apple_sign_in 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 612f3cbaf5a755093433a7ca8c3814c87de9100074a217be935ac37655bee813
+  data.tar.gz: 13bcf7886feddc8ddbbb479e0f1112dd00744c8300dc5256f08d34b29a2accc2
+SHA512:
+  metadata.gz: 50a886815d10532a2a9d68cf9d843f36072137982369f44b048506144817c6dea46c6b3a3572c40021f07d699103fc7a6f64a5a290067a30a8a3744a8c93fa66
+  data.tar.gz: 035db6c66a46299f654c2cedaa8b5827951778a5f93139eb0dc97d21e429e6204e463ab4dccbdb678f326662028e88323818137fc93cd4f6829510b9148346a6

data/lib/apple_sign_in.rb

@@ -0,0 +1,13 @@
+module AppleSignIn
+  require "dry/types"
+  require "dry/auto_inject"
+
+  require 'apple_sign_in/config/container'
+  require 'apple_sign_in/config/auto_inject'
+
+  require 'apple_sign_in/api_caller'
+  require 'apple_sign_in/client_secret_generator'
+  require 'apple_sign_in/identity_token_verifier'
+  require 'apple_sign_in/refresh_token_retriever'
+  require 'apple_sign_in/error'
+end

data/lib/apple_sign_in/api_caller.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module AppleSignIn
+  class ApiCaller
+    include AutoInject[
+      :httparty,
+      :apple_base_url
+    ]
+
+    def post(url, body)
+      httparty.post("#{apple_base_url}#{url}", body: body)
+    end
+
+    def get(url, body = {})
+      httparty.get("#{apple_base_url}#{url}", body: body)
+    end
+  end
+end

data/lib/apple_sign_in/client_secret_generator.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module AppleSignIn
+  class ClientSecretGenerator
+    include AutoInject[
+      :apple_team_id,
+      :apple_base_url,
+      :apple_key_id,
+      :apple_private_key
+    ]
+
+    def generate(identity_token)
+      apple_client_id = extract_apple_client_id(identity_token)
+      claims = create_claims(apple_client_id)
+      jwt(claims)
+    end
+
+    private
+
+    def jwt(claims)
+      jwt = JSON::JWT.new(claims)
+      jwt.kid = apple_key_id
+      jws = jwt.sign(private_key, :ES256)
+      jws.to_s
+    end
+
+    def create_claims(apple_client_id)
+      {
+        "iss" => apple_team_id,
+        "iat" => Time.now.to_i,
+        "exp" => 5.months.from_now.to_i,
+        "aud" => apple_base_url,
+        "sub" => apple_client_id
+      }
+    end
+
+    def private_key
+      OpenSSL::PKey::EC.new apple_private_key
+    end
+
+    def headers
+      {
+        "kid" => apple_key_id
+      }
+    end
+
+    def extract_apple_client_id(identity_token)
+      token_payload = JSON::JWT.decode(identity_token, :skip_verification)
+      token_payload["aud"]
+    end
+  end
+end

data/lib/apple_sign_in/config/auto_inject.rb

@@ -0,0 +1,3 @@
+module AppleSignIn
+  AutoInject = Dry::AutoInject(Container)
+end

data/lib/apple_sign_in/config/container.rb

@@ -0,0 +1,25 @@
+module AppleSignIn
+  Container = Dry::Container.new
+
+  APPLE_BASE_URL = "https://appleid.apple.com".freeze
+
+  PROVIDER_NAMES = %w(apple).freeze
+
+  # Constants
+  Container.register(:provider_names, -> { PROVIDER_NAMES })
+  Container.register(:apple_base_url, -> { APPLE_BASE_URL })
+  Container.register(:apple_team_id, -> { ENV["APPLE_TEAM_ID"] })
+  Container.register(:apple_key_id, -> { ENV["APPLE_KEY_ID"] })
+  Container.register(:apple_private_key, -> { ENV("APPLE_PRIVATE_KEY") })
+  Container.register(:apple_redirect_uri, -> { ENV["APPLE_REDIRECT_URI"] })
+  Container.register(:apple_client_ids, -> { ENV["APPLE_CLIENT_IDS"].split(",") })
+  
+  # 3rd Party
+  Container.register(:httparty, -> { HTTParty })
+
+  # Actions
+  Container.register(:apple_client_secret_generator, -> { AppleSignIn::ClientSecretGenerator.new })
+  Container.register(:apple_api_caller, -> { AppleSignIn::ApiCaller.new })
+  Container.register(:apple_identity_token_verifier, -> { AppleSignIn::IdentityTokenVerifier.new })
+  Container.register(:apple_refresh_token_retriever, -> { AppleSignIn::RefreshTokenRetriever.new })
+end

data/lib/apple_sign_in/error.rb

@@ -0,0 +1,7 @@
+module AppleSignIn
+  class Error < StandardError
+    class InvalidProviderToken < AppleSignIn::Error; end
+    class InvalidCredentials < AppleSignIn::Error; end
+    class InvalidRefreshToken < AppleSignIn::Error; end
+  end
+end

data/lib/apple_sign_in/identity_token_verifier.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module AppleSignIn
+  class IdentityTokenVerifier
+    include AutoInject[
+      :apple_base_url,
+      :apple_api_caller,
+      :apple_client_ids
+    ]
+
+    def valid?(identity_token)
+      decoded_token = JSON::JWT.decode(identity_token, :skip_verification)
+
+      valid_claims?(decoded_token) && 
+        valid_headers?(decoded_token.header) &&
+        valid_signature?(identity_token)
+    end
+
+    private
+
+    def valid_claims?(claims)
+      valid_issuer?(claims) &&
+        valid_audience?(claims) &&
+        valid_time?(claims) &&
+        valid_expiry_time?(claims)
+    end
+
+    def valid_issuer?(claims)
+      claims["iss"].include?(apple_base_url.to_s)
+    end
+
+    def valid_audience?(claims)
+      apple_client_ids.include?(claims["aud"])
+    end
+
+    def valid_time?(claims)
+      claims["iat"].between?(30.seconds.ago.to_i, Time.now.to_i)
+    end
+
+    def valid_expiry_time?(claims)
+      claims["exp"] > Time.now.to_i
+    end
+
+    def valid_headers?(headers)
+      headers["alg"] == "RS256"
+    end
+
+    def valid_signature?(identity_token)
+      jwt = JSON::JWT.decode(identity_token, :skip_verification)
+      kid = jwt.header["kid"]
+      key = select_public_key(kid)
+      jwt.verify!(key)
+    end
+
+    def apple_public_keys
+      response = apple_api_caller.get("/auth/keys")
+      JSON.parse(response.body)["keys"]
+    end
+
+    def select_public_key(kid)
+      jwk_set = JSON::JWK::Set.new(apple_public_keys)
+      appropriate_key = jwk_set.select { |key| key["kid"] == kid }.first
+      appropriate_key.to_key
+    end
+  end
+end

data/lib/apple_sign_in/refresh_token_retriever.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module AppleSignIn
+  class RefreshTokenRetriever
+    include AutoInject[
+      :apple_api_caller,
+      :apple_client_secret_generator,
+      :apple_redirect_uri
+    ]
+
+    def call(authorization_data)
+      body = build_body(authorization_data)
+      response = apple_api_caller.post("/auth/token", body)
+      parse(response)
+    end
+
+    private
+
+    def parse(response)
+      return JSON.parse(response.body) if response.code == 200
+
+      handle_error(response)
+    end
+
+    def handle_error(response)
+      Rollbar.error(response)
+      return raise(AppleSignIn::Error, response.body.to_s) if response.code == 400
+
+      raise(AppleSignIn::Error, response.code.to_s)
+    end
+
+    def build_body(authorization_data)
+      {
+        "client_id" => extract_apple_client_id(authorization_data["identity_token"]),
+        "client_secret" => secret(authorization_data["identity_token"]),
+        "grant_type" => "authorization_code",
+        "code" => authorization_data["authorization_code"],
+        "redirect_uri" => apple_redirect_uri
+      }
+    end
+
+    def extract_apple_client_id(identity_token)
+      token_payload = JSON::JWT.decode(identity_token, :skip_verification)
+      token_payload["aud"]
+    end
+
+    def secret(identity_token)
+      apple_client_secret_generator.generate(identity_token)
+    end
+  end
+end

metadata

@@ -0,0 +1,210 @@
+--- !ruby/object:Gem::Specification
+name: apple_sign_in
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Gui Heurich
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-06-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-container
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dry-auto_inject
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dry-types
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rollbar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Validate identity token claims, headers, and signatures.Exchange authorization
+  codes for refresh tokens.
+email: guilherme.heurich@protonmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/apple_sign_in.rb
+- lib/apple_sign_in/api_caller.rb
+- lib/apple_sign_in/client_secret_generator.rb
+- lib/apple_sign_in/config/auto_inject.rb
+- lib/apple_sign_in/config/container.rb
+- lib/apple_sign_in/error.rb
+- lib/apple_sign_in/identity_token_verifier.rb
+- lib/apple_sign_in/refresh_token_retriever.rb
+homepage: https://github.com/GuiHeurich/apple_sign_in
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/GuiHeurich/apple_sign_in/issues
+  changelog_uri: https://github.com/GuiHeurich/apple_sign_in/blob/master/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/apple_sign_in
+  homepage_uri: https://github.com/GuiHeurich/apple_sign_in
+  source_code_uri: https://github.com/GuiHeurich/apple_sign_in
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key: 
+specification_version: 4
+summary: Backend functionality for Sign in with Apple
+test_files: []