{"version":3,"sources":["../../../src/oauth2/provider/apple.ts"],"sourcesContent":["import { invariant } from '@shware/utils';\nimport { OAuth2Error } from '../error';\nimport type { LoginOAuth2NativeParams, NativeCredential, OAuth2Token, Provider } from '../types';\nimport { createAuthorizationUri, exchangeAuthorizationCode, verifyIdToken } from './common';\n\n// ref: https://account.apple.com/.well-known/openid-configuration\nexport function createAppleProvider(): Provider {\n  return {\n    // important notice: response_mode=form_post is required for apple\n    authorizationUri: 'https://appleid.apple.com/auth/authorize?response_mode=form_post',\n    tokenUri: 'https://appleid.apple.com/auth/token',\n    jwkSetUri: 'https://appleid.apple.com/auth/keys',\n    userNameAttribute: 'sub',\n    defaultScope: ['openid', 'name', 'email'],\n    createAuthorizationUri({ pkce: _, ...params }) {\n      return createAuthorizationUri({\n        ...params,\n        scope: params.scope ?? this.defaultScope,\n        authorizationUri: this.authorizationUri,\n      });\n    },\n    async exchangeAuthorizationCode({ pkce: _, ...params }) {\n      const response = await exchangeAuthorizationCode({ ...params, tokenUri: this.tokenUri });\n      if (!response.ok) {\n        const { error } = (await response.json()) as AppleErrorResponse;\n        throw new OAuth2Error(response.status, error);\n      }\n      return (await response.json()) as AppleToken;\n    },\n    async getUserInfo({ id_token }) {\n      invariant(id_token, 'id_token is required');\n      invariant(this.jwkSetUri, 'jwkSetUri is required');\n      const data = await verifyIdToken<AppleUserInfo>(id_token, this.jwkSetUri);\n      return {\n        data,\n        claims: {\n          sub: data.sub,\n          name: data.name,\n          email: data.email,\n          email_verified: true,\n          picture: data.picture,\n          given_name: data.user?.name.firstName,\n          family_name: 
data.user?.name.lastName,\n        },\n      };\n    },\n    async loginOAuth2Native({ pkce: _, credentials, ...params }: LoginOAuth2NativeParams) {\n      invariant(credentials.code, 'code is required');\n      const { tokenUri } = this;\n      const { code } = credentials;\n      const response = await exchangeAuthorizationCode({ code, tokenUri, ...params });\n      if (!response.ok) {\n        const { error } = (await response.json()) as AppleErrorResponse;\n        throw new OAuth2Error(response.status, error);\n      }\n      const token = (await response.json()) as AppleToken;\n      const userInfo = await this.getUserInfo(token);\n      return { token, userInfo };\n    },\n  };\n}\n\nexport const apple = createAppleProvider();\n\n// https://developer.apple.com/documentation/sign_in_with_apple/authenticating-users-with-sign-in-with-apple\nexport interface AppleUserInfo {\n  sub: string;\n  email: string;\n  email_verified: true | 'true';\n  is_private_email: boolean;\n  real_user_status: number;\n  name: string;\n  picture: string;\n  user?: {\n    name: { firstName: string; lastName: string };\n    email: string;\n  };\n  nonce?: string;\n  nonce_supported?: boolean;\n}\n\n// https://developer.apple.com/documentation/devicemanagement/implementing-the-oauth2-authentication-user-enrollment-flow\n// https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens\nexport interface AppleToken extends OAuth2Token {\n  access_token: string;\n  token_type: string;\n  expires_in: number;\n  refresh_token: string;\n  id_token: string;\n}\n\nexport interface AppleNativeCredential extends NativeCredential {\n  state: string;\n  code: string;\n  id_token: string;\n  // non-standard fields\n  user: string;\n  email?: string;\n}\n\n// https://developer.apple.com/documentation/sign_in_with_apple/errorresponse\nexport interface AppleErrorResponse {\n  error:\n    | 'invalid_request'\n    | 'invalid_client'\n    | 'invalid_grant'\n    | 
'unauthorized_client'\n    | 'unsupported_grant_type'\n    | 'invalid_scope';\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAA0B;AAC1B,mBAA4B;AAE5B,oBAAiF;AAG1E,SAAS,sBAAgC;AAC9C,SAAO;AAAA;AAAA,IAEL,kBAAkB;AAAA,IAClB,UAAU;AAAA,IACV,WAAW;AAAA,IACX,mBAAmB;AAAA,IACnB,cAAc,CAAC,UAAU,QAAQ,OAAO;AAAA,IACxC,uBAAuB,EAAE,MAAM,GAAG,GAAG,OAAO,GAAG;AAC7C,iBAAO,sCAAuB;AAAA,QAC5B,GAAG;AAAA,QACH,OAAO,OAAO,SAAS,KAAK;AAAA,QAC5B,kBAAkB,KAAK;AAAA,MACzB,CAAC;AAAA,IACH;AAAA,IACA,MAAM,0BAA0B,EAAE,MAAM,GAAG,GAAG,OAAO,GAAG;AACtD,YAAM,WAAW,UAAM,yCAA0B,EAAE,GAAG,QAAQ,UAAU,KAAK,SAAS,CAAC;AACvF,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,EAAE,MAAM,IAAK,MAAM,SAAS,KAAK;AACvC,cAAM,IAAI,yBAAY,SAAS,QAAQ,KAAK;AAAA,MAC9C;AACA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B;AAAA,IACA,MAAM,YAAY,EAAE,SAAS,GAAG;AAC9B,kCAAU,UAAU,sBAAsB;AAC1C,kCAAU,KAAK,WAAW,uBAAuB;AACjD,YAAM,OAAO,UAAM,6BAA6B,UAAU,KAAK,SAAS;AACxE,aAAO;AAAA,QACL;AAAA,QACA,QAAQ;AAAA,UACN,KAAK,KAAK;AAAA,UACV,MAAM,KAAK;AAAA,UACX,OAAO,KAAK;AAAA,UACZ,gBAAgB;AAAA,UAChB,SAAS,KAAK;AAAA,UACd,YAAY,KAAK,MAAM,KAAK;AAAA,UAC5B,aAAa,KAAK,MAAM,KAAK;AAAA,QAC/B;AAAA,MACF;AAAA,IACF;AAAA,IACA,MAAM,kBAAkB,EAAE,MAAM,GAAG,aAAa,GAAG,OAAO,GAA4B;AACpF,kCAAU,YAAY,MAAM,kBAAkB;AAC9C,YAAM,EAAE,SAAS,IAAI;AACrB,YAAM,EAAE,KAAK,IAAI;AACjB,YAAM,WAAW,UAAM,yCAA0B,EAAE,MAAM,UAAU,GAAG,OAAO,CAAC;AAC9E,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,EAAE,MAAM,IAAK,MAAM,SAAS,KAAK;AACvC,cAAM,IAAI,yBAAY,SAAS,QAAQ,KAAK;AAAA,MAC9C;AACA,YAAM,QAAS,MAAM,SAAS,KAAK;AACnC,YAAM,WAAW,MAAM,KAAK,YAAY,KAAK;AAC7C,aAAO,EAAE,OAAO,SAAS;AAAA,IAC3B;AAAA,EACF;AACF;AAEO,IAAM,QAAQ,oBAAoB;","names":[]}