Fix AppleProvider issues #587 #529 (#606)

Provider.php

@@ -4,14 +4,17 @@
 
 use Firebase\JWT\JWK;
 use GuzzleHttp\Client;
-use Illuminate\Http\Response;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Str;
 use Laravel\Socialite\Two\InvalidStateException;
-use Lcobucci\JWT\Parser;
-use Lcobucci\JWT\Signer\Key;
+use Lcobucci\Clock\SystemClock;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Validation\Constraint\IssuedBy;
+use Lcobucci\JWT\Validation\Constraint\SignedWith;
+use Lcobucci\JWT\Validation\Constraint\ValidAt;
 use SocialiteProviders\Manager\OAuth2\AbstractProvider;
 use SocialiteProviders\Manager\OAuth2\User;
 
@@ -74,7 +77,7 @@ protected function getCodeFields($state = null)
         ];
 
         if ($this->usesState()) {
-            $fields['state'] = md5($state);
+            $fields['state'] = $state;
             $fields['nonce'] = Str::uuid().'.'.$state;
         }
 
@@ -126,16 +129,8 @@ protected function getUserByToken($token)
      */
     public static function verify($jwt)
     {
-        $signer = new Sha256();
-
-        $token = (new Parser())->parse((string) $jwt);
-
-        if ($token->getClaim('iss') !== self::URL) {
-            throw new InvalidStateException('Invalid Issuer', Response::HTTP_UNAUTHORIZED);
-        }
-        if ($token->isExpired(new \DateTime())) {
-            throw new InvalidStateException('Token Expired', Response::HTTP_UNAUTHORIZED);
-        }
+        $jwtContainer = Configuration::forUnsecuredSigner();
+        $token = $jwtContainer->parser()->parse($jwt);
 
         $data = Cache::remember('socialite:Apple-JWKSet', 5 * 60, function () {
             $res = (new Client())->get(self::URL.'/auth/keys');
@@ -144,13 +139,17 @@ public static function verify($jwt)
         });
 
         $publicKeys = JWK::parseKeySet($data);
-
-        $kid = $token->getHeader('kid');
+        $kid = $token->headers()->get('kid');
 
         if (isset($publicKeys[$kid])) {
             $publicKey = openssl_pkey_get_details($publicKeys[$kid]);
+            $constraints = [
+                new SignedWith(new Sha256(), InMemory::plainText($publicKey['key'])),
+                new IssuedBy(self::URL),
+                new ValidAt(SystemClock::fromUTC()),
+            ];
 
-            if ($token->verify($signer, new Key($publicKey['key']))) {
+            if ($jwtContainer->validator()->validate($token, ...$constraints)) {
                 return true;
             }
         }

composer.json

@@ -16,11 +16,11 @@
         }
     ],
     "require": {
-        "php": "^7.2 || ^8.0",
+        "php": "^7.4 || ^8.0",
         "ext-json": "*",
         "ext-openssl": "*",
         "firebase/php-jwt": "^5.2",
-        "lcobucci/jwt": "^3.4",
+        "lcobucci/jwt": "^4.0",
         "socialiteproviders/manager": "~4.0"
     },
     "autoload": {