omniauth-apple 0.0.3 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9209606bc989d401e7a3b4df233f14b0d126a25a8e5fa4aaf39e52bdc86f8518
-  data.tar.gz: 863dbd6c01b45573d5e2fba5fc84078bff8415a265c4e99098495d49737b4bb2
+  metadata.gz: 41d5662d5a5e982f5c81c143ea79beb20fcfaab848ec2c6bcfacb5b9495d3046
+  data.tar.gz: 6b7c3a2463cbc7587a782689cb515a5dbf046290033ec48ba06fc50025a98847
 SHA512:
-  metadata.gz: ec26c40908a1c669daa5adb25d985ce9d583466544e35094d0dc81089a3fe973bc71f1182cdbbe83614aa426de3a99560f28691d3f35b9641969d8c824b28511
-  data.tar.gz: b51d3b1ea9738f76cdc383cb5a616fe71b4d1e0a3acb72f16145e5c1d71556d0b0082d6b724a3c9c82c8ab28e8c3711c4489772a00b897941896a881e7d82aaa
+  metadata.gz: d14394af75cb4d4b0dc144a2b6bdae4937da6e82244e41c0ba8ee2aa2b11a1643de51e3021bde630f9d0a21a6ae452ffbe8ca229637f882ffd958cf771196b7e
+  data.tar.gz: 64774e5e62eb203c01e3a080f76e02463e64526722e6d036155d4b89ecf2ba2e80453320c5f128cf16192f263ce840e98121f0bd581c13d5ecf707968cb491b0

data/.github/workflows/rspec.yml

@@ -0,0 +1,26 @@
+name: RSpec
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ['2.5', '2.6', '2.7']
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Build and test with Rake on Ruby ${{ matrix.ruby }}
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,35 @@
+## [Unreleased]
+
+## [1.0.0] - 2020-06-26
+
+### Added
+
+- [#26](https://github.com/nhosoya/omniauth-apple/pull/26) Support ID Token verification
+- [#40](https://github.com/nhosoya/omniauth-apple/pull/40) Add rspec test cases
+- [#42](https://github.com/nhosoya/omniauth-apple/pull/42) [#43](https://github.com/nhosoya/omniauth-apple/pull/43) Setup CI
+
+
+### Fixed
+
+- [#31](https://github.com/nhosoya/omniauth-apple/pull/31) Stop relying on ActiveSupport
+- [#37](https://github.com/nhosoya/omniauth-apple/pull/37) Fix nonce validation
+- [#41](https://github.com/nhosoya/omniauth-apple/pull/41) Fix where the RoR extension is used
+- [#46](https://github.com/nhosoya/omniauth-apple/pull/46) Fix naming of Omniauth module to OmniAuth
+- [#48](https://github.com/nhosoya/omniauth-apple/pull/48) Remove .rakeTasks
+
+
+### Changed
+
+- [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency 
+- [#28](https://github.com/nhosoya/omniauth-apple/pull/28) Update README.md
+- [#38](https://github.com/nhosoya/omniauth-apple/pull/38) Refine AuthHash
+- [#39](https://github.com/nhosoya/omniauth-apple/pull/39) Set the default scope to 'email name'
+
+## [0.0.3] - 2020-05-15
+
+## [0.0.2] - 2020-01-16
+
+## [0.0.1] - 2019-06-07
+
+[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...master
+[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0

data/README.md

@@ -1,3 +1,5 @@
+![build](https://github.com/nhosoya/omniauth-apple/workflows/RSpec/badge.svg?branch=master&event=push)
+
 # OmniAuth::Apple
 
 OmniAuth strategy for [Sign In with Apple](https://developer.apple.com/sign-in-with-apple/).
@@ -7,7 +9,7 @@ OmniAuth strategy for [Sign In with Apple](https://developer.apple.com/sign-in-w
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'omniauth-apple', github: 'nhosoya/omniauth-apple', branch: 'master'
+gem 'omniauth-apple'
 ```
 
 And then execute:

data/Rakefile

@@ -1,2 +1,6 @@
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
 task :default => :spec

data/lib/omniauth/apple/version.rb

@@ -1,5 +1,5 @@
-module Omniauth
+module OmniAuth
   module Apple
-    VERSION = "0.0.3"
+    VERSION = "1.0.0"
   end
 end

data/lib/omniauth/strategies/apple.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'omniauth-oauth2'
+require 'net/https'
 
 module OmniAuth
   module Strategies
@@ -12,57 +13,94 @@ module OmniAuth
              authorize_url: '/auth/authorize',
              token_url: '/auth/token'
       option :authorize_params,
-             response_mode: 'form_post'
+             response_mode: 'form_post',
+             scope: 'email name'
       option :authorized_client_ids, []
-      
+
       uid { id_info['sub'] }
 
       info do
-        {
+        prune!(
           sub: id_info['sub'],
           email: email,
           first_name: first_name,
-          last_name: last_name
-        }
+          last_name: last_name,
+          name: (first_name || last_name) ? [first_name, last_name].join(' ') : email,
+        )
       end
 
       extra do
-        {
-          raw_info: id_info.merge(user_info)
-        }
+        id_token = request.params['id_token'] || access_token&.params&.dig('id_token')
+        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token})
       end
 
       def client
         ::OAuth2::Client.new(client_id, client_secret, deep_symbolize(options.client_options))
       end
 
+      def authorize_params
+        super.merge(nonce: new_nonce)
+      end
+
       def callback_url
         options[:redirect_uri] || (full_host + script_name + callback_path)
       end
 
       private
 
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
+      end
+
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+
       def id_info
-        if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
-          id_token = request.params['id_token'] || access_token.params['id_token']
-          log(:info, "id_token: #{id_token}")
-          @id_info ||= ::JWT.decode(id_token, nil, false)[0] # payload after decoding
-        end
+        @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
+                       id_token = request.params['id_token'] || access_token.params['id_token']
+                       jwt_options = {
+                         verify_iss: true,
+                         iss: 'https://appleid.apple.com',
+                         verify_iat: true,
+                         verify_aud: true,
+                         aud: [options.client_id].concat(options.authorized_client_ids),
+                         algorithms: ['RS256'],
+                         jwks: fetch_jwks
+                       }
+                       payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
+                       verify_nonce!(payload)
+                       payload
+                     end
       end
 
-      def client_id
-        unless id_info.nil?
-          return id_info['aud'] if options.authorized_client_ids.include? id_info['aud']
-        end
+      def fetch_jwks
+        uri = URI.parse('https://appleid.apple.com/auth/keys')
+        response = Net::HTTP.get_response(uri)
+        JSON.parse(response.body, symbolize_names: true)
+      end
+
+      def verify_nonce!(payload)
+        return unless payload['nonce_supported']
+
+        return if payload['nonce'] && payload['nonce'] == stored_nonce
+
+        fail!(:nonce_mismatch, CallbackError.new(:nonce_mismatch, 'nonce mismatch'))
+      end
 
-        options.client_id
+      def client_id
+        @client_id ||= if id_info.nil?
+                         options.client_id
+                       else
+                         id_info['aud'] if options.authorized_client_ids.include? id_info['aud']
+                       end
       end
 
       def user_info
-        return {} unless request.params['user'].present?
+        user = request.params['user']
+        return {} if user.nil?
 
-        log(:info, "user_info: #{request.params['user']}")
-        @user_info ||= JSON.parse(request.params['user'])
+        @user_info ||= JSON.parse(user)
       end
 
       def email
@@ -77,6 +115,13 @@ module OmniAuth
         user_info.dig('name', 'lastName')
       end
 
+      def prune!(hash)
+        hash.delete_if do |_, v|
+          prune!(v) if v.is_a?(Hash)
+          v.nil? || (v.respond_to?(:empty?) && v.empty?)
+        end
+      end
+
       def client_secret
         payload = {
           iss: options.team_id,

data/omniauth-apple.gemspec

@@ -5,7 +5,7 @@ require "omniauth/apple/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "omniauth-apple"
-  spec.version       = Omniauth::Apple::VERSION
+  spec.version       = OmniAuth::Apple::VERSION
   spec.authors       = ["nhosoya", "Fabian Jäger"]
   spec.email         = ["hnhnnhnh@gmail.com", "fabian@mailbutler.io"]
 
@@ -39,5 +39,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'omniauth-oauth2'
   spec.add_dependency 'jwt'
   spec.add_development_dependency "bundler", "~> 2.0"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.9"
+  spec.add_development_dependency "webmock", "~> 3.8"
+  spec.add_development_dependency 'simplecov', "~> 0.18"
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 1.0.0
 platform: ruby
 authors:
 - nhosoya
 - Fabian Jäger
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-15 00:00:00.000000000 Z
+date: 2020-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -59,14 +59,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
 description: OmniAuth strategy for Sign In with Apple
 email:
 - hnhnnhnh@gmail.com
@@ -75,8 +117,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/rspec.yml"
 - ".gitignore"
-- ".rakeTasks"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -92,7 +135,7 @@ homepage: https://github.com/nhosoya/omniauth-apple
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -107,8 +150,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Sign In with Apple
 test_files: []

data/.rakeTasks

@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Settings><!--This file was automatically generated by Ruby plugin.
-You are allowed to: 
-1. Remove rake task
-2. Add existing rake tasks
-To add existing rake tasks automatically delete this file and reload the project.
---><RakeGroup description="" fullCmd="" taksId="rake" /></Settings>