Attach a nonce to Sign in with Apple requests.

Author: rosalyntan

FirebaseAuthUI/Sources/FUIAuthUtils.m

@@ -16,6 +16,8 @@
 
 #import "FirebaseAuthUI/Sources/Public/FirebaseAuthUI/FUIAuthUtils.h"
 
+#import <CommonCrypto/CommonCrypto.h>
+
 #if SWIFT_PACKAGE
 NSString *const FUIAuthBundleName = @"FirebaseUI_FirebaseAuthUI";
 #else
@@ -74,4 +76,47 @@ + (nullable UIImage *)imageNamed:(NSString *)name fromBundle:(nullable NSBundle
   }
 }
 
++ (NSString *)randomNonce {
+  NSString *characterSet = @"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._";
+  NSMutableString *result = [NSMutableString string];
+  NSInteger remainingLength = 32;
+
+  while (remainingLength > 0) {
+    NSMutableArray *randoms = [NSMutableArray arrayWithCapacity:16];
+    for (NSInteger i = 0; i < 16; i++) {
+      uint8_t random = 0;
+      int errorCode = SecRandomCopyBytes(kSecRandomDefault, 1, &random);
+      NSAssert(errorCode == errSecSuccess, @"Unable to generate nonce: OSStatus %i", errorCode);
+
+      [randoms addObject:@(random)];
+    }
+
+    for (NSNumber *random in randoms) {
+      if (remainingLength == 0) {
+        break;
+      }
+
+      if (random.unsignedIntValue < characterSet.length) {
+        unichar character = [characterSet characterAtIndex:random.unsignedIntValue];
+        [result appendFormat:@"%C", character];
+        remainingLength--;
+      }
+    }
+  }
+
+  return result;
+}
+
++ (NSString *)stringBySha256HashingString:(NSString *)input {
+  const char *string = [input UTF8String];
+  unsigned char result[CC_SHA256_DIGEST_LENGTH];
+  CC_SHA256(string, (CC_LONG)strlen(string), result);
+
+  NSMutableString *hashed = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
+  for (NSInteger i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
+    [hashed appendFormat:@"%02x", result[i]];
+  }
+  return hashed;
+}
+
 @end

FirebaseAuthUI/Sources/Public/FirebaseAuthUI/FUIAuthUtils.h

@@ -47,6 +47,17 @@ extern NSString *const FUIAuthBundleName;
  */
 + (nullable UIImage *)imageNamed:(NSString *)name fromBundle:(nullable NSBundle *)bundle;
 
+/** @fn randomNonce
+    @brief Generates a random 32-character nonce.
+ */
++ (NSString *)randomNonce;
+
+/** @fn stringBySha256HashingString:
+    @brief Generates the SHA-256 hash of the input string.
+    @param input The input string to be hashed.
+ */
++ (NSString *)stringBySha256HashingString:(NSString *)input;
+
 @end
 
 NS_ASSUME_NONNULL_END

FirebaseOAuthUI/Sources/FUIOAuth.m

@@ -99,6 +99,8 @@ @interface FUIOAuth () <ASAuthorizationControllerDelegate, ASAuthorizationContro
  */
 @property(nonatomic, copy, nullable) NSString *loginHintKey;
 
+@property(nonatomic, copy, nullable) NSString *currentNonce;
+
 /** @property provider
     @brief The OAuth provider that does the actual sign in.
  */
@@ -292,8 +294,11 @@ - (void)signInWithDefaultValue:(nullable NSString *)defaultValue
 
   if ([self.providerID isEqualToString:@"apple.com"] && !self.authUI.isEmulatorEnabled) {
     if (@available(iOS 13.0, *)) {
+      NSString *nonce = [FUIAuthUtils randomNonce];
+      self.currentNonce = nonce;
       ASAuthorizationAppleIDRequest *request = [[[ASAuthorizationAppleIDProvider alloc] init] createRequest];
       request.requestedScopes = @[ASAuthorizationScopeFullName, ASAuthorizationScopeEmail];
+      request.nonce = [FUIAuthUtils stringBySha256HashingString:nonce];
       ASAuthorizationController* controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
       controller.delegate = self;
       controller.presentationContextProvider = self;
@@ -368,9 +373,10 @@ - (void)authorizationController:(ASAuthorizationController *)controller didCompl
     _providerSignInCompletion(nil, nil, nil, nil);
   }
   NSString *idToken = [[NSString alloc] initWithData:appleIDCredential.identityToken encoding:NSUTF8StringEncoding];
+  NSString *rawNonce = self.currentNonce;
   FIROAuthCredential *credential = [FIROAuthProvider credentialWithProviderID:@"apple.com"
                                                                       IDToken:idToken
-                                                                  accessToken:nil];
+                                                                     rawNonce:rawNonce];
   FIRAuthResultCallback result;
   NSPersonNameComponents *nameComponents = appleIDCredential.fullName;
   if (nameComponents != nil) {