Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
passport-apple
Advanced tools
Passport strategy for the new Sign in with Apple feature, now with fetching profile information ✅!
⚠️ Important note: Apple will only provide you with the name and email ONCE which is when the user taps "Sign in with Apple" on your app the first time. Keep in mind that you have to store this in your database at this time! For every login after that, Apple will provide you with a unique ID that you can use to lookup the username in your database.
Live on https://passport-apple.ananay.dev
Example repo: https://github.com/ananay/passport-apple-example
Install the package via npm / yarn:
npm install --save passport-apple
You will also need to install & configure body-parser
if using Express:
npm install --save body-parser
const bodyParser = require("body-parser");
app.use(bodyParser.urlencoded({ extended: true }));
Next, you need to configure your Apple Developer Account with Sign in with Apple.
Steps for that are given here: https://github.com/ananay/apple-auth/blob/master/SETUP.md
Initialize the strategy as follows:
const AppleStrategy = require('passport-apple');
passport.use(new AppleStrategy({
clientID: "",
teamID: "",
callbackURL: "",
keyID: "",
privateKeyLocation: "",
passReqToCallback: true
}, function(req, accessToken, refreshToken, idToken, profile, cb) {
// The idToken returned is encoded. You can use the jsonwebtoken library via jwt.decode(idToken)
// to access the properties of the decoded idToken properties which contains the user's
// identity information.
// Here, check if the idToken.sub exists in your database!
// idToken should contains email too if user authorized it but will not contain the name
// `profile` parameter is REQUIRED for the sake of passport implementation
// it should be profile in the future but apple hasn't implemented passing data
// in access token yet https://developer.apple.com/documentation/sign_in_with_apple/tokenresponse
cb(null, idToken);
}));
Add the login route:
app.get("/login", passport.authenticate('apple'));
Finally, add the callback route and handle the response:
app.post("/auth", function(req, res, next) {
passport.authenticate('apple', function(err, user, info) {
if (err) {
if (err == "AuthorizationError") {
res.send("Oops! Looks like you didn't allow the app to proceed. Please sign in again! <br /> \
<a href=\"/login\">Sign in with Apple</a>");
} else if (err == "TokenError") {
res.send("Oops! Couldn't get a valid token from Apple's servers! <br /> \
<a href=\"/login\">Sign in with Apple</a>");
}
} else {
res.json(user);
}
})(req, res, next);
});
Check out my other sign in with Apple Repos here.
apple-auth
:
https://github.com/ananay/apple-auth
https://npmjs.com/package/apple-auth
apple-auth
and passport-apple
?apple-auth
is a standalone library for Sign in with Apple. It does not require you to use Passport.js where as passport-apple is used with Passport.js.
This repository is NOT developed, endorsed by Apple Inc. or even related at all to Apple Inc. This library was implemented solely by the community's hardwork, and based on information that is public on Apple Developer's website. The library merely acts as a helper tool for anyone trying to implement Apple's Sign in with Apple.
@nicokaiser/passport-apple
is a fork of passport-apple
that was made when passport-apple
couldn't support fetching profile information. passport-apple
now supports fetching profile information as well by using a simpler workaround (shoutout to @MotazAbuElnasr for this!) instead of rewriting all of passport-oauth2
.
Feel free to open issues and pull requests. If you would like to be one of the core creators of this library, please reach out to me at i@ananayarora.com or message me on twitter @ananayarora!
FAQs
Passport strategy for Sign in with Apple
We found that passport-apple demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.