20 changes: 10 additions & 10 deletions src/Apple/Provider.php
Expand Up @@ -59,12 +59,12 @@ class Provider extends AbstractProvider
*/
protected function getAuthUrl($state): string
{
return $this->buildAuthUrlFromBase(self::URL.'/auth/authorize', $state);
return $this->buildAuthUrlFromBase(self::URL . '/auth/authorize', $state);
}

protected function getTokenUrl(): string
{
return self::URL.'/auth/token';
return self::URL . '/auth/token';
}

/**
Expand All @@ -82,7 +82,7 @@ protected function getCodeFields($state = null)

if ($this->usesState()) {
$fields['state'] = $state;
$fields['nonce'] = Str::uuid().'.'.$state;
$fields['nonce'] = Str::uuid() . '.' . $state;
}

return array_merge($fields, $this->parameters);
Expand All @@ -94,7 +94,7 @@ protected function getCodeFields($state = null)
public function getAccessTokenResponse($code)
{
$response = $this->getHttpClient()->post($this->getTokenUrl(), [
RequestOptions::HEADERS => ['Authorization' => 'Basic '.base64_encode($this->clientId.':'.$this->getClientSecret())],
RequestOptions::HEADERS => ['Authorization' => 'Basic ' . base64_encode($this->clientId . ':' . $this->getClientSecret())],
RequestOptions::FORM_PARAMS => $this->getTokenFields($code),
]);

Expand Down Expand Up @@ -182,7 +182,7 @@ public function checkToken($jwt)
$token = $this->getJwtConfig()->parser()->parse($jwt);

$data = Cache::remember('socialite:Apple-JWKSet', 5 * 60, function () {
$response = (new Client)->get(self::URL.'/auth/keys');
$response = (new Client)->get(self::URL . '/auth/keys');

return json_decode((string) $response->getBody(), true);
});
Expand All @@ -196,7 +196,7 @@ public function checkToken($jwt)
new SignedWith(new Sha256, AppleSignerInMemory::plainText($publicKey['key'])),
new IssuedBy(self::URL),
// fix for #1354
new LooseValidAt(SystemClock::fromSystemTimezone(), new DateInterval('PT3S')),
new LooseValidAt(SystemClock::fromSystemTimezone(), new DateInterval($this->getConfig('jwt_issued_time_leeway', 'PT3S'))),
];

try {
Expand Down Expand Up @@ -278,8 +278,8 @@ protected function mapUserToObject(array $user)
$user['name'] = $userRequest['name'];
$fullName = trim(
($user['name']['firstName'] ?? '')
.' '
.($user['name']['lastName'] ?? '')
. ' '
. ($user['name']['lastName'] ?? '')
);
}

Expand Down Expand Up @@ -314,7 +314,7 @@ private function getUserRequest(): array
*/
protected function getRevokeUrl(): string
{
return self::URL.'/auth/revoke';
return self::URL . '/auth/revoke';
}

/**
Expand Down Expand Up @@ -365,6 +365,6 @@ public function refreshToken($refreshToken): ResponseInterface
*/
public static function additionalConfigKeys()
{
return ['private_key', 'passphrase', 'signer'];
return ['private_key', 'passphrase', 'signer', 'jwt_issued_time_leeway'];
}
}
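Review bot: In `checkToken`, the new `jwt_issued_time_leeway` value goes straight into `new DateInterval(...)` with no validation or upper bound. `LooseValidAt` applies the same leeway to the expiry check as to the issued-at and not-before checks, so a generous setting (the README offers `PT1M` as an example) also keeps expired identity tokens acceptable for that long. The interval is built while the constraint list is assembled, before the `try {` that follows, so a malformed duration string would raise from `DateInterval` on every login instead of surfacing as the invalid-token error shown in the README. I would parse the value ahead of the list, fall back to `PT3S` when it does not parse, and consider rejecting anything above a small cap. The body of `checkToken` starts and ends outside the hunk, so what the `try` catches is not visible here.

```php
// … unchanged: token parsing and JWK set lookup …
try {
    $leeway = new DateInterval((string) $this->getConfig('jwt_issued_time_leeway', 'PT3S'));
} catch (\Exception $e) {
    // Malformed duration in config: fail back to the tighter documented default.
    $leeway = new DateInterval('PT3S');
}
// The leeway widens the iat/nbf checks and the exp check alike; keep it to a few seconds.
// … unchanged: SignedWith and IssuedBy constraints …
    new LooseValidAt(SystemClock::fromSystemTimezone(), $leeway),
```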
16 changes: 15 additions & 1 deletion src/Apple/README.md
Expand Up @@ -34,7 +34,9 @@ Add lines to the configuration as follows:
'private_key' => env('APPLE_PRIVATE_KEY'), // Required. Must be absolute path, e.g. /var/www/cert/AuthKey_XYZ.p8
'passphrase' => env('APPLE_PASSPHRASE'), // Optional. Set if your private key have a passphrase.
'signer' => env('APPLE_SIGNER'), // Optional. Signer used for Configuration::forSymmetricSigner(). Default: \Lcobucci\JWT\Signer\Ecdsa\Sha256
'redirect' => env('APPLE_REDIRECT_URI') // Required.
'redirect' => env('APPLE_REDIRECT_URI'), // Required.

'jwt_issued_time_leeway' => env('APPLE_JWT_ISSUED_TIME_LEEWAY'), // Optional. Set this to add a leeway to your JWT issued_time value. See section below
],
```

Expand Down Expand Up @@ -86,6 +88,18 @@ return Socialite::driver('apple')->redirect();
- ``name``
- ``email``

### Known Issues

#### JWT Issued_at
Sometimes the plugin may throw an exception due to a mismatch in time - See #1354. Use `config('services.apple.jwt_issued_time_leeway')` to 'rewind' the time. Default value is 3 seconds (PT3S).

Examples of possible values are PT3S -> 3 seconds, PT1M -> 1 Minute etc ...

The thrown exception may look like this:
```
[object] (Laravel\\Socialite\\Two\\InvalidStateException(code: 0): The token violates some mandatory constraints, details: - The token was issued in the future at /vendor/socialiteproviders/apple/Provider.php:207) [stacktrace]
```

### Reference

- [Apple API Reference](https://developer.apple.com/documentation/signinwithapplerestapi/)