feat: response_mode is an environment variable (removes specializatio…

…n for Sign in with Apple)
activescott · Feb 1, 2021 · 3480994 · 3480994
1 parent 791e65d
commit 3480994
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -90,10 +90,11 @@ Some super helpful references to keep handy:
       - [x] redirect handler should lookup by `sub` claim not `email` claim.
       - [x] fix: session cookie is signed
     - [x] Ensures User's ID is preserved with multiple providers (multiple tokens for a single user)
-  - [ ] Make response_mode a environment variable (this removes more apple/SIWA dependency)
-  - [ ] feat: logout endpoint (clears the session)
-  - [ ] feat: extract lambda/middleware into new package (@web-app-stack/lambda-auth)
+  - [x] feat: response_mode is an environment variable (removes specialization for Sign in with Apple)
 
+- [ ] feat: profile menu w/ login/logout (see alertgenie)
+  - [ ] feat: logout endpoint (clears the session)
+- [ ] feat: extract lambda/middleware into new package (@web-app-stack/lambda-auth)
 - [ ] chore: github ci tests and protected main branch
 - [ ] feat: CSRF token middleware in all state-changing APIs:
 

diff --git a/server/src/shared/lambda/oauth/OAuth Notes.md b/server/src/shared/lambda/oauth/OAuth Notes.md
@@ -53,8 +53,9 @@ arc env staging OAUTH_GOOGLE_SCOPE 'openid https://www.googleapis.com/auth/useri
 9. **ONLY FOR Sign in with Apple**: Sign in with Apple requires generating a client secret for the OAuth/Open ID Connect Token request. In order to do so you must provide the following additional values:
 
 - `OAUTH_<PROVIDER_NAME>_APPLE_TEAM_ID`: The 10-character Team ID associated with your Apple developer account.
-- `OAUTH_<PROVIDER_NAME>_APPLE_KEY_ID` They Key ID for your Apple private key. Get it from the Apple Developer console at https://developer.apple.com/account/resources/authkeys/list selecting your key and then find the 10-digit identifier under "Key ID".
-- `OAUTH_<PROVIDER_NAME>_APPLE_PRIVATE_KEY` The private key contents you received from Apple (note this is the value inside of the file you downloaded from Apple, _not_ the file name).
+- `OAUTH_<PROVIDER_NAME>_APPLE_KEY_ID`: They Key ID for your Apple private key. Get it from the Apple Developer console at https://developer.apple.com/account/resources/authkeys/list selecting your key and then find the 10-digit identifier under "Key ID".
+- `OAUTH_<PROVIDER_NAME>_APPLE_PRIVATE_KEY`: The private key contents you received from Apple (note this is the value inside of the file you downloaded from Apple, _not_ the file name).
+- `OAUTH_<PROVIDER_NAME>_RESPONSE_MODE`: For Sign in with Apple should be set to `form_post`. If any scopes are requested then Sign in with Apple wants response_mode=form_post. See https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms and https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html .
 
 ## Known OAuth 2 Provider Endpoints
 

diff --git a/server/src/shared/lambda/oauth/OAuthProviderConfig.ts b/server/src/shared/lambda/oauth/OAuthProviderConfig.ts
@@ -61,8 +61,9 @@ export class OAuthProviderConfig {
         Config.AppleTeamID,
         Config.AppleKeyID,
         Config.ApplePrivateKey,
+        Config.ResponseMode,
       ])
-      // SIWA has a funky algorithm to generate ClientSecret, so its not longer required:
+      // SIWA has a funky algorithm to generate ClientSecret, so its not required:
       requiredConfigs.splice(requiredConfigs.indexOf(Config.ClientSecret), 1)
     }
     const missing: Array<string> = []
@@ -88,6 +89,7 @@ export enum Config {
   AppleTeamID = "OAUTH_{{PROVIDER}}_APPLE_TEAM_ID",
   AppleKeyID = "OAUTH_{{PROVIDER}}_APPLE_KEY_ID",
   ApplePrivateKey = "OAUTH_{{PROVIDER}}_APPLE_PRIVATE_KEY",
+  ResponseMode = "OAUTH_{{PROVIDER}}_RESPONSE_MODE",
 }
 
 const PROVIDER_PLACEHOLDER = "{{PROVIDER}}"
diff --git a/server/src/shared/lambda/oauth/handlers/login.ts b/server/src/shared/lambda/oauth/handlers/login.ts
@@ -63,12 +63,14 @@ export default function loginHandlerFactory(
       conf.value(Config.RedirectEndpoint)
     )
 
-    // TODO: make response_mode a environment variable
     // NOTE: If any scopes are requested then Sign in with Apple wants response_mode=form_post
-    //       https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms
-    //       https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
-    if (conf.isSignInWithApple()) {
-      authUrl.searchParams.append("response_mode", "form_post")
+    //   https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms
+    //   https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
+    if (conf.value(Config.ResponseMode)) {
+      authUrl.searchParams.append(
+        "response_mode",
+        conf.value(Config.ResponseMode)
+      )
     }
 
     let session: UserSession | null = readSessionID(req)