Merge pull request #996 from firebase/rosalyntan.nonce

rosalyntan · web-flow · commit 91da16acb117 · 2021-07-28T18:48:13.000-04:00
Attach a nonce to Sign in with Apple requests.
diff --git a/FirebaseAuthUI/FirebaseAuthUITests/FUIAuthTest.m b/FirebaseAuthUI/FirebaseAuthUITests/FUIAuthTest.m
@@ -152,4 +152,13 @@ - (void)testUseEmulatorSetsFIRAuthEmulator {
   OCMVerify([mockAuth useEmulatorWithHost:@"host" port:12345]);
 }
 
+- (void)testStringBySHA256HashingString {
+  NSString *inputString = @"abc-123.ZYX_987";
+  NSString *expectedSHA256HashedString = @"d858d78754a50c8ccdc414946f656fe854e6ba76bf09a79a7e7d9ca135e4b58d";
+
+  NSString *actualSHA256HashedString = [FUIAuthUtils stringBySHA256HashingString:inputString];
+
+  XCTAssertEqualObjects(actualSHA256HashedString, expectedSHA256HashedString);
+}
+
 @end
diff --git a/FirebaseAuthUI/Sources/FUIAuthUtils.m b/FirebaseAuthUI/Sources/FUIAuthUtils.m
@@ -16,6 +16,8 @@
 
 #import "FirebaseAuthUI/Sources/Public/FirebaseAuthUI/FUIAuthUtils.h"
 
+#import <CommonCrypto/CommonCrypto.h>
+
 #if SWIFT_PACKAGE
 NSString *const FUIAuthBundleName = @"FirebaseUI_FirebaseAuthUI";
 #else
@@ -74,4 +76,51 @@ + (nullable UIImage *)imageNamed:(NSString *)name fromBundle:(nullable NSBundle
   }
 }
 
++ (NSString *)randomNonce {
+  // Adapted from https://auth0.com/docs/api-auth/tutorials/nonce#generate-a-cryptographically-random-nonce
+  NSString *characterSet = @"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._";
+  NSMutableString *result = [NSMutableString string];
+  NSInteger remainingLength = 32;
+
+  while (remainingLength > 0) {
+    NSMutableArray *randoms = [NSMutableArray arrayWithCapacity:16];
+    for (NSInteger i = 0; i < 16; i++) {
+      uint8_t random = 0;
+      int errorCode = SecRandomCopyBytes(kSecRandomDefault, 1, &random);
+      if (errorCode != errSecSuccess) {
+        [NSException raise:@"FUIAuthGenerateRandomNonce"
+                    format:@"Unable to generate nonce: OSStatus %i", errorCode];
+      }
+
+      [randoms addObject:@(random)];
+    }
+
+    for (NSNumber *random in randoms) {
+      if (remainingLength == 0) {
+        break;
+      }
+
+      if (random.unsignedIntValue < characterSet.length) {
+        unichar character = [characterSet characterAtIndex:random.unsignedIntValue];
+        [result appendFormat:@"%C", character];
+        remainingLength--;
+      }
+    }
+  }
+
+  return result;
+}
+
++ (NSString *)stringBySHA256HashingString:(NSString *)input {
+  const char *string = [input UTF8String];
+  unsigned char result[CC_SHA256_DIGEST_LENGTH];
+  CC_SHA256(string, (CC_LONG)strlen(string), result);
+
+  NSMutableString *hashed = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
+  for (NSInteger i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
+    [hashed appendFormat:@"%02x", result[i]];
+  }
+  return hashed;
+}
+
 @end
diff --git a/FirebaseAuthUI/Sources/Public/FirebaseAuthUI/FUIAuthUtils.h b/FirebaseAuthUI/Sources/Public/FirebaseAuthUI/FUIAuthUtils.h
@@ -47,6 +47,17 @@ extern NSString *const FUIAuthBundleName;
  */
 + (nullable UIImage *)imageNamed:(NSString *)name fromBundle:(nullable NSBundle *)bundle;
 
+/** @fn randomNonce
+    @brief Generates a random 32-character nonce.
+ */
++ (NSString *)randomNonce;
+
+/** @fn stringBySHA256HashingString:
+    @brief Generates the SHA-256 hash of the input string.
+    @param input The input string to be hashed.
+ */
++ (NSString *)stringBySHA256HashingString:(NSString *)input;
+
 @end
 
 NS_ASSUME_NONNULL_END
diff --git a/FirebaseOAuthUI/Sources/FUIOAuth.m b/FirebaseOAuthUI/Sources/FUIOAuth.m
@@ -99,6 +99,8 @@ @interface FUIOAuth () <ASAuthorizationControllerDelegate, ASAuthorizationContro
  */
 @property(nonatomic, copy, nullable) NSString *loginHintKey;
 
+@property(nonatomic, copy, nullable) NSString *currentNonce;
+
 /** @property provider
     @brief The OAuth provider that does the actual sign in.
  */
@@ -292,8 +294,11 @@ - (void)signInWithDefaultValue:(nullable NSString *)defaultValue
 
   if ([self.providerID isEqualToString:@"apple.com"] && !self.authUI.isEmulatorEnabled) {
     if (@available(iOS 13.0, *)) {
+      NSString *nonce = [FUIAuthUtils randomNonce];
+      self.currentNonce = nonce;
       ASAuthorizationAppleIDRequest *request = [[[ASAuthorizationAppleIDProvider alloc] init] createRequest];
       request.requestedScopes = @[ASAuthorizationScopeFullName, ASAuthorizationScopeEmail];
+      request.nonce = [FUIAuthUtils stringBySHA256HashingString:nonce];
       ASAuthorizationController* controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
       controller.delegate = self;
       controller.presentationContextProvider = self;
@@ -368,9 +373,10 @@ - (void)authorizationController:(ASAuthorizationController *)controller didCompl
     _providerSignInCompletion(nil, nil, nil, nil);
   }
   NSString *idToken = [[NSString alloc] initWithData:appleIDCredential.identityToken encoding:NSUTF8StringEncoding];
+  NSString *rawNonce = self.currentNonce;
   FIROAuthCredential *credential = [FIROAuthProvider credentialWithProviderID:@"apple.com"
                                                                       IDToken:idToken
-                                                                  accessToken:nil];
+                                                                     rawNonce:rawNonce];
   FIRAuthResultCallback result;
   NSPersonNameComponents *nameComponents = appleIDCredential.fullName;
   if (nameComponents != nil) {
