From 19fcce254789c193286fc1dc65cd5c0badea1f2e Mon Sep 17 00:00:00 2001
From: Kentaro Takeyama
Date: Sun, 5 Mar 2023 18:24:54 +0900
Subject: [PATCH] remove nonce comparison because `session['omniauth.nonce']` is nil
---
 lib/omniauth/strategies/apple.rb | 9 ---------
 spec/omniauth/strategies/apple_spec.rb | 27 --------------------------
 2 files changed, 36 deletions(-)
diff --git a/lib/omniauth/strategies/apple.rb b/lib/omniauth/strategies/apple.rb
index 5ad3a40..ecb4760 100644
--- a/lib/omniauth/strategies/apple.rb
+++ b/lib/omniauth/strategies/apple.rb
@@ -69,10 +69,6 @@ def new_nonce
 session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
 end
- def stored_nonce
- session.delete('omniauth.nonce')
- end
-
 def id_info
 @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
 id_token_str = request.params['id_token'] || access_token.params['id_token']
@@ -105,7 +101,6 @@ def verify_claims!(id_token)
 verify_aud!(id_token)
 verify_iat!(id_token)
 verify_exp!(id_token)
- verify_nonce!(id_token) if id_token[:nonce_supported]
 end
 def verify_iss!(id_token)
@@ -124,10 +119,6 @@ def verify_exp!(id_token)
 invalid_claim! :exp unless id_token[:exp] >= Time.now.to_i
 end
- def verify_nonce!(id_token)
- invalid_claim! :nonce unless id_token[:nonce] && id_token[:nonce] == stored_nonce
- end
-
 def invalid_claim!(claim)
 raise CallbackError.new(:id_token_claims_invalid, "#{claim} invalid")
 end
diff --git a/spec/omniauth/strategies/apple_spec.rb b/spec/omniauth/strategies/apple_spec.rb
index 2709d1b..75c3f7d 100644
--- a/spec/omniauth/strategies/apple_spec.rb
+++ b/spec/omniauth/strategies/apple_spec.rb
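Review bot: The new body of verify_claims! validates iss, aud, iat and exp but no longer binds the id_token to the authorization request it was issued for, so any valid Apple-issued id_token for this client can be replayed into the callback; the stated reason — `session['omniauth.nonce']` is nil — describes a session-persistence problem (new_nonce in the first hunk still writes that key, so the nonce is generated and then lost before the callback) rather than a flaw in the check. A plausible cause, not visible here, is that the callback arrives as a cross-site POST and a SameSite=Lax or Strict session cookie is not sent with it; that belongs in the cookie/session configuration, not in deleting the verification. Keep `verify_nonce!(id_token) if id_token[:nonce_supported]` together with the removed `stored_nonce`/`verify_nonce!` definitions, and treat a missing stored nonce as `invalid_claim! :nonce` rather than skipping the comparison. The deleted 'fails nonce' and 'on nonce' spec contexts are the regression guard for exactly this and should return with the check. verify_claims! starts inside the hunk and its `end` is visible; the enclosing class is outside it.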
@@ -270,26 +270,6 @@
 expect(subject.info[:name]).to eq 'first last'
 end
- context 'fails nonce' do
- context 'when differs from session' do
- before { subject.session['omniauth.nonce'] = 'abc' }
- it do
- expect { subject.info }.to raise_error(
- OmniAuth::Strategies::OAuth2::CallbackError, 'id_token_claims_invalid | nonce invalid'
- )
- end
- end
-
- context 'when missing from session' do
- before { subject.session.delete('omniauth.nonce') }
- it do
- expect { subject.info }.to raise_error(
- OmniAuth::Strategies::OAuth2::CallbackError, 'id_token_claims_invalid | nonce invalid'
- )
- end
- end
- end
-
 context 'with a spoofed email in the user payload' do
 before do
 request.params['user'] = {
@@ -384,13 +364,6 @@
 end
 it_behaves_like :invalid_at, :exp
 end
-
- context 'on nonce' do
- let(:invalid_claims) do
- { nonce: 'invalid' }
- end
- it_behaves_like :invalid_at, :nonce
- end
 end
 end