ananay / passport-apple

Passport strategy for Sign in with Apple
https://passport-apple.ananay.dev

Missing idToken decryption in verifying block #40

Open ton252 opened 1 year ago

ton252 commented 1 year ago

The problem is the missing decoding of idToken before it is passed to the verify block. Either the idToken annotation needs to change to "string" in the TypeScript interface and the token is returned without decoding, or it needs to be decoded before being returned so that it conforms to the DecodedIdToken interface.

import jwt from "jsonwebtoken";          // used only to decode the token for inspection
import AppleStrategy from "passport-apple";

new AppleStrategy({
    clientID: config.clientId,
    teamID: config.teamId,
    callbackURL: config.callbackURL,
    keyID: config.keyId,
    privateKeyLocation: config.privateKeyLocation,
    passReqToCallback: true,
}, function (req, accessToken, refreshToken, idToken, profile, cb) {
    idToken; // is a JWT-encoded string, not a DecodedIdToken
    console.log("idToken encrypted");
    console.log(idToken);

    // We need to decode it using jwt.decode(idToken) to get the correct result
    console.log("idToken decrypted");
    console.log(jwt.decode(idToken as any));
});

The console log will be something like this:

idToken encrypted
xxxxxXXXXXXXXXXXXscscsdcasdcsdcsadcasdcasdcasdcasdcasdcasdcasdcasdcasdcasdcasdcasdvewrvwefvwerfvwrtbvwrtbvwrtbvwrtbvwrbvwrtbvwrtbvwrtbvw4rtbgwrtbvwrtbvwrtbvwrtbvwrtbvwrtbvwrtbvwrtbvwrtwrtevwtgwertgewrgwerfgwerfgwergfwergwergwergwergwergwergwergwergwergwergfwergfwergfwergwergwergwergwergfwergfwergwertgwetrgwetrgkwertgjwetrjgwjergfwerifowerfqwerfwqeirfqeirfjiworetgjweoirgjerqiogfqjerfiqjerfioqerjfoiqernfgowqerfgjeoirgjeqoirgfejqroifqejrfioqjewrfoiqeirfjqwefqwierqi34fr34r234r3fefvdfgwetg425g245gi2j4tgiowetjrgjiowergjeoirgj034t22i324jgfoeoigj20435gijenrogfwnet0ig25gneorgn45og4n5go45gn45iog4i25ign2o45ngoi245jg245egiqerjfgpergweprgiwehrpg9245goirtnhpoghi245-g2405gn24o5[g

idToken decrypted
{
  iss: 'https://appleid.apple.com',
  aud: 'id',
  exp: 100000000,
  iat: 100000000,
  sub: 'xxxxxx.xxxxxxxxxxxxxx.xxxxx',
  at_hash: 'xxxxxxxxxxx',
  auth_time: 1667349187,
  nonce_supported: true
}

wojtekmaj commented 1 year ago

That is an expected change in v2: https://github.com/ananay/passport-apple/commit/6b8c1ce0fecf6cac2c8a0f669824dc2640fb5112

Please note that TypeScript typings were not updated to reflect this change: https://github.com/DefinitelyTyped/DefinitelyTyped/discussions/66925