fix(auth): H0-01 Apple登录—nonce验证+启动检查+fullName补写修复

2026-05-27 20:22:42 +08:00 · 2026-05-27 20:22:42 +08:00 · 5fcfc87f84
commit 5fcfc87f84
parent 6a13edc7fb
2 changed files with 91 additions and 15 deletions
--- a/src/modules/auth/apple-auth.service.ts
+++ b/src/modules/auth/apple-auth.service.ts
@ -1,13 +1,16 @@
 import * as crypto from 'crypto';
-import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { Injectable, UnauthorizedException, Logger, OnModuleInit } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
@Injectable()
-export class AppleAuthService {
+export class AppleAuthService implements OnModuleInit {
  private readonly logger = new Logger(AppleAuthService.name);
  private readonly appleIssuer: string;
  private readonly appleBundleId: string;
  private readonly jwks: ReturnType<typeof createRemoteJWKSet>;
  /** 上次已验证通过的 nonce set，用于防重放（生产环境） */
  private readonly usedNonces = new Set<string>();
  constructor(private readonly configService: ConfigService) {
    this.appleIssuer = this.configService.get<string>(
@ -20,36 +23,69 @@ export class AppleAuthService {
    );
  }
-  async verifyIdentityToken(identityToken: string): Promise<{
+  onModuleInit() {
    const nodeEnv = process.env.NODE_ENV;
    if (nodeEnv === 'production') {
      if (!this.appleBundleId) {
        throw new Error(
          '生产环境必须设置 APPLE_BUNDLE_ID 环境变量。\n' +
          '请在 .env 中添加: APPLE_BUNDLE_ID=com.your.bundle.id',
        );
      }
      this.logger.log('Apple 登录已配置，使用真实验签');
    } else {
      if (this.appleBundleId) {
        this.logger.log('Apple 登录使用真实验签模式（已配置 bundleId）');
      } else {
        this.logger.warn(
          'Apple 登录使用 mock 模式（未配置 APPLE_BUNDLE_ID），仅限开发环境使用',
        );
      }
    }
  }
  async verifyIdentityToken(
    identityToken: string,
    rawNonce?: string,
  ): Promise<{
    appleUserId: string;
    email?: string;
    emailVerified?: boolean;
  }> {
    if (!this.appleBundleId) {
      if (process.env.NODE_ENV === 'production') {
        throw new UnauthorizedException('Apple 登录未配置，请联系管理员');
      }
      return this.verifyMock(identityToken);
    }
-    return this.verifyReal(identityToken);
+    return this.verifyReal(identityToken, rawNonce);
  }
  private verifyMock(identityToken: string): {
    appleUserId: string;
    email?: string;
    emailVerified?: boolean;
  } {
    if (!identityToken || identityToken.trim().length < 4) {
      throw new UnauthorizedException('identityToken 无效');
    }
-    return {
+
-      appleUserId: crypto
+    const mockUserId = crypto
      .createHash('sha256')
      .update(`apple-mock:${identityToken}`)
      .digest('hex')
-        .slice(0, 64),
+      .slice(0, 64);
    const mockEmail = `${mockUserId.slice(0, 12)}@mock.apple.user`;
    return {
      appleUserId: mockUserId,
      email: mockEmail,
      emailVerified: true,
    };
  }
-  private async verifyReal(identityToken: string): Promise<{
+  private async verifyReal(
    identityToken: string,
    rawNonce?: string,
  ): Promise<{
    appleUserId: string;
    email?: string;
    emailVerified?: boolean;
@ -58,13 +94,17 @@ export class AppleAuthService {
      const { payload } = await jwtVerify(identityToken, this.jwks, {
        issuer: this.appleIssuer,
        audience: this.appleBundleId,
        // nonce 校验：如果提供了 nonce，jose 会自动校验 JWT 中的 nonce claim
        ...(rawNonce ? { nonce: this.sha256Hex(rawNonce) } : {}),
      });
      return {
        appleUserId: payload.sub!,
        email:
          typeof payload.email === 'string' ? payload.email : undefined,
-        emailVerified: payload.email_verified === true || payload.email_verified === 'true',
+        emailVerified:
          payload.email_verified === true ||
          payload.email_verified === 'true',
      };
    } catch (err: any) {
      const msg: string = err?.message ?? '';
@ -76,7 +116,17 @@ export class AppleAuthService {
      if (msg.includes('issuer')) {
        throw new UnauthorizedException('identityToken issuer 无效');
      }
      if (msg.includes('nonce')) {
        throw new UnauthorizedException('identityToken nonce 验证失败');
      }
      throw new UnauthorizedException('identityToken 验证失败');
    }
  }
  /**
   * 计算 nonce 的 SHA256 哈希（与 iOS 端 SHA256(nonce) 一致）
   */
  private sha256Hex(input: string): string {
    return crypto.createHash('sha256').update(input).digest('hex');
  }
 }
--- a/src/modules/auth/auth.service.ts
+++ b/src/modules/auth/auth.service.ts
@ -57,7 +57,10 @@ export class AuthService {
  async appleLogin(dto: AppleLoginDto) {
    const { appleUserId, email: appleEmail } =
-      await this.appleAuthService.verifyIdentityToken(dto.identityToken);
+      await this.appleAuthService.verifyIdentityToken(
        dto.identityToken,
        dto.nonce,
      );
    let account = await this.prisma.authAccount.findUnique({
      where: {
@ -90,6 +93,29 @@ export class AuthService {
        },
        include: { user: true },
      });
    } else {
      // 已有账户：如果首次登录时 nickname 未成功写入（网络中断等），
      // 后续 Apple 返回 fullName 时补写
      if (!account.user.nickname && dto.fullName?.givenName) {
        const displayName = `${dto.fullName.familyName || ''}${dto.fullName.givenName}`;
        await this.prisma.user.update({
          where: { id: account.userId },
          data: { nickname: displayName },
        });
      }
      // 补写首次可能缺失的 email
      if (!account.user.email && appleEmail) {
        await this.prisma.user.update({
          where: { id: account.userId },
          data: { email: appleEmail },
        });
      }
      if (!account.email && appleEmail) {
        await this.prisma.authAccount.update({
          where: { id: account.id },
          data: { email: appleEmail },
        });
      }
    }
    return this.buildLoginResponse(account.user);