omniauth-apple 0.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7998a38a969afb6c44b52111e0ce267a2f64e39c8e1059c7a3b2d4804c2ac5c
-  data.tar.gz: e151d17ba689527597adf1a7ce5c152c005e3dd3c51865dd0b297aeffeb56e5b
+  metadata.gz: a5e32b1f9b3dfe8859855b86ffdb6da18d238c0f065d2aa83fd8494ae49a3dc5
+  data.tar.gz: bab7b98074c2a989120b1a7d3188a9ba85037c55956efc5e2e462373ed9d0d4f
 SHA512:
-  metadata.gz: ea94526792b55a24852ea3e2a637a44f9565c59399707dcef0079358f03e71311f90d274f2390f18b80593c113ad5dd9adb16a0c34d9ac16fb9a60e6bb0b09e2
-  data.tar.gz: 152441ec7c484bf1ee451113e65e94f3d8427e18418a75c2013cedd61ed22ffb9043f52246b73d141c562d0774f63db1bafe2f04bc0a9822bfebaae892ce1463
+  metadata.gz: bce3e4e1a4feb3df68f3d2d5361a56e6977dfe765068b2bee6cef743a41f59212d1b533a1cdefbeb1eaebf8a7cf832dd0f53dbd080f4efa1311bd30942b7ea86
+  data.tar.gz: c67ff848f44f6061c6f319db5a708e0e407977446252bea63af9e94799df2ce140c93dd7a5be5c1afbbdf3fdcdeafaeb7650cad4de199749d8edb436f21896e8

data/.github/workflows/rspec.yml

@@ -0,0 +1,26 @@
+name: RSpec
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ['2.5', '2.6', '2.7']
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Build and test with Rake on Ruby ${{ matrix.ruby }}
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake spec

data/.gitignore

@@ -42,9 +42,10 @@ build-iPhoneSimulator/
 
 # for a library or gem, you might want to ignore these files since the code is
 # intended to run in multiple environments; otherwise, check them in:
-# Gemfile.lock
-# .ruby-version
+Gemfile.lock
+.ruby-version
 # .ruby-gemset
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+.idea

data/CHANGELOG.md

@@ -0,0 +1,50 @@
+## [Unreleased]
+
+## [1.0.2] - 2021-05-19
+
+### Fixed
+
+- [#59](https://github.com/nhosoya/omniauth-apple/pull/59) Provide User-Agent when fetching JWKs
+
+
+## [1.0.1] - 2020-12-03
+
+### Security
+
+- Use only verified email address to prevent fake email address
+
+## [1.0.0] - 2020-06-26
+
+### Added
+
+- [#26](https://github.com/nhosoya/omniauth-apple/pull/26) Support ID Token verification
+- [#40](https://github.com/nhosoya/omniauth-apple/pull/40) Add rspec test cases
+- [#42](https://github.com/nhosoya/omniauth-apple/pull/42) [#43](https://github.com/nhosoya/omniauth-apple/pull/43) Setup CI
+
+
+### Fixed
+
+- [#31](https://github.com/nhosoya/omniauth-apple/pull/31) Stop relying on ActiveSupport
+- [#37](https://github.com/nhosoya/omniauth-apple/pull/37) Fix nonce validation
+- [#41](https://github.com/nhosoya/omniauth-apple/pull/41) Fix where the RoR extension is used
+- [#46](https://github.com/nhosoya/omniauth-apple/pull/46) Fix naming of Omniauth module to OmniAuth
+- [#48](https://github.com/nhosoya/omniauth-apple/pull/48) Remove .rakeTasks
+
+
+### Changed
+
+- [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency 
+- [#28](https://github.com/nhosoya/omniauth-apple/pull/28) Update README.md
+- [#38](https://github.com/nhosoya/omniauth-apple/pull/38) Refine AuthHash
+- [#39](https://github.com/nhosoya/omniauth-apple/pull/39) Set the default scope to 'email name'
+
+## [0.0.3] - 2020-05-15
+
+## [0.0.2] - 2020-01-16
+
+## [0.0.1] - 2019-06-07
+
+[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...master
+[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
+[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[1.0.2]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.1...v1.0.2

data/README.md

@@ -1,3 +1,5 @@
+![build](https://github.com/nhosoya/omniauth-apple/workflows/RSpec/badge.svg?branch=master&event=push)
+
 # OmniAuth::Apple
 
 OmniAuth strategy for [Sign In with Apple](https://developer.apple.com/sign-in-with-apple/).
@@ -7,7 +9,7 @@ OmniAuth strategy for [Sign In with Apple](https://developer.apple.com/sign-in-w
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'omniauth-apple' github: 'nhosoya/omniauth-apple', branch: master
+gem 'omniauth-apple'
 ```
 
 And then execute:
@@ -22,9 +24,12 @@ Or install it yourself as:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :apple, ENV['CLIENT_ID'], ENV['TEAM_ID'], ENV['KEY_ID'], ENV['PRIVATE_KEY'],
+  provider :apple, ENV['CLIENT_ID'], '',
            {
              scope: 'email name',
+             team_id: ENV['TEAM_ID'],
+             key_id: ENV['KEY_ID'],
+             pem: ENV['PRIVATE_KEY']
            }
 end
 ```

data/Rakefile

@@ -1,2 +1,6 @@
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
 task :default => :spec

data/lib/omniauth-apple.rb

@@ -1,4 +1,3 @@
 # frozen_string_literal: true
 
-require 'omniauth-apple/version'
-require 'omniauth/strategies/apple'
+require 'omniauth/apple'

data/lib/omniauth/apple.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/apple/version'
+require 'omniauth/strategies/apple'

data/lib/omniauth/apple/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Apple
+    VERSION = "1.0.2"
+  end
+end

data/lib/omniauth/strategies/apple.rb

@@ -1,51 +1,140 @@
+# frozen_string_literal: true
+
 require 'omniauth-oauth2'
+require 'net/https'
 
 module OmniAuth
   module Strategies
     class Apple < OmniAuth::Strategies::OAuth2
-
-      attr_reader :id_token
-      args %i[client_id team_id key_id pem]
-
       option :name, 'apple'
-      option :client_options, {
-        site: 'https://appleid.apple.com',
-        authorize_url: '/auth/authorize',
-        token_url: '/auth/token',
-      }
 
-      uid { id_token['sub'] }
+      option :client_options,
+             site: 'https://appleid.apple.com',
+             authorize_url: '/auth/authorize',
+             token_url: '/auth/token'
+      option :authorize_params,
+             response_mode: 'form_post',
+             scope: 'email name'
+      option :authorized_client_ids, []
+
+      uid { id_info['sub'] }
 
       info do
-        { sub: id_token['sub'] }
+        prune!(
+          sub: id_info['sub'],
+          email: email,
+          first_name: first_name,
+          last_name: last_name,
+          name: (first_name || last_name) ? [first_name, last_name].join(' ') : email,
+        )
+      end
+
+      extra do
+        id_token = request.params['id_token'] || access_token&.params&.dig('id_token')
+        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token})
       end
 
       def client
-        ::OAuth2::Client.new(options.client_id, client_secret, deep_symbolize(options.client_options))
+        ::OAuth2::Client.new(client_id, client_secret, deep_symbolize(options.client_options))
       end
 
-      def callback_url
-        full_host + script_name + callback_path
+      def authorize_params
+        super.merge(nonce: new_nonce)
       end
 
-      def build_access_token
-        _access_token = super
-        @id_token = ::JSON::JWT.decode(_access_token.params['id_token'], :skip_verification)
-        _access_token
+      def callback_url
+        options[:redirect_uri] || (full_host + script_name + callback_path)
       end
 
       private
 
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
+      end
+
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+
+      def id_info
+        @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
+                       id_token = request.params['id_token'] || access_token.params['id_token']
+                       jwt_options = {
+                         verify_iss: true,
+                         iss: 'https://appleid.apple.com',
+                         verify_iat: true,
+                         verify_aud: true,
+                         aud: [options.client_id].concat(options.authorized_client_ids),
+                         algorithms: ['RS256'],
+                         jwks: fetch_jwks
+                       }
+                       payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
+                       verify_nonce!(payload)
+                       payload
+                     end
+      end
+
+      def fetch_jwks
+        http = Net::HTTP.new('appleid.apple.com', 443)
+        http.use_ssl = true
+        request = Net::HTTP::Get.new('/auth/keys', 'User-Agent' => 'ruby/omniauth-apple')
+        response = http.request(request)
+        JSON.parse(response.body, symbolize_names: true)
+      end
+
+      def verify_nonce!(payload)
+        return unless payload['nonce_supported']
+
+        return if payload['nonce'] && payload['nonce'] == stored_nonce
+
+        fail!(:nonce_mismatch, CallbackError.new(:nonce_mismatch, 'nonce mismatch'))
+      end
+
+      def client_id
+        @client_id ||= if id_info.nil?
+                         options.client_id
+                       else
+                         id_info['aud'] if options.authorized_client_ids.include? id_info['aud']
+                       end
+      end
+
+      def user_info
+        user = request.params['user']
+        return {} if user.nil?
+
+        @user_info ||= JSON.parse(user)
+      end
+
+      def email
+        id_info['email']
+      end
+
+      def first_name
+        user_info.dig('name', 'firstName')
+      end
+
+      def last_name
+        user_info.dig('name', 'lastName')
+      end
+
+      def prune!(hash)
+        hash.delete_if do |_, v|
+          prune!(v) if v.is_a?(Hash)
+          v.nil? || (v.respond_to?(:empty?) && v.empty?)
+        end
+      end
+
       def client_secret
-        jwt = ::JSON::JWT.new(
+        payload = {
           iss: options.team_id,
           aud: 'https://appleid.apple.com',
-          sub: options.client_id,
-          iat: Time.current,
-          exp: 1.minutes.after
-        )
-        jwt.kid = options.key_id
-        jwt.sign(private_key).to_s
+          sub: client_id,
+          iat: Time.now.to_i,
+          exp: Time.now.to_i + 60
+        }
+        headers = { kid: options.key_id }
+
+        ::JWT.encode(payload, private_key, 'ES256', headers)
       end
 
       def private_key

data/omniauth-apple.gemspec

@@ -1,13 +1,13 @@
 
 lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "omniauth-apple/version"
+require "omniauth/apple/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "omniauth-apple"
-  spec.version       = Omniauth::Apple::VERSION
-  spec.authors       = ["nhosoya"]
-  spec.email         = ["hnhnnhnh@gmail.com"]
+  spec.version       = OmniAuth::Apple::VERSION
+  spec.authors       = ["nhosoya", "Fabian Jäger"]
+  spec.email         = ["hnhnnhnh@gmail.com", "fabian@mailbutler.io"]
 
   spec.summary       = %q{OmniAuth strategy for Sign In with Apple}
   spec.description   = %q{OmniAuth strategy for Sign In with Apple}
@@ -37,6 +37,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'omniauth-oauth2'
+  spec.add_dependency 'jwt'
   spec.add_development_dependency "bundler", "~> 2.0"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.9"
+  spec.add_development_dependency "webmock", "~> 3.8"
+  spec.add_development_dependency 'simplecov', "~> 0.18"
 end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - nhosoya
-autorequire: 
+- Fabian Jäger
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-07 00:00:00.000000000 Z
+date: 2021-05-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -24,6 +25,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -44,22 +59,67 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0.18'
 description: OmniAuth strategy for Sign In with Apple
 email:
 - hnhnnhnh@gmail.com
+- fabian@mailbutler.io
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/rspec.yml"
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -67,14 +127,15 @@ files:
 - bin/console
 - bin/setup
 - lib/omniauth-apple.rb
-- lib/omniauth-apple/version.rb
+- lib/omniauth/apple.rb
+- lib/omniauth/apple/version.rb
 - lib/omniauth/strategies/apple.rb
 - omniauth-apple.gemspec
 homepage: https://github.com/nhosoya/omniauth-apple
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -89,8 +150,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Sign In with Apple
 test_files: []

data/lib/omniauth-apple/version.rb

@@ -1,5 +0,0 @@
-module Omniauth
-  module Apple
-    VERSION = "0.0.1"
-  end
-end