RubyGems - apple_sign_in - Versions diffs - 0.1.0 - Mend

apple_sign_in 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +7 -0
data/lib/apple_sign_in.rb +13 -0
data/lib/apple_sign_in/api_caller.rb +18 -0
data/lib/apple_sign_in/client_secret_generator.rb +52 -0
data/lib/apple_sign_in/config/auto_inject.rb +3 -0
data/lib/apple_sign_in/config/container.rb +25 -0
data/lib/apple_sign_in/error.rb +7 -0
data/lib/apple_sign_in/identity_token_verifier.rb +66 -0
data/lib/apple_sign_in/refresh_token_retriever.rb +51 -0
metadata +210 -0

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 612f3cbaf5a755093433a7ca8c3814c87de9100074a217be935ac37655bee813
+  data.tar.gz: 13bcf7886feddc8ddbbb479e0f1112dd00744c8300dc5256f08d34b29a2accc2
+SHA512:
+  metadata.gz: 50a886815d10532a2a9d68cf9d843f36072137982369f44b048506144817c6dea46c6b3a3572c40021f07d699103fc7a6f64a5a290067a30a8a3744a8c93fa66
+  data.tar.gz: 035db6c66a46299f654c2cedaa8b5827951778a5f93139eb0dc97d21e429e6204e463ab4dccbdb678f326662028e88323818137fc93cd4f6829510b9148346a6

data/lib/apple_sign_in.rb ADDED

@@ -0,0 +1,13 @@
+module AppleSignIn
+  require "dry/types"
+  require "dry/auto_inject"
+  require 'apple_sign_in/config/container'
+  require 'apple_sign_in/config/auto_inject'
+  require 'apple_sign_in/api_caller'
+  require 'apple_sign_in/client_secret_generator'
+  require 'apple_sign_in/identity_token_verifier'
+  require 'apple_sign_in/refresh_token_retriever'
+  require 'apple_sign_in/error'
+end

data/lib/apple_sign_in/api_caller.rb ADDED

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module AppleSignIn
+  class ApiCaller
+    include AutoInject[
+      :httparty,
+      :apple_base_url
+    ]
+    def post(url, body)
+      httparty.post("#{apple_base_url}#{url}", body: body)
+    end
+    def get(url, body = {})
+      httparty.get("#{apple_base_url}#{url}", body: body)
+    end
+  end
+end

data/lib/apple_sign_in/client_secret_generator.rb ADDED

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+module AppleSignIn
+  class ClientSecretGenerator
+    include AutoInject[
+      :apple_team_id,
+      :apple_base_url,
+      :apple_key_id,
+      :apple_private_key
+    ]
+    def generate(identity_token)
+      apple_client_id = extract_apple_client_id(identity_token)
+      claims = create_claims(apple_client_id)
+      jwt(claims)
+    end
+    private
+    def jwt(claims)
+      jwt = JSON::JWT.new(claims)
+      jwt.kid = apple_key_id
+      jws = jwt.sign(private_key, :ES256)
+      jws.to_s
+    end
+    def create_claims(apple_client_id)
+      {
+        "iss" => apple_team_id,
+        "iat" => Time.now.to_i,
+        "exp" => 5.months.from_now.to_i,
+        "aud" => apple_base_url,
+        "sub" => apple_client_id
+      }
+    end
+    def private_key
+      OpenSSL::PKey::EC.new apple_private_key
+    end
+    def headers
+      {
+        "kid" => apple_key_id
+      }
+    end
+    def extract_apple_client_id(identity_token)
+      token_payload = JSON::JWT.decode(identity_token, :skip_verification)
+      token_payload["aud"]
+    end
+  end
+end

data/lib/apple_sign_in/config/auto_inject.rb ADDED

@@ -0,0 +1,3 @@
+module AppleSignIn
+  AutoInject = Dry::AutoInject(Container)
+end

data/lib/apple_sign_in/config/container.rb ADDED

@@ -0,0 +1,25 @@
+module AppleSignIn
+  Container = Dry::Container.new
+  APPLE_BASE_URL = "https://appleid.apple.com".freeze
+  PROVIDER_NAMES = %w(apple).freeze
+  # Constants
+  Container.register(:provider_names, -> { PROVIDER_NAMES })
+  Container.register(:apple_base_url, -> { APPLE_BASE_URL })
+  Container.register(:apple_team_id, -> { ENV["APPLE_TEAM_ID"] })
+  Container.register(:apple_key_id, -> { ENV["APPLE_KEY_ID"] })
+  Container.register(:apple_private_key, -> { ENV("APPLE_PRIVATE_KEY") })
+  Container.register(:apple_redirect_uri, -> { ENV["APPLE_REDIRECT_URI"] })
+  Container.register(:apple_client_ids, -> { ENV["APPLE_CLIENT_IDS"].split(",") })
+  # 3rd Party
+  Container.register(:httparty, -> { HTTParty })
+  # Actions
+  Container.register(:apple_client_secret_generator, -> { AppleSignIn::ClientSecretGenerator.new })
+  Container.register(:apple_api_caller, -> { AppleSignIn::ApiCaller.new })
+  Container.register(:apple_identity_token_verifier, -> { AppleSignIn::IdentityTokenVerifier.new })
+  Container.register(:apple_refresh_token_retriever, -> { AppleSignIn::RefreshTokenRetriever.new })
+end

data/lib/apple_sign_in/error.rb ADDED

@@ -0,0 +1,7 @@
+module AppleSignIn
+  class Error < StandardError
+    class InvalidProviderToken < AppleSignIn::Error; end
+    class InvalidCredentials < AppleSignIn::Error; end
+    class InvalidRefreshToken < AppleSignIn::Error; end
+  end
+end

data/lib/apple_sign_in/identity_token_verifier.rb ADDED

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+module AppleSignIn
+  class IdentityTokenVerifier
+    include AutoInject[
+      :apple_base_url,
+      :apple_api_caller,
+      :apple_client_ids
+    ]
+    def valid?(identity_token)
+      decoded_token = JSON::JWT.decode(identity_token, :skip_verification)
+      valid_claims?(decoded_token) &&
+        valid_headers?(decoded_token.header) &&
+        valid_signature?(identity_token)
+    end
+    private
+    def valid_claims?(claims)
+      valid_issuer?(claims) &&
+        valid_audience?(claims) &&
+        valid_time?(claims) &&
+        valid_expiry_time?(claims)
+    end
+    def valid_issuer?(claims)
+      claims["iss"].include?(apple_base_url.to_s)
+    end
+    def valid_audience?(claims)
+      apple_client_ids.include?(claims["aud"])
+    end
+    def valid_time?(claims)
+      claims["iat"].between?(30.seconds.ago.to_i, Time.now.to_i)
+    end
+    def valid_expiry_time?(claims)
+      claims["exp"] > Time.now.to_i
+    end
+    def valid_headers?(headers)
+      headers["alg"] == "RS256"
+    end
+    def valid_signature?(identity_token)
+      jwt = JSON::JWT.decode(identity_token, :skip_verification)
+      kid = jwt.header["kid"]
+      key = select_public_key(kid)
+      jwt.verify!(key)
+    end
+    def apple_public_keys
+      response = apple_api_caller.get("/auth/keys")
+      JSON.parse(response.body)["keys"]
+    end
+    def select_public_key(kid)
+      jwk_set = JSON::JWK::Set.new(apple_public_keys)
+      appropriate_key = jwk_set.select { |key| key["kid"] == kid }.first
+      appropriate_key.to_key
+    end
+  end
+end

data/lib/apple_sign_in/refresh_token_retriever.rb ADDED

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+module AppleSignIn
+  class RefreshTokenRetriever
+    include AutoInject[
+      :apple_api_caller,
+      :apple_client_secret_generator,
+      :apple_redirect_uri
+    ]
+    def call(authorization_data)
+      body = build_body(authorization_data)
+      response = apple_api_caller.post("/auth/token", body)
+      parse(response)
+    end
+    private
+    def parse(response)
+      return JSON.parse(response.body) if response.code == 200
+      handle_error(response)
+    end
+    def handle_error(response)
+      Rollbar.error(response)
+      return raise(AppleSignIn::Error, response.body.to_s) if response.code == 400
+      raise(AppleSignIn::Error, response.code.to_s)
+    end
+    def build_body(authorization_data)
+      {
+        "client_id" => extract_apple_client_id(authorization_data["identity_token"]),
+        "client_secret" => secret(authorization_data["identity_token"]),
+        "grant_type" => "authorization_code",
+        "code" => authorization_data["authorization_code"],
+        "redirect_uri" => apple_redirect_uri
+      }
+    end
+    def extract_apple_client_id(identity_token)
+      token_payload = JSON::JWT.decode(identity_token, :skip_verification)
+      token_payload["aud"]
+    end
+    def secret(identity_token)
+      apple_client_secret_generator.generate(identity_token)
+    end
+  end
+end

metadata ADDED

@@ -0,0 +1,210 @@
+--- !ruby/object:Gem::Specification
+name: apple_sign_in
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Gui Heurich
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-06-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-container
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dry-auto_inject
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dry-types
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rollbar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Validate identity token claims, headers, and signatures.Exchange authorization
+  codes for refresh tokens.
+email: guilherme.heurich@protonmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/apple_sign_in.rb
+- lib/apple_sign_in/api_caller.rb
+- lib/apple_sign_in/client_secret_generator.rb
+- lib/apple_sign_in/config/auto_inject.rb
+- lib/apple_sign_in/config/container.rb
+- lib/apple_sign_in/error.rb
+- lib/apple_sign_in/identity_token_verifier.rb
+- lib/apple_sign_in/refresh_token_retriever.rb
+homepage: https://github.com/GuiHeurich/apple_sign_in
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/GuiHeurich/apple_sign_in/issues
+  changelog_uri: https://github.com/GuiHeurich/apple_sign_in/blob/master/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/apple_sign_in
+  homepage_uri: https://github.com/GuiHeurich/apple_sign_in
+  source_code_uri: https://github.com/GuiHeurich/apple_sign_in
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key:
+specification_version: 4
+summary: Backend functionality for Sign in with Apple
+test_files: []