Skip to content

Support Sign in with Apple #3521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Nov 22, 2024
Merged

Support Sign in with Apple #3521

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2059e7b
Support Sign in with Apple
sandhose Nov 15, 2024
3f07d45
Allow setting the response_mode on upstream OAuth 2.0 providers
sandhose Nov 15, 2024
c6954ea
Support receiving parameters through a form POST
sandhose Nov 15, 2024
ffe7622
Record extra query parameters during upstream callback
sandhose Nov 18, 2024
82e76f0
Document how to set up Sign-in with Apple
sandhose Nov 18, 2024
ac70632
Pass claims as context instead of globals during attr mapping
sandhose Nov 19, 2024
04e6960
Avoid using SameSite=None by re-submitting incoming form data
sandhose Nov 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion crates/axum-utils/src/cookies.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,15 @@ impl CookieOption {
cookie.set_http_only(true);
cookie.set_secure(self.secure());
cookie.set_path(self.path().to_owned());
cookie.set_same_site(SameSite::Lax);

// The `form_post` callback requires that, as it means a 3rd party origin will
// POST to MAS. This is presumably fine, as our forms are protected with a CSRF
// token
cookie.set_same_site(if self.secure() {
SameSite::None
} else {
SameSite::Lax
});
cookie
}
}
Expand Down
3 changes: 2 additions & 1 deletion crates/handlers/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -402,7 +402,8 @@ where
)
.route(
mas_router::UpstreamOAuth2Callback::route(),
get(self::upstream_oauth2::callback::get),
get(self::upstream_oauth2::callback::handler)
.post(self::upstream_oauth2::callback::handler),
)
.route(
mas_router::UpstreamOAuth2Link::route(),
Expand Down
41 changes: 36 additions & 5 deletions crates/handlers/src/upstream_oauth2/callback.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,11 @@
use axum::{
extract::{Path, Query, State},
response::IntoResponse,
Form,
};
use hyper::StatusCode;
use mas_axum_utils::{cookies::CookieJar, sentry::SentryEventID};
use mas_data_model::UpstreamOAuthProvider;
use mas_data_model::{UpstreamOAuthProvider, UpstreamOAuthProviderResponseMode};
use mas_keystore::{Encrypter, Keystore};
use mas_oidc_client::requests::{
authorization_code::AuthorizationValidationData, jose::JwtVerificationData,
Expand All @@ -35,7 +36,7 @@ use super::{
use crate::{impl_from_error_for_route, upstream_oauth2::cache::MetadataCache};

#[derive(Deserialize)]
pub struct QueryParams {
pub struct Params {
state: String,

#[serde(flatten)]
Expand Down Expand Up @@ -91,6 +92,20 @@ pub(crate) enum RouteError {
#[error("Missing session cookie")]
MissingCookie,

#[error("Missing query parameters")]
MissingQueryParams,

#[error("Missing form parameters")]
MissingFormParams,

#[error("Ambiguous parameters: got both query and form parameters")]
AmbiguousParams,

#[error("Invalid response mode, expected '{expected}'")]
InvalidParamsMode {
expected: UpstreamOAuthProviderResponseMode,
},

#[error(transparent)]
Internal(Box<dyn std::error::Error>),
}
Expand All @@ -117,13 +132,13 @@ impl IntoResponse for RouteError {
}

#[tracing::instrument(
name = "handlers.upstream_oauth2.callback.get",
name = "handlers.upstream_oauth2.callback.handler",
fields(upstream_oauth_provider.id = %provider_id),
skip_all,
err,
)]
#[allow(clippy::too_many_lines, clippy::too_many_arguments)]
pub(crate) async fn get(
pub(crate) async fn handler(
mut rng: BoxRng,
clock: BoxClock,
State(metadata_cache): State<MetadataCache>,
Expand All @@ -134,7 +149,8 @@ pub(crate) async fn get(
State(client): State<reqwest::Client>,
cookie_jar: CookieJar,
Path(provider_id): Path<Ulid>,
Query(params): Query<QueryParams>,
query_params: Option<Query<Params>>,
form_params: Option<Form<Params>>,
) -> Result<impl IntoResponse, RouteError> {
let provider = repo
.upstream_oauth_provider()
Expand All @@ -143,6 +159,21 @@ pub(crate) async fn get(
.filter(UpstreamOAuthProvider::enabled)
.ok_or(RouteError::ProviderNotFound)?;

// Read the parameters from the query or the form, depending on what
// response_mode the provider uses
let params = match (provider.response_mode, query_params, form_params) {
(UpstreamOAuthProviderResponseMode::Query, Some(query_params), None) => query_params.0,
(UpstreamOAuthProviderResponseMode::FormPost, None, Some(form_params)) => form_params.0,
(UpstreamOAuthProviderResponseMode::Query, None, None) => {
return Err(RouteError::MissingQueryParams)
}
(UpstreamOAuthProviderResponseMode::FormPost, None, None) => {
return Err(RouteError::MissingFormParams)
}
(_, Some(_), Some(_)) => return Err(RouteError::AmbiguousParams),
(expected, _, _) => return Err(RouteError::InvalidParamsMode { expected }),
};

let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar);
let (session_id, _post_auth_action) = sessions_cookie
.find_session(provider_id, &params.state)
Expand Down