src/Adapters/Auth/apple.js

// Apple SignIn Auth
// https://developer.apple.com/documentation/signinwithapplerestapi

const Parse = require('parse/node').Parse;
const jwksClient = require('jwks-rsa');
const util = require('util');
const jwt = require('jsonwebtoken');

const TOKEN_ISSUER = 'https://appleid.apple.com';

const getAppleKeyByKeyId = async (keyId, cacheMaxEntries, cacheMaxAge) => {
  const client = jwksClient({
    jwksUri: `${TOKEN_ISSUER}/auth/keys`,
    cache: true,
    cacheMaxEntries,
    cacheMaxAge,
  });

  const asyncGetSigningKeyFunction = util.promisify(client.getSigningKey);

  let key;
  try {
    key = await asyncGetSigningKeyFunction(keyId);
  } catch (error) {
    throw new Parse.Error(
      Parse.Error.OBJECT_NOT_FOUND,
      `Unable to find matching key for Key ID: ${keyId}`
    );
  }
  return key;
};

const getHeaderFromToken = token => {
  const decodedToken = jwt.decode(token, { complete: true });
  if (!decodedToken) {
    throw new Parse.Error(
      Parse.Error.OBJECT_NOT_FOUND,
      `provided token does not decode as JWT`
    );
  }

  return decodedToken.header;
};

const verifyIdToken = async (
  { token, id },
  { clientId, cacheMaxEntries, cacheMaxAge }
) => {
  if (!token) {
    throw new Parse.Error(
      Parse.Error.OBJECT_NOT_FOUND,
      `id token is invalid for this user.`
    );
  }

  const { kid: keyId, alg: algorithm } = getHeaderFromToken(token);
  const ONE_HOUR_IN_MS = 3600000;
  let jwtClaims;

  cacheMaxAge = cacheMaxAge || ONE_HOUR_IN_MS;
  cacheMaxEntries = cacheMaxEntries || 5;

  const appleKey = await getAppleKeyByKeyId(
    keyId,
    cacheMaxEntries,
    cacheMaxAge
  );
  const signingKey = appleKey.publicKey || appleKey.rsaPublicKey;

  try {
    jwtClaims = jwt.verify(token, signingKey, {
      algorithms: algorithm,
      // the audience can be checked against a string, a regular expression or a list of strings and/or regular expressions.
      audience: clientId,
    });
  } catch (exception) {
    const message = exception.message;

    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `${message}`);
  }

  if (jwtClaims.iss !== TOKEN_ISSUER) {
    throw new Parse.Error(
      Parse.Error.OBJECT_NOT_FOUND,
      `id token not issued by correct OpenID provider - expected: ${TOKEN_ISSUER} | from: ${jwtClaims.iss}`
    );
  }

  if (jwtClaims.sub !== id) {
    throw new Parse.Error(
      Parse.Error.OBJECT_NOT_FOUND,
      `auth data is invalid for this user.`
    );
  }
  return jwtClaims;
};

// Returns a promise that fulfills if this id token is valid
function validateAuthData(authData, options = {}) {
  return verifyIdToken(authData, options);
}

// Returns a promise that fulfills if this app id is valid.
function validateAppId() {
  return Promise.resolve();
}

module.exports = {
  validateAppId,
  validateAuthData,
};
Support Apple Game Center Auth (#6143) Fixes: https://github.com/parse-community/parse-server/issues/5984 2019-10-18 19:04:01 -05:00			`// Apple SignIn Auth`
			`// https://developer.apple.com/documentation/signinwithapplerestapi`

Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`const Parse = require('parse/node').Parse;`
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`const jwksClient = require('jwks-rsa');`
			`const util = require('util');`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`const jwt = require('jsonwebtoken');`

			`const TOKEN_ISSUER = 'https://appleid.apple.com';`

use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`const getAppleKeyByKeyId = async (keyId, cacheMaxEntries, cacheMaxAge) => {`
			`const client = jwksClient({`
			jwksUri: `${TOKEN_ISSUER}/auth/keys`,
			`cache: true,`
			`cacheMaxEntries,`
			`cacheMaxAge,`
			`});`
Cache apple public key for the case it fails to fetch again (#5848) 2019-07-25 10:20:28 -07:00
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`const asyncGetSigningKeyFunction = util.promisify(client.getSigningKey);`

			`let key;`
Cache apple public key for the case it fails to fetch again (#5848) 2019-07-25 10:20:28 -07:00			`try {`
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`key = await asyncGetSigningKeyFunction(keyId);`
			`} catch (error) {`
			`throw new Parse.Error(`
			`Parse.Error.OBJECT_NOT_FOUND,`
			`Unable to find matching key for Key ID: ${keyId}`
			`);`
Cache apple public key for the case it fails to fetch again (#5848) 2019-07-25 10:20:28 -07:00			`}`
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`return key;`
			`};`
Cache apple public key for the case it fails to fetch again (#5848) 2019-07-25 10:20:28 -07:00
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`const getHeaderFromToken = token => {`
			`const decodedToken = jwt.decode(token, { complete: true });`
			`if (!decodedToken) {`
updated 2 files for allowing multiple client ids (#6523) * updated 2 files for allowing multiple client ids * updated tests that fail due to user inputting data in code, added todo comment to them stating what we need to do to fix them 2020-03-21 17:04:10 -07:00			`throw new Parse.Error(`
			`Parse.Error.OBJECT_NOT_FOUND,`
			`provided token does not decode as JWT`
			`);`
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`}`
updated 2 files for allowing multiple client ids (#6523) * updated 2 files for allowing multiple client ids * updated tests that fail due to user inputting data in code, added todo comment to them stating what we need to do to fix them 2020-03-21 17:04:10 -07:00
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`return decodedToken.header;`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`};`

use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`const verifyIdToken = async (`
			`{ token, id },`
			`{ clientId, cacheMaxEntries, cacheMaxAge }`
			`) => {`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`if (!token) {`
			`throw new Parse.Error(`
			`Parse.Error.OBJECT_NOT_FOUND,`
updated 2 files for allowing multiple client ids (#6523) * updated 2 files for allowing multiple client ids * updated tests that fail due to user inputting data in code, added todo comment to them stating what we need to do to fix them 2020-03-21 17:04:10 -07:00			`id token is invalid for this user.`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`);`
			`}`
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00
			`const { kid: keyId, alg: algorithm } = getHeaderFromToken(token);`
			`const ONE_HOUR_IN_MS = 3600000;`
updated 2 files for allowing multiple client ids (#6523) * updated 2 files for allowing multiple client ids * updated tests that fail due to user inputting data in code, added todo comment to them stating what we need to do to fix them 2020-03-21 17:04:10 -07:00			`let jwtClaims;`

use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`cacheMaxAge = cacheMaxAge \|\| ONE_HOUR_IN_MS;`
			`cacheMaxEntries = cacheMaxEntries \|\| 5;`

			`const appleKey = await getAppleKeyByKeyId(`
			`keyId,`
			`cacheMaxEntries,`
			`cacheMaxAge`
			`);`
			`const signingKey = appleKey.publicKey \|\| appleKey.rsaPublicKey;`

updated 2 files for allowing multiple client ids (#6523) * updated 2 files for allowing multiple client ids * updated tests that fail due to user inputting data in code, added todo comment to them stating what we need to do to fix them 2020-03-21 17:04:10 -07:00			`try {`
			`jwtClaims = jwt.verify(token, signingKey, {`
			`algorithms: algorithm,`
			`// the audience can be checked against a string, a regular expression or a list of strings and/or regular expressions.`
			`audience: clientId,`
			`});`
			`} catch (exception) {`
			`const message = exception.message;`

			throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `${message}`);
			`}`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00
			`if (jwtClaims.iss !== TOKEN_ISSUER) {`
			`throw new Parse.Error(`
			`Parse.Error.OBJECT_NOT_FOUND,`
Fix: Linking with Apple Auth (#5755) Rename from apple-signin to apple (key names can't have hyphens Rename id_token to id (auth adapters require id) 2019-07-03 16:28:29 -05:00			`id token not issued by correct OpenID provider - expected: ${TOKEN_ISSUER} \| from: ${jwtClaims.iss}`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`);`
			`}`
updated 2 files for allowing multiple client ids (#6523) * updated 2 files for allowing multiple client ids * updated tests that fail due to user inputting data in code, added todo comment to them stating what we need to do to fix them 2020-03-21 17:04:10 -07:00
Fix apple signin authAdapter (#5891) * Fix apple signin authAdapter to use the user id instead of the user token * Update spec 2019-08-08 01:08:14 +02:00			`if (jwtClaims.sub !== id) {`
			`throw new Parse.Error(`
			`Parse.Error.OBJECT_NOT_FOUND,`
			`auth data is invalid for this user.`
			`);`
			`}`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`return jwtClaims;`
			`};`

Fix: Linking with Apple Auth (#5755) Rename from apple-signin to apple (key names can't have hyphens Rename id_token to id (auth adapters require id) 2019-07-03 16:28:29 -05:00			`// Returns a promise that fulfills if this id token is valid`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`function validateAuthData(authData, options = {}) {`
use token and algo from jwt header (#6416) * use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name 2020-03-11 15:29:20 -05:00			`return verifyIdToken(authData, options);`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`}`

			`// Returns a promise that fulfills if this app id is valid.`
			`function validateAppId() {`
			`return Promise.resolve();`
			`}`

			`module.exports = {`
Fix: Linking with Apple Auth (#5755) Rename from apple-signin to apple (key names can't have hyphens Rename id_token to id (auth adapters require id) 2019-07-03 16:28:29 -05:00			`validateAppId,`
			`validateAuthData,`
Sign in with Apple Auth Provider (#5694) * Sign in with Apple Auth Provider Closes: https://github.com/parse-community/parse-server/issues/5632 Should work out of the box. * remove required options 2019-06-19 16:05:09 -05:00			`};`