@nauth-toolkit/social-apple 0.1.13 → 0.1.17

package/dist/src/token-verifier.service.js

@@ -35,6 +35,24 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TokenVerifierService = void 0;
 const core_1 = require("@nauth-toolkit/core");
+/**
+ * Token Verifier Service for Apple OAuth (Platform-Agnostic)
+ *
+ * Handles secure verification of Apple ID tokens using JWKS public keys.
+ * Uses cryptographic signature verification to ensure tokens are authentic.
+ *
+ * Security Features:
+ * - Apple: Verifies JWT signature with Apple's JWKS public keys
+ *
+ * This is a plain TypeScript class with no framework dependencies.
+ *
+ * @example
+ * ```typescript
+ * const verifier = new TokenVerifierService(config);
+ * const profile = await verifier.verifyAppleToken(idToken, clientId);
+ * console.log(profile.email); // Verified email from Apple
+ * ```
+ */
 class TokenVerifierService {
     appleJWKS = null;
     logger;
@@ -54,9 +72,31 @@ class TokenVerifierService {
         if (this.appleJWKS)
             return this.appleJWKS;
         const jose = await this.getJose();
+        // Initialize Apple Remote JWKS (fetched and cached by jose)
         this.appleJWKS = jose.createRemoteJWKSet(new URL('https://appleid.apple.com/auth/keys'));
         return this.appleJWKS;
     }
+    /**
+     * Verify Apple ID token with JWT signature validation
+     *
+     * Fetches Apple's public keys from their JWKS endpoint and verifies the
+     * JWT signature to ensure authenticity.
+     *
+     * @param idToken - ID token from Apple Sign In
+     * @param clientId - Apple Services ID (client ID) for audience validation
+     * @returns Verified user profile data
+     * @throws {BadRequestException} When token is invalid, expired, or signature fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const profile = await verifier.verifyAppleToken(idToken, 'com.yourapp.service');
+     *   console.log(`Verified email: ${profile.email}`);
+     * } catch (error) {
+     *   console.error('Token verification failed:', error.message);
+     * }
+     * ```
+     */
     async verifyAppleToken(idToken, clientId) {
         try {
             this.logger?.debug?.(`[TokenVerifier] Verifying Apple token`);
@@ -65,7 +105,7 @@ class TokenVerifierService {
             const { payload } = await jose.jwtVerify(idToken, appleJWKS, {
                 issuer: 'https://appleid.apple.com',
                 audience: clientId,
-                clockTolerance: 300,
+                clockTolerance: 300, // 5 minutes leeway
             });
             const p = payload;
             this.logger?.log?.(`[TokenVerifier] Apple token verified (secure): ${p.email}`);

package/dist/src/token-verifier.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-verifier.service.js","sourceRoot":"","sources":["../../src/token-verifier.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,8CAAqH;AA6BrH,MAAa,oBAAoB;IACvB,SAAS,GAAwD,IAAI,CAAC;IAC7D,MAAM,CAAc;IACpB,QAAQ,CAA4B;IAC7C,iBAAiB,GAA+B,IAAI,CAAC;IAE7D,YAAY,MAAmB,EAAE,QAAoC;QACnE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAqB,CAAC;QAC3C,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC,kDAAO,MAAM,GAAwB,CAAC,CAAC;IAC5E,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC5B,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAElC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,qCAAqC,CAAC,CAAC,CAAC;QACzF,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAuBD,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,QAAgB;QACtD,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,CAAC,CAAC;YAE9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAE5C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,EAAE;gBAC3D,MAAM,EAAE,2BAA2B;gBACnC,QAAQ,EAAE,QAAQ;gBAClB,cAAc,EAAE,GAAG;aACpB,CAAC,CAAC;YAEH,MAAM,CAAC,GAAG,OAIT,CAAC;YAEF,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kDAAkD,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YAEhF,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,GAAa;gBACpB,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,EAAE;gBACpB,cAAc,EAAE,CAAC,CAAC,cAAc,KAAK,MAAM,IAAI,CAAC,CAAC,cAAc,KAAK,IAAI;gBACxE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,oDAAoD,YAAY,EAAE,CAAC,CAAC;YACzF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,oCAAoC,YAAY,EAAE,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;CACF;AAhFD,oDAgFC"}
+{"version":3,"file":"token-verifier.service.js","sourceRoot":"","sources":["../../src/token-verifier.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,8CAAqH;AAWrH;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAa,oBAAoB;IACvB,SAAS,GAAwD,IAAI,CAAC;IAC7D,MAAM,CAAc;IACpB,QAAQ,CAA4B;IAC7C,iBAAiB,GAA+B,IAAI,CAAC;IAE7D,YAAY,MAAmB,EAAE,QAAoC;QACnE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAqB,CAAC;QAC3C,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC,kDAAO,MAAM,GAAwB,CAAC,CAAC;IAC5E,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC5B,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QAC1C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,4DAA4D;QAC5D,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,qCAAqC,CAAC,CAAC,CAAC;QACzF,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe,EAAE,QAAgB;QACtD,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,CAAC,CAAC;YAE9D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAE5C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,EAAE;gBAC3D,MAAM,EAAE,2BAA2B;gBACnC,QAAQ,EAAE,QAAQ;gBAClB,cAAc,EAAE,GAAG,EAAE,mBAAmB;aACzC,CAAC,CAAC;YAEH,MAAM,CAAC,GAAG,OAIT,CAAC;YAEF,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,kDAAkD,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YAEhF,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,GAAa;gBACpB,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,EAAE;gBACpB,cAAc,EAAE,CAAC,CAAC,cAAc,KAAK,MAAM,IAAI,CAAC,CAAC,cAAc,KAAK,IAAI;gBACxE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,oDAAoD,YAAY,EAAE,CAAC,CAAC;YACzF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,oCAAoC,YAAY,EAAE,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;CACF;AAhFD,oDAgFC"}

package/dist/src/verified-token-profile.interface.d.ts

@@ -1,7 +1,26 @@
+/**
+ * Verified Token Profile - Apple OAuth
+ *
+ * Standardized return type for Apple token verification.
+ * This is provider-specific and should not be in core.
+ */
 export interface VerifiedAppleTokenProfile {
+    /**
+     * Apple user ID (sub claim)
+     */
     sub: string;
+    /**
+     * User's email address
+     * May be empty string if not provided or using private relay
+     */
     email: string;
+    /**
+     * Whether the email is verified by Apple
+     */
     email_verified: boolean;
+    /**
+     * Whether the email is a private relay email (iCloud Private Relay)
+     */
     is_private_email?: boolean;
 }
 //# sourceMappingURL=verified-token-profile.interface.d.ts.map

package/dist/src/verified-token-profile.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verified-token-profile.interface.d.ts","sourceRoot":"","sources":["../../src/verified-token-profile.interface.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,yBAAyB;IAIxC,GAAG,EAAE,MAAM,CAAC;IAMZ,KAAK,EAAE,MAAM,CAAC;IAKd,cAAc,EAAE,OAAO,CAAC;IAKxB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B"}
+{"version":3,"file":"verified-token-profile.interface.d.ts","sourceRoot":"","sources":["../../src/verified-token-profile.interface.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB;IACxC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,cAAc,EAAE,OAAO,CAAC;IAExB;;OAEG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B"}