UNPKG

verify-apple-id-token

Version:

Verify the Apple id token on the server side.

github.com/stefan-prokop-cz/verify-apple-id-token

stefan-prokop-cz/verify-apple-id-token

118 lines 6.39 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
"use strict"; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; var __generator = (this && this.__generator) || function (thisArg, body) { var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g; return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g; function verb(n) { return function (v) { return step([n, v]); }; } function step(op) { if (f) throw new TypeError("Generator is already executing."); while (g && (g = 0, op[0] && (_ = 0)), _) try { if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t; if (y = 0, t) op = [op[0] & 2, t.value]; switch (op[0]) { case 0: case 1: t = op; break; case 4: _.label++; return { value: op[1], done: false }; case 5: _.label++; y = op[1]; op = [0]; continue; case 7: op = _.ops.pop(); _.trys.pop(); continue; default: if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; } if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; } if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; } if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; } if (t[2]) _.ops.pop(); _.trys.pop(); continue; } op = body.call(thisArg, _); } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; } if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true }; } }; Object.defineProperty(exports, "__esModule", { value: true }); exports.verifyToken = exports.getApplePublicKey = exports.getAppleJWK = exports.JWKS_APPLE_URI = exports.APPLE_BASE_URL = void 0; var jwt = require("jsonwebtoken"); var jwksClient = require("jwks-rsa"); exports.APPLE_BASE_URL = "https://appleid.apple.com"; exports.JWKS_APPLE_URI = "/auth/keys"; var getAppleJWK = function (kid) { return __awaiter(void 0, void 0, void 0, function () { var client, key; return __generator(this, function (_a) { switch (_a.label) { case 0: client = jwksClient({ cache: true, jwksUri: "".concat(exports.APPLE_BASE_URL).concat(exports.JWKS_APPLE_URI), }); return [4 /*yield*/, new Promise(function (resolve, reject) { client.getSigningKey(kid, function (error, result) { if (error) { return reject(error); } return resolve(result); }); })]; case 1: key = _a.sent(); return [2 /*return*/, { publicKey: key.getPublicKey(), kid: key.kid, alg: key.alg, }]; } }); }); }; exports.getAppleJWK = getAppleJWK; var getApplePublicKey = function (kid) { return __awaiter(void 0, void 0, void 0, function () { var jwk; return __generator(this, function (_a) { switch (_a.label) { case 0: return [4 /*yield*/, (0, exports.getAppleJWK)(kid)]; case 1: jwk = _a.sent(); return [2 /*return*/, jwk.publicKey]; } }); }); }; exports.getApplePublicKey = getApplePublicKey; var verifyToken = function (params) { return __awaiter(void 0, void 0, void 0, function () { var decoded, _a, kid, jwtAlg, _b, publicKey, jwkAlg, jwtClaims, isFounded; return __generator(this, function (_c) { switch (_c.label) { case 0: decoded = jwt.decode(params.idToken, { complete: true }); _a = decoded.header, kid = _a.kid, jwtAlg = _a.alg; return [4 /*yield*/, (0, exports.getAppleJWK)(kid)]; case 1: _b = _c.sent(), publicKey = _b.publicKey, jwkAlg = _b.alg; if (jwtAlg !== jwkAlg) { throw new Error("The alg does not match the jwk configuration - alg: ".concat(jwtAlg, " | expected: ").concat(jwkAlg)); } jwtClaims = jwt.verify(params.idToken, publicKey, { algorithms: [jwkAlg], nonce: params.nonce, }); if ((jwtClaims === null || jwtClaims === void 0 ? void 0 : jwtClaims.iss) !== exports.APPLE_BASE_URL) { throw new Error("The iss does not match the Apple URL - iss: ".concat(jwtClaims.iss, " | expected: ").concat(exports.APPLE_BASE_URL)); } isFounded = [].concat(jwtClaims.aud).some(function (aud) { return [].concat(params.clientId).includes(aud); }); if (isFounded) { ["email_verified", "is_private_email"].forEach(function (field) { if (jwtClaims[field] !== undefined) { jwtClaims[field] = Boolean(jwtClaims[field]); } }); return [2 /*return*/, jwtClaims]; } throw new Error("The aud parameter does not include this client - is: ".concat(jwtClaims.aud, " | expected: ").concat(params.clientId)); } }); }); }; exports.verifyToken = verifyToken; //# sourceMappingURL=verifyAppleIdToken.js.map