fix: properly using nonce for SIWA

Author: maksutovic

Sources/CompilerSwiftAI/Auth/CompilerCient+AppleAuth.swift

@@ -3,7 +3,7 @@
 import AuthenticationServices
 
 extension CompilerClient {
-    public func handleSignInWithApple(_ result: Result<ASAuthorization, Error>) async throws -> Bool {
+    public func handleSignInWithApple(_ result: Result<ASAuthorization, Error>, nonce: String?) async throws -> Bool {
         switch result {
         case .success(let auth):
             guard let appleIDCredential = auth.credential as? ASAuthorizationAppleIDCredential,
@@ -12,11 +12,15 @@ extension CompilerClient {
                 throw AuthError.invalidToken
             }
 
-            // Store Apple ID token - this acts as our "refresh token"
-            // Apple ID tokens can be reused for a while (usually days to weeks)
+            // Store Apple ID token
             await keychain.save(idToken, service: "apple-id-token", account: "user")
 
-            let accessToken = try await authenticateWithServer(idToken: idToken)
+            // Store the nonce for verification
+            if let nonce = nonce {
+                await keychain.save(nonce, service: "apple-nonce", account: "user")
+            }
+            
+            let accessToken = try await authenticateWithServer(idToken: idToken, nonce: nonce)
             await keychain.save(accessToken, service: "access-token", account: "user")
 
             return true

Sources/CompilerSwiftAI/Auth/CompilerClient+Auth.swift

@@ -28,21 +28,23 @@ extension CompilerClient {
         throw AuthError.invalidToken
     }
 
-    func authenticateWithServer(idToken: String) async throws -> String {
+    func authenticateWithServer(idToken: String, nonce: String? = nil) async throws -> String {
         let lowercasedAppID = appID.uuidString.lowercased()
         let endpoint = "\(baseURL)/v1/apps/\(lowercasedAppID)/end-users/apple"
         guard let url = URL(string: endpoint) else {
             authLogger.error("Invalid URL: \(self.baseURL)")
             throw AuthError.invalidResponse
         }
 
+        var body: [String: String] = ["id_token": idToken]
+        if let nonce {
+            body["nonce"] = nonce
+        }
         authLogger.debug("Making auth request to: \(endpoint)")
 
         var request = URLRequest(url: url)
         request.httpMethod = "POST"
         request.setValue("application/json", forHTTPHeaderField: "Content-Type")
-        
-        let body = ["id_token": idToken]
         request.httpBody = try JSONEncoder().encode(body)
 
         authLogger.debug("Request body: \(body)")

Sources/CompilerSwiftAI/Auth/CompilerClient+Nonce.swift

@@ -0,0 +1,47 @@
+import CryptoKit
+import AuthenticationServices
+
+extension CompilerClient {
+    // Generate a random nonce for authentication
+    public static func randomNonceString(length: Int = 32) -> String {
+        precondition(length > 0)
+        let charset: [Character] = Array("0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._")
+        var result = ""
+        var remainingLength = length
+        
+        while remainingLength > 0 {
+            let randoms: [UInt8] = (0 ..< 16).map { _ in
+                var random: UInt8 = 0
+                let errorCode = SecRandomCopyBytes(kSecRandomDefault, 1, &random)
+                if errorCode != errSecSuccess {
+                    fatalError("Unable to generate nonce. SecRandomCopyBytes failed with OSStatus \(errorCode)")
+                }
+                return random
+            }
+            
+            randoms.forEach { random in
+                if remainingLength == 0 {
+                    return
+                }
+                
+                if random < charset.count {
+                    result.append(charset[Int(random)])
+                    remainingLength -= 1
+                }
+            }
+        }
+        
+        return result
+    }
+    
+    // Compute the SHA256 hash of a string
+    public static func sha256(_ input: String) -> String {
+        let inputData = Data(input.utf8)
+        let hashedData = SHA256.hash(data: inputData)
+        let hashString = hashedData.compactMap {
+            String(format: "%02x", $0)
+        }.joined()
+        
+        return hashString
+    }
+}

Sources/CompilerSwiftAI/CompilerClient.swift

@@ -28,8 +28,8 @@ public final actor CompilerClient {
 
     private(set) var configuration: Configuration
 
-    internal let baseURL: String = "https://backend.compiler.inc"
-//    internal let baseURL: String = "http://localhost:3000"
+//    internal let baseURL: String = "https://backend.compiler.inc"
+    internal let baseURL: String = "http://localhost:3000"
     internal let keychain: KeychainHelper = KeychainHelper.standard
     internal let functionLogger: DebugLogger
     internal let modelLogger: DebugLogger

Sources/CompilerSwiftAI/Model Calling/CompilerClient+Streaming.swift

@@ -7,7 +7,7 @@ struct ChatResponseDataTransferObject: Decodable {
 }
 
 extension CompilerClient {
-    var streamingProviders: [ModelProvider] { [.openai, .anthropic, .gemini] }
+    var streamingProviders: [ModelProvider] { [.openai, .anthropic, .google] }
 
     // Specialized String streaming version
     func makeStreamingModelCall(