subhendukundu / worker-auth-providers

worker-auth-providers is an open-source set of providers that makes authentication easy with Workers. It is a very lightweight script that doesn't need many dependencies, and it plugs into any Workers framework or template.
https://authc1.com
293 stars 31 forks

URGENT Apple OAUTH implementation incorrect #40

Open OultimoCoder opened 10 months ago

OultimoCoder commented 10 months ago
// Helpers used below (decodeJwt, logger, ProviderGetUserError, ConfigError,
// parseQuerystring, getTokensFromCode) are the project's own imports, omitted
// from this snippet.
async function getUser(token) {
    try {
        // Decodes the JWT payload without verifying it and returns the claims.
        const data = decodeJwt(token);
        logger.log(`[provider user data], ${JSON.stringify(data)}`, "info");
        return data;
    }
    catch (e) {
        logger.log(`[error], ${JSON.stringify(e.stack)}`, "error");
        throw new ProviderGetUserError({
            message: "There was an error fetching the user",
        });
    }
}

export default async function callback({ options, request, }) {
    const { query } = parseQuerystring(request);
    logger.setEnabled(options?.isLogEnabled || false);
    logger.log(`[code], ${JSON.stringify(query.code)}`, "info");
    if (!query.code) {
        throw new ConfigError({
            message: "No code is passed!",
        });
    }
    // Exchanges the authorization code for Apple's token response.
    const tokens = await getTokensFromCode(query.code, options);
    const accessToken = tokens.access_token;
    logger.log(`[access_token], ${JSON.stringify(accessToken)}`, "info");
    // Reported defect: the access_token is passed to getUser, which expects a JWT.
    const providerUser = await getUser(accessToken);
    return {
        user: providerUser,
        tokens,
    };
}

Currently, the implementation tries to get the user information by decoding the access token from Apple.

It should be decoding the id_token.
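The following is an added example (not the project's own code and not part of the issue) showing what the callback should do with Apple's token response: read `id_token` rather than `access_token`, decode it, and check the issuer, audience, expiry and subject claims before building a user object. The `APPLE_ISSUER` constant, the `checkAppleClaims`/`userFromTokenResponse` function names, the client id `com.example.app` and the sample token response are all assumptions constructed here; the sample id_token is unsigned and exists only to exercise the decoding path. Signature verification against Apple's published JWKS (keyed by the `kid` in the header) must happen before any of these claims are trusted in a real deployment; it is omitted because it needs network access.

```javascript
// Added example, not the project's code. Demonstrates decoding and
// sanity-checking Apple's id_token instead of the access_token.
// Assumed: APPLE_ISSUER, clientId "com.example.app", sample token below.
const APPLE_ISSUER = "https://appleid.apple.com";

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Splits a compact JWS into header and payload. Does NOT verify the signature.
function decodeJwt(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) {
    throw new Error("malformed JWT: expected three dot-separated segments");
  }
  const [header, payload] = parts
    .slice(0, 2)
    .map((seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8")));
  return { header, payload };
}

// Validates the claims an OpenID Connect relying party must check and maps
// them to a user object. `now` is epoch seconds and can be injected for tests.
function checkAppleClaims(payload, { clientId, now = Math.floor(Date.now() / 1000) }) {
  if (payload.iss !== APPLE_ISSUER) {
    throw new Error(`unexpected issuer: ${payload.iss}`);
  }
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) {
    throw new Error("id_token was not issued for this client");
  }
  if (typeof payload.exp !== "number" || payload.exp <= now) {
    throw new Error("id_token is expired");
  }
  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
    throw new Error("id_token has no subject");
  }
  return {
    id: payload.sub,
    email: payload.email,
    // Apple may send email_verified as a boolean or the string "true".
    emailVerified: payload.email_verified === true || payload.email_verified === "true",
  };
}

// Replacement for the reported step: use tokens.id_token, not tokens.access_token.
function userFromTokenResponse(tokens, opts) {
  if (!tokens || typeof tokens.id_token !== "string") {
    throw new Error("token response contains no id_token");
  }
  const { payload } = decodeJwt(tokens.id_token);
  // In production, verify the JWS signature with Apple's JWKS here before
  // trusting any claim (omitted: requires fetching the key set).
  return checkAppleClaims(payload, opts);
}

// Constructed sample of Apple's token response; the access_token is an opaque
// string (not a JWT) and the id_token carries a placeholder signature segment.
function sampleTokens(now) {
  const header = { alg: "RS256", kid: "constructed-kid" };
  const payload = {
    iss: APPLE_ISSUER,
    aud: "com.example.app",
    sub: "001234.constructed-subject.5678",
    email: "user@example.com",
    email_verified: "true",
    iat: now,
    exp: now + 3600,
  };
  return {
    access_token: "opaque-access-token-not-a-jwt",
    token_type: "bearer",
    id_token: `${b64urlEncode(header)}.${b64urlEncode(payload)}.constructed-unsigned`,
  };
}
```

Running `userFromTokenResponse(sampleTokens(now), { clientId: "com.example.app", now })` yields the user object, while `decodeJwt(tokens.access_token)` throws because the access token is not a JWT, which is exactly the failure path the original `getUser(accessToken)` call hits.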