwt).validate!
+      end
+      conditions_results.all? { |value| value == true }
+    end
+  end
+end

data/lib/apple_auth/token.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  class Token
+    APPLE_AUD = 'https://appleid.apple.com'
+    APPLE_CONFIG = AppleAuth.config
+    APPLE_CODE_TYPE = 'authorization_code'
+    APPLE_ALG = 'ES256'
+
+    def initialize(code)
+      @code = code
+    end
+
+    # :reek:FeatureEnvy
+    def authenticate
+      access_token = apple_access_token
+      access_token.refresh! if access_token.expired?
+
+      reponse_hash(access_token)
+    end
+
+    private
+
+    attr_reader :code
+
+    def apple_token_params
+      {
+        client_id: APPLE_CONFIG.apple_team_id,
+        client_secret: client_secret_from_jwt,
+        grant_type: APPLE_CODE_TYPE,
+        redirect_uri: APPLE_CONFIG.redirect_uri,
+        code: code
+      }
+    end
+
+    def client_secret_from_jwt
+      JWT.encode(claims, gen_private_key, APPLE_ALG, claims_headers)
+    end
+
+    def claims
+      time_now = Time.now.to_i
+      {
+        iss: APPLE_CONFIG.apple_team_id,
+        iat: time_now,
+        exp: time_now + 10.minutes.to_i,
+        aud: APPLE_AUD,
+        sub: APPLE_CONFIG.apple_client_id
+      }
+    end
+
+    def claims_headers
+      {
+        alg: APPLE_ALG,
+        kid: AppleAuth.config.apple_key_id
+      }
+    end
+
+    def request_header
+      {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      }
+    end
+
+    def gen_private_key
+      key = AppleAuth.config.apple_private_key
+      key = OpenSSL::PKey::EC.new(key) unless key.class == OpenSSL::PKey::EC
+      key
+    end
+
+    def client_urls
+      {
+        site: APPLE_AUD,
+        authorize_url: '/auth/authorize',
+        token_url: '/auth/token'
+      }
+    end
+
+    def reponse_hash(access_token)
+      token_hash = { access_token: access_token.token }
+
+      expires = access_token.expires?
+      if expires
+        token_hash[:expires_at] = access_token.expires_at
+        refresh_token = access_token.refresh_token
+        token_hash[:refresh_token] = refresh_token if refresh_token
+      end
+
+      token_hash
+    end
+
+    def apple_access_token
+      client = ::OAuth2::Client.new(APPLE_CONFIG.apple_client_id,
+                                    client_secret_from_jwt,
+                                    client_urls)
+      client.auth_code.get_token(code, { redirect_uri: APPLE_CONFIG.redirect_uri }, {})
+    end
+  end
+end

data/lib/apple_auth/user_identity.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  class UserIdentity
+    APPLE_KEY_URL = 'https://appleid.apple.com/auth/keys'
+
+    attr_reader :user_identity, :jwt
+
+    def initialize(user_identity, jwt)
+      @user_identity = user_identity
+      @jwt = jwt
+    end
+
+    def validate!
+      token_data = decoded_jwt
+
+      JWTConditions.new(user_identity, token_data).validate!
+
+      token_data.symbolize_keys
+    end
+
+    private
+
+    def decoded_jwt
+      key_hash = apple_key_hash
+      apple_jwk = JWT::JWK.import(key_hash)
+      JWT.decode(jwt, apple_jwk.public_key, true, algorithm: key_hash['alg']).first
+    end
+
+    def apple_key_hash
+      response = Net::HTTP.get(URI.parse(APPLE_KEY_URL))
+      certificate = JSON.parse(response)
+      matching_key = certificate['keys'].select { |key| key['kid'] == jwt_kid }
+      ActiveSupport::HashWithIndifferentAccess.new(matching_key.first)
+    end
+
+    def jwt_kid
+      header = JSON.parse(Base64.decode64(jwt.split('.').first))
+      header['kid']
+    end
+  end
+end

data/lib/generators/apple_auth/config/config_generator.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  module Generators
+    class ConfigGenerator < Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      def copy_config_file
+        copy_file 'config.rb', 'config/initializers/apple_auth.rb'
+      end
+    end
+  end
+end

data/lib/generators/apple_auth/config/templates/config.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+AppleAuth.configure do |config|
+  # config.apple_client_id = <Your client_id in your Apple Developer account>
+  # config.apple_private_key = <Your private key provided by Apple>
+  # config.apple_key_id = <Your kid provided by Apple>
+  # config.apple_team_id = <Your team id provided by Apple>
+  # config.redirect_uri = <Your app redicrect url>
+end

metadata

@@ -0,0 +1,228 @@
+--- !ruby/object:Gem::Specification
+name: apple_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Timothy Peraza, Antonieta Alvarez, Martín Morón
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-07-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: generator_spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.4
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: reek
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.6'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.80'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.80'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.1
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+description: 
+email:
+- timothy@rootstrap.com, antonieta.alvarez@rootstrap.com, martin.jaime@rootstrap.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".reek.yml"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CODEOWNERS
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- apple_auth.gemspec
+- bin/console
+- bin/setup
+- lib/apple_auth.rb
+- lib/apple_auth/base.rb
+- lib/apple_auth/base/version.rb
+- lib/apple_auth/config.rb
+- lib/apple_auth/helpers/conditions/aud_condition.rb
+- lib/apple_auth/helpers/conditions/exp_condition.rb
+- lib/apple_auth/helpers/conditions/iat_condition.rb
+- lib/apple_auth/helpers/conditions/iss_condition.rb
+- lib/apple_auth/helpers/conditions/jwt_validation_error.rb
+- lib/apple_auth/helpers/jwt_conditions.rb
+- lib/apple_auth/token.rb
+- lib/apple_auth/user_identity.rb
+- lib/generators/apple_auth/config/config_generator.rb
+- lib/generators/apple_auth/config/templates/config.rb
+homepage: https://github.com/rootstrap/apple_auth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/rootstrap/apple_auth
+  source_code_uri: https://github.com/rootstrap/apple_auth
+  changelog_uri: https://github.com/rootstrap/apple_auth
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Integration with Apple Sign In
+test_files: []