ananay / passport-apple

Passport strategy for Sign in with Apple
https://passport-apple.ananay.dev

Question about Init options keyId and privateKeyLocation #35

Closed cchacholiades closed 2 years ago

cchacholiades commented 2 years ago

Hi @ananay! Great work on this, thank you. I have a question about the initialise options keyId and privateKeyLocation. Are these really required?

Login seems to redirect the user to apple even without these.

const passport = require('passport');
const AppleStrategy = require('passport-apple');
passport.use(
  new AppleStrategy({
    clientID: process.env.APPLE_CLIENT_ID,
    teamID: process.env.APPLE_TEAM_IDENTIFIER,
    callbackURL: process.env.APPLE_REDIRECT_URI,
    passReqToCallback: true
  }, function(req, accessToken, refreshToken, idToken, profile, done) {
    // The idToken returned is encoded. You can use the jsonwebtoken library via jwt.decode(idToken)
    // to access the properties of the decoded idToken, which contains the user's
    // identity information.
    // Here, check whether idToken.sub exists in your database!
    // idToken should contain the email too if the user authorized it, but it will not contain the name.
    // The `profile` parameter is REQUIRED for the sake of the passport implementation;
    // it should carry the profile in the future, but Apple hasn't implemented passing data
    // in the access token yet: https://developer.apple.com/documentation/sign_in_with_apple/tokenresponse
    done(null, idToken);
  }
));

Thank you in advance.

ananay commented 2 years ago

Hi @cchacholiades, thank you! Yes, keyId and privateKeyLocation are required as they are used to generate the Client Secret. I doubt it'll work after redirecting to Apple.

Here's how you can create a key: https://github.com/ananay/apple-auth/blob/master/SETUP.md#create-a-key

cchacholiades commented 2 years ago

Great! Thank you for the prompt reply.

I am using this package to get the routes / API necessary to log someone in with Apple in a node/express/nuxt setup. I was wondering if there are any security-related concerns (that I should be aware of) regarding where the .p8 file should be stored?

For now I have it in a folder ../configurations/AuthKey_.p8 - this file shouldn't be in git either, right?

ananay commented 2 years ago

Yes, the p8 file should not be checked in. For the config, I would suggest using a filled-out JSON file for local dev testing, but on a server you can use environment variables.

cchacholiades commented 2 years ago

@ananay I'll still need to figure out a way to efficiently store the p8 key for a node setup in production, but this helps a lot! Thanks again.

cchacholiades commented 2 years ago

@ananay one last question in case you can help. Is it possible to store the contents of the .p8 file in an env var and load it through the privateKeyLocation option?

edit: I should be able to achieve this with the option privateKeyString 🎉