standard_id-apple 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63120ccfea7a05fb35a42c90548f441a7d719aa3d5a46e0bb9d72ec97e1e5129
-  data.tar.gz: '0857aa7e1bbafae5621ce60aa2c3364b01931a836b8e0adc121b50bcfacf42af'
+  metadata.gz: 3c67afb888da7a7a20542d46149eaf86215d02de9c097a757b98223f4c992811
+  data.tar.gz: b905edd16718f7fee932b567250a7caa5136d1cf64f82030668b7bcb8dd40d87
 SHA512:
-  metadata.gz: da5566c05904516299901bc7cbafb42e97c59c6bfb516959c8a2e77b55afd34f976e07c503ac94781681b972349c82519f4053d97004c7dea6967738ded0fe4a
-  data.tar.gz: 95da64b4f2c8deee61e18867133aa36d7ddea30985c276c266dcba0e8448712de8807c1040f224783621cb7319a998264c982ed0b96cb1e3b52a91447bfd1e0f
+  metadata.gz: fdd51606e4a08272c10bae448cecbf0472e8449a5679229013138b5fed0abef6f2e404ef1ef495731a1744c58538fbfc1c141af974ad02c825212a5a51adffc1
+  data.tar.gz: 58e35ebc3804fd52719774db5a63229918e0c89462dca2b7f654a8a57820389549044c1ca42e27cf46155afc6617942084e1ce41b650866c9ba0a049e7599289

data/lib/standard_id/apple/providers/apple.rb

@@ -12,40 +12,47 @@ module StandardId
       JWKS_URI = "#{ISSUER}/auth/keys".freeze
       DEFAULT_SCOPE = "name email".freeze
       DEFAULT_RESPONSE_MODE = "form_post".freeze
+      AUTHORIZATION_PARAM_DEFAULTS = {
+        scope: DEFAULT_SCOPE,
+        response_mode: DEFAULT_RESPONSE_MODE
+      }.freeze
 
       class << self
         def provider_name
           "apple"
         end
 
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          response_mode = options[:response_mode] || DEFAULT_RESPONSE_MODE
+        def supported_authorization_params
+          [:nonce, :scope, :response_mode]
+        end
 
+        def authorization_url(state:, redirect_uri:, **options)
           ensure_basic_credentials!
 
           query = {
             client_id: StandardId.config.apple_client_id,
-            redirect_uri: redirect_uri,
+            redirect_uri:,
             response_type: "code",
-            scope: scope,
-            response_mode: response_mode,
-            state: state
+            state:
           }
 
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+          supported_authorization_params.each do |param|
+            query[param] = options[param] || AUTHORIZATION_PARAM_DEFAULTS[param]
+          end
+
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query.compact)}"
         end
 
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
+        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **options)
           client_id = options[:client_id] || StandardId.config.apple_client_id
 
           if id_token.present?
             build_response(
-              verify_id_token(id_token: id_token, client_id: client_id),
+              verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce),
               tokens: { id_token: id_token }
             )
           elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id, nonce: nonce)
           elsif access_token.present?
             raise StandardId::InvalidRequestError, "Access token login flow is not supported for Apple"
           else
@@ -82,7 +89,7 @@ module StandardId
           params.merge(client_id: client_id)
         end
 
-        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
+        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id, nonce: nil)
           ensure_full_credentials!(client_id: client_id)
           raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
 
@@ -108,7 +115,7 @@ module StandardId
           raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
 
           tokens = extract_token_payload(parsed_token)
-          user_info = verify_id_token(id_token: id_token, client_id: client_id)
+          user_info = verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce)
 
           build_response(user_info, tokens: tokens)
         rescue StandardError => e
@@ -117,7 +124,7 @@ module StandardId
           raise StandardId::OAuthError, e.message, cause: e
         end
 
-        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
+        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id, nonce: nil)
           raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
           raise StandardId::InvalidRequestError, "Apple client_id is not configured" if client_id.blank?
 
@@ -137,6 +144,15 @@ module StandardId
             verify_aud: true
           )
 
+          # Validate nonce if provided (web flow with server-generated nonce)
+          if nonce.present?
+            token_nonce = verified_payload["nonce"]
+            if token_nonce != nonce
+              raise StandardId::InvalidRequestError,
+                    "ID token nonce mismatch. Expected: #{nonce}, got: #{token_nonce}"
+            end
+          end
+
           {
             "sub" => verified_payload["sub"],
             "email" => verified_payload["email"],

data/lib/standard_id/apple/version.rb

@@ -2,6 +2,6 @@
 
 module StandardId
   module Apple
-    VERSION = "0.1.1"
+    VERSION = "0.1.2"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id-apple
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Jaryl Sim