feat: implement Apple Sign-In and enhance account management features

- Added support for Apple Sign-In, including token verification and user account handling.
- Updated authentication routes to include Apple as a sign-in option.
- Introduced account deletion functionality, allowing users to permanently delete their accounts and associated data.
- Enhanced the user interface with a Data Consent Modal to inform users about data handling practices.
- Updated .gitignore files to exclude sensitive keys and configuration files for both iOS and Android platforms.

Author: Daniel-Robbins

.gitignore

@@ -44,3 +44,6 @@ ios/DerivedData/
 *.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/
 *.hmap
 *.ipa
+
+# Apple Sign in with Apple private keys
+*.p8

android/.gitignore

@@ -53,9 +53,9 @@ captures/
 .idea/navEditor.xml
 
 # Keystore files
-# Uncomment the following lines if you do not want to check your keystore files in.
-#*.jks
-#*.keystore
+*.jks
+*.keystore
+keystore.properties
 
 # External native build folder generated in Android Studio 2.2 and later
 .externalNativeBuild

android/app/build.gradle

@@ -1,5 +1,11 @@
 apply plugin: 'com.android.application'
 
+def keystorePropertiesFile = rootProject.file("keystore.properties")
+def keystoreProperties = new Properties()
+if (keystorePropertiesFile.exists()) {
+    keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
+}
+
 android {
     namespace = "app.botschat.console"
     compileSdk = rootProject.ext.compileSdkVersion
@@ -16,8 +22,17 @@ android {
             ignoreAssetsPattern = '!.svn:!.git:!.ds_store:!*.scc:.*:!CVS:!thumbs.db:!picasa.ini:!*~'
         }
     }
+    signingConfigs {
+        release {
+            storeFile file(keystoreProperties['storeFile'] ?: 'upload-keystore.jks')
+            storePassword keystoreProperties['storePassword'] ?: ''
+            keyAlias keystoreProperties['keyAlias'] ?: 'upload'
+            keyPassword keystoreProperties['keyPassword'] ?: ''
+        }
+    }
     buildTypes {
         release {
+            signingConfig signingConfigs.release
             minifyEnabled false
             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
         }

ios/App/App.xcodeproj/project.pbxproj

@@ -13,9 +13,9 @@
 		504EC3081FED79650016851F /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 504EC3071FED79650016851F /* AppDelegate.swift */; };
 		504EC30D1FED79650016851F /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 504EC30B1FED79650016851F /* Main.storyboard */; };
 		504EC30F1FED79650016851F /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 504EC30E1FED79650016851F /* Assets.xcassets */; };
-		A1B2C3D4E5F6A7B8C9D0E1F3 /* GoogleService-Info.plist in Resources */ = {isa = PBXBuildFile; fileRef = A1B2C3D4E5F6A7B8C9D0E1F2 /* GoogleService-Info.plist */; };
 		504EC3121FED79650016851F /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 504EC3101FED79650016851F /* LaunchScreen.storyboard */; };
 		50B271D11FEDC1A000F3C39B /* public in Resources */ = {isa = PBXBuildFile; fileRef = 50B271D01FEDC1A000F3C39B /* public */; };
+		A1B2C3D4E5F6A7B8C9D0E1F3 /* GoogleService-Info.plist in Resources */ = {isa = PBXBuildFile; fileRef = A1B2C3D4E5F6A7B8C9D0E1F2 /* GoogleService-Info.plist */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
@@ -27,9 +27,9 @@
 		504EC30E1FED79650016851F /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
 		504EC3111FED79650016851F /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = "<group>"; };
 		504EC3131FED79650016851F /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
-		A1B2C3D4E5F6A7B8C9D0E1F2 /* GoogleService-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = "GoogleService-Info.plist"; path = "App/GoogleService-Info.plist"; sourceTree = "<group>"; };
 		50B271D01FEDC1A000F3C39B /* public */ = {isa = PBXFileReference; lastKnownFileType = folder; path = public; sourceTree = "<group>"; };
 		958DCC722DB07C7200EA8C5F /* debug.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = debug.xcconfig; path = ../debug.xcconfig; sourceTree = SOURCE_ROOT; };
+		A1B2C3D4E5F6A7B8C9D0E1F2 /* GoogleService-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = "GoogleService-Info.plist"; path = "App/GoogleService-Info.plist"; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -298,6 +298,7 @@
 			baseConfigurationReference = 958DCC722DB07C7200EA8C5F /* debug.xcconfig */;
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
+				CODE_SIGN_ENTITLEMENTS = App/App.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = C5N5PPC329;
@@ -321,6 +322,7 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
+				CODE_SIGN_ENTITLEMENTS = App/App.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = C5N5PPC329;

ios/App/App/App.entitlements

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.developer.applesignin</key>
+	<array>
+		<string>Default</string>
+	</array>
+</dict>
+</plist>

packages/api/src/routes/auth.ts

@@ -155,19 +155,28 @@ async function handleFirebaseAuth(c: {
     return c.json({ error: msg }, 401);
   }
 
-  const email = firebaseUser.email?.toLowerCase();
-  if (!email) {
-    return c.json({ error: "Account has no email address" }, 400);
-  }
-
   const firebaseUid = firebaseUser.sub;
   // Determine provider from Firebase token (google.com, github.com, etc.)
   const signInProvider = firebaseUser.firebase?.sign_in_provider ?? "unknown";
   const authProvider = signInProvider.includes("google")
     ? "google"
     : signInProvider.includes("github")
       ? "github"
-      : signInProvider;
+      : signInProvider.includes("apple")
+        ? "apple"
+        : signInProvider;
+
+  // Apple Sign-In may hide the user's real email; generate a short placeholder
+  let email = firebaseUser.email?.toLowerCase() || null;
+  if (!email && authProvider === "apple") {
+    const hash = Array.from(new Uint8Array(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(firebaseUid))))
+      .slice(0, 6).map(b => b.toString(16).padStart(2, "0")).join("");
+    email = `apple_${hash}@privaterelay.appleid.com`;
+  }
+  if (!email) {
+    return c.json({ error: "Account has no email address" }, 400);
+  }
+
   const displayName = firebaseUser.name ?? email.split("@")[0];
 
   // 2. Look up existing user by firebase_uid first, then by email
@@ -241,6 +250,7 @@ async function handleFirebaseAuth(c: {
 auth.post("/firebase", (c) => handleFirebaseAuth(c));
 auth.post("/google", (c) => handleFirebaseAuth(c));
 auth.post("/github", (c) => handleFirebaseAuth(c));
+auth.post("/apple", (c) => handleFirebaseAuth(c));
 
 /**
  * POST /api/auth/dev-login — development-only passwordless login by email.
@@ -307,6 +317,7 @@ auth.get("/config", (c) => {
     emailEnabled: isDev,
     googleEnabled: !!c.env.FIREBASE_PROJECT_ID,
     githubEnabled: !!c.env.FIREBASE_PROJECT_ID,
+    appleEnabled: !!c.env.FIREBASE_PROJECT_ID,
   });
 });
 
@@ -342,4 +353,26 @@ auth.get("/me", async (c) => {
   });
 });
 
+/** DELETE /api/auth/account — permanently delete the authenticated user's account and all data */
+auth.delete("/account", async (c) => {
+  const userId = c.get("userId" as never) as string;
+  if (!userId) return c.json({ error: "Unauthorized" }, 401);
+
+  // Delete all user media from R2
+  const prefix = `${userId}/`;
+  let cursor: string | undefined;
+  do {
+    const listed = await c.env.MEDIA.list({ prefix, cursor });
+    if (listed.objects.length > 0) {
+      await Promise.all(listed.objects.map(obj => c.env.MEDIA.delete(obj.key)));
+    }
+    cursor = listed.truncated ? listed.cursor : undefined;
+  } while (cursor);
+
+  // Delete user record — all related tables use ON DELETE CASCADE
+  await c.env.DB.prepare("DELETE FROM users WHERE id = ?").bind(userId).run();
+
+  return c.json({ ok: true });
+});
+
 export { auth };

packages/api/src/utils/firebase.ts

@@ -235,7 +235,7 @@ export async function verifyAnyGoogleToken(
   const { payload: peek } = parseJwtUnverified(idToken);
 
   if (peek.iss === `${FIREBASE_TOKEN_ISSUER_PREFIX}${firebaseProjectId}`) {
-    // Standard Firebase ID token
+    // Standard Firebase ID token (from web Firebase popup)
     return verifyFirebaseIdToken(idToken, firebaseProjectId);
   }
 
@@ -244,9 +244,97 @@ export async function verifyAnyGoogleToken(
     return verifyGoogleIdToken(idToken, allowedGoogleClientIds);
   }
 
+  if (peek.iss === "https://appleid.apple.com") {
+    // Native Apple ID token (from iOS Sign in with Apple)
+    return verifyAppleIdToken(idToken, []);
+  }
+
   throw new Error(`Unrecognized token issuer: ${peek.iss}`);
 }
 
+// ---------------------------------------------------------------------------
+// Apple ID Token verification (for native iOS Sign in with Apple)
+// ---------------------------------------------------------------------------
+
+const APPLE_JWKS_URL = "https://appleid.apple.com/auth/keys";
+
+let cachedAppleKeys: JsonWebKey[] | null = null;
+let cachedAppleAt = 0;
+
+async function getApplePublicKeys(): Promise<JsonWebKey[]> {
+  const now = Date.now();
+  if (cachedAppleKeys && now - cachedAppleAt < CACHE_TTL_MS) {
+    return cachedAppleKeys;
+  }
+  const resp = await fetch(APPLE_JWKS_URL);
+  if (!resp.ok) {
+    throw new Error(`Failed to fetch Apple JWKS: ${resp.status}`);
+  }
+  const jwks = (await resp.json()) as { keys: JsonWebKey[] };
+  cachedAppleKeys = jwks.keys;
+  cachedAppleAt = now;
+  return jwks.keys;
+}
+
+export async function verifyAppleIdToken(
+  idToken: string,
+  allowedAudiences: string[],
+): Promise<FirebaseTokenPayload> {
+  const { header, payload, signatureBytes, signedContent } =
+    parseJwtUnverified(idToken);
+
+  if (header.alg !== "RS256") {
+    throw new Error(`Unsupported algorithm: ${header.alg}`);
+  }
+
+  let keys = await getApplePublicKeys();
+  let matchingKey = keys.find((k) => (k as { kid?: string }).kid === header.kid);
+  if (!matchingKey) {
+    cachedAppleKeys = null;
+    keys = await getApplePublicKeys();
+    matchingKey = keys.find((k) => (k as { kid?: string }).kid === header.kid);
+    if (!matchingKey) {
+      throw new Error(`No matching Apple key for kid: ${header.kid}`);
+    }
+  }
+
+  const key = await crypto.subtle.importKey(
+    "jwk", matchingKey,
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false, ["verify"],
+  );
+
+  const valid = await crypto.subtle.verify(
+    "RSASSA-PKCS1-v1_5", key, signatureBytes,
+    new TextEncoder().encode(signedContent),
+  );
+  if (!valid) throw new Error("Invalid Apple token signature");
+
+  const now = Math.floor(Date.now() / 1000);
+  if (payload.exp < now) throw new Error("Apple token has expired");
+  if (payload.iat > now + 300) throw new Error("Apple token issued in the future");
+
+  if (payload.iss !== "https://appleid.apple.com") {
+    throw new Error(`Invalid Apple token issuer: ${payload.iss}`);
+  }
+
+  if (allowedAudiences.length > 0 && !allowedAudiences.includes(payload.aud)) {
+    throw new Error(`Invalid Apple token audience: ${payload.aud}`);
+  }
+
+  if (!payload.sub) throw new Error("Missing subject in Apple token");
+
+  // Synthesize firebase-like fields so the rest of the auth flow works
+  if (!payload.firebase) {
+    payload.firebase = {
+      sign_in_provider: "apple.com",
+      identities: { "apple.com": [payload.sub] },
+    };
+  }
+
+  return payload;
+}
+
 // ---------------------------------------------------------------------------
 // Shared verification helpers
 // ---------------------------------------------------------------------------

packages/web/src/App.tsx

@@ -19,9 +19,11 @@ import { ChatWindow } from "./components/ChatWindow";
 import { ThreadPanel } from "./components/ThreadPanel";
 import { JobList } from "./components/JobList";
 import { LoginPage } from "./components/LoginPage";
+import { DataConsentModal } from "./components/DataConsentModal";
 import { OnboardingPage } from "./components/OnboardingPage";
 import { ConnectionSettings } from "./components/ConnectionSettings";
 import { E2ESettings } from "./components/E2ESettings";
+import { AccountSettings } from "./components/AccountSettings";
 import { DebugLogPanel } from "./components/DebugLogPanel";
 import { CronSidebar } from "./components/CronSidebar";
 import { CronDetail } from "./components/CronDetail";
@@ -65,6 +67,15 @@ export default function App() {
   const mainLayout = useDefaultLayout({ id: "botschat-main" });
   const contentLayout = useDefaultLayout({ id: "botschat-content" });
 
+  const [dataConsentGiven, setDataConsentGiven] = useState(() => {
+    return localStorage.getItem("botschat_data_consent") === "1";
+  });
+
+  const handleDataConsent = useCallback(() => {
+    setDataConsentGiven(true);
+    localStorage.setItem("botschat_data_consent", "1");
+  }, []);
+
   // Onboarding: show setup page for new users who haven't connected OpenClaw yet.
   // Once dismissed (skip or connected), we remember it for this session.
   const [onboardingDismissed, setOnboardingDismissed] = useState(() => {
@@ -850,6 +861,16 @@ export default function App() {
     );
   }
 
+  if (!dataConsentGiven) {
+    return (
+      <AppStateContext.Provider value={state}>
+        <AppDispatchContext.Provider value={dispatch}>
+          <DataConsentModal onAccept={handleDataConsent} />
+        </AppDispatchContext.Provider>
+      </AppStateContext.Provider>
+    );
+  }
+
   // Show onboarding for new users: channels have been fetched (first API call completed)
   // and none exist. This prevents flashing onboarding for returning users whose
   // channel list simply hasn't loaded yet.
@@ -1097,6 +1118,9 @@ export default function App() {
                         {state.sessionModel ?? state.defaultModel ?? "Not connected"}
                       </span>
                     </div>
+
+                    {/* Account Settings */}
+                    <AccountSettings />
                   </div>
                 )}
 

packages/web/src/api.ts

@@ -128,6 +128,7 @@ export type AuthConfig = {
   emailEnabled: boolean;
   googleEnabled: boolean;
   githubEnabled: boolean;
+  appleEnabled: boolean;
 };
 
 export const authApi = {
@@ -141,6 +142,7 @@ export const authApi = {
   firebase: (idToken: string) =>
     request<AuthResponse>("POST", "/auth/firebase", { idToken }),
   me: () => request<{ id: string; email: string; displayName: string | null; settings: UserSettings }>("GET", "/me"),
+  deleteAccount: () => request<{ ok: boolean }>("DELETE", "/auth/account"),
 };
 
 // ---- User settings ----