fix apple auth adapter to verify using the correct public key for token #6410
Conversation
Looks like I was running the tests wrong locally. I'll fix these up.
Codecov Report

Coverage diff, master vs #6410:
  Coverage: 93.94% -> 93.79% (-0.15%)
  Files:    169 -> 169
  Lines:    11734 -> 11736 (+2)
  Hits:     11023 -> 11008 (-15)
  Misses:   711 -> 728 (+17)

Continue to review full report at Codecov.
Nice catch! Let me run this locally.
const decodedToken = jwt.decode(token, { complete: true });
const keyId = decodedToken.header.kid;
const applePublicKey = await getApplePublicKey(keyId);
const jwtClaims = jwt.verify(token, applePublicKey, { algorithms: 'RS256' });
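Review bot: `algorithms: 'RS256'` on the `jwt.verify` call should be `algorithms: ['RS256']`; jsonwebtoken documents `algorithms` as an array of allowed algorithm names, and a bare string is not the documented contract. Keep that allow-list pinned in the verifier rather than copying `alg` out of the decoded header: the header is attacker-controlled, so a verifier that trusts it accepts `alg: none` or an HS256 token whose HMAC secret is the public key. Two smaller points in the same lines: `jwt.decode` returns `null` on malformed input, so `decodedToken.header.kid` needs a null check before it, and `getApplePublicKey(keyId)` should throw when no key with that `kid` exists rather than hand `jwt.verify` an undefined key.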
We should probably parse the "alg" key from the JWT dict for the used algorithm and pass it in here, to avoid hardcoding RS256 in case Apple changes this at some point.
Nice catch! We will open a new PR with these changes.
I'll get the new PR submitted today, sorry I broke the source branch for this one working on a different thing.
There is an existing issue #6394. I'll get that in shortly so you won't have merge conflicts.
Hi, I'm just chiming in here to say I'm also experiencing random auth failures on my server through Back4app, so thank you for submitting your patch! It would be amazing to get this merged so Back4app can easily update my backend. 👍
Fixes: #6408
The appleid auth token endpoint https://appleid.apple.com/auth/keys returns three different keys. The current apple auth adapter implementation always selects the first key to verify the token. This works often but if the client did not encode using the first key then the verification will fail. This fix checks the header of the token to get the key ID used for the encoding and then selects the correct public key with which to perform verification of the token.