clavis 0.7.2 → 0.8.0

data/lib/clavis/providers/apple.rb

@@ -3,34 +3,63 @@
 require "jwt"
 require "base64"
 require "openssl"
+require "securerandom"
+require "net/http"
+require "json"
 
 module Clavis
   module Providers
     class Apple < Base
-      attr_reader :team_id, :key_id, :private_key, :private_key_path
+      attr_reader :team_id, :key_id, :private_key, :private_key_path, :authorized_client_ids, :client_options
 
-      APPLE_AUTH_URL = "https://appleid.apple.com/auth/authorize"
-      APPLE_TOKEN_URL = "https://appleid.apple.com/auth/token"
+      ISSUER = "https://appleid.apple.com"
+      APPLE_AUTH_URL = "#{ISSUER}/auth/authorize".freeze
+      APPLE_TOKEN_URL = "#{ISSUER}/auth/token".freeze
+      APPLE_JWKS_URL = "#{ISSUER}/auth/keys".freeze
+      DEFAULT_CLIENT_SECRET_EXPIRY = 300 # 5 minutes in seconds
 
       def initialize(config = {})
         @team_id = config[:team_id] || ENV.fetch("APPLE_TEAM_ID", nil)
         @key_id = config[:key_id] || ENV.fetch("APPLE_KEY_ID", nil)
         @private_key = config[:private_key] || ENV.fetch("APPLE_PRIVATE_KEY", nil)
         @private_key_path = config[:private_key_path] || ENV.fetch("APPLE_PRIVATE_KEY_PATH", nil)
+        @authorized_client_ids = config[:authorized_client_ids] || []
+        @client_secret_expiry = config[:client_secret_expiry] || DEFAULT_CLIENT_SECRET_EXPIRY
+        @client_options = config[:client_options] || {}
 
-        config[:authorization_endpoint] = APPLE_AUTH_URL
-        config[:token_endpoint] = APPLE_TOKEN_URL
-        config[:userinfo_endpoint] = nil # Apple doesn't have a userinfo endpoint
+        # Set up endpoints with potential overrides from client_options
+        endpoints = {
+          authorization_endpoint: @client_options[:authorize_url] || APPLE_AUTH_URL,
+          token_endpoint: @client_options[:token_url] || APPLE_TOKEN_URL,
+          userinfo_endpoint: nil # Apple doesn't have a userinfo endpoint
+        }
+
+        # Override base URL if site is specified
+        if @client_options[:site]
+          base_uri = URI.parse(@client_options[:site])
+          auth_uri = URI.parse(endpoints[:authorization_endpoint])
+          token_uri = URI.parse(endpoints[:token_endpoint])
+
+          # Only override the host, keep the paths
+          auth_uri.scheme = base_uri.scheme
+          auth_uri.host = base_uri.host
+          token_uri.scheme = base_uri.scheme
+          token_uri.host = base_uri.host
+
+          endpoints[:authorization_endpoint] = auth_uri.to_s
+          endpoints[:token_endpoint] = token_uri.to_s
+        end
 
+        config.merge!(endpoints)
         super
       end
 
       def authorization_endpoint
-        APPLE_AUTH_URL
+        @authorize_endpoint_url
       end
 
       def token_endpoint
-        APPLE_TOKEN_URL
+        @token_endpoint_url
       end
 
       def userinfo_endpoint
@@ -46,13 +75,13 @@ module Clavis
       end
 
       def refresh_token(_refresh_token)
-        # As of 2023, Apple does not support refresh tokens
+        # Apple doesn't support the standard OAuth refresh token flow
+        # Instead, they use long-lived tokens that don't need refreshing
         raise Clavis::UnsupportedOperation, "Apple does not support refresh tokens"
       end
 
-      # Using keyword arguments without expected_state to match the base class interface
-      # but we don't use expected_state in this implementation
-      def token_exchange(code:, **_kwargs)
+      # Using keyword arguments with support for state verification (for compatibility)
+      def token_exchange(code:, **kwargs)
         # Validate inputs
         raise Clavis::InvalidGrant unless Clavis::Security::InputValidator.valid_code?(code)
 
@@ -68,7 +97,30 @@ module Clavis
 
         handle_token_error_response(response) if response.status != 200
 
-        parse_token_response(response)
+        token_data = parse_token_response(response)
+
+        # If id_token is present, verify and extract claims
+        if token_data[:id_token] && !token_data[:id_token].empty?
+          begin
+            token_data[:id_token_claims] = verify_and_decode_id_token(
+              token_data[:id_token],
+              kwargs[:nonce]
+            )
+          rescue StandardError => e
+            Clavis.logger.warn("Failed to verify ID token: #{e.message}")
+          end
+        end
+
+        # Process user data if available
+        if kwargs[:user_data] && !kwargs[:user_data].empty?
+          begin
+            token_data[:user_info] = JSON.parse(kwargs[:user_data])
+          rescue JSON::ParserError => e
+            Clavis.logger.warn("Failed to parse user data: #{e.message}")
+          end
+        end
+
+        token_data
       end
 
       def get_user_info(_access_token)
@@ -76,6 +128,58 @@ module Clavis
         raise Clavis::UnsupportedOperation, "Apple does not have a userinfo endpoint"
       end
 
+      def authorize_url(state:, nonce:, scope: nil)
+        # Generate a more secure URL with form_post response mode
+        params = {
+          response_type: "code",
+          client_id: client_id,
+          redirect_uri: Clavis::Security::HttpsEnforcer.enforce_https(redirect_uri),
+          scope: scope || default_scopes,
+          state: state,
+          nonce: nonce,
+          response_mode: "form_post" # Required for getting user information
+        }
+
+        uri = URI.parse(authorization_endpoint)
+        uri.query = URI.encode_www_form(params)
+
+        # Enforce HTTPS
+        uri.scheme = "https" if Clavis.configuration.enforce_https && uri.scheme == "http"
+
+        uri.to_s
+      end
+
+      def process_callback(code, user_data = nil)
+        clean_code = code.to_s.gsub(/\A["']|["']\Z/, "")
+        token_data = token_exchange(code: clean_code, user_data: user_data)
+
+        # Extract user info from id_token and/or user_data
+        user_info = extract_user_info(token_data)
+
+        # For OpenID Connect, use sub claim as identifier
+        uid = if token_data[:id_token_claims]&.dig(:sub)
+                token_data[:id_token_claims][:sub]
+              else
+                # Generate a hash as fallback
+                data_for_hash = "#{provider_name}:#{token_data[:access_token] || ""}:#{user_info[:email] || ""}"
+                Digest::SHA1.hexdigest(data_for_hash)[0..19]
+              end
+
+        {
+          provider: provider_name,
+          uid: uid,
+          info: user_info,
+          credentials: {
+            token: token_data[:access_token],
+            refresh_token: token_data[:refresh_token],
+            expires_at: token_data[:expires_at],
+            expires: token_data[:expires_at] && !token_data[:expires_at].nil?
+          },
+          id_token: token_data[:id_token],
+          id_token_claims: token_data[:id_token_claims] || {}
+        }
+      end
+
       protected
 
       def validate_configuration!
@@ -115,8 +219,8 @@ module Clavis
           claims = {
             iss: team_id,
             iat: now,
-            exp: now + (86_400 * 180), # 180 days
-            aud: "https://appleid.apple.com",
+            exp: now + @client_secret_expiry,
+            aud: ISSUER,
             sub: client_id
           }
 
@@ -130,6 +234,136 @@ module Clavis
           raise
         end
       end
+
+      def fetch_jwk(kid)
+        uri = URI.parse(APPLE_JWKS_URL)
+
+        begin
+          response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
+            http.open_timeout = 5
+            http.read_timeout = 5
+            http.get(uri.path)
+          end
+
+          return nil unless response.is_a?(Net::HTTPSuccess)
+
+          jwks = JSON.parse(response.body)
+          jwks["keys"].find { |key| key["kid"] == kid }
+        rescue StandardError => e
+          Clavis.logger.error("Error fetching Apple JWK: #{e.message}")
+          nil
+        end
+      end
+
+      def verify_and_decode_id_token(id_token, expected_nonce = nil)
+        # Basic decode to get header and payload without verification
+        segments = id_token.split(".")
+        return {} if segments.length < 2
+
+        # Decode header to get kid
+        header_segment = segments[0]
+        # Add padding if needed
+        header_segment += "=" * ((4 - (header_segment.length % 4)) % 4)
+        header_json = Base64.urlsafe_decode64(header_segment)
+        header = JSON.parse(header_json)
+        kid = header["kid"]
+
+        # Decode payload for basic verification
+        payload_segment = segments[1]
+        # Add padding if needed
+        payload_segment += "=" * ((4 - (payload_segment.length % 4)) % 4)
+        payload_json = Base64.urlsafe_decode64(payload_segment)
+        payload = JSON.parse(payload_json, symbolize_names: true)
+
+        # Verify JWT claims
+        verify_issuer(payload)
+        verify_audience(payload)
+        verify_expiration(payload)
+        verify_issued_at(payload)
+        verify_nonce(payload, expected_nonce) if expected_nonce
+
+        # Optional: Verify signature with JWKS
+        if kid
+          jwk = fetch_jwk(kid)
+          if jwk
+            # Convert JWK to PEM format for verification
+            Clavis.logger.info("JWT signature verification with JWK is not implemented yet")
+            # Future implementation would verify the JWT signature here
+          end
+        end
+
+        # Return the verified claims
+        payload
+      rescue StandardError => e
+        Clavis.logger.error("ID token verification failed: #{e.message}")
+        {}
+      end
+
+      def verify_issuer(payload)
+        return if payload[:iss] == ISSUER
+
+        raise Clavis::InvalidToken, "Invalid issuer: expected #{ISSUER}, got #{payload[:iss]}"
+      end
+
+      def verify_audience(payload)
+        valid_audiences = [client_id] + authorized_client_ids
+        return if valid_audiences.include?(payload[:aud])
+
+        raise Clavis::InvalidToken, "Invalid audience: #{payload[:aud]}"
+      end
+
+      def verify_expiration(payload)
+        return if payload[:exp] && payload[:exp] > Time.now.to_i
+
+        raise Clavis::InvalidToken, "Token expired"
+      end
+
+      def verify_issued_at(payload)
+        return if payload[:iat] && payload[:iat] <= Time.now.to_i
+
+        raise Clavis::InvalidToken, "Invalid issued at time"
+      end
+
+      def verify_nonce(payload, expected_nonce)
+        return if payload[:nonce] && payload[:nonce] == expected_nonce
+
+        raise Clavis::InvalidToken, "Nonce mismatch"
+      end
+
+      def extract_user_info(token_data)
+        info = {}
+
+        # Extract from ID token claims (prioritized for security)
+        if token_data[:id_token_claims]
+          claims = token_data[:id_token_claims]
+          info[:email] = claims[:email]
+          info[:email_verified] = [true, "true"].include?(claims[:email_verified])
+          info[:is_private_email] = [true, "true"].include?(claims[:is_private_email])
+          info[:sub] = claims[:sub]
+        end
+
+        # Extract from user_info if available (comes from form_post)
+        if token_data[:user_info]
+          user_data = token_data[:user_info]
+          if user_data["name"]
+            info[:first_name] = user_data["name"]["firstName"]
+            info[:last_name] = user_data["name"]["lastName"]
+            # Combine name parts if available
+            if info[:first_name] || info[:last_name]
+              info[:name] = [info[:first_name], info[:last_name]].compact.join(" ")
+            end
+          end
+
+          # Only use email from user_data if not already set from ID token
+          # This prevents email spoofing attacks
+          info[:email] ||= user_data["email"]
+        end
+
+        # If no name was set but we have email, use that as name
+        info[:name] ||= info[:email]
+
+        info
+      end
     end
   end
 end

data/lib/clavis/providers/base.rb

@@ -16,10 +16,13 @@ require "clavis/security/redirect_uri_validator"
 require "clavis/security/csrf_protection"
 require "openssl"
 require "jwt"
+require "clavis/providers/token_exchange_handler"
 
 module Clavis
   module Providers
     class Base
+      include Clavis::Providers::TokenExchangeHandler
+
       attr_reader :client_id, :client_secret, :redirect_uri, :authorize_endpoint_url,
                   :token_endpoint_url, :userinfo_endpoint_url, :scope
 
@@ -86,39 +89,37 @@ module Clavis
         Clavis::Security::InputValidator.sanitize_hash(token_data)
       end
 
-      def token_exchange(code:)
-        # Validate inputs - temporarily bypass validation for debugging
-        # raise Clavis::InvalidGrant unless Clavis::Security::InputValidator.valid_code?(code)
-
-        # raise Clavis::InvalidState if expected_state && !Clavis::Security::InputValidator.valid_state?(expected_state)
-
-        params = {
-          grant_type: "authorization_code",
-          code: code,
-          redirect_uri: redirect_uri,
-          client_id: client_id,
-          client_secret: client_secret
-        }
+      def token_exchange(options = {})
+        code = options[:code]
+        redirect_uri = options[:redirect_uri] || @redirect_uri
 
-        response = http_client.post(token_endpoint, params)
+        Clavis::Logging.debug("#{provider_name}#token_exchange - Starting with options: #{options.inspect}")
 
-        if response.status != 200
-          Clavis::Logging.log_token_exchange(provider_name, false)
-          handle_token_error_response(response)
-        end
+        # Set up the token exchange parameters
+        params = build_token_exchange_params(code, redirect_uri)
 
-        Clavis::Logging.log_token_exchange(provider_name, true)
+        # Make the token exchange request
+        begin
+          response = make_token_request(params)
+          token_response = parse_response(response)
 
-        # Parse and validate the token response
-        token_data = parse_token_response(response)
+          # Check for error
+          handle_error_response(token_response, response.status)
 
-        # Temporarily bypass validation for debugging
-        # unless Clavis::Security::InputValidator.valid_token_response?(token_data)
-        #   raise Clavis::InvalidToken, "Invalid token response format"
-        # end
+          # Log the token exchange
+          Clavis::Logging.log_token_exchange(provider_name, true)
 
-        # Sanitize the token data to prevent XSS
-        Clavis::Security::InputValidator.sanitize_hash(token_data)
+          # Return the token data
+          process_id_token_if_present(token_response)
+        rescue Faraday::ConnectionFailed, Faraday::TimeoutError => e
+          handle_connection_error(e)
+        rescue Faraday::Error => e
+          handle_faraday_error(e)
+        rescue JSON::ParserError => e
+          handle_parser_error(e)
+        rescue StandardError => e
+          handle_standard_error(e)
+        end
       end
 
       def get_user_info(access_token)
@@ -191,59 +192,109 @@ module Clavis
         uri.to_s
       end
 
-      def process_callback(code)
-        # Clean the code to ensure it doesn't have quotes
-        clean_code = code.to_s.gsub(/\A["']|["']\Z/, "")
+      def process_callback(code, user_data = nil)
+        Clavis::Logging.debug("#{provider_name}#process_callback - Starting with code: #{code.inspect}")
+
+        # Normalize the code by removing quote characters and trimming whitespace
+        clean_code = code.gsub(/^"|"$/, "").strip
+        Clavis::Logging.debug("#{provider_name}#process_callback - Cleaned code: #{clean_code}")
 
+        Clavis::Logging.debug("#{provider_name}#process_callback - Calling token_exchange")
         token_data = token_exchange(code: clean_code)
+        Clavis::Logging.debug("#{provider_name}#process_callback - Token data received: #{token_data.inspect}")
 
+        # If we have a token, try to get user info
         user_info = {}
-        if token_data[:access_token] && !token_data[:access_token].empty?
+        if token_data[:access_token]
           begin
+            # Debug log excluding sensitive information
+            token_data.except(:access_token, :refresh_token, :id_token)
+            Clavis::Logging.debug(
+              "#{provider_name}#process_callback - Calling get_user_info with " \
+              "access_token: #{token_data[:access_token].inspect}"
+            )
             user_info = get_user_info(token_data[:access_token])
-          rescue Clavis::UnsupportedOperation
-            # Continue with empty user_info hash
+            Clavis::Logging.debug("#{provider_name}#process_callback - User info received: #{user_info.inspect}")
+          rescue Clavis::UnsupportedOperation => e
+            Clavis::Logging.debug("#{provider_name}#process_callback - UnsupportedOperation: #{e.message}")
+            user_info = {}
+          rescue StandardError => e
+            # Debug log error from user info
+            Clavis::Logging.debug(
+              "#{provider_name}#process_callback - Error getting user info: " \
+              "#{e.class.name}: #{e.message}"
+            )
+            Clavis::Logging.debug("#{provider_name}#process_callback - Error backtrace: #{e.backtrace.join("\n")}")
+            raise
           end
+        else
+          Clavis::Logging.debug("#{provider_name}#process_callback - No access_token available, skipping user_info")
         end
 
-        # For OpenID Connect providers, we should always use the sub claim as the identifier
-        # For non-OIDC providers, fall back to other options
-        uid = if openid_provider? && token_data[:id_token_claims]&.dig(:sub)
+        # Determine a unique identifier (UID) for the user
+        # Prefer ID token claims as the most reliable source
+        uid = if token_data[:id_token_claims] && token_data[:id_token_claims][:sub]
+                Clavis::Logging.debug("#{provider_name}#process_callback - Using sub from id_token_claims as UID")
                 token_data[:id_token_claims][:sub]
-              elsif user_info[:sub] && !user_info[:sub].to_s.empty?
+              elsif user_info[:sub]
+                Clavis::Logging.debug("#{provider_name}#process_callback - Using sub from user_info as UID")
                 user_info[:sub]
-              elsif user_info[:id] && !user_info[:id].to_s.empty?
+              elsif user_info[:id]
+                Clavis::Logging.debug("#{provider_name}#process_callback - Using id from user_info as UID")
                 user_info[:id]
               else
                 # Generate a hash of some token data for consistent ids
+                Clavis::Logging.debug("#{provider_name}#process_callback - Generating fallback UID")
                 data_for_hash = "#{provider_name}:#{token_data[:access_token] || ""}:#{user_info[:email] || ""}"
-                Digest::SHA1.hexdigest(data_for_hash)[0..19]
+                Digest::SHA1.hexdigest(data_for_hash)[0...20] # Use first 20 characters for a longer UID
               end
 
-        # Extract id_token claims if present
+        Clavis::Logging.debug("#{provider_name}#process_callback - UID determined: #{uid}")
+
+        # Merge data from ID token if available
         id_token_claims = {}
-        if token_data[:id_token] && !token_data[:id_token].to_s.empty?
+        if token_data[:id_token]
           begin
+            Clavis::Logging.debug("#{provider_name}#process_callback - Decoding ID token")
             id_token_claims = decode_id_token(token_data[:id_token])
-          rescue StandardError
-            # Continue with empty id_token_claims hash
+            Clavis::Logging.debug("#{provider_name}#process_callback - ID token claims: #{id_token_claims.inspect}")
+          rescue StandardError => e
+            Clavis::Logging.debug("#{provider_name}#process_callback - Error decoding ID token: #{e.message}")
+            # Don't fail if we can't decode the ID token
           end
         end
 
-        # Build the auth hash structure
-        {
+        # Debug log ID token claims
+        Clavis::Logging.debug(
+          "#{provider_name}#process_id_token_if_present - ID token claims: " \
+          "#{id_token_claims.inspect}"
+        )
+
+        # Do any provider-specific user data processing
+        processed_user_data = process_user_data(user_data) if user_data
+
+        # Build the standardized auth hash
+        result = {
           provider: provider_name,
           uid: uid,
-          info: user_info,
+          info: user_info.merge(processed_user_data || {}),
           credentials: {
             token: token_data[:access_token],
             refresh_token: token_data[:refresh_token],
             expires_at: token_data[:expires_at],
-            expires: token_data[:expires_at] && !token_data[:expires_at].nil?
-          },
-          id_token: token_data[:id_token],
-          id_token_claims: id_token_claims
+            expires: !token_data[:expires_at].nil?
+          }
         }
+
+        # Add ID token if available
+        result[:id_token] = token_data[:id_token] if token_data[:id_token]
+        if token_data[:id_token_claims] || !id_token_claims.empty?
+          result[:id_token_claims] =
+            token_data[:id_token_claims] || id_token_claims
+        end
+
+        Clavis::Logging.debug("#{provider_name}#process_callback - Returning auth hash: #{result.inspect}")
+        result
       end
 
       protected
@@ -269,23 +320,35 @@ module Clavis
         Clavis::Security::HttpsEnforcer.create_http_client
       end
 
-      def parse_token_response(response)
-        # If response.body is already a Hash, use it directly
-        if response.body.is_a?(Hash)
-          data = response.body
-        else
-          # Try to parse as JSON
-          begin
-            data = JSON.parse(response.body)
-          rescue JSON::ParserError
-            # Try to parse as form-encoded
-            begin
-              data = Rack::Utils.parse_nested_query(response.body)
-            rescue StandardError
-              return {}
-            end
-          end
-        end
+      def parse_token_response(response_or_body)
+        # Handle both response objects and direct body inputs
+        response_body = if response_or_body.respond_to?(:body)
+                          # It's a response object
+                          response_or_body.body
+                        else
+                          # It's already a body
+                          response_or_body
+                        end
+
+        # Process the body based on its type
+        data = if response_body.is_a?(Hash)
+                 response_body
+               elsif response_body.is_a?(String) && !response_body.empty?
+                 # For tests that might not use Faraday's JSON middleware
+                 begin
+                   JSON.parse(response_body)
+                 rescue JSON::ParserError
+                   # Try to parse as form-encoded for non-JSON responses
+                   begin
+                     Rack::Utils.parse_nested_query(response_body)
+                   rescue StandardError
+                     {}
+                   end
+                 end
+               else
+                 # Empty or nil response
+                 {}
+               end
 
         # Symbolize keys for consistency
         result = data.transform_keys(&:to_sym)
@@ -294,16 +357,12 @@ module Clavis
         result[:token_type] ||= "Bearer" # Default token type
 
         # Handle expires_in
-        if result[:expires_in] && !result[:expires_in].nil?
-          # Calculate expires_at from expires_in if not already set
-          result[:expires_at] ||= Time.now.to_i + result[:expires_in].to_i
+        if result[:expires_in]
+          # Convert to integer if possible
+          expires_in = result[:expires_in].to_i
+          result[:expires_at] = Time.now.to_i + expires_in if expires_in.positive?
         end
 
-        # Validate token response (disable for debugging)
-        # unless Clavis::Security::InputValidator.valid_token_response?(result)
-        #  return {}
-        # end
-
         result
       end
 
@@ -400,6 +459,35 @@ module Clavis
         Rails.application.credentials.dig(:clavis, :providers, provider_name, key)
       end
 
+      # Process ID token if present in the token response
+      def process_id_token_if_present(token_data)
+        # If there's an ID token in the response, and we're dealing with an OpenID provider,
+        # try to extract claims from it
+        if openid_provider? && token_data[:id_token] && !token_data[:id_token].to_s.empty?
+          begin
+            Clavis::Logging.debug("#{provider_name}#process_id_token_if_present - Processing ID token")
+            id_token_claims = decode_id_token(token_data[:id_token])
+            token_data[:id_token_claims] = id_token_claims
+
+            # Log claims with line breaks to avoid line length issues
+            log_message = "#{provider_name}#process_id_token_if_present - "
+            log_message += "ID token claims: #{id_token_claims.inspect}"
+            Clavis::Logging.debug(log_message)
+          rescue StandardError => e
+            # Log error with line breaks to avoid line length issues
+            log_message = "#{provider_name}#process_id_token_if_present - "
+            log_message += "Error decoding ID token: #{e.message}"
+            Clavis::Logging.debug(log_message)
+
+            # Continue with empty claims if we can't decode the token
+            token_data[:id_token_claims] = {}
+          end
+        end
+
+        # Return the token data, possibly with ID token claims
+        token_data
+      end
+
       private
 
       def set_provider_name