The functionality covered in this page is available in the licensed version. You can get a license here ⭐️.
Advanced security
✨since v18.2.0
There are 2 security-related features available:
Custom nonce
Nonce (number used once) is a security measure used to mitigate replay attacks and to associate a Client session with an ID Token.
The authorization APIs in Universal Google Sign-In for Apple, Android and web allow you to specify a nonce.
Example usage:

```ts
const response = await GoogleOneTapSignIn.createAccount({
  nonce: getUrlSafeNonce(),
});
```
`getUrlSafeNonce()` generates a URL-safe nonce. It can be implemented using either expo-crypto or react-native-get-random-values:

- expo-crypto

```ts
import * as Crypto from 'expo-crypto';

export function getUrlSafeNonce(byteLength = 32) {
  if (byteLength < 1) {
    throw new Error('Byte length must be positive');
  }
  // Cryptographically secure random bytes from expo-crypto
  const randomBytes = Crypto.getRandomValues(new Uint8Array(byteLength));
  // Base64-encode, then switch to the URL-safe alphabet and drop padding
  return btoa(String.fromCharCode(...randomBytes))
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/[=]/g, '');
}
```

- react-native-get-random-values

```ts
// Polyfills the global `crypto.getRandomValues` with a secure RNG
import 'react-native-get-random-values';

export function getUrlSafeNonce(byteLength = 32) {
  if (byteLength < 1) {
    throw new Error('Byte length must be positive');
  }
  const randomBytes = crypto.getRandomValues(new Uint8Array(byteLength));
  // Base64-encode, then switch to the URL-safe alphabet and drop padding
  return btoa(String.fromCharCode(...randomBytes))
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/[=]/g, '');
}
```
Usage with Supabase
Auth providers such as Supabase require passing the SHA-256 hash (digest) of the nonce (source). This can be done as follows:

```ts
import { digestStringAsync, CryptoDigestAlgorithm } from 'expo-crypto';
// `getUrlSafeNonce` is the helper defined above

export const getNonce = async () => {
  // `rawNonce` goes to Supabase's signInWithIdToken().
  // Supabase makes a hash of `rawNonce` and compares it with the `nonceDigest`
  // which is included in the ID token from RN-google-signin.
  const rawNonce = getUrlSafeNonce();
  // `nonceDigest` goes to the `nonce` parameter in RN-google-signin APIs
  const nonceDigest = await digestStringAsync(
    CryptoDigestAlgorithm.SHA256,
    rawNonce,
  );
  return { rawNonce, nonceDigest };
};
```
App Check for iOS (advanced)
App Check helps protect your apps from abuse by preventing unauthorized clients from authenticating using Google Sign-in: only the apps you've authorized can acquire access tokens and ID tokens from Google's OAuth 2.0 and OpenID Connect endpoint.
Read more about App Check to understand it.
Setup
To set up App Check:

- Set up Google API Console / Firebase console by following "1. Set up your project". Do not follow step 2.
- Add the App Attest capability to your app (as in here). If you're using Expo, the capability can be added according to the iOS capabilities documentation.
- (Skip if you use Expo.) Ensure that `GIDClientID` (the iOS client ID) is set in your `Info.plist`. The Expo config plugin does this for you.
Usage
Call `GoogleOneTapSignIn.enableAppCheck()` as shown below. Do this early, before invoking any authentication APIs. The call either resolves when it succeeds or rejects with an error. On platforms other than iOS, the method is a no-op and resolves.

- Production environment:

```ts
await GoogleOneTapSignIn.enableAppCheck();
```

- Debug provider (recommended): use the `APP_CHECK_API_KEY` env variable in Xcode to configure the debug provider with the API key. Then call:

```ts
await GoogleOneTapSignIn.enableAppCheck();
```

- Debug provider (alternative): configure the debug provider with the API key in code:

```ts
await GoogleOneTapSignIn.enableAppCheck({
  debugProviderAPIKey: config.apiKey,
});
```

API keys and debug tokens are sensitive data. Keep them private.
Enable App Check enforcement
Read the official documentation to understand how to enforce App Check.