RubyGems - standard_id-apple - Versions diffs - 0.1.0 → 0.1.2 - Mend

standard_id-apple 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +5 -5
data/lib/standard_id/apple/providers/apple.rb +41 -25
data/lib/standard_id/apple/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a77a4c61dc7a649544a240e29a318dd89b3973a429fb796992214f043bdd176b
-  data.tar.gz: a119c315995c98edac369d3d1c96d645b1871811c343e81a3f30e90480d354b8
+  metadata.gz: 3c67afb888da7a7a20542d46149eaf86215d02de9c097a757b98223f4c992811
+  data.tar.gz: b905edd16718f7fee932b567250a7caa5136d1cf64f82030668b7bcb8dd40d87
 SHA512:
-  metadata.gz: 04a5fc1120b372888042832a64c3508f4dd2e85e6807da34365186ba77ed54846641c58c04880d0f2652776f0429d2abc57c8f613bd21ca417b19750723cc764
-  data.tar.gz: 609d9235c817d7e9d6805b8b9f91f19f7f213d7475b3d48578cbc4d28065b9a20762fa68968c6634db454bb3e53d842edb5699037b811f6214c29cebb1a7b489
+  metadata.gz: fdd51606e4a08272c10bae448cecbf0472e8449a5679229013138b5fed0abef6f2e404ef1ef495731a1744c58538fbfc1c141af974ad02c825212a5a51adffc1
+  data.tar.gz: 58e35ebc3804fd52719774db5a63229918e0c89462dca2b7f654a8a57820389549044c1ca42e27cf46155afc6617942084e1ce41b650866c9ba0a049e7599289

data/README.md CHANGED Viewed

@@ -26,11 +26,11 @@ Configure Apple credentials via the StandardId configuration block:
 ```ruby
 StandardId.configure do |config|
-  config.social.apple_client_id = ENV["APPLE_CLIENT_ID"]
-  config.social.apple_mobile_client_id = ENV["APPLE_MOBILE_CLIENT_ID"] # optional
-  config.social.apple_team_id = ENV["APPLE_TEAM_ID"]
-  config.social.apple_key_id = ENV["APPLE_KEY_ID"]
-  config.social.apple_private_key = ENV["APPLE_PRIVATE_KEY_PEM"]
+  config.apple_client_id = ENV["APPLE_CLIENT_ID"]
+  config.apple_mobile_client_id = ENV["APPLE_MOBILE_CLIENT_ID"] # optional
+  config.apple_team_id = ENV["APPLE_TEAM_ID"]
+  config.apple_key_id = ENV["APPLE_KEY_ID"]
+  config.apple_private_key = ENV["APPLE_PRIVATE_KEY_PEM"]
 end
 ```

data/lib/standard_id/apple/providers/apple.rb CHANGED Viewed

@@ -12,40 +12,47 @@ module StandardId
       JWKS_URI = "#{ISSUER}/auth/keys".freeze
       DEFAULT_SCOPE = "name email".freeze
       DEFAULT_RESPONSE_MODE = "form_post".freeze
+      AUTHORIZATION_PARAM_DEFAULTS = {
+        scope: DEFAULT_SCOPE,
+        response_mode: DEFAULT_RESPONSE_MODE
+      }.freeze
       class << self
         def provider_name
           "apple"
         end
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          response_mode = options[:response_mode] || DEFAULT_RESPONSE_MODE
+        def supported_authorization_params
+          [:nonce, :scope, :response_mode]
+        end
+        def authorization_url(state:, redirect_uri:, **options)
           ensure_basic_credentials!
           query = {
-            client_id: StandardId.config.social.apple_client_id,
-            redirect_uri: redirect_uri,
+            client_id: StandardId.config.apple_client_id,
+            redirect_uri:,
             response_type: "code",
-            scope: scope,
-            response_mode: response_mode,
-            state: state
+            state:
           }
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+          supported_authorization_params.each do |param|
+            query[param] = options[param] || AUTHORIZATION_PARAM_DEFAULTS[param]
+          end
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query.compact)}"
         end
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
-          client_id = options[:client_id] || StandardId.config.social.apple_client_id
+        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **options)
+          client_id = options[:client_id] || StandardId.config.apple_client_id
           if id_token.present?
             build_response(
-              verify_id_token(id_token: id_token, client_id: client_id),
+              verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce),
               tokens: { id_token: id_token }
             )
           elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id, nonce: nonce)
           elsif access_token.present?
             raise StandardId::InvalidRequestError, "Access token login flow is not supported for Apple"
           else
@@ -77,12 +84,12 @@ module StandardId
         def resolve_params(params, context: {})
           flow = context[:flow] || :web
-          client_id = flow == :mobile ? StandardId.config.social.apple_mobile_client_id : StandardId.config.social.apple_client_id
+          client_id = flow == :mobile ? StandardId.config.apple_mobile_client_id : StandardId.config.apple_client_id
           params.merge(client_id: client_id)
         end
-        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.social.apple_client_id)
+        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id, nonce: nil)
           ensure_full_credentials!(client_id: client_id)
           raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
@@ -108,7 +115,7 @@ module StandardId
           raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
           tokens = extract_token_payload(parsed_token)
-          user_info = verify_id_token(id_token: id_token, client_id: client_id)
+          user_info = verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce)
           build_response(user_info, tokens: tokens)
         rescue StandardError => e
@@ -117,7 +124,7 @@ module StandardId
           raise StandardId::OAuthError, e.message, cause: e
         end
-        def verify_id_token(id_token:, client_id: StandardId.config.social.apple_client_id)
+        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id, nonce: nil)
           raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
           raise StandardId::InvalidRequestError, "Apple client_id is not configured" if client_id.blank?
@@ -137,6 +144,15 @@ module StandardId
             verify_aud: true
           )
+          # Validate nonce if provided (web flow with server-generated nonce)
+          if nonce.present?
+            token_nonce = verified_payload["nonce"]
+            if token_nonce != nonce
+              raise StandardId::InvalidRequestError,
+                    "ID token nonce mismatch. Expected: #{nonce}, got: #{token_nonce}"
+            end
+          end
           {
             "sub" => verified_payload["sub"],
             "email" => verified_payload["email"],
@@ -155,7 +171,7 @@ module StandardId
         private
-        def ensure_basic_credentials!(client_id: StandardId.config.social.apple_client_id)
+        def ensure_basic_credentials!(client_id: StandardId.config.apple_client_id)
           return if client_id.present?
           raise StandardId::InvalidRequestError, "Apple OAuth is not configured"
@@ -165,9 +181,9 @@ module StandardId
           ensure_basic_credentials!(client_id: client_id)
           required = [
-            StandardId.config.social.apple_private_key,
-            StandardId.config.social.apple_key_id,
-            StandardId.config.social.apple_team_id
+            StandardId.config.apple_private_key,
+            StandardId.config.apple_key_id,
+            StandardId.config.apple_team_id
           ]
           return unless required.any?(&:blank?)
@@ -175,21 +191,21 @@ module StandardId
           raise StandardId::InvalidRequestError, "Apple OAuth credentials are incomplete"
         end
-        def generate_client_secret(client_id: StandardId.config.social.apple_client_id)
+        def generate_client_secret(client_id: StandardId.config.apple_client_id)
           header = {
             alg: "ES256",
-            kid: StandardId.config.social.apple_key_id
+            kid: StandardId.config.apple_key_id
           }
           payload = {
-            iss: StandardId.config.social.apple_team_id,
+            iss: StandardId.config.apple_team_id,
             iat: Time.current.to_i,
             exp: Time.current.to_i + 3600,
             aud: ISSUER,
             sub: client_id
           }
-          private_key = OpenSSL::PKey::EC.new(StandardId.config.social.apple_private_key)
+          private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
           JWT.encode(payload, private_key, "ES256", header)
         end

data/lib/standard_id/apple/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module StandardId
   module Apple
-    VERSION = "0.1.0"
+    VERSION = "0.1.2"
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id-apple
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - Jaryl Sim