Merge pull request #64 from aboutyou/feature/add-nonce-support

Add nonce support

packages/sign_in_with_apple/CHANGELOG.md

@@ -1,6 +1,7 @@
 ## 2.1.0
 
 - Expose `identityToken` to enable Firebase integration (https://github.com/aboutyou/dart_packages/issues/62)
+- Add support for passing a `nonce` to the authentication request
 
 ## 2.0.0+5
 

packages/sign_in_with_apple/darwin/Classes/SignInWithAppleAvailablePlugin.swift

@@ -133,6 +133,10 @@ class SignInWithAppleAuthorizationController: NSObject, ASAuthorizationControlle
                 let appleIDProvider = ASAuthorizationAppleIDProvider()
                 let appleIDRequest = appleIDProvider.createRequest()
 
+                if let nonce = requestMap["nonce"] as? String {
+                    appleIDRequest.nonce = nonce;
+                }
+
                 if let scopes = requestMap["scopes"] as? [String] {
                     appleIDRequest.requestedScopes = []
 

packages/sign_in_with_apple/lib/src/authorization_request.dart

@@ -44,6 +44,7 @@ enum AppleIDAuthorizationScopes {
 class AppleIDAuthorizationRequest implements AuthorizationRequest {
   const AppleIDAuthorizationRequest({
     this.scopes = const [],
+    this.nonce,
   }) : assert(scopes != null);
 
   /// A list of scopes that can be requested from the user.
@@ -54,13 +55,20 @@ class AppleIDAuthorizationRequest implements AuthorizationRequest {
   /// For more information see: https://forums.developer.apple.com/thread/121496
   final List<AppleIDAuthorizationScopes> scopes;
 
+  /// The nonce value which was provided when initiating the sign-in.
+  ///
+  /// Can be `null` if no value was given on the request.
+  final String nonce;
+
   @override
   String toString() => 'AppleIDAuthorizationRequest(scopes: $scopes)';
 
   @override
   Map<String, dynamic> toJson() {
     return <String, dynamic>{
       'type': 'appleid',
+      if (nonce != null)
+        'nonce': nonce,
       'scopes': [
         for (final scope in scopes)
           if (scope == AppleIDAuthorizationScopes.email)

packages/sign_in_with_apple/lib/src/sign_in_with_apple.dart

@@ -82,6 +82,13 @@ class SignInWithApple {
     ///
     /// This parameter is required on Android.
     WebAuthenticationOptions webAuthenticationOptions,
+
+    ///  Optional string which, if set, will be be embedded in the resulting `identityToken` field on the [AuthorizationCredentialAppleID].
+    ///     
+    /// This can be used to mitigate replay attacks by using a unique argument per sign-in attempt.
+    ///
+    /// Can be `null`, in which case no nonce will be passed to the request.
+    String nonce,
   }) async {
     assert(scopes != null);
 
@@ -95,6 +102,7 @@ class SignInWithApple {
       return _signInWithAppleAndroid(
         scopes: scopes,
         webAuthenticationOptions: webAuthenticationOptions,
+        nonce: nonce,
       );
     }
 
@@ -111,8 +119,11 @@ class SignInWithApple {
         await channel.invokeMethod<Map<dynamic, dynamic>>(
           'performAuthorizationRequest',
           [
-            AppleIDAuthorizationRequest(scopes: scopes),
-          ].map((request) => request.toJson()).toList(),
+            AppleIDAuthorizationRequest(
+              scopes: scopes,
+              nonce: nonce,
+            ).toJson(),
+          ],
         ),
       );
     } on PlatformException catch (exception) {
@@ -172,6 +183,7 @@ class SignInWithApple {
   static Future<AuthorizationCredentialAppleID> _signInWithAppleAndroid({
     @required List<AppleIDAuthorizationScopes> scopes,
     @required WebAuthenticationOptions webAuthenticationOptions,
+    @required String nonce,
   }) async {
     assert(Platform.isAndroid);
 
@@ -199,6 +211,9 @@ class SignInWithApple {
         // So the same handling can be used for Apple and 3rd party platforms
         'response_type': 'code id_token',
         'response_mode': 'form_post',
+
+        if (nonce != null)
+          'nonce': nonce,
       },
     ).toString();