apple-sign-in-rest's Introduction

apple-sign-in-rest's People

Contributors

breyed, renarsvilnis, techofficer

apple-sign-in-rest's Issues

Requesting additional API failure metadata be attached to promise rejections

While using the appleSignIn.getAuthorizationToken() method I was getting the following error rejection:

Error: Authorization request failed with reason "invalid_grant" and status code "400"
    at AppleSignIn.getAuthorizationToken (/home/tlhunter/FOO/server/node_modules/apple-sign-in-rest/lib/AppleSignIn.js:114:23)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Object.handler (file:///home/tlhunter/FOO/server/lib/routes/v1/auth.mjs:279:32)

That error made it difficult to find the true issue.

I did some research and saw suggestions that the Apple server returns additional metadata in the error response. I edited the compiled code in AppleSignIn.js line 114 and threw in a console.error(err) and got the following data on the Axios request object.

    data: {
      error: 'invalid_grant',
      error_description: 'redirect_uri mismatch. The code was not issued to https://example.org/account-create-FOO/apple.'
    }

I'd like to request that the rejected promise contain the additional error_description metadata from the response object.
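One way the request above could be met, as an added example that is not code from the issue or from apple-sign-in-rest: a wrapper that copies Apple's `error` and `error_description` fields from an Axios-style rejection onto the thrown error. `AppleAuthError`, `toAppleAuthError` and the sample object are hypothetical names and constructed data.

```javascript
// Added example (not apple-sign-in-rest code). AppleAuthError and
// toAppleAuthError are hypothetical names used for illustration.
class AppleAuthError extends Error {
  constructor(message, { status, code, description, cause } = {}) {
    super(message);
    this.name = "AppleAuthError";
    this.status = status;           // HTTP status, e.g. 400
    this.code = code;               // OAuth "error" field, e.g. invalid_grant
    this.description = description; // OAuth "error_description", if present
    this.cause = cause;             // original Axios error, for server-side logs
  }
}

// Convert an Axios-style rejection into an AppleAuthError.
// Covers a JSON error body, a non-JSON body, and no response at all.
function toAppleAuthError(err) {
  const res = err && err.response;
  if (!res) {
    // Network failure or timeout: there is no status or body to report.
    const reason = err && err.message ? err.message : "no response";
    return new AppleAuthError(`Authorization request failed: ${reason}`, { cause: err });
  }
  const body = res.data !== null && typeof res.data === "object" ? res.data : {};
  const code = typeof body.error === "string" ? body.error : "unknown_error";
  const description =
    typeof body.error_description === "string" ? body.error_description : undefined;
  let message =
    `Authorization request failed with reason "${code}" and status code "${res.status}"`;
  if (description) message += `: ${description}`;
  return new AppleAuthError(message, { status: res.status, code, description, cause: err });
}

// Constructed sample mirroring the response data shown in the issue.
const sampleAxiosError = {
  message: "Request failed with status code 400",
  response: {
    status: 400,
    data: {
      error: "invalid_grant",
      error_description:
        "redirect_uri mismatch. The code was not issued to https://example.org/account-create-FOO/apple.",
    },
  },
};

console.log(toAppleAuthError(sampleAxiosError).message);
```

Log `description` server-side and return a generic failure to the client, since it echoes details of the relying party's configuration such as the redirect URI.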

Typing of scope incorrect

scope?: "name" | "email"[];

Is incorrect. You meant ("name" | "email")[] but this is also not perfect :-).

Don't be clever, just unfold it:

scope?: ["email","name"]|["name","email"]|["name"]|["email"]|[]

Insecure jsonwebtoken

This library depends on jsonwebtoken@8 which contains a security vulnerability. It should instead update to use jsonwebtoken@9.

Note that this project is no longer maintained. But it's possible to force the underlying dependency to be updated by adding this to one's package.json:

"overrides": {
  "apple-sign-in-rest": {
    "jsonwebtoken": "^9.0.0"
  }
}

Some minor typos in README.md

In step 1.

privateKeyPath: '/Users/arnold/my-project/credentials/AuthKey.p8';

Remove ;.

In step 2.

const authorizationUrl = appleSignin.getAuthorizationUrl({

The instance was declared as appleSignIn (note capital I).

redirectUrl: "http://localhost:3000/auth/apple/callback",

It's not Url it's Uri.

Support for real_user_status

Apple introduced a real_user_status which is not returned by apple-sign-in-rest. You can find more about it here.

Here's a gist of it:

real_user_status:
An Integer value that indicates whether the user appears to be a real person. Use the value of this claim to mitigate fraud. The possible values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For more information, see [ASUserDetectionStatus](https://developer.apple.com/documentation/authenticationservices/asuserdetectionstatus). This claim is present only on iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14 and later; the claim isn't present or supported for web-based apps.

Will push a PR regarding this.
