Implement Slack authentication on iOS

2024-03-30 16:47:59 -07:00 · 2024-03-30 16:47:59 -07:00 · df549d48e6
commit df549d48e6
parent ec8cc533ab
10 changed files with 419 additions and 81 deletions
--- a/Apple/App/OAuth2.swift
+++ b/Apple/App/OAuth2.swift
@ -0,0 +1,280 @@
+import AuthenticationServices
+import SwiftUI
+import Foundation
+
+enum OAuth2 {
+    enum Error: Swift.Error {
+        case unknown
+        case invalidAuthorizationURL
+        case invalidCallbackURL
+        case invalidRedirectURI
+    }
+
+    struct Credential {
+        var accessToken: String
+        var refreshToken: String?
+        var expirationDate: Date?
+    }
+
+    struct Session {
+        var authorizationEndpoint: URL
+        var tokenEndpoint: URL
+        var redirectURI: URL
+        var responseType = OAuth2.ResponseType.code
+        var scopes: Set<String>
+        var clientID: String
+        var clientSecret: String
+
+        fileprivate static var queue: [Int: CheckedContinuation<URL, Swift.Error>] = [:]
+
+        fileprivate static func handle(url: URL) {
+            let continuations = queue
+            queue.removeAll()
+            for (_, continuation) in continuations {
+                continuation.resume(returning: url)
+            }
+        }
+
+        public init(
+            authorizationEndpoint: URL,
+            tokenEndpoint: URL,
+            redirectURI: URL,
+            scopes: Set<String>,
+            clientID: String,
+            clientSecret: String
+        ) {
+            self.authorizationEndpoint = authorizationEndpoint
+            self.tokenEndpoint = tokenEndpoint
+            self.redirectURI = redirectURI
+            self.scopes = scopes
+            self.clientID = clientID
+            self.clientSecret = clientSecret
+        }
+
+        private var authorizationURL: URL {
+            get throws {
+                var queryItems: [URLQueryItem] = [
+                    .init(name: "client_id", value: clientID),
+                    .init(name: "response_type", value: responseType.rawValue),
+                    .init(name: "redirect_uri", value: redirectURI.absoluteString),
+                ]
+                if !scopes.isEmpty {
+                    queryItems.append(.init(name: "scope", value: scopes.joined(separator: ",")))
+                }
+                guard var components = URLComponents(url: authorizationEndpoint, resolvingAgainstBaseURL: false) else {
+                    throw OAuth2.Error.invalidAuthorizationURL
+                }
+                components.queryItems = queryItems
+                guard let authorizationURL = components.url else { throw OAuth2.Error.invalidAuthorizationURL }
+                return authorizationURL
+            }
+        }
+
+        private func handle(callbackURL: URL) async throws -> OAuth2.AccessTokenResponse {
+            switch responseType {
+            case .code:
+                guard let components = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false) else {
+                    throw OAuth2.Error.invalidCallbackURL
+                }
+                return try await handle(response: try components.decode(OAuth2.CodeResponse.self))
+            default:
+                throw OAuth2.Error.invalidCallbackURL
+            }
+        }
+
+        private func handle(response: OAuth2.CodeResponse) async throws -> OAuth2.AccessTokenResponse {
+            var components = URLComponents()
+            components.queryItems = [
+                .init(name: "client_id", value: clientID),
+                .init(name: "client_secret", value: clientSecret),
+                .init(name: "grant_type", value: GrantType.authorizationCode.rawValue),
+                .init(name: "code", value: response.code),
+                .init(name: "redirect_uri", value: redirectURI.absoluteString)
+            ]
+            let httpBody = Data(components.percentEncodedQuery!.utf8)
+
+            var request = URLRequest(url: tokenEndpoint)
+            request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
+            request.httpMethod = "POST"
+            request.httpBody = httpBody
+
+            let session = URLSession(configuration: .ephemeral)
+            let (data, _) = try await session.data(for: request)
+            return try OAuth2.decoder.decode(OAuth2.AccessTokenResponse.self, from: data)
+        }
+
+        func authorize(_ session: WebAuthenticationSession) async throws -> Credential {
+            let authorizationURL = try authorizationURL
+            let callbackURL = try await session.start(
+                url: authorizationURL,
+                redirectURI: redirectURI
+            )
+            return try await handle(callbackURL: callbackURL).credential
+        }
+    }
+
+    private struct CodeResponse: Codable {
+        var code: String
+        var state: String?
+    }
+
+    private struct AccessTokenResponse: Codable {
+        var accessToken: String
+        var tokenType: TokenType
+        var expiresIn: Double?
+        var refreshToken: String?
+
+        var credential: Credential {
+            .init(accessToken: accessToken, refreshToken: refreshToken, expirationDate: expiresIn.map { Date.init(timeIntervalSinceNow: $0) })
+        }
+    }
+
+    enum TokenType: Codable, RawRepresentable {
+        case bearer
+        case unknown(String)
+
+        init(rawValue: String) {
+            self = switch rawValue.lowercased() {
+            case "bearer": .bearer
+            default: .unknown(rawValue)
+            }
+        }
+
+        var rawValue: String {
+            switch self {
+            case .bearer: "bearer"
+            case .unknown(let type): type
+            }
+        }
+    }
+
+    enum GrantType: Codable, RawRepresentable {
+        case authorizationCode
+        case unknown(String)
+
+        init(rawValue: String) {
+            self = switch rawValue.lowercased() {
+            case "authorization_code": .authorizationCode
+            default: .unknown(rawValue)
+            }
+        }
+
+        var rawValue: String {
+            switch self {
+            case .authorizationCode: "authorization_code"
+            case .unknown(let type): type
+            }
+        }
+    }
+
+    enum ResponseType: Codable, RawRepresentable {
+        case code
+        case idToken
+        case unknown(String)
+
+        init(rawValue: String) {
+            self = switch rawValue.lowercased() {
+            case "code": .code
+            case "id_token": .idToken
+            default: .unknown(rawValue)
+            }
+        }
+
+        var rawValue: String {
+            switch self {
+            case .code: "code"
+            case .idToken: "id_token"
+            case .unknown(let type): type
+            }
+        }
+    }
+
+    fileprivate static var decoder: JSONDecoder {
+        let decoder = JSONDecoder()
+        decoder.keyDecodingStrategy = .convertFromSnakeCase
+        return decoder
+    }
+
+    fileprivate static var encoder: JSONEncoder {
+        let encoder = JSONEncoder()
+        encoder.keyEncodingStrategy = .convertToSnakeCase
+        return encoder
+    }
+}
+
+extension WebAuthenticationSession {
+    func start(url: URL, redirectURI: URL) async throws -> URL {
+        #if canImport(BrowserEngineKit)
+        if #available(iOS 17.4, macOS 14.4, tvOS 17.4, watchOS 10.4, *) {
+            return try await authenticate(
+                using: url,
+                callback: try Self.callback(for: redirectURI),
+                additionalHeaderFields: [:]
+            )
+        }
+        #endif
+
+        return try await withThrowingTaskGroup(of: URL.self) { group in
+            group.addTask {
+                return try await authenticate(using: url, callbackURLScheme: redirectURI.scheme ?? "")
+            }
+
+            let id = Int.random(in: 0..<Int.max)
+            group.addTask {
+                return try await withCheckedThrowingContinuation { continuation in
+                    OAuth2.Session.queue[id] = continuation
+                }
+            }
+            guard let url = try await group.next() else { throw OAuth2.Error.invalidCallbackURL }
+            group.cancelAll()
+            OAuth2.Session.queue[id] = nil
+            return url
+        }
+    }
+
+    #if canImport(BrowserEngineKit)
+    @available(iOS 17.4, macOS 14.4, tvOS 17.4, watchOS 10.4, *)
+    fileprivate static func callback(for redirectURI: URL) throws -> ASWebAuthenticationSession.Callback {
+        switch redirectURI.scheme {
+        case "https":
+            guard let host = redirectURI.host else { throw OAuth2.Error.invalidRedirectURI }
+            return .https(host: host, path: redirectURI.path)
+        case "http":
+            throw OAuth2.Error.invalidRedirectURI
+        case .some(let scheme):
+            return .customScheme(scheme)
+        case .none:
+            throw OAuth2.Error.invalidRedirectURI
+        }
+    }
+    #endif
+}
+
+extension View {
+    func handleOAuth2Callback() -> some View {
+        onOpenURL { url in OAuth2.Session.handle(url: url) }
+    }
+}
+
+extension URLComponents {
+    fileprivate func decode<T: Decodable>(_ type: T.Type) throws -> T {
+        guard let queryItems else {
+            throw DecodingError.valueNotFound(
+                T.self,
+                .init(codingPath: [], debugDescription: "Missing query items")
+            )
+        }
+        let data = try OAuth2.encoder.encode(try queryItems.values)
+        return try OAuth2.decoder.decode(T.self, from: data)
+    }
+}
+
+extension Sequence where Element == URLQueryItem {
+    fileprivate var values: [String: String?] {
+        get throws {
+            try Dictionary(map { ($0.name, $0.value) }) { _, _ in
+                throw DecodingError.dataCorrupted(.init(codingPath: [], debugDescription: "Duplicate query items"))
+            }
+        }
+    }
+}