firebase-ios-sdk/FirebaseAuth/Sources/Swift/AuthProvider/OAuthProvider.swift

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

import Foundation
import CommonCrypto

/**
 @brief Utility class for constructing OAuth Sign In credentials.
 */
@available(iOS 13, tvOS 13, macOS 10.15, macCatalyst 13, watchOS 7, *)
@objc(FIROAuthProvider) open class OAuthProvider: NSObject, FederatedAuthProvider {
  @objc public static let id = "OAuth"

  /** @property scopes
      @brief Array used to configure the OAuth scopes.
   */
  @objc public var scopes: [String]

  /** @property customParameters
      @brief Dictionary used to configure the OAuth custom parameters.
   */
  @objc public var customParameters: [String: String]

  /** @property providerID
      @brief The provider ID indicating the specific OAuth provider this OAuthProvider instance
            represents.
   */
  @objc public let providerID: String

  /**
      @param providerID The provider ID of the IDP for which this auth provider instance will be
          configured.
      @return An instance of `OAuthProvider` corresponding to the specified provider ID.
   */
  @objc(providerWithProviderID:) public class func provider(providerID: String) -> OAuthProvider {
    return OAuthProvider(providerID: providerID, auth: Auth.auth())
  }

  /**
      @param providerID The provider ID of the IDP for which this auth provider instance will be
          configured.
      @param auth The auth instance to be associated with the `OAuthProvider` instance.
      @return An instance of `OAuthProvider` corresponding to the specified provider ID.
   */
  @objc(providerWithProviderID:auth:) public class func provider(providerID: String,
                                                                 auth: Auth) -> OAuthProvider {
    return OAuthProvider(providerID: providerID, auth: auth)
  }

  /**
      @param providerID The provider ID of the IDP for which this auth provider instance will be
          configured.
      @return An instance of `OAuthProvider` corresponding to the specified provider ID.
   */
  @objc(providerWithProviderID:) public convenience init(providerID: String) {
    self.init(providerID: providerID, auth: Auth.auth())
  }

  /**
      @param providerID The provider ID of the IDP for which this auth provider instance will be
          configured.
      @param auth The auth instance to be associated with the `OAuthProvider` instance.
      @return An instance of `OAuthProvider` corresponding to the specified provider ID.
   */
  @objc(providerWithProviderID:auth:) public init(providerID: String, auth: Auth) {
    if auth.requestConfiguration.emulatorHostAndPort == nil {
      if providerID == FacebookAuthProvider.id {
        fatalError("Sign in with Facebook is not supported via generic IDP; the Facebook TOS " +
          "dictate that you must use the Facebook iOS SDK for Facebook login.")
      }
      if providerID == AuthProviderString.apple.rawValue {
        fatalError("Sign in with Apple is not supported via generic IDP; You must use the Apple SDK" +
          " for Sign in with Apple.")
      }
    }
    self.auth = auth
    self.providerID = providerID
    scopes = [""]
    customParameters = [:]

    if let clientID = auth.app?.options.clientID {
      let reverseClientIDScheme = clientID.components(separatedBy: ".").reversed()
        .joined(separator: ".")
      if let urlTypes = auth.mainBundleUrlTypes,
         AuthWebUtils.isCallbackSchemeRegistered(forCustomURLScheme: reverseClientIDScheme,
                                                 urlTypes: urlTypes) {
        callbackScheme = reverseClientIDScheme
        usingClientIDScheme = true
        return
      }
    }
    usingClientIDScheme = false
    if let appID = auth.app?.options.googleAppID {
      callbackScheme = "app-\(appID.replacingOccurrences(of: ":", with: "-"))"
    } else {
      fatalError("Missing googleAppID for constructing callbackScheme")
    }
  }

  /**
      @brief Creates an `AuthCredential` for the OAuth 2 provider identified by provider ID, ID
          token, and access token.

      @param providerID The provider ID associated with the Auth credential being created.
      @param idToken The IDToken associated with the Auth credential being created.
      @param accessToken The access token associated with the Auth credential be created, if
          available.
      @return A `AuthCredential` for the specified provider ID, ID token and access token.
   */
  @objc(credentialWithProviderID:IDToken:accessToken:)
  public static func credential(withProviderID providerID: String,
                                idToken: String,
                                accessToken: String?) -> OAuthCredential {
    return OAuthCredential(withProviderID: providerID, idToken: idToken, accessToken: accessToken)
  }

  /**
      @brief Creates an `AuthCredential` for the OAuth 2 provider identified by provider ID using
        an ID token.

      @param providerID The provider ID associated with the Auth credential being created.
      @param accessToken The access token associated with the Auth credential be created
      @return An `AuthCredential`.
   */
  @objc(credentialWithProviderID:accessToken:)
  public static func credential(withProviderID providerID: String,
                                accessToken: String) -> OAuthCredential {
    return OAuthCredential(withProviderID: providerID, accessToken: accessToken)
  }

  /**
      @brief Creates an `AuthCredential` for that OAuth 2 provider identified by provider ID, ID
          token, raw nonce, and access token.

      @param providerID The provider ID associated with the Auth credential being created.
      @param idToken The IDToken associated with the Auth credential being created.
      @param rawNonce The raw nonce associated with the Auth credential being created.
      @param accessToken The access token associated with the Auth credential be created, if
          available.
      @return A `AuthCredential` for the specified provider ID, ID token and access token.
   */
  @objc(credentialWithProviderID:IDToken:rawNonce:accessToken:)
  public static func credential(withProviderID providerID: String, idToken: String,
                                rawNonce: String,
                                accessToken: String) -> OAuthCredential {
    return OAuthCredential(
      withProviderID: providerID,
      idToken: idToken,
      rawNonce: rawNonce,
      accessToken: accessToken
    )
  }

  /**
      @brief Creates an `AuthCredential` for that OAuth 2 provider identified by providerID using
        an ID token and raw nonce.

      @param providerID The provider ID associated with the Auth credential being created.
      @param idToken The IDToken associated with the Auth credential being created.
      @param rawNonce The raw nonce associated with the Auth credential being created.
      @return A `AuthCredential`.
   */
  @objc(credentialWithProviderID:IDToken:rawNonce:)
  public static func credential(withProviderID providerID: String, idToken: String,
                                rawNonce: String) -> OAuthCredential {
    return OAuthCredential(withProviderID: providerID, idToken: idToken, rawNonce: rawNonce)
  }

  #if os(iOS)
    /** @fn getCredentialWithUIDelegate:completion:
        @brief Used to obtain an auth credential via a mobile web flow.
            This method is available on iOS only.
        @param UIDelegate An optional UI delegate used to present the mobile web flow.
        @param completion Optionally; a block which is invoked asynchronously on the main thread when
            the mobile web flow is completed.
     */
    @objc(getCredentialWithUIDelegate:completion:)
    public func getCredentialWith(_ UIDelegate: AuthUIDelegate?,
                                  completion: ((AuthCredential?, Error?) -> Void)? = nil) {
      guard let urlTypes = auth.mainBundleUrlTypes,
            AuthWebUtils.isCallbackSchemeRegistered(forCustomURLScheme: callbackScheme,
                                                    urlTypes: urlTypes) else {
        fatalError(
          "Please register custom URL scheme \(callbackScheme) in the app's Info.plist file."
        )
      }
      kAuthGlobalWorkQueue.async { [weak self] in
        guard let self = self else { return }
        let eventID = AuthWebUtils.randomString(withLength: 10)
        let sessionID = AuthWebUtils.randomString(withLength: 10)

        let callbackOnMainThread: ((AuthCredential?, Error?) -> Void) = { credential, error in
          if let completion {
            DispatchQueue.main.async {
              completion(credential, error)
            }
          }
        }
        self.getHeadfulLiteUrl(eventID: eventID, sessionID: sessionID) { headfulLiteURL, error in
          if let error {
            callbackOnMainThread(nil, error)
            return
          }
          guard let headfulLiteURL else {
            fatalError("FirebaseAuth Internal Error: Both error and headfulLiteURL return are nil")
          }
          let callbackMatcher: (URL?) -> Bool = { callbackURL in
            AuthWebUtils.isExpectedCallbackURL(callbackURL,
                                               eventID: eventID,
                                               authType: "signInWithRedirect",
                                               callbackScheme: self.callbackScheme)
          }
          self.auth.authURLPresenter.present(headfulLiteURL,
                                             uiDelegate: UIDelegate,
                                             callbackMatcher: callbackMatcher) { callbackURL, error in
            if let error {
              callbackOnMainThread(nil, error)
              return
            }
            guard let callbackURL else {
              fatalError("FirebaseAuth Internal Error: Both error and callbackURL return are nil")
            }
            let (oAuthResponseURLString, error) = self.oAuthResponseForURL(url: callbackURL)
            if let error {
              callbackOnMainThread(nil, error)
              return
            }
            guard let oAuthResponseURLString else {
              fatalError(
                "FirebaseAuth Internal Error: Both error and oAuthResponseURLString return are nil"
              )
            }
            let credential = OAuthCredential(withProviderID: self.providerID,
                                             sessionID: sessionID,
                                             OAuthResponseURLString: oAuthResponseURLString)
            callbackOnMainThread(credential, nil)
          }
        }
      }
    }

    /** @fn getCredentialWithUIDelegate:completion:
        @brief Used to obtain an auth credential via a mobile web flow.
            This method is available on iOS only.
        @param UIDelegate An optional UI delegate used to present the mobile web flow.
        @return An `AuthCredential`.
     */
    @available(iOS 13, tvOS 13, macOS 10.15, watchOS 8, *)
    public func credential(with UIDelegate: AuthUIDelegate?) async throws -> AuthCredential {
      return try await withCheckedThrowingContinuation { continuation in
        getCredentialWith(UIDelegate) { credential, error in
          if let credential = credential {
            continuation.resume(returning: credential)
          } else {
            continuation.resume(throwing: error!) // TODO: Change to ?? and generate unknown error
          }
        }
      }
    }
  #endif

  /** @fn appleCredentialWithIDToken:rawNonce:fullName:
   *  @brief Creates an `AuthCredential` for the Sign in with Apple OAuth 2 provider identified by ID
   * token, raw nonce, and full name. This method is specific to the Sign in with Apple OAuth 2
   * provider as this provider requires the full name to be passed explicitly.
   *
   *  @param idToken The IDToken associated with the Sign in with Apple Auth credential being created.
   *  @param rawNonce The raw nonce associated with the Sign in with Apple Auth credential being
   * created.
   *  @param fullName The full name associated with the Sign in with Apple Auth credential being
   * created.
   *  @return An `AuthCredential`.
   */
  @objc(appleCredentialWithIDToken:rawNonce:fullName:)
  public static func appleCredential(withIDToken idToken: String,
                                     rawNonce: String?,
                                     fullName: PersonNameComponents?) -> OAuthCredential {
    return OAuthCredential(withProviderID: AuthProviderString.apple.rawValue,
                           idToken: idToken,
                           rawNonce: rawNonce,
                           fullName: fullName)
  }

  // MARK: - Private Methods

  /** @fn OAuthResponseForURL:error:
      @brief Parses the redirected URL and returns a string representation of the OAuth response URL.
      @param URL The url to be parsed for an OAuth response URL.
      @param error The error that occurred if any.
      @return The OAuth response if successful.
   */
  private func oAuthResponseForURL(url: URL) -> (String?, Error?) {
    var urlQueryItems = AuthWebUtils.dictionary(withHttpArgumentsString: url.query)
    if let item = urlQueryItems["deep_link_id"],
       let deepLinkURL = URL(string: item) {
      urlQueryItems = AuthWebUtils.dictionary(withHttpArgumentsString: deepLinkURL.query)
      if let queryItemLink = urlQueryItems["link"] {
        return (queryItemLink, nil)
      }
    }
    if let errorData = urlQueryItems["firebaseError"]?.data(using: .utf8) {
      do {
        let error = try JSONSerialization.jsonObject(with: errorData) as? [String: Any]
        let code = (error?["code"] as? String) ?? "missing code"
        let message = (error?["message"] as? String) ?? "missing message"
        return (nil, AuthErrorUtils.urlResponseError(code: code, message: message))
      } catch {
        return (nil, AuthErrorUtils.JSONSerializationError(underlyingError: error))
      }
    }
    return (nil, AuthErrorUtils.webSignInUserInteractionFailure(
      reason: "SignIn failed with unparseable firebaseError"
    ))
  }

  /** @fn getHeadfulLiteURLWithEventID
      @brief Constructs a URL used for opening a headful-lite flow using a given event
          ID and session ID.
      @param eventID The event ID used for this purpose.
      @param sessionID The session ID used when completing the headful lite flow.
      @param completion The callback invoked after the URL has been constructed or an error
          has been encountered.
   */
  private func getHeadfulLiteUrl(eventID: String,
                                 sessionID: String,
                                 completion: @escaping ((URL?, Error?) -> Void)) {
    weak var weakSelf = self
    AuthWebUtils
      .fetchAuthDomain(withRequestConfiguration: auth.requestConfiguration) { authDomain, error in
        if let error = error {
          completion(nil, error)
          return
        }
        let strongSelf = weakSelf
        let bundleID = Bundle.main.bundleIdentifier
        let clientID = strongSelf?.auth.app?.options.clientID
        let appID = strongSelf?.auth.app?.options.googleAppID
        let apiKey = strongSelf?.auth.requestConfiguration.apiKey
        let tenantID = strongSelf?.auth.tenantID
        let appCheck = strongSelf?.auth.requestConfiguration.appCheck

        // TODO: Should we fail if these strings are empty? Only ibi was explicit in ObjC.
        var urlArguments = ["apiKey": apiKey ?? "",
                            "authType": "signInWithRedirect",
                            "ibi": bundleID ?? "",
                            "sessionId": strongSelf?.hash(forString: sessionID) ?? "",
                            "v": AuthBackend.authUserAgent(),
                            "eventId": eventID,
                            "providerId": strongSelf?.providerID ?? ""]

        if let usingClientIDScheme = strongSelf?.usingClientIDScheme, usingClientIDScheme {
          urlArguments["clientId"] = clientID
        } else {
          urlArguments["appId"] = appID
        }
        if let tenantID {
          urlArguments["tid"] = tenantID
        }
        if let scopes = strongSelf?.scopes, scopes.count > 0 {
          urlArguments["scopes"] = scopes.joined(separator: ",")
        }
        if let customParameters = strongSelf?.customParameters, customParameters.count > 0 {
          do {
            let customParametersJSONData = try JSONSerialization
              .data(withJSONObject: customParameters)
            let rawJson = String(decoding: customParametersJSONData, as: UTF8.self)
            urlArguments["customParameters"] = rawJson
          } catch {
            completion(nil, AuthErrorUtils.JSONSerializationError(underlyingError: error))
          }
        }
        if let languageCode = strongSelf?.auth.requestConfiguration.languageCode {
          urlArguments["hl"] = languageCode
        }
        let argumentsString = strongSelf?
          .httpArgumentsString(forArgsDictionary: urlArguments) ?? ""
        var urlString: String
        if (strongSelf?.auth.requestConfiguration.emulatorHostAndPort) != nil {
          urlString = "http://\(authDomain ?? "")/emulator/auth/handler?\(argumentsString)"
        } else {
          urlString = "https://\(authDomain ?? "")/__/auth/handler?\(argumentsString)"
        }
        guard let percentEncoded = urlString.addingPercentEncoding(
          withAllowedCharacters: CharacterSet.urlFragmentAllowed
        ) else {
          fatalError("Internal Auth Error: failed to percent encode a string")
        }
        var components = URLComponents(string: percentEncoded)
        if let appCheck {
          appCheck.getToken(forcingRefresh: false) { tokenResult in
            if let error = tokenResult.error {
              AuthLog.logWarning(code: "I-AUT000018",
                                 message: "Error getting App Check token; using placeholder " +
                                   "token instead. Error: \(error)")
            }
            let appCheckTokenFragment = "fac=\(tokenResult.token)"
            components?.fragment = appCheckTokenFragment
            completion(components?.url, nil)
          }
        } else {
          completion(components?.url, nil)
        }
      }
  }

  /** @fn hashforString:
      @brief Returns the SHA256 hash representation of a given string object.
      @param string The string for which a SHA256 hash is desired.
      @return An hexadecimal string representation of the SHA256 hash.
   */
  private func hash(forString string: String) -> String {
    guard let sessionIdData = string.data(using: .utf8) as? NSData else {
      fatalError("FirebaseAuth Internal error: Failed to create hash for sessionID")
    }
    let digestLength = Int(CC_SHA256_DIGEST_LENGTH)
    var hash = [UInt8](repeating: 0, count: digestLength)
    CC_SHA256(sessionIdData.bytes, UInt32(sessionIdData.length), &hash)
    let dataHash = NSData(bytes: hash, length: digestLength)
    var bytes = [UInt8](repeating: 0, count: digestLength)
    dataHash.getBytes(&bytes, length: digestLength)

    var hexString = ""
    for byte in bytes {
      hexString += String(format: "%02x", UInt8(byte))
    }
    return hexString
  }

  private func httpArgumentsString(forArgsDictionary argsDictionary: [String: String]) -> String {
    var argsString: [String] = []
    for (key, value) in argsDictionary {
      let keyString = AuthWebUtils.string(byUnescapingFromURLArgument: key)
      let valueString = AuthWebUtils.string(byUnescapingFromURLArgument: value.description)
      argsString.append("\(keyString)=\(valueString)")
    }
    return argsString.joined(separator: "&")
  }

  private let auth: Auth
  private let callbackScheme: String
  private let usingClientIDScheme: Bool
}