fix: use appId as clientid in upgrade

annahassel · annahassel · commit bd3415b53b55 · 2022-06-17T11:20:19.000+03:00
diff --git a/schemas/config.json b/schemas/config.json
@@ -464,6 +464,10 @@
               "retryOnMissingPermissions": {
                 "type": "boolean"
               },
+              "appId": {
+                "type": "string",
+                "minLength": 1
+              },
               "clientId": {
                 "type": "string",
                 "minLength": 1
diff --git a/src/auth/oauth/hapi.js b/src/auth/oauth/hapi.js
@@ -1,6 +1,6 @@
 const is = require('is');
 const { strict: assert } = require('assert');
-const defaults = require('lodash/defaults');
+const { defaults, omit } = require('lodash');
 const { providers: Providers } = require('@hapi/bell');
 const strategies = require('./providers');
 
@@ -83,7 +83,7 @@ module.exports = function OauthHandler(server, config) {
     const settings = name === 'apple' ? defaultOptions(options, server) : { provider, ...rest };
 
     // init strategy
-    server.auth.strategy(name, 'bell', settings);
+    server.auth.strategy(name, 'bell', omit(settings, 'appId'));
 
     // https://github.com/hapijs/bell/blob/master/lib/index.js#L125-L135
     // repeats the code from here to get another settings object and reuse it
diff --git a/src/auth/oauth/strategies/apple.js b/src/auth/oauth/strategies/apple.js
@@ -92,12 +92,12 @@ async function getProfile(providerSettings, tokenResponse, query) {
 }
 
 async function validateGrantCode(providerSettings, code, redirectUrl) {
-  const { provider, clientId, clientSecret } = providerSettings;
+  const { provider, appId, clientSecret } = providerSettings;
   const response = await httpRequest.post(provider.token, {
     form: {
       code,
-      client_id: clientId,
-      client_secret: clientSecret(),
+      client_id: appId,
+      client_secret: clientSecret(appId),
       grant_type: 'authorization_code',
       redirect_uri: redirectUrl,
     },
@@ -109,6 +109,7 @@ async function validateGrantCode(providerSettings, code, redirectUrl) {
 
 function getProvider(options, server) {
   const {
+    appId,
     clientId,
     teamId,
     keyId,
@@ -122,11 +123,12 @@ function getProvider(options, server) {
   server.ext('onRequest', fixAppleCallbackForBell);
 
   return {
+    appId,
     password,
     clientId,
     isSameSite,
     cookie,
-    clientSecret: () => getSecretKey(teamId, clientId, keyId, privateKey),
+    clientSecret: (cid) => getSecretKey(teamId, cid || clientId, keyId, privateKey),
     forceHttps: true,
     providerParams: {
       response_mode: 'form_post',
diff --git a/src/configs/oauth.js b/src/configs/oauth.js
@@ -46,6 +46,9 @@ exports.oauth = {
     },
     apple: {
       enabled: false,
+      // used in /oauth/upgrade action as client ID
+      // for upgrade auth code from iOS app
+      appId: 'com.test.app',
       clientId: 'com.test.service', // service id from apple
       clientSecret: 'just-for-validation', // not used
       teamId: 'TEAM_ID',
diff --git a/test/suites/actions/oauth/upgrade.apple.js b/test/suites/actions/oauth/upgrade.apple.js
@@ -3,7 +3,7 @@ const request = require('request-promise');
 const Users = require('../../../../src');
 
 // @TODO stub
-describe.skip('oauth.upgrade action', function suite() {
+describe('oauth.upgrade action', function suite() {
   const service = new Users({ oauth: { providers: { apple: { enabled: true } } } });
 
   before(() => service.connect());
