Merge pull request #43 from daneden/fix-oauth-token-refresh

Fix OAuth token refreshing

Author: daneden

Demo App/Twift_SwiftUI.xcodeproj/project.pbxproj

@@ -46,6 +46,7 @@
 		714749F22799CED800CB128B /* Helpers.swift in Sources */ = {isa = PBXBuildFile; fileRef = 714749F12799CED800CB128B /* Helpers.swift */; };
 		714749F42799DA2C00CB128B /* PhotoPicker.swift in Sources */ = {isa = PBXBuildFile; fileRef = 714749F32799DA2C00CB128B /* PhotoPicker.swift */; };
 		714749F62799DA5100CB128B /* UploadMedia.swift in Sources */ = {isa = PBXBuildFile; fileRef = 714749F52799DA5100CB128B /* UploadMedia.swift */; };
+		714D44A428A39D98005105B7 /* KeychainItem.swift in Sources */ = {isa = PBXBuildFile; fileRef = 714D44A328A39D98005105B7 /* KeychainItem.swift */; };
 		7157CD1527F303D900324A43 /* PaginatedTweetsMethodView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7157CD1427F303D900324A43 /* PaginatedTweetsMethodView.swift */; };
 		7157CD1727F3127C00324A43 /* PaginatedUsersMethodView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7157CD1627F3127C00324A43 /* PaginatedUsersMethodView.swift */; };
 		716FADEC27F0B82A002C1BA1 /* README.md in Resources */ = {isa = PBXBuildFile; fileRef = 716FADEB27F0B82A002C1BA1 /* README.md */; };
@@ -99,6 +100,7 @@
 		714749F12799CED800CB128B /* Helpers.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Helpers.swift; sourceTree = "<group>"; };
 		714749F32799DA2C00CB128B /* PhotoPicker.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PhotoPicker.swift; sourceTree = "<group>"; };
 		714749F52799DA5100CB128B /* UploadMedia.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UploadMedia.swift; sourceTree = "<group>"; };
+		714D44A328A39D98005105B7 /* KeychainItem.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = KeychainItem.swift; sourceTree = "<group>"; };
 		7157CD1427F303D900324A43 /* PaginatedTweetsMethodView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PaginatedTweetsMethodView.swift; sourceTree = "<group>"; };
 		7157CD1627F3127C00324A43 /* PaginatedUsersMethodView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = PaginatedUsersMethodView.swift; sourceTree = "<group>"; };
 		716FADEB27F0B82A002C1BA1 /* README.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = net.daringfireball.markdown; path = README.md; sourceTree = "<group>"; };
@@ -208,9 +210,9 @@
 		712BF227278F1C02006CB2F2 /* Twift_SwiftUI */ = {
 			isa = PBXGroup;
 			children = (
+				714D44A228A39D8B005105B7 /* Helpers */,
 				71242AAC278F21FE000372DE /* Twift-SwiftUI-Info.plist */,
 				712BF22A278F1C02006CB2F2 /* ContentView.swift */,
-				714749F12799CED800CB128B /* Helpers.swift */,
 				71242ACD279202BA000372DE /* Secrets.swift */,
 				712BF228278F1C02006CB2F2 /* Twift_SwiftUIApp.swift */,
 				712BF22C278F1C03006CB2F2 /* Assets.xcassets */,
@@ -242,6 +244,15 @@
 			path = Tweets;
 			sourceTree = "<group>";
 		};
+		714D44A228A39D8B005105B7 /* Helpers */ = {
+			isa = PBXGroup;
+			children = (
+				714749F12799CED800CB128B /* Helpers.swift */,
+				714D44A328A39D98005105B7 /* KeychainItem.swift */,
+			);
+			path = Helpers;
+			sourceTree = "<group>";
+		};
 /* End PBXGroup section */
 
 /* Begin PBXNativeTarget section */
@@ -367,6 +378,7 @@
 				71242ABC2791D140000372DE /* UserRow.swift in Sources */,
 				714749E62794A8E000CB128B /* UserTimeline.swift in Sources */,
 				71242AB627918C63000372DE /* StackedLabel.swift in Sources */,
+				714D44A428A39D98005105B7 /* KeychainItem.swift in Sources */,
 				71242AC42791F628000372DE /* GetFollowing.swift in Sources */,
 				714749EC2796079400CB128B /* UserMentions.swift in Sources */,
 				71D1487927F99767001E3F7A /* GetLists.swift in Sources */,

Demo App/Twift_SwiftUI/ContentView.swift

@@ -14,38 +14,14 @@ let dteUserId: User.ID = "23082430"
 let jackUserId: User.ID = "12"
 
 struct ContentView: View {
+  @EnvironmentObject var clientContainer: ClientContainer
   @EnvironmentObject var twitterClient: Twift
 
-  var userId: String? {
-    if case .userAccessTokens(_, let userCredentials) = twitterClient.authenticationType {
-      return userCredentials.userId
-    } else {
-      return nil
-    }
-  }
-  
   var body: some View {
     NavigationView {
       Form {
-        Section {
+        Section { } footer: {
           Text("This simple SwiftUI app showcases the various capabilities of the Twift library. Navigate into each category to explore the library methods.")
-            .padding(.vertical, 8)
-  
-          if let userId = userId {
-            HStack {
-              StackedLabel("Current User ID") {
-                Text(userId).font(.body.monospaced())
-              }
-              
-              Spacer()
-              
-              Button {
-                UIPasteboard.general.string = userId
-              } label: {
-                Label("Copy", systemImage: "doc.on.doc")
-              }
-            }
-          }
         }
 
         Section("Examples") {
@@ -58,6 +34,29 @@ struct ContentView: View {
         Section {
           NavigationLink(destination: HelpfulIDs()) { Label("Helpful IDs", systemImage: "lifepreserver") }
         }
+        
+        Section {
+          if let user = clientContainer.client?.oauthUser {
+            Text("OAuth token expiration: \(user.expiresAt.formatted(date: .omitted, time: .shortened)) (\(user.expiresAt.formatted(.relative(presentation: .numeric, unitsStyle: .wide))))")
+          }
+          
+          Button {
+            Task {
+              try await twitterClient.refreshOAuth2AccessToken(onlyIfExpired: false)
+            }
+          } label: {
+            Text("Refresh access token")
+          }
+          
+          Button(role: .destructive) {
+            clientContainer.twiftAccount = nil
+            clientContainer.client = nil
+          } label: {
+            Text("Sign out")
+          }
+        } footer: {
+          Text("Calling Twift's methods will automatically refresh the token if necessary, or you can manually refresh using the button above")
+        }
       }
       .navigationTitle("Twift Example App")
     }

Demo App/Twift_SwiftUI/Helpers.swift Demo App/Twift_SwiftUI/Helpers/Helpers.swift

@@ -0,0 +1,108 @@
+//
+//  KeychainItem.swift
+//  Twift_SwiftUI
+//
+//  Created by Daniel Eden on 10/08/2022.
+//
+
+import Foundation
+import Security
+
+private func throwIfNotZero(_ status: OSStatus) throws {
+  guard status != 0 else { return }
+  throw KeychainError.keychainError(status: status)
+}
+
+public enum KeychainError: Error {
+  case invalidData
+  case keychainError(status: OSStatus)
+}
+
+extension Dictionary {
+  func adding(key: Key, value: Value) -> Dictionary {
+    var copy = self
+    copy[key] = value
+    return copy
+  }
+}
+
+@propertyWrapper
+/// This class is for demonstrative purposes only to illustrate how an encoded OAuth2User can be encoded and stored to the user's keychain.
+final public class KeychainItem {
+  private let account: String
+  private let accessGroup: String?
+  
+  public init(account: String) {
+    self.account = account
+    self.accessGroup = nil
+  }
+  
+  public init(account: String, accessGroup: String) {
+    self.account = account
+    self.accessGroup = accessGroup
+  }
+  
+  private var baseDictionary: [String:AnyObject] {
+    let base = [
+      kSecClass as String: kSecClassGenericPassword,
+      kSecAttrAccount as String: account as AnyObject,
+      kSecAttrSynchronizable as String: kCFBooleanTrue!
+    ]
+    
+    return accessGroup == nil
+    ? base
+    : base.adding(key: kSecAttrAccessGroup as String, value: accessGroup as AnyObject)
+  }
+  
+  private var query: [String:AnyObject] {
+    return baseDictionary.adding(key: kSecMatchLimit as String, value: kSecMatchLimitOne)
+  }
+  
+  public var wrappedValue: String? {
+    get {
+      try? read()
+    }
+    set {
+      if let v = newValue {
+        if let _ = try? read() {
+          try! update(v)
+        } else {
+          try! add(v)
+        }
+      } else {
+        try? delete()
+      }
+    }
+  }
+  
+  private func delete() throws {
+    // SecItemDelete seems to fail with errSecItemNotFound if the item does not exist in the keychain. Is this expected behavior?
+    let status = SecItemDelete(baseDictionary as CFDictionary)
+    guard status != errSecItemNotFound else { return }
+    try throwIfNotZero(status)
+  }
+  
+  private func read() throws -> String? {
+    let query = self.query.adding(key: kSecReturnData as String, value: true as AnyObject)
+    var result: AnyObject? = nil
+    let status = SecItemCopyMatching(query as CFDictionary, &result)
+    guard status != errSecItemNotFound else { return nil }
+    try throwIfNotZero(status)
+    guard let data = result as? Data, let string = String(data: data, encoding: .utf8) else {
+      throw KeychainError.invalidData
+    }
+    return string
+  }
+  
+  private func update(_ secret: String) throws {
+    let dictionary: [String:AnyObject] = [
+      kSecValueData as String: secret.data(using: String.Encoding.utf8)! as AnyObject
+    ]
+    try throwIfNotZero(SecItemUpdate(baseDictionary as CFDictionary, dictionary as CFDictionary))
+  }
+  
+  private func add(_ secret: String) throws {
+    let dictionary = baseDictionary.adding(key: kSecValueData as String, value: secret.data(using: .utf8)! as AnyObject)
+    try throwIfNotZero(SecItemAdd(dictionary as CFDictionary, nil))
+  }
+}

Demo App/Twift_SwiftUI/Helpers/KeychainItem.swift

@@ -25,6 +25,7 @@ let clientCredentials = OAuthCredentials(
 
 class ClientContainer: ObservableObject {
   @Published var client: Twift?
+  @KeychainItem(account: "twiftAccount") var twiftAccount
 }
 
 @main
@@ -37,6 +38,7 @@ struct Twift_SwiftUIApp: App {
       if let twitterClient = container.client {
         ContentView()
           .environmentObject(twitterClient)
+          .environmentObject(container)
       } else {
         NavigationView {
           Form {
@@ -50,11 +52,9 @@ struct Twift_SwiftUIApp: App {
                                                                               scope: Set(OAuth2Scope.allCases))
 
                 if let user = user {
-                  container.client = Twift(oauth2User: user) { refreshedToken in
-                    print(refreshedToken)
+                  container.client = Twift(oauth2User: user) { token in
+                    onTokenRefresh(token)
                   }
-                  
-                  try? await container.client?.refreshOAuth2AccessToken()
                 }
               } label: {
                 Text("Sign In With Twitter")
@@ -73,9 +73,22 @@ struct Twift_SwiftUIApp: App {
               }.disabled(bearerToken.isEmpty)
 
             }
-          }.navigationTitle("Choose Auth Type")
+          }
+          .navigationTitle("Choose Auth Type")
+          .onAppear {
+            if let keychainItem = container.twiftAccount?.data(using: .utf8),
+               let decoded = try? JSONDecoder().decode(OAuth2User.self, from: keychainItem) {
+              container.client = Twift(oauth2User: decoded, onTokenRefresh: onTokenRefresh)
+            }
+          }
         }
       }
     }
   }
+  
+  func onTokenRefresh(_ token: OAuth2User) {
+    print(token)
+    guard let encoded = try? JSONEncoder().encode(token) else { return }
+    container.twiftAccount = String(data: encoded, encoding: .utf8)
+  }
 }

Demo App/Twift_SwiftUI/Twift_SwiftUIApp.swift

@@ -317,7 +317,7 @@ public struct OAuth2User: Codable {
     var container = encoder.container(keyedBy: CodingKeys.self)
     try container.encode(accessToken, forKey: .accessToken)
     try container.encodeIfPresent(refreshToken, forKey: .refreshToken)
-    try container.encode(Date.now.distance(to: expiresAt), forKey: .expiresAt)
+    try container.encode(expiresAt, forKey: .expiresAt)
     try container.encodeIfPresent(clientId, forKey: .clientId)
 
     let scopes = scope.map(\.rawValue).joined(separator: " ")

Sources/Twift+Authentication.swift

@@ -4,7 +4,7 @@ import Combine
 @MainActor
 public class Twift: NSObject, ObservableObject {
   /// The type of authentication access for this Twift instance
-  public private(set) var authenticationType: AuthenticationType
+  @Published public private(set) var authenticationType: AuthenticationType
   public var oauthUser: OAuth2User? {
     switch authenticationType {
       case .oauth2UserAuth(let user, _):
@@ -131,9 +131,7 @@ public class Twift: NSObject, ObservableObject {
     var refreshedOAuthUser = try JSONDecoder().decode(OAuth2User.self, from: data)
     refreshedOAuthUser.clientId = clientId
 
-    if let refreshCompletion = refreshCompletion {
-      refreshCompletion(refreshedOAuthUser)
-    }
+    refreshCompletion?(refreshedOAuthUser)
 
     self.authenticationType = .oauth2UserAuth(refreshedOAuthUser, onRefresh: refreshCompletion)
   }