[auth] login with apple

2025-09-25 22:19:28 -04:00 · 2023-04-29 09:42:11 +00:00 · 2023-04-29 09:42:11 +00:00 · 6f8c485980
commit 6f8c485980
parent d9e72283e4
6 changed files with 56 additions and 6 deletions
--- a/nuxt.config.js
+++ b/nuxt.config.js
@ -25,6 +25,9 @@ if (process.env.ENV) {
    process.env.NODE_ENV = process.env.ENV;
 }

+const applePrivateKeyFile = `${__dirname}/keys/AuthKey_${process.env.APLLE_KEY_ID}.p8`;
+process.env.APPLE_PRIVATE_KEY = fs.existsSync(applePrivateKeyFile) ? fs.readFileSync(applePrivateKeyFile).toString('utf-8') : null;
+
 const allVersionsUrls = buildList(function*() {
    if (process.env.NODE_ENV === 'development') {
        yield 'http://pronouns.test:3000';
--- a/package.json
+++ b/package.json
@ -29,7 +29,7 @@
    "express": "^4.17.1",
    "express-session": "^1.17.1",
    "generic-diff": "^1.0.1",
-    "grant": "^5.4.20",
+    "grant": "^5.4.21",
    "he-date": "^1.2.2",
    "html-loader": "^1.3.2",
    "html2canvas": "^1.4.1",
--- a/server/routes/user.js
+++ b/server/routes/user.js
@ -537,7 +537,9 @@ router.get('/user/social-redirect/:provider/:locale', handleErrorAsync(async (re

 // happens on home
 router.get('/user/social/:provider', handleErrorAsync(async (req, res) => {
-    if (!req.session.grant || !req.session.grant.response || !req.session.grant.response.access_token || !socialLoginHandlers[req.params.provider]) {
+    if (!req.session.grant || !req.session.grant.response
+        || (!req.session.grant.response.access_token && !req.session.grant.response.jwt)
+        || !socialLoginHandlers[req.params.provider]) {
        console.error('Social login failed, session incomplete.', req.params.provider, req.session, req.session.grant.response);
        return res.status(400).json({error: 'Something went wrong… Please try again.'})
    }
--- a/server/social.js
+++ b/server/social.js
@ -1,3 +1,22 @@
+const jwt = require('jsonwebtoken');
+
+const getAppleClientSecret = () => {
+    const headers = {
+        kid: process.env.APPLE_KEY_ID,
+        typ: undefined
+    }
+    const claims = {
+        'iss': process.env.APPLE_TEAM_ID,
+        'aud': 'https://appleid.apple.com',
+        'sub': process.env.APPLE_CLIENT_ID,
+    }
+    return jwt.sign(claims, process.env.APPLE_PRIVATE_KEY, {
+        algorithm: 'ES256',
+        header: headers,
+        expiresIn: '180d'
+    });
+}
+
 module.exports.config = {
    defaults: {
        origin: process.env.BASE_URL,
@ -30,6 +49,19 @@ module.exports.config = {
        callback: '/api/user/social/discord',
        scope: ['identify', 'email'],
    },
+    apple: {
+        key: process.env.APPLE_CLIENT_ID,
+        secret: getAppleClientSecret(),
+
+        callback: '/api/user/social/apple',
+        scope: ['openid', 'name', 'email'],
+        response: ['raw', 'jwt'],
+        nonce: true,
+        custom_params: {
+            response_type: 'code id_token',
+            response_mode: 'form_post',
+        },
+    },
    // non-grant, but things break if it's not there
    mastodon: {},
    indieauth: {},
@ -97,4 +129,12 @@ module.exports.handlers = {
            instance: r.instance,
        }
    },
+    apple(r) {
+        const payload = r.jwt.id_token.payload
+        return {
+            id: payload.email,
+            email: payload.email_verified ? payload.email : null,
+            name: payload.email,
+        };
+    }
 };
--- a/src/socialProviders.js
+++ b/src/socialProviders.js
@ -19,6 +19,11 @@ export const socialProviders = {
        redirectViaHome: true,
        avatars: true,
    },
+    apple: {
+        name: 'Apple',
+        redirectViaHome: true,
+        avatars: true,
+    },
    google: {
        name: 'Google',
        redirectViaHome: true,
--- a/yarn.lock
+++ b/yarn.lock
@ -5522,10 +5522,10 @@ graceful-fs@^4.2.6:
  resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.10.tgz#147d3a006da4ca3ce14728c7aefc287c367d7a6c"
  integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==

-grant@^5.4.20:
-  version "5.4.20"
-  resolved "https://registry.yarnpkg.com/grant/-/grant-5.4.20.tgz#01ad40559057920e2297aa1d74043edee1056548"
-  integrity sha512-VwoKfA8IgMIbFDBVybb6iTqkSEyy+uZYeXRnaF6L/Dc9X2eq73ciEXQ71atCoVDy6yOD2YGszs+cGAACNK6NqQ==
+grant@^5.4.21:
+  version "5.4.21"
+  resolved "https://registry.yarnpkg.com/grant/-/grant-5.4.21.tgz#3306942f4a19e40d008e247d071104b19173c0c6"
+  integrity sha512-QaoZudI9Gmh2W415gd71Iul6gpVH9sG1SkjfnGHtqYZopQDQ5PUVxRol5zFCrwGi9S0EbExbelHlZScgdChg2w==
  dependencies:
    qs "^6.10.2"
    request-compose "^2.1.4"