RubyGems - omniauth-apple - Versions diffs - 1.2.1 → 1.3.0.alpha - Mend

omniauth-apple 1.2.1 → 1.3.0.alpha

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/omniauth/apple/version.rb +1 -1
data/lib/omniauth/strategies/apple.rb +59 -49
data/omniauth-apple.gemspec +1 -1
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31e8e9835b469abca7611926aaa4da9b1f3e35804ea9c4e9fa5b06a1791dcdd1
-  data.tar.gz: c916fa50a22971da3f2f71a72566e43771531945b7d9e83bbaf0914a04a6253a
+  metadata.gz: dfa80b37505eab851337bde06806ca93b16a36d0bba69c25a379842107a53672
+  data.tar.gz: 001a183e434b6bca8096c78b6dd78d4eb44519bef7a063c0774ac0b269a8b261
 SHA512:
-  metadata.gz: 02bde67e85651dc85bacdb548248d240d9a3c501f24a204ad572253af8cd6468914fe3de86ee30bbc7a174bb6249d77ee6ae82222573beb829dc9b4f7f690099
-  data.tar.gz: 57a0b49a53f55a77470ad280c27acdb11bccfa93e43170ed0c34730b3fdb9918bb0d43a1ac20ae30f10eb101ef161bac5a79a90e54bee7186c8c813e7923f733
+  metadata.gz: 95c48a4e63f6d8a92655ad3537061cd3877f68114954645cce888e0e1456986164166e28b3c7adffff50bc650dce217a29b34f8004190ddcf346d33c657b1987
+  data.tar.gz: fde578a7e24aabdf416b46a622753ba86121581898313a367bdbee09495adca1b039c272101a521839294763381c8cb5514bcfc4f81cb469a576857231f46ac4

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 ## [Unreleased]
+## [1.2.2] - 2022-10-31
+### Fixed
+- [#94](https://github.com/nhosoya/omniauth-apple/pull/98) handle fail! in correct way
 ## [1.2.1] - 2022-10-25
 ### Fixed

data/lib/omniauth/apple/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module Apple
-    VERSION = "1.2.1"
+    VERSION = '1.3.0.alpha'
   end
 end

data/lib/omniauth/strategies/apple.rb CHANGED Viewed

@@ -1,15 +1,17 @@
 # frozen_string_literal: true
 require 'omniauth-oauth2'
-require 'net/https'
+require 'json/jwt'
 module OmniAuth
   module Strategies
     class Apple < OmniAuth::Strategies::OAuth2
+      ISSUER = 'https://appleid.apple.com'
       option :name, 'apple'
       option :client_options,
-             site: 'https://appleid.apple.com',
+             site: ISSUER,
              authorize_url: '/auth/authorize',
              token_url: '/auth/token',
              auth_scheme: :request_body
@@ -18,13 +20,13 @@ module OmniAuth
              scope: 'email name'
       option :authorized_client_ids, []
-      uid { id_info['sub'] }
+      uid { id_info[:sub] }
       # Documentation on parameters
       # https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
       info do
         prune!(
-          sub: id_info['sub'],
+          sub: id_info[:sub],
           email: email,
           first_name: first_name,
           last_name: last_name,
@@ -35,8 +37,8 @@ module OmniAuth
       end
       extra do
-        id_token = request.params['id_token'] || access_token&.params&.dig('id_token')
-        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token})
+        id_token_str = request.params['id_token'] || access_token&.params&.dig('id_token')
+        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token_str})
       end
       def client
@@ -44,12 +46,12 @@ module OmniAuth
       end
       def email_verified
-        value = id_info['email_verified']
+        value = id_info[:email_verified]
         value == true || value == "true"
       end
       def is_private_email
-        value = id_info['is_private_email']
+        value = id_info[:is_private_email]
         value == true || value == "true"
       end
@@ -73,54 +75,63 @@ module OmniAuth
       def id_info
         @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
-                       id_token = request.params['id_token'] || access_token.params['id_token']
-                       if (verification_key = fetch_jwks)
-                         jwt_options = {
-                           verify_iss: true,
-                           iss: 'https://appleid.apple.com',
-                           verify_iat: true,
-                           verify_aud: true,
-                           aud: [options.client_id].concat(options.authorized_client_ids),
-                           algorithms: ['RS256'],
-                           jwks: verification_key
-                         }
-                         payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
-                         verify_nonce!(payload)
-                         payload
+                       id_token_str = request.params['id_token'] || access_token.params['id_token']
+                       id_token = JSON::JWT.decode(id_token_str, :skip_verification)
+                       if (jwk = fetch_jwk(id_token.kid))
+                         id_token.verify! jwk
+                         verify_claims!(id_token)
+                         id_token
                        else
                          {}
                        end
                      end
       end
-      def fetch_jwks
-        conn = Faraday.new(headers: {user_agent: 'ruby/omniauth-apple'}) do |c|
-          c.response :json, parser_options: { symbolize_names: true }
-          c.adapter Faraday.default_adapter
-        end
-        res = conn.get 'https://appleid.apple.com/auth/keys'
-        if res.success?
-          res.body
-        else
-          fail!(:jwks_fetching_failed, CallbackError.new(:jwks_fetching_failed, 'HTTP Error when fetching JWKs'))
-        end
-      rescue Faraday::Error => e
-        fail!(:jwks_fetching_failed, e)
+      def fetch_jwk(kid)
+        JSON::JWK::Set::Fetcher.fetch File.join(ISSUER, 'auth/keys'), kid: kid
+      rescue JSON::ParserError, JSON::JWT::Exception, Faraday::Error => e
+        fail!(:jwks_fetching_failed, e) and nil
+      end
+      def verify_claims!(id_token)
+        verify_iss!(id_token)
+        verify_aud!(id_token)
+        verify_iat!(id_token)
+        verify_exp!(id_token)
+        verify_nonce!(id_token) if id_token[:nonce_supported]
       end
-      def verify_nonce!(payload)
-        return unless payload['nonce_supported']
+      def verify_iss!(id_token)
+        invalid_claim! :iss unless id_token[:iss] == ISSUER
+      end
-        return if payload['nonce'] && payload['nonce'] == stored_nonce
+      def verify_aud!(id_token)
+        invalid_claim! :aud unless [options.client_id].concat(options.authorized_client_ids).include?(id_token[:aud])
+      end
-        fail!(:nonce_mismatch, CallbackError.new(:nonce_mismatch, 'nonce mismatch'))
+      def verify_iat!(id_token)
+        invalid_claim! :iat unless id_token[:iat] <= Time.now.to_i
+      end
+      def verify_exp!(id_token)
+        invalid_claim! :exp unless id_token[:exp] >= Time.now.to_i
+      end
+      def verify_nonce!(id_token)
+        invalid_claim! :nonce unless id_token[:nonce] && id_token[:nonce] == stored_nonce
+      end
+      def invalid_claim!(claim)
+        key = :"#{claim}_invalid"
+        message = "#{claim} invalid"
+        fail! key, CallbackError.new(key, message)
       end
       def client_id
         @client_id ||= if id_info.nil?
                          options.client_id
                        else
-                         id_info['aud'] if options.authorized_client_ids.include? id_info['aud']
+                         id_info[:aud] if options.authorized_client_ids.include? id_info[:aud]
                        end
       end
@@ -132,7 +143,7 @@ module OmniAuth
       end
       def email
-        id_info['email']
+        id_info[:email]
       end
       def first_name
@@ -151,16 +162,15 @@ module OmniAuth
       end
       def client_secret
-        payload = {
+        jwt = JSON::JWT.new(
           iss: options.team_id,
-          aud: 'https://appleid.apple.com',
+          aud: ISSUER,
           sub: client_id,
-          iat: Time.now.to_i,
-          exp: Time.now.to_i + 60
-        }
-        headers = { kid: options.key_id }
-        ::JWT.encode(payload, private_key, 'ES256', headers)
+          iat: Time.now,
+          exp: Time.now + 60
+        )
+        jwt.kid = options.key_id
+        jwt.sign(private_key).to_s
       end
       def private_key

data/omniauth-apple.gemspec CHANGED Viewed

@@ -37,7 +37,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency 'omniauth-oauth2'
-  spec.add_dependency 'jwt'
+  spec.add_dependency 'json-jwt'
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.9"

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0.alpha
 platform: ruby
 authors:
 - nhosoya
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-25 00:00:00.000000000 Z
+date: 2022-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -26,7 +26,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -146,11 +146,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Sign In with Apple