AppleAuth

CI Maintainability Test Coverage

Installation

Add this line to your Gemfile:

gem 'apple_auth'

And then execute:

$ bundle install

Or install it yourself:

$ gem install apple_auth

After installing the gem, you need to run this generator.

$ rails g apple_auth:config

This will generate a new initializer: apple_auth.rb with the following default configuration:

AppleAuth.configure do |config|
  # config.apple_client_id = <Your client_id in your Apple Developer account>
  # config.apple_private_key = <Your private key provided by Apple>
  # config.apple_key_id = <Your kid provided by Apple>
  # config.apple_team_id = <Your team id provided by Apple>
  # config.redirect_uri = <Your app redirect url>
end

Set your different credentials in the file by uncommenting the lines and adding your keys.

Usage

Here's an example of how to configure the gem:

AppleAuth.configure do |config|
  config.apple_client_id = 'com.yourapp...'
  config.apple_private_key = "-----BEGIN PRIVATE KEY-----\nMIGTAgEA....\n-----END PRIVATE KEY-----"
  config.apple_key_id = 'RTZ...'
  config.apple_team_id = 'WNU...'
  config.redirect_uri = 'https://localhost:3000'
end

We strongly recommend to use environment variables for these values.

Apple sign-in workflow:

alt text

For more information, check the Apple oficial documentation.

Validate JWT token and get user information:

# with a valid JWT
user_id = '000343.1d22d2937c7a4e56806dfb802b06c430...'
valid_jwt_token = 'eyJraWQiOiI4NkQ4OEtmIiwiYWxnIjoiUlMyNTYifQ.eyJpc...'
AppleAuth::UserIdentity.new(user_id, valid_jwt_token).validate!
>>  { exp: 1595279622, email: "[email protected]", email_verified: true , ...}

# with an invalid JWT
invalid_jwt_token = 'eyJraWQiOiI4NkQsd4OEtmIiwiYWxnIjoiUlMyNTYifQ.edsyJpc...'
AppleAuth::UserIdentity.new(user_id, invalid_jwt_token).validate!
>> Traceback (most recent call last):..
>> ...
>>  AppleAuth::Conditions::JWTValidationError

Verify user identity and get access and refresh tokens:

code = 'cfb77c21ecd444390a2c214cd33decdfb.0.mr...'
AppleAuth::Token.new(code).authenticate!
>> { access_token: "a7058d...", expires_at: 1595894672, refresh_token: "r8f1ce..." }

Handle server to server notifications

from the request parameter :payload

# with a valid JWT
params[:payload] = "eyJraWQiOiJZ......"
AppleAuth::ServerIdentity.new(params[:payload]).validate!
>> {iss: "https://appleid.apple.com", exp: 1632224024, iat: 1632137624, jti: "yctpp1ZHaGCzaNB9PWB4DA",...}

# with an invalid JWT
params[:payload] = "asdasdasdasd......"
AppleAuth::ServerIdentity.new(params[:payload]).validate!
>> JWT::VerificationError: Signature verification raised

Implementation in a controller would look like this:

class Hooks::AuthController < ApplicationController

  skip_before_action :verify_authenticity_token

  # https://developer.apple.com/documentation/sign_in_with_apple/processing_changes_for_sign_in_with_apple_accounts
  # NOTE: The Apple documentation states the events attribute as an array but is in fact a stringified json object
  def apple
    # will raise an error when the signature is invalid
    payload = AppleAuth::ServerIdentity.new(params[:payload]).validate!
    event = JSON.parse(payload[:events]).symbolize_keys
    uid = event["sub"]
    user = User.find_by!(provider: 'apple', uid: uid)

    case event[:type]
    when "email-enabled", "email-disabled"
      # Here we should update the user with the relay state
    when "consent-revoked", "account-delete"
      user.destroy!
    else
      throw event
    end
    render plain: "200 OK", status: :ok
  end
end

Using with Devise

If you are using devise_token_auth gem, run this generator.

$ rails g apple_sign_in:apple_auth_controller [scope]

In the scope you need to write your path from controllers to your existent devise controllers. An example $ rails g apple_auth:apple_auth_controller api/v1/ This will generate a new controller: controllers/api/v1/apple_auth_controller.rb.

You should configure the route, you can wrap it in the devise_scope block like:

devise_scope :user do
  resource :user, only: %i[update show] do
    controller :apple_auth do
      post :apple_auth, on: :collection, to: 'apple_auth#create'
    end
  end
end

Demo

You can find a full implementation of this gem in this demo.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/rootstrap/apple_auth/issues. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the AppleAuth project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

Credits

apple_auth gem is maintained by Rootstrap with the help of our contributors.