
Commit b246bad

SebC99dplewis
authored andcommitted
Fix apple signin authAdapter (#5891)
* Fix apple signin authAdapter to use the user id instead of the user token * Update spec
1 parent 0e9462b commit b246bad


2 files changed

+15
-6
lines changed


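--- a/spec/AuthenticationAdapters.spec.js
+++ b/spec/AuthenticationAdapters.spec.js
@@ -1104,7 +1104,7 @@ describe('apple signin auth adapter', () => {
 it('should not verify invalid id_token', async () => {
 try {
 await apple.validateAuthData(
-{ id: 'the_token' },
+{ id: 'the_user_id', token: 'the_token' },
 { client_id: 'secret' }
 );
 fail();
@@ -1118,11 +1118,12 @@ describe('apple signin auth adapter', () => {
 iss: 'https://appleid.apple.com',
 aud: 'secret',
 exp: Date.now(),
+sub: 'the_user_id',
 };
 spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
 
 const result = await apple.validateAuthData(
-{ id: 'the_token' },
+{ id: 'the_user_id', token: 'the_token' },
 { client_id: 'secret' }
 );
 expect(result).toEqual(fakeClaim);
@@ -1131,12 +1132,13 @@ describe('apple signin auth adapter', () => {
 it('should throw error with with invalid jwt issuer', async () => {
 const fakeClaim = {
 iss: 'https://not.apple.com',
+sub: 'the_user_id',
 };
 spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
 
 try {
 await apple.validateAuthData(
-{ id: 'the_token' },
+{ id: 'the_user_id', token: 'the_token' },
 { client_id: 'secret' }
 );
 fail();
@@ -1151,12 +1153,13 @@ describe('apple signin auth adapter', () => {
 const fakeClaim = {
 iss: 'https://appleid.apple.com',
 aud: 'invalid_client_id',
+sub: 'the_user_id',
 };
 spyOn(jwt, 'verify').and.callFake(() => fakeClaim);
 
 try {
 await apple.validateAuthData(
-{ id: 'the_token' },
+{ id: 'the_user_id', token: 'the_token' },
 { client_id: 'secret' }
 );
 fail();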
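Review bot: None of these hunks exercises the new rejection path: each fake claim is given `sub: 'the_user_id'`, which matches the `id` passed to `validateAuthData`, so a regression that dropped the `jwtClaims.sub !== id` comparison would still pass the suite. Add a case whose fake claim has a valid `iss` and `aud` but `sub: 'another_user_id'`, and assert that the call rejects with `auth data is invalid for this user.`. A second case that omits `id` from the auth data would pin the missing-id behaviour too. The enclosing `describe` block starts and ends outside the hunks, so such a test could exist elsewhere, but the +7/-4 count suggests none was added in this commit.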

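--- a/src/Adapters/Auth/apple.js
+++ b/src/Adapters/Auth/apple.js
@@ -29,7 +29,7 @@ const getApplePublicKey = async () => {
 return currentKey;
 };
 
-const verifyIdToken = async (token, clientID) => {
+const verifyIdToken = async ({ token, id }, clientID) => {
 if (!token) {
 throw new Parse.Error(
 Parse.Error.OBJECT_NOT_FOUND,
@@ -45,6 +45,12 @@ const verifyIdToken = async (token, clientID) => {
 `id token not issued by correct OpenID provider - expected: ${TOKEN_ISSUER} | from: ${jwtClaims.iss}`
 );
 }
+if (jwtClaims.sub !== id) {
+throw new Parse.Error(
+Parse.Error.OBJECT_NOT_FOUND,
+`auth data is invalid for this user.`
+);
+}
 if (clientID !== undefined && jwtClaims.aud !== clientID) {
 throw new Parse.Error(
 Parse.Error.OBJECT_NOT_FOUND,
@@ -56,7 +62,7 @@ const verifyIdToken = async (token, clientID) => {
 
 // Returns a promise that fulfills if this id token is valid
 function validateAuthData(authData, options = {}) {
-return verifyIdToken(authData.id, options.client_id);
+return verifyIdToken(authData, options.client_id);
 }
 
 // Returns a promise that fulfills if this app id is valid.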
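Review bot: The audience check directly below the new `sub` comparison is still conditional (`clientID !== undefined && jwtClaims.aud !== clientID`), so when `options.client_id` is not configured the adapter accepts an Apple id_token issued for any client, provided `authData.id` equals its `sub`. Binding `id` to `sub` only helps if the token is also bound to this app, so consider failing closed ahead of the claim checks, e.g. `if (!clientID) throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Apple auth is not configured.');`. The comment on `validateAuthData` is also stale, since clients that still send the JWT in `id` now land in the `!token` branch; `// Returns a promise that fulfills if authData.token is a valid Apple id_token whose sub equals authData.id` would document the new contract. `verifyIdToken`'s body extends outside the visible hunks.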
