Sign in with Apple Auth Provider (#5694)

dplewis · web-flow · commit fcdf2d794793 · 2019-06-19T16:05:09.000-05:00
* Sign in with Apple Auth Provider Closes: #5632 Should work out of the box. * remove required options
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -30,10 +30,12 @@
     "express": "4.17.1",
     "follow-redirects": "1.7.0",
     "intersect": "1.0.1",
+    "jsonwebtoken": "8.5.1",
     "lodash": "4.17.11",
     "lru-cache": "5.1.1",
     "mime": "2.4.4",
     "mongodb": "3.2.7",
+    "node-rsa": "1.0.5",
     "parse": "2.4.0",
     "pg-promise": "8.7.2",
     "redis": "2.8.0",
diff --git a/spec/AuthenticationAdapters.spec.js b/spec/AuthenticationAdapters.spec.js
@@ -17,6 +17,7 @@ const responses = {
 
 describe('AuthenticationProviders', function() {
   [
+    'apple-signin',
     'facebook',
     'facebookaccountkit',
     'github',
@@ -50,7 +51,7 @@ describe('AuthenticationProviders', function() {
     });
 
     it(`should provide the right responses for adapter ${providerName}`, async () => {
-      if (providerName === 'twitter') {
+      if (providerName === 'twitter' || providerName === 'apple-signin') {
         return;
       }
       spyOn(require('../lib/Adapters/Auth/httpsRequest'), 'get').and.callFake(
@@ -1033,3 +1034,83 @@ describe('oauth2 auth adapter', () => {
     }
   });
 });
+
+describe('apple signin auth adapter', () => {
+  const apple = require('../lib/Adapters/Auth/apple-signin');
+  const jwt = require('jsonwebtoken');
+
+  it('should throw error with missing id_token', async () => {
+    try {
+      await apple.validateAuthData({}, { client_id: 'secret' });
+      fail();
+    } catch (e) {
+      expect(e.message).toBe('id_token is invalid for this user.');
+    }
+  });
+
+  it('should not verify invalid id_token', async () => {
+    try {
+      await apple.validateAuthData(
+        { id_token: 'the_token' },
+        { client_id: 'secret' }
+      );
+      fail();
+    } catch (e) {
+      expect(e.message).toBe('jwt malformed');
+    }
+  });
+
+  it('should verify id_token', async () => {
+    const fakeClaim = {
+      iss: 'https://appleid.apple.com',
+      aud: 'secret',
+      exp: Date.now(),
+    };
+    spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
+
+    const result = await apple.validateAuthData(
+      { id_token: 'the_token' },
+      { client_id: 'secret' }
+    );
+    expect(result).toEqual(fakeClaim);
+  });
+
+  it('should throw error with with invalid jwt issuer', async () => {
+    const fakeClaim = {
+      iss: 'https://not.apple.com',
+    };
+    spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
+
+    try {
+      await apple.validateAuthData(
+        { id_token: 'the_token' },
+        { client_id: 'secret' }
+      );
+      fail();
+    } catch (e) {
+      expect(e.message).toBe(
+        'id_token not issued by correct OpenID provider - expected: https://appleid.apple.com | from: https://not.apple.com'
+      );
+    }
+  });
+
+  it('should throw error with with invalid jwt client_id', async () => {
+    const fakeClaim = {
+      iss: 'https://appleid.apple.com',
+      aud: 'invalid_client_id',
+    };
+    spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
+
+    try {
+      await apple.validateAuthData(
+        { id_token: 'the_token' },
+        { client_id: 'secret' }
+      );
+      fail();
+    } catch (e) {
+      expect(e.message).toBe(
+        'jwt aud parameter does not include this client - is: invalid_client_id | expected: secret'
+      );
+    }
+  });
+});
diff --git a/src/Adapters/Auth/apple-signin.js b/src/Adapters/Auth/apple-signin.js
@@ -0,0 +1,58 @@
+const Parse = require('parse/node').Parse;
+const httpsRequest = require('./httpsRequest');
+const NodeRSA = require('node-rsa');
+const jwt = require('jsonwebtoken');
+
+const TOKEN_ISSUER = 'https://appleid.apple.com';
+
+const getApplePublicKey = async () => {
+  const data = await httpsRequest.get('https://appleid.apple.com/auth/keys');
+  const key = data.keys[0];
+
+  const pubKey = new NodeRSA();
+  pubKey.importKey(
+    { n: Buffer.from(key.n, 'base64'), e: Buffer.from(key.e, 'base64') },
+    'components-public'
+  );
+  return pubKey.exportKey(['public']);
+};
+
+const verifyIdToken = async (token, clientID) => {
+  if (!token) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      'id_token is invalid for this user.'
+    );
+  }
+  const applePublicKey = await getApplePublicKey();
+  const jwtClaims = jwt.verify(token, applePublicKey, { algorithms: 'RS256' });
+
+  if (jwtClaims.iss !== TOKEN_ISSUER) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      `id_token not issued by correct OpenID provider - expected: ${TOKEN_ISSUER} | from: ${jwtClaims.iss}`
+    );
+  }
+  if (clientID !== undefined && jwtClaims.aud !== clientID) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      `jwt aud parameter does not include this client - is: ${jwtClaims.aud} | expected: ${clientID}`
+    );
+  }
+  return jwtClaims;
+};
+
+// Returns a promise that fulfills if this id_token is valid
+function validateAuthData(authData, options = {}) {
+  return verifyIdToken(authData.id_token, options.client_id);
+}
+
+// Returns a promise that fulfills if this app id is valid.
+function validateAppId() {
+  return Promise.resolve();
+}
+
+module.exports = {
+  validateAppId: validateAppId,
+  validateAuthData: validateAuthData,
+};
