
Verification of incoming token

Open marcesengel opened this issue 1 year ago • 4 comments

Hi,

First of all, thanks a lot for the work on this package! Looking through the README, I was wondering if jwt.decode(idToken) is actually the right thing to do, or if it'd make sense to also verify the incoming token? For now I'm verifying them; is this redundant? I'm not aware of the exact auth flow. Thanks in advance!

Best regards

marcesengel avatar Jul 15 '23 12:07 marcesengel

Verification is great - and in fact recommended. I feel this should be part of the repo itself, where it does that step just to ensure it's not a replay attack or the token hasn't been tampered with. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user

ananay avatar Jul 15 '23 19:07 ananay

@ananay thanks for the response! I've actually implemented getting the public keys from the api endpoint, caching them etc. - would you like me to share a gist so you might be able to copy & paste it?

I'd suggest saying so in the docs instead of suggesting jwt.decode(...), what do you think? 🤔

marcesengel avatar Jul 19 '23 17:07 marcesengel

@marcesengel Thanks! Please feel free to share a gist or make a pull request with the code added! :D

ananay avatar Jul 19 '23 18:07 ananay

@ananay sorry for the delay, I've prepared a gist: https://gist.github.com/marcesengel/f14ea18b850d87e89b2a51e6d74b29b6

Feel free to reach out if you'd like to discuss anything, maybe in the comments of the gist?

marcesengel avatar Jul 21 '23 17:07 marcesengel