import Foundation import Capacitor import OAuthSwift import CommonCrypto import AuthenticationServices typealias JSObject = [String:Any] @objc(OAuth2ClientPlugin) public class OAuth2ClientPlugin: CAPPlugin { var savedPluginCall: CAPPluginCall? let JSON_KEY_ACCESS_TOKEN = "access_token" let JSON_KEY_AUTHORIZATION_RESPONSE = "authorization_response" let JSON_KEY_ACCESS_TOKEN_RESPONSE = "access_token_response" let PARAM_REFRESH_TOKEN = "refreshToken" // required let PARAM_APP_ID = "appId" let PARAM_AUTHORIZATION_BASE_URL = "authorizationBaseUrl" let PARAM_RESPONSE_TYPE = "responseType" let PARAM_REDIRECT_URL = "redirectUrl" // controlling let PARAM_ACCESS_TOKEN_ENDPOINT = "accessTokenEndpoint" let PARAM_RESOURCE_URL = "resourceUrl" let PARAM_ADDITIONAL_RESOURCE_HEADERS = "additionalResourceHeaders" let PARAM_ADDITIONAL_PARAMETERS = "additionalParameters" let PARAM_CUSTOM_HANDLER_CLASS = "ios.customHandlerClass" let PARAM_SCOPE = "scope" let PARAM_STATE = "state" let PARAM_PKCE_ENABLED = "pkceEnabled" let PARAM_IOS_USE_SCOPE = "ios.siwaUseScope" let PARAM_LOGOUT_URL = "logoutUrl" let PARAM_LOGS_ENABLED = "logsEnabled" let ERR_GENERAL = "ERR_GENERAL" // authenticate param validation let ERR_PARAM_NO_APP_ID = "ERR_PARAM_NO_APP_ID" let ERR_PARAM_NO_AUTHORIZATION_BASE_URL = "ERR_PARAM_NO_AUTHORIZATION_BASE_URL" let ERR_PARAM_NO_RESPONSE_TYPE = "ERR_PARAM_NO_RESPONSE_TYPE" let ERR_PARAM_NO_REDIRECT_URL = "ERR_PARAM_NO_REDIRECT_URL" // refreshToken param validation let ERR_PARAM_NO_REFRESH_TOKEN = "ERR_PARAM_NO_REFRESH_TOKEN" let ERR_PARAM_NO_ACCESS_TOKEN_ENDPOINT = "ERR_PARAM_NO_ACCESS_TOKEN_ENDPOINT" let ERR_CUSTOM_HANDLER_LOGIN = "ERR_CUSTOM_HANDLER_LOGIN" let ERR_CUSTOM_HANDLER_LOGOUT = "ERR_CUSTOM_HANDLER_LOGOUT" let ERR_STATES_NOT_MATCH = "ERR_STATES_NOT_MATCH" let ERR_NO_AUTHORIZATION_CODE = "ERR_NO_AUTHORIZATION_CODE" let ERR_AUTHORIZATION_FAILED = "ERR_AUTHORIZATION_FAILED" struct SharedConstants { static let ERR_USER_CANCELLED = "USER_CANCELLED" } var oauthSwift: OAuth2Swift? var oauth2SafariDelegate: OAuth2SafariDelegate? var handlerClasses = [String: OAuth2CustomHandler.Type]() var handlerInstances = [String: OAuth2CustomHandler]() func registerHandlers() { let classCount = objc_getClassList(nil, 0) let classes = UnsafeMutablePointer.allocate(capacity: Int(classCount)) let releasingClasses = AutoreleasingUnsafeMutablePointer(classes) let numClasses: Int32 = objc_getClassList(releasingClasses, classCount) for i in 0.., _ call: CAPPluginCall, _ responseType: String, _ requestState: String, _ logsEnabled: Bool, _ resourceUrl: String?) { switch result { case .success(let (credential, response, parameters)): if logsEnabled, let accessTokenResponse = response { logDataObj("Authorization or Access token response:", accessTokenResponse.data) } // state is aready checked by the lib if resourceUrl != nil && !resourceUrl!.isEmpty { if logsEnabled { log("Resource url: \(resourceUrl!)") log("Access token:\n\(credential.oauthToken)") } // resource url request headers let callParameter: [String: Any] = getOverwritable(call, PARAM_ADDITIONAL_RESOURCE_HEADERS) as? [String: Any] ?? [:] let additionalHeadersDict = buildStringDict(callParameter); self.oauthSwift!.client.get(resourceUrl!, headers: additionalHeadersDict) { result in switch result { case .success(let resourceResponse): do { if logsEnabled { self.logDataObj("Resource response:", resourceResponse.data) } var jsonObj = try JSONSerialization.jsonObject(with: resourceResponse.data, options: []) as! JSObject // send the access token to the caller so e.g. it can be stored on a backend // #154 if let accessTokenResponse = response { let accessTokenJsObject = try? JSONSerialization.jsonObject(with: accessTokenResponse.data, options: []) as? JSObject jsonObj.updateValue(accessTokenJsObject!, forKey: self.JSON_KEY_ACCESS_TOKEN_RESPONSE) } jsonObj.updateValue(credential.oauthToken, forKey: self.JSON_KEY_ACCESS_TOKEN) if logsEnabled { self.log("Returned to JS:\n\(jsonObj)") } call.resolve(jsonObj) } catch { self.log("Invalid json in resource response:\n \(error.localizedDescription)") call.reject(self.ERR_GENERAL) } case .failure(let error): self.log("Resource url request failed:\n\(error.description)"); call.reject(self.ERR_GENERAL) } } // no resource url } else if let responseData = response?.data { do { var jsonObj = JSObject() let accessTokenJsObject = try? JSONSerialization.jsonObject(with: responseData, options: []) as? JSObject jsonObj.updateValue(accessTokenJsObject!, forKey: self.JSON_KEY_ACCESS_TOKEN_RESPONSE) if logsEnabled { self.log("Returned to JS:\n\(jsonObj)") } call.resolve(jsonObj) } catch { self.log("Invalid json in response \(error.localizedDescription)") call.reject(self.ERR_GENERAL) } } else { // `parameters` will be response parameters var result = parameters result.updateValue(credential.oauthToken, forKey: self.JSON_KEY_ACCESS_TOKEN) call.resolve(parameters) } case .failure(let error): switch error { case .cancelled, .accessDenied(_, _): call.reject(SharedConstants.ERR_USER_CANCELLED) case .stateNotEqual(_, _): self.log("The given state does not match the one in the respond!") call.reject(self.ERR_STATES_NOT_MATCH) default: self.log("Authorization failed with \(error.localizedDescription)"); call.reject(self.ERR_NO_AUTHORIZATION_CODE) } } } private func getConfigObjectDeepest(_ options: [AnyHashable: Any?]!, key: String) -> [AnyHashable:Any?]? { let parts = key.split(separator: ".") var o = options for (_, k) in parts[0.. String { let parts = key.split(separator: ".") if parts.last != nil { return String(parts.last!) } return "" } private func getOverwritableString(_ call: CAPPluginCall, _ key: String) -> String? { var base = getString(call, key) let ios = getString(call, "ios." + key) if ios != nil { base = ios } return base; } private func getOverwritable(_ call: CAPPluginCall, _ key: String) -> Any? { var base = getValue(call, key) let ios = getValue(call, "ios." + key) if ios != nil { base = ios } return base; } private func getValue(_ call: CAPPluginCall, _ key: String) -> Any? { let k = getConfigKey(key) let o = getConfigObjectDeepest(call.options, key: key) return o?[k] ?? nil } private func getString(_ call: CAPPluginCall, _ key: String) -> String? { let value = getValue(call, key) if value == nil { return nil } return value as? String } private func getOrLoadHandlerInstance(className: String) -> OAuth2CustomHandler? { guard let instance = self.getHandlerInstance(className: className) ?? self.loadHandlerInstance(className: className) else { return nil } return instance } private func getHandlerInstance(className: String) -> OAuth2CustomHandler? { return self.handlerInstances[className] } private func log(_ msg: String) { print("I/Capacitor/OAuth2ClientPlugin: \(msg)") } private func logDataObj(_ msg: String, _ data: Data) { let json = try? JSONSerialization.jsonObject(with: data, options: []) log("\(msg)\n\(json ?? "")") } private func buildStringDict(_ callParameter: [String: Any]) -> [String: String] { var dict: [String: String] = [:] for (key, value) in callParameter { // only non empty string values are allowed if !key.isEmpty && value is String { let str = value as! String; if !str.isEmpty { dict[key] = str } } } return dict; } private func loadHandlerInstance(className: String) -> OAuth2CustomHandler? { guard let handlerClazz: OAuth2CustomHandler.Type = self.handlerClasses[className] else { log("Unable to load custom handler \(className). No such class found.") return nil } let instance: OAuth2CustomHandler = handlerClazz.init() self.handlerInstances[className] = instance return instance } private func generateRandom(withLength len: Int) -> String { let letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" let length = UInt32(letters.count) var randomString = "" for _ in 0.. Data { let data = self.data(using: .utf8)! var buffer = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH)) data.withUnsafeBytes { _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &buffer) } return Data(buffer) } } extension Data { func base64() -> String { return self.base64EncodedString() .replacingOccurrences(of: "+", with: "-") .replacingOccurrences(of: "/", with: "_") .replacingOccurrences(of: "=", with: "") .trimmingCharacters(in: .whitespaces) } } @available(iOS 13.0, *) extension OAuth2ClientPlugin: ASAuthorizationControllerDelegate { func handleSignInWithApple(_ call: CAPPluginCall) { self.savedPluginCall = call let appleIDProvider = ASAuthorizationAppleIDProvider() let request = appleIDProvider.createRequest() if let _: Bool = getValue(call, PARAM_IOS_USE_SCOPE) as? Bool { if let scopeStr = getOverwritableString(call, PARAM_SCOPE), !scopeStr.isEmpty { var scopeArr: Array = [] if scopeStr.localizedCaseInsensitiveContains("fullName") || scopeStr.localizedCaseInsensitiveContains("name") { scopeArr.append(.fullName) } if scopeStr.localizedCaseInsensitiveContains("email") { scopeArr.append(.email) } request.requestedScopes = scopeArr } } else { request.requestedScopes = [.fullName, .email] } let authorizationController = ASAuthorizationController(authorizationRequests: [request]) authorizationController.delegate = self authorizationController.performRequests() } public func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) { switch authorization.credential { case let appleIDCredential as ASAuthorizationAppleIDCredential: var realUserStatus: String switch appleIDCredential.realUserStatus { case .likelyReal: realUserStatus = "likelyReal" case .unknown: realUserStatus = "unknown" case .unsupported: realUserStatus = "unsupported" @unknown default: realUserStatus = "" } let result = [ "id": appleIDCredential.user, "given_name": appleIDCredential.fullName?.givenName as Any, "family_name": appleIDCredential.fullName?.familyName as Any, "email": appleIDCredential.email as Any, "real_user_status": realUserStatus, "state": appleIDCredential.state as Any, "id_token": String(data: appleIDCredential.identityToken!, encoding: .utf8) as Any, "code": String(data: appleIDCredential.authorizationCode!, encoding: .utf8) as Any ] as [String : Any] self.savedPluginCall?.resolve(result as PluginCallResultData) default: self.log("SIWA: Authorization failed!") self.savedPluginCall?.reject(self.ERR_AUTHORIZATION_FAILED) } } public func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) { // Handle error. guard let error = error as? ASAuthorizationError else { return } switch error.code { case .canceled: self.savedPluginCall?.reject(SharedConstants.ERR_USER_CANCELLED) case .unknown: self.log("SIWA: Error.unknown.") self.savedPluginCall?.reject(SharedConstants.ERR_USER_CANCELLED) case .invalidResponse: self.log("SIWA: Error.invalidResponse") self.savedPluginCall?.reject(self.ERR_AUTHORIZATION_FAILED) case .notHandled: self.log("SIWA: Error.notHandled") self.savedPluginCall?.reject(self.ERR_AUTHORIZATION_FAILED) case .failed: self.log("SIWA: Error.failed") self.savedPluginCall?.reject(self.ERR_AUTHORIZATION_FAILED) @unknown default: self.log("SIWA: Error.default") self.savedPluginCall?.reject(self.ERR_GENERAL) } } }