apple_auth 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2325fb23f530c7f590aa0b2fa733af052923478e81a6ccc82c4d86963514a7da
-  data.tar.gz: 9551b96c8c9a1feebaa2ffc6f64fe9f66e6a36787d63805bff81c315a43897d4
+  metadata.gz: 81230a2cf77dadea66d5149d533545217931f531e6d1855d7f12d1dcf9dd8957
+  data.tar.gz: 8048602dd34d1b32b1ffb9cb6888b73e4ec912d94e41dc543137fc03a880c4af
 SHA512:
-  metadata.gz: aa21c140b1c060c38b6fa56f76339b3572f8d4e1d4deca9c761e1a58467950d89244937fa185d22872595ea49215200603efc06a50761712f82f7beac79574a6
-  data.tar.gz: bc1edcfca29b8176ecfec0fdf74c50065e1d1c313974a8bb8a441fa3300037c495b1ae013a71145e9d9def053de9ec002134289209250ad288b95baa87969dd9
+  metadata.gz: fd52622624be456077bc356bef447461d4d4638be8a38c29b0cc21f4a9c1e67cd494be8766aaf736918981067cd9c19eafcc5c248dea0d3b0b4e97b968c9ed0c
+  data.tar.gz: a82e5a11a1f4854b7a1e6000a7cfc15b3edc1c3f509f90a83b297388e571ad47acc6151817521fb8e3744c31b4feb4d07934c69bbae3cdb7755a14ecf92eb669

data/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,20 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug] "
+labels: bug
+assignees: ''
+
+---
+
+## Bug report:
+* **Expected Behavior**: 
+* **Actual Behavior**: 
+* **Steps to Reproduce**: 
+  1.
+  2.
+  3.
+
+* **Version of the repo**:
+* **Ruby and Rails Version**: 
+* **Rails Stacktrace**: this can be found in the `log/development.log` or `log/test.log`, if this is applicable.

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,22 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: '[FEATURE]'
+labels: enhancement
+assignees: ''
+
+---
+<!-- Please note by far the quickest way to get a new feature is to file a Pull Request.
+We will consider your request but it may be closed if it's something we're not actively planning to work on. -->
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

data/.github/pull_request_template.md

@@ -0,0 +1,12 @@
+### Summary
+
+<!-- Provide a general description of the code changes in your pull
+request... were there any bugs you had fixed? If so, mention them. If
+these bugs have open GitHub issues, be sure to tag them here as well,
+to keep the conversation linked together. -->
+
+### Other Information
+
+<!-- If there's anything else that's important and relevant to your pull
+request, mention that information here.
+Thanks for contributing to this project! -->

data/CONTRIBUTING.md

@@ -0,0 +1,41 @@
+## Contributing ##
+
+You can contribute to this repo if you have an issue, found a bug or think there's some functionality required that would add value to the gem. To do so, please check if there's not already an [issue](https://github.com/rootstrap/apple_auth/issues) for that, if you find there's not, create a new one with as much detail as possible.
+
+If you want to contribute with code as well, please follow the next steps:
+
+1. Read, understand and agree to our [code of conduct](https://github.com/rootstrap/apple_auth/blob/master/CODE_OF_CONDUCT.md)
+2. [Fork the repo](https://help.github.com/articles/about-forks/)
+3. Clone the project into your machine:
+`$ git clone git@github.com:rootstrap/apple_auth.git`
+4. Access the repo:
+`$ cd apple_auth`
+5. Create your feature/bugfix branch:
+`$ git checkout -b your_new_feature`
+or
+`$ git checkout -b fix/your_fix` in case of a bug fix
+(if your PR is to address an existing issue, it would be good to name the branch after the issue, for example: if you are trying to solve issue 182, then a good idea for the branch name would be `182_your_new_feature`)
+6. Write tests for your changes (feature/bug)
+7. Code your (feature/bugfix)
+8. Run the code analysis tool by doing:
+`$ rake code_analysis`
+9. Run the tests:
+`$ bundle exec rspec`
+All tests must pass. If all tests (both code analysis and rspec) do pass, then you are ready to go to the next step:
+10. Commit your changes:
+`$ git commit -m 'Your feature or bugfix title'`
+11. Push to the branch `$ git push origin your_new_feature`
+12. Create a new [pull request](https://help.github.com/articles/creating-a-pull-request/)
+
+Some helpful guides that will help you know how we work:
+1. [Code review](https://github.com/rootstrap/tech-guides/tree/master/code-review)
+2. [GIT workflow](https://github.com/rootstrap/tech-guides/tree/master/git)
+3. [Ruby style guide](https://github.com/rootstrap/tech-guides/tree/master/ruby)
+4. [Rails style guide](https://github.com/rootstrap/tech-guides/blob/master/ruby/rails.md)
+5. [RSpec style guide](https://github.com/rootstrap/tech-guides/blob/master/ruby/rspec/README.md)
+
+For more information or guides like the ones mentioned above, please check our [tech guides](https://github.com/rootstrap/tech-guides). Keep in mind that the more you know about these guides, the easier it will be for your code to get approved and merged.
+
+Note: You can push as many commits as you want when working on a pull request, we just ask that they are descriptive and tell a story. Try to open a pull request with just one commit but if you think you need to divide what you did into more commits to convey what you are trying to do go for it.
+
+Thank you very much for your time and for considering helping in this project.

data/README.md

@@ -1,6 +1,6 @@
 # AppleAuth
 
-[![CI](https://api.travis-ci.org/rootstrap/apple_auth.svg?branch=master)](https://travis-ci.org/github/rootstrap/apple_auth)
+[![CI](https://api.travis-ci.com/rootstrap/apple_auth.svg?branch=master)](https://travis-ci.com/github/rootstrap/apple_auth)
 [![Maintainability](https://api.codeclimate.com/v1/badges/78453501221a76e3806e/maintainability)](https://codeclimate.com/github/rootstrap/apple_sign_in/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/78453501221a76e3806e/test_coverage)](https://codeclimate.com/github/rootstrap/apple_sign_in/test_coverage)
 
@@ -33,7 +33,7 @@ AppleAuth.configure do |config|
   # config.apple_private_key = <Your private key provided by Apple>
   # config.apple_key_id = <Your kid provided by Apple>
   # config.apple_team_id = <Your team id provided by Apple>
-  # config.redirect_uri = <Your app redicrect url>
+  # config.redirect_uri = <Your app redirect url>
 end
 ```
 Set your different credentials in the file by uncommenting the lines and adding your keys.
@@ -56,13 +56,13 @@ end
 
 We strongly recommend to use environment variables for these values.
 
-Apple sign-in workflow:
+### Apple sign-in workflow:
 
 ![alt text](https://docs-assets.developer.apple.com/published/360d59b776/rendered2x-1592224731.png)
 
 For more information, check the [Apple oficial documentation](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api).
 
-Validate JWT token and get user information:
+### Validate JWT token and get user information:
 
 ```ruby
 # with a valid JWT
@@ -79,7 +79,7 @@ AppleAuth::UserIdentity.new(user_id, invalid_jwt_token).validate!
 >>  AppleAuth::Conditions::JWTValidationError
 ```
 
-Verify user identity and get access and refresh tokens:
+### Verify user identity and get access and refresh tokens:
 
 ```ruby
 code = 'cfb77c21ecd444390a2c214cd33decdfb.0.mr...'
@@ -87,14 +87,59 @@ AppleAuth::Token.new(code).authenticate!
 >> { access_token: "a7058d...", expires_at: 1595894672, refresh_token: "r8f1ce..." }
 ```
 
+### Handle server to server notifications
+
+from the request parameter :payload
+
+```ruby
+# with a valid JWT
+params[:payload] = "eyJraWQiOiJZ......"
+AppleAuth::ServerIdentity.new(params[:payload]).validate!
+>> {iss: "https://appleid.apple.com", exp: 1632224024, iat: 1632137624, jti: "yctpp1ZHaGCzaNB9PWB4DA",...}
+
+# with an invalid JWT
+params[:payload] = "asdasdasdasd......"
+AppleAuth::ServerIdentity.new(params[:payload]).validate!
+>> JWT::VerificationError: Signature verification raised
+```
+
+Implementation in a controller would look like this:
+
+```ruby
+class Hooks::AuthController < ApplicationController
+
+  skip_before_action :verify_authenticity_token
+
+  # https://developer.apple.com/documentation/sign_in_with_apple/processing_changes_for_sign_in_with_apple_accounts
+  # NOTE: The Apple documentation states the events attribute as an array but is in fact a stringified json object
+  def apple
+    # will raise an error when the signature is invalid
+    payload = AppleAuth::ServerIdentity.new(params[:payload]).validate!
+    event = JSON.parse(payload[:events]).symbolize_keys
+    uid = event["sub"]
+    user = User.find_by!(provider: 'apple', uid: uid)
+
+    case event[:type]
+    when "email-enabled", "email-disabled"
+      # Here we should update the user with the relay state
+    when "consent-revoked", "account-delete"
+      user.destroy!
+    else
+      throw event
+    end
+    render plain: "200 OK", status: :ok
+  end
+end
+```
+
 ## Using with Devise
 
 If you are using devise_token_auth gem, run this generator.
 
-    $ rails g apple_sign_in:appple_auth_controller [scope]
+    $ rails g apple_sign_in:apple_auth_controller [scope]
 
 In the scope you need to write your path from controllers to your existent devise controllers.
-An example `$ rails g apple_auth:appple_auth_controller api/v1/`
+An example `$ rails g apple_auth:apple_auth_controller api/v1/`
 This will generate a new controller: `controllers/api/v1/apple_auth_controller.rb`.
 
 You should configure the route, you can wrap it in the devise_scope block like:

data/lib/apple_auth/base/version.rb

@@ -2,6 +2,6 @@
 
 module AppleAuth
   module Base
-    VERSION = '1.0.0'
+    VERSION = '1.1.0'
   end
 end

data/lib/apple_auth/helpers/jwt_decoder.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: false
+
+module AppleAuth
+  class JWTDecoder
+    APPLE_KEY_URL = 'https://appleid.apple.com/auth/keys'.freeze
+
+    attr_reader :jwt
+
+    def initialize(jwt)
+      @jwt = jwt
+    end
+
+    def call
+      decoded.first
+    end
+
+    private
+
+    def decoded
+      key_hash = apple_key_hash(jwt)
+      apple_jwk = JWT::JWK.import(key_hash)
+      JWT.decode(jwt, apple_jwk.public_key, true, algorithm: key_hash['alg'])
+    end
+
+    def apple_key_hash(jwt)
+      response = Net::HTTP.get(URI.parse(APPLE_KEY_URL))
+      certificate = JSON.parse(response)
+      matching_key = certificate['keys'].select { |key| key['kid'] == jwt_kid(jwt) }
+      ActiveSupport::HashWithIndifferentAccess.new(matching_key.first)
+    end
+
+    def jwt_kid(jwt)
+      header = JSON.parse(Base64.decode64(jwt.split('.').first))
+      header['kid']
+    end
+  end
+end

data/lib/apple_auth/helpers/jwt_server_conditions.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: false
+
+module AppleAuth
+  class JWTServerConditions
+    include Conditions
+
+    CONDITIONS = [
+      AudCondition,
+      IatCondition,
+      IssCondition
+    ].freeze
+
+    attr_reader :decoded_jwt
+
+    def initialize(decoded_jwt)
+      @decoded_jwt = decoded_jwt
+    end
+
+    def validate!
+      JWT::ClaimsValidator.new(decoded_jwt).validate! && jwt_conditions_validate!
+    rescue JWT::InvalidPayload => e
+      raise JWTValidationError, e.message
+    end
+
+    private
+
+    def jwt_conditions_validate!
+      conditions_results = CONDITIONS.map do |condition|
+        condition.new(decoded_jwt).validate!
+      end
+      conditions_results.all? { |value| value == true }
+    end
+  end
+end

data/lib/apple_auth/server_identity.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module AppleAuth
+  class ServerIdentity
+    attr_reader :jwt
+
+    def initialize(jwt)
+      @jwt = jwt
+    end
+
+    def validate!
+      token_data = JWTDecoder.new(jwt).call
+
+      JWTServerConditions.new(token_data).validate!
+
+      token_data.symbolize_keys
+    end
+  end
+end

data/lib/apple_auth/user_identity.rb

@@ -2,8 +2,6 @@
 
 module AppleAuth
   class UserIdentity
-    APPLE_KEY_URL = 'https://appleid.apple.com/auth/keys'
-
     attr_reader :user_identity, :jwt
 
     def initialize(user_identity, jwt)
@@ -12,31 +10,11 @@ module AppleAuth
     end
 
     def validate!
-      token_data = decoded_jwt
+      token_data = JWTDecoder.new(jwt).call
 
       JWTConditions.new(user_identity, token_data).validate!
 
       token_data.symbolize_keys
     end
-
-    private
-
-    def decoded_jwt
-      key_hash = apple_key_hash
-      apple_jwk = JWT::JWK.import(key_hash)
-      JWT.decode(jwt, apple_jwk.public_key, true, algorithm: key_hash['alg']).first
-    end
-
-    def apple_key_hash
-      response = Net::HTTP.get(URI.parse(APPLE_KEY_URL))
-      certificate = JSON.parse(response)
-      matching_key = certificate['keys'].select { |key| key['kid'] == jwt_kid }
-      ActiveSupport::HashWithIndifferentAccess.new(matching_key.first)
-    end
-
-    def jwt_kid
-      header = JSON.parse(Base64.decode64(jwt.split('.').first))
-      header['kid']
-    end
   end
 end

data/lib/apple_auth.rb

@@ -22,7 +22,10 @@ require 'apple_auth/helpers/conditions/exp_condition'
 require 'apple_auth/helpers/conditions/iat_condition'
 require 'apple_auth/helpers/conditions/iss_condition'
 require 'apple_auth/helpers/jwt_conditions'
+require 'apple_auth/helpers/jwt_decoder'
+require 'apple_auth/helpers/jwt_server_conditions'
 
+require 'apple_auth/server_identity'
 require 'apple_auth/user_identity'
 require 'apple_auth/token'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple_auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Timothy Peraza, Antonieta Alvarez, Martín Morón
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-08-14 00:00:00.000000000 Z
+date: 2024-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -178,13 +178,16 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.8'
-description: 
+description:
 email:
 - timothy@rootstrap.com, antonieta.alvarez@rootstrap.com, martin.jaime@rootstrap.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/ISSUE_TEMPLATE/bug_report.md"
+- ".github/ISSUE_TEMPLATE/feature_request.md"
+- ".github/pull_request_template.md"
 - ".gitignore"
 - ".reek.yml"
 - ".rspec"
@@ -192,6 +195,7 @@ files:
 - ".travis.yml"
 - CODEOWNERS
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -209,6 +213,9 @@ files:
 - lib/apple_auth/helpers/conditions/iss_condition.rb
 - lib/apple_auth/helpers/conditions/jwt_validation_error.rb
 - lib/apple_auth/helpers/jwt_conditions.rb
+- lib/apple_auth/helpers/jwt_decoder.rb
+- lib/apple_auth/helpers/jwt_server_conditions.rb
+- lib/apple_auth/server_identity.rb
 - lib/apple_auth/token.rb
 - lib/apple_auth/user_identity.rb
 - lib/generators/apple_auth/apple_auth_controller/apple_auth_controller_generator.rb
@@ -222,7 +229,7 @@ metadata:
   homepage_uri: https://github.com/rootstrap/apple_auth
   source_code_uri: https://github.com/rootstrap/apple_auth
   changelog_uri: https://github.com/rootstrap/apple_auth
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -237,8 +244,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.6
+signing_key:
 specification_version: 4
 summary: Integration with Apple Sign In and Devise for backend. Validate and Verify
   user token.