omniauth-apple 1.2.2 → 1.3.0.alpha

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81a5350ae8be48914ee324f8586b5d58f83927467bc87106cab846e028e38beb
-  data.tar.gz: 42db86865c9120c95e7326359e3ac02dd58dbd28bfe84c7fc0bbb002488b0a1b
+  metadata.gz: dfa80b37505eab851337bde06806ca93b16a36d0bba69c25a379842107a53672
+  data.tar.gz: 001a183e434b6bca8096c78b6dd78d4eb44519bef7a063c0774ac0b269a8b261
 SHA512:
-  metadata.gz: 18a1bf098d7687ed17df039b9b2f4b0a388f0d6858a4a54aa8c94a7233622f7cb1d4485a38d870ae430f873aadaaee8d9d1b42c9f8a91545c0bdb10c4cffbe11
-  data.tar.gz: f53179d2a247e0fd2559614fece6b3b734579d756be44c1b4c40ab9c6911479e38dc7f74800dcc59b36b09749656bb93aff6c8eeccc422238e95667049064b63
+  metadata.gz: 95c48a4e63f6d8a92655ad3537061cd3877f68114954645cce888e0e1456986164166e28b3c7adffff50bc650dce217a29b34f8004190ddcf346d33c657b1987
+  data.tar.gz: fde578a7e24aabdf416b46a622753ba86121581898313a367bdbee09495adca1b039c272101a521839294763381c8cb5514bcfc4f81cb469a576857231f46ac4

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 ## [Unreleased]
 
+## [1.2.2] - 2022-10-31
+
+### Fixed
+
+- [#94](https://github.com/nhosoya/omniauth-apple/pull/98) handle fail! in correct way
+
 ## [1.2.1] - 2022-10-25
 
 ### Fixed

data/lib/omniauth/apple/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Apple
-    VERSION = "1.2.2"
+    VERSION = '1.3.0.alpha'
   end
 end

data/lib/omniauth/strategies/apple.rb

@@ -1,21 +1,17 @@
 # frozen_string_literal: true
 
 require 'omniauth-oauth2'
-require 'net/https'
+require 'json/jwt'
 
 module OmniAuth
   module Strategies
     class Apple < OmniAuth::Strategies::OAuth2
-      class JWTFetchingFailed < CallbackError
-        def initialize(error_reason = nil, error_uri = nil)
-          super :jwks_fetching_failed, error_reason, error_uri
-        end
-      end
+      ISSUER = 'https://appleid.apple.com'
 
       option :name, 'apple'
 
       option :client_options,
-             site: 'https://appleid.apple.com',
+             site: ISSUER,
              authorize_url: '/auth/authorize',
              token_url: '/auth/token',
              auth_scheme: :request_body
@@ -24,13 +20,13 @@ module OmniAuth
              scope: 'email name'
       option :authorized_client_ids, []
 
-      uid { id_info['sub'] }
+      uid { id_info[:sub] }
 
       # Documentation on parameters
       # https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
       info do
         prune!(
-          sub: id_info['sub'],
+          sub: id_info[:sub],
           email: email,
           first_name: first_name,
           last_name: last_name,
@@ -41,8 +37,8 @@ module OmniAuth
       end
 
       extra do
-        id_token = request.params['id_token'] || access_token&.params&.dig('id_token')
-        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token})
+        id_token_str = request.params['id_token'] || access_token&.params&.dig('id_token')
+        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token_str})
       end
 
       def client
@@ -50,12 +46,12 @@ module OmniAuth
       end
 
       def email_verified
-        value = id_info['email_verified']
+        value = id_info[:email_verified]
         value == true || value == "true"
       end
 
       def is_private_email
-        value = id_info['is_private_email']
+        value = id_info[:is_private_email]
         value == true || value == "true"
       end
 
@@ -79,54 +75,63 @@ module OmniAuth
 
       def id_info
         @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
-                       id_token = request.params['id_token'] || access_token.params['id_token']
-                       if (verification_key = fetch_jwks)
-                         jwt_options = {
-                           verify_iss: true,
-                           iss: 'https://appleid.apple.com',
-                           verify_iat: true,
-                           verify_aud: true,
-                           aud: [options.client_id].concat(options.authorized_client_ids),
-                           algorithms: ['RS256'],
-                           jwks: verification_key
-                         }
-                         payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
-                         verify_nonce!(payload)
-                         payload
+                       id_token_str = request.params['id_token'] || access_token.params['id_token']
+                       id_token = JSON::JWT.decode(id_token_str, :skip_verification)
+                       if (jwk = fetch_jwk(id_token.kid))
+                         id_token.verify! jwk
+                         verify_claims!(id_token)
+                         id_token
                        else
                          {}
                        end
                      end
       end
 
-      def fetch_jwks
-        conn = Faraday.new(headers: {user_agent: 'ruby/omniauth-apple'}) do |c|
-          c.response :json, parser_options: { symbolize_names: true }
-          c.adapter Faraday.default_adapter
-        end
-        res = conn.get 'https://appleid.apple.com/auth/keys'
-        if res.success?
-          res.body
-        else
-          raise JWTFetchingFailed.new('HTTP Error when fetching JWKs')
-        end
-      rescue JWTFetchingFailed, Faraday::Error => e
+      def fetch_jwk(kid)
+        JSON::JWK::Set::Fetcher.fetch File.join(ISSUER, 'auth/keys'), kid: kid
+      rescue JSON::ParserError, JSON::JWT::Exception, Faraday::Error => e
         fail!(:jwks_fetching_failed, e) and nil
       end
 
-      def verify_nonce!(payload)
-        return unless payload['nonce_supported']
+      def verify_claims!(id_token)
+        verify_iss!(id_token)
+        verify_aud!(id_token)
+        verify_iat!(id_token)
+        verify_exp!(id_token)
+        verify_nonce!(id_token) if id_token[:nonce_supported]
+      end
+
+      def verify_iss!(id_token)
+        invalid_claim! :iss unless id_token[:iss] == ISSUER
+      end
+
+      def verify_aud!(id_token)
+        invalid_claim! :aud unless [options.client_id].concat(options.authorized_client_ids).include?(id_token[:aud])
+      end
+
+      def verify_iat!(id_token)
+        invalid_claim! :iat unless id_token[:iat] <= Time.now.to_i
+      end
+
+      def verify_exp!(id_token)
+        invalid_claim! :exp unless id_token[:exp] >= Time.now.to_i
+      end
 
-        return if payload['nonce'] && payload['nonce'] == stored_nonce
+      def verify_nonce!(id_token)
+        invalid_claim! :nonce unless id_token[:nonce] && id_token[:nonce] == stored_nonce
+      end
 
-        fail!(:nonce_mismatch, CallbackError.new(:nonce_mismatch, 'nonce mismatch'))
+      def invalid_claim!(claim)
+        key = :"#{claim}_invalid"
+        message = "#{claim} invalid"
+        fail! key, CallbackError.new(key, message)
       end
 
       def client_id
         @client_id ||= if id_info.nil?
                          options.client_id
                        else
-                         id_info['aud'] if options.authorized_client_ids.include? id_info['aud']
+                         id_info[:aud] if options.authorized_client_ids.include? id_info[:aud]
                        end
       end
 
@@ -138,7 +143,7 @@ module OmniAuth
       end
 
       def email
-        id_info['email']
+        id_info[:email]
       end
 
       def first_name
@@ -157,16 +162,15 @@ module OmniAuth
       end
 
       def client_secret
-        payload = {
+        jwt = JSON::JWT.new(
           iss: options.team_id,
-          aud: 'https://appleid.apple.com',
+          aud: ISSUER,
           sub: client_id,
-          iat: Time.now.to_i,
-          exp: Time.now.to_i + 60
-        }
-        headers = { kid: options.key_id }
-
-        ::JWT.encode(payload, private_key, 'ES256', headers)
+          iat: Time.now,
+          exp: Time.now + 60
+        )
+        jwt.kid = options.key_id
+        jwt.sign(private_key).to_s
       end
 
       def private_key

data/omniauth-apple.gemspec

@@ -37,7 +37,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'omniauth-oauth2'
-  spec.add_dependency 'jwt'
+  spec.add_dependency 'json-jwt'
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.9"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 1.3.0.alpha
 platform: ruby
 authors:
 - nhosoya
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -26,7 +26,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -146,11 +146,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Sign In with Apple