Skip to content

Fix unused keys in https://appleid.apple.com/auth/keys leading to invalid signatures #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
codlab wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix unused keys in https://appleid.apple.com/auth/keys leading to invalid signatures #9

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f2dc6ef
fix wrong key signature
codlab Feb 14, 2020
19710e5
fix missing keys from rewriting code
codlab Feb 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 20 additions & 8 deletions source/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,21 +90,21 @@ const refreshAuthorizationToken = async (refreshToken, options) => {
return JSON.parse(body);
};

const getApplePublicKey = async () => {
const getApplePublicKeys = async () => {
const url = new URL(ENDPOINT_URL);
url.pathname = '/auth/keys';

const data = await request({ url: url.toString(), method: 'GET' });
const key = JSON.parse(data).keys[0];

const pubKey = new NodeRSA();
pubKey.importKey({ n: Buffer.from(key.n, 'base64'), e: Buffer.from(key.e, 'base64') }, 'components-public');
return pubKey.exportKey(['public']);
return (JSON.parse(data).keys || []).map(key => {
const pubKey = new NodeRSA();
pubKey.importKey({ n: Buffer.from(key.n, 'base64'), e: Buffer.from(key.e, 'base64') }, 'components-public');
return {pubKey: pubKey.exportKey(['public']), alg: key.alg};
})
};

const verifyIdToken = async (idToken, clientID) => {
const applePublicKey = await getApplePublicKey();
const jwtClaims = jwt.verify(idToken, applePublicKey, { algorithms: 'RS256' });
const verifyIdTokenForKey = async (appleKey, idToken, clientID) => {
const jwtClaims = jwt.verify(idToken, appleKey.pubKey, { algorithms: appleKey.alg });

if (jwtClaims.iss !== TOKEN_ISSUER) throw new Error('id token not issued by correct OpenID provider - expected: ' + TOKEN_ISSUER + ' | from: ' + jwtClaims.iss);
if (clientID !== undefined && jwtClaims.aud !== clientID) throw new Error('aud parameter does not include this client - is: ' + jwtClaims.aud + '| expected: ' + clientID);
Expand All @@ -113,6 +113,18 @@ const verifyIdToken = async (idToken, clientID) => {
return jwtClaims;
};

const verifyIdToken = async (idToken, clientID) => {
const keys = await getApplePublicKeys();
const res = key => verifyIdTokenForKey(key, idToken, clientID).then(r => ({r})).catch(err => ({err}));

const resolution = await Promise.all(keys.map(res));

const validity = resolution.find(item => item.r);

if(!validity) throw "invalid signature or issuance";
return validity.r;
};


module.exports = {
getAuthorizationUrl,
Expand Down