Save app id when signing up (#22)

Co-authored-by: Daniel Sincere <[email protected]>
DanielSincere · Oct 23, 2024 · 8a52408 · 8a52408
1 parent fb4e1d4
commit 8a52408
Show file tree

Hide file tree

Showing 28 changed files with 143 additions and 49 deletions.
diff --git a/.env.development.sample b/.env.development.sample
@@ -7,3 +7,5 @@ APPLE_TEAM_ID=FQDV1234
 APPLE_APP_ID=com.fullqueuedeveloper.FQAuth
 AUTH_PRIVATE_KEY=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJdz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlIY0FnRUJCRUlCV1Q2RVFQZkRNelNwME1tNjFlbFRaaXljQSs5Sy9QRzN6TFFka0hsMnFlWnlCWEs4VlRrRQpTbGovemxXRkhUWG1RTTB0d3V5YnAyTEFMaHVwd2ZJR3l5eWdCd1lGSzRFRUFDT2hnWWtEZ1lZQUJBRXh5QS9wCitEM05CTmdjMm1XUjdBOVRUa0tkdWMrWVlaeFN2ZWdPMWpMeC9QbG1TUHdHcGF3c2NiYWxHYTgwbkRTNTU2SXUKR1l0S2ZnbkJGSXBFcU1FQkdBQ2MrUys2cTNBNU10emM4bHhzamRlYVlSWDdIbnJNejlVdzRROGNUUmkzUXVJNwpKdi93OEJnZFhRNnVMdGdSMTZLTzJQcVg2azRSSDdmY3BSL20vUEU1OEE9PQotLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCg==
 APPLE_SERVICES_KEY=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJdz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlIY0FnRUJCRUlCdXRBYnNFUjY1bVFnby9iKzJYcTVsaDZQTDhuRTJSRjZ0WjFDdWNmdW5UaWtyNDFwL3JhZwpYaXd6MTJVOWxoY211Y2wrWDh5MkVacUowQ0FXS0VhTHluYWdCd1lGSzRFRUFDT2hnWWtEZ1lZQUJBQm92SWc2CkNRREdkcjMxNlR6bEJXRG56SHIvWDVoSnVzbnpSY0E2WUpUS1RVMll2bXdCaHVGUFBiNit1MUttaUdkTnQ2N1EKTU16RjMxYjY0L0gwS3prQ1BnRVZicklMVkthNDlUbTdNQU1WT3dsUUxaVHBIck8xMVk2bVd5eERydEFCSXNDTApqNnBRMFhGNlZiNWNOT3RWL1BpMC9lcTIxY3UwV3h5aDNHODY2TlQ0T1E9PQotLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCg==
+WEBSITE_APPLE_APP_ID=com.fullqueuedeveloper.Website
+WEBSITE_URL=account.fullqueuedeveloper.com
diff --git a/.env.sample b/.env.sample
@@ -8,4 +8,5 @@ APPLE_SERVICES_KEY=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJdz09Ci0tL
 APPLE_SERVICES_KEY_ID=com.fullqueuedeveloper.FQAuthServer.AppleServicesKeyID
 APPLE_TEAM_ID=FQDV1234
 APPLE_APP_ID=com.fullqueuedeveloper.FQAuth
-
+WEBSITE_APPLE_APP_ID=com.fullqueuedeveloper.Website
+WEBSITE_URL=account.fullqueuedeveloper.com
diff --git a/.env.testing.sample b/.env.testing.sample
@@ -7,3 +7,5 @@ APPLE_TEAM_ID=FQDV1234
 APPLE_APP_ID=com.fullqueuedeveloper.FQAuth
 AUTH_PRIVATE_KEY=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJdz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlIY0FnRUJCRUlCV1Q2RVFQZkRNelNwME1tNjFlbFRaaXljQSs5Sy9QRzN6TFFka0hsMnFlWnlCWEs4VlRrRQpTbGovemxXRkhUWG1RTTB0d3V5YnAyTEFMaHVwd2ZJR3l5eWdCd1lGSzRFRUFDT2hnWWtEZ1lZQUJBRXh5QS9wCitEM05CTmdjMm1XUjdBOVRUa0tkdWMrWVlaeFN2ZWdPMWpMeC9QbG1TUHdHcGF3c2NiYWxHYTgwbkRTNTU2SXUKR1l0S2ZnbkJGSXBFcU1FQkdBQ2MrUys2cTNBNU10emM4bHhzamRlYVlSWDdIbnJNejlVdzRROGNUUmkzUXVJNwpKdi93OEJnZFhRNnVMdGdSMTZLTzJQcVg2azRSSDdmY3BSL20vUEU1OEE9PQotLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCg==
 APPLE_SERVICES_KEY=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJdz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlIY0FnRUJCRUlCdXRBYnNFUjY1bVFnby9iKzJYcTVsaDZQTDhuRTJSRjZ0WjFDdWNmdW5UaWtyNDFwL3JhZwpYaXd6MTJVOWxoY211Y2wrWDh5MkVacUowQ0FXS0VhTHluYWdCd1lGSzRFRUFDT2hnWWtEZ1lZQUJBQm92SWc2CkNRREdkcjMxNlR6bEJXRG56SHIvWDVoSnVzbnpSY0E2WUpUS1RVMll2bXdCaHVGUFBiNit1MUttaUdkTnQ2N1EKTU16RjMxYjY0L0gwS3prQ1BnRVZicklMVkthNDlUbTdNQU1WT3dsUUxaVHBIck8xMVk2bVd5eERydEFCSXNDTApqNnBRMFhGNlZiNWNOT3RWL1BpMC9lcTIxY3UwV3h5aDNHODY2TlQ0T1E9PQotLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCg==
+WEBSITE_APPLE_APP_ID=com.fullqueuedeveloper.Website
+WEBSITE_URL=account.fullqueuedeveloper.com
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -149,6 +149,8 @@ jobs:
       APPLE_TEAM_ID: "FQDV1234"
       APPLE_APP_ID: "com.fullqueuedeveloper.FQAuth"
       AUTH_PRIVATE_KEY: "LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJdz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlIY0FnRUJCRUlCV1Q2RVFQZkRNelNwME1tNjFlbFRaaXljQSs5Sy9QRzN6TFFka0hsMnFlWnlCWEs4VlRrRQpTbGovemxXRkhUWG1RTTB0d3V5YnAyTEFMaHVwd2ZJR3l5eWdCd1lGSzRFRUFDT2hnWWtEZ1lZQUJBRXh5QS9wCitEM05CTmdjMm1XUjdBOVRUa0tkdWMrWVlaeFN2ZWdPMWpMeC9QbG1TUHdHcGF3c2NiYWxHYTgwbkRTNTU2SXUKR1l0S2ZnbkJGSXBFcU1FQkdBQ2MrUys2cTNBNU10emM4bHhzamRlYVlSWDdIbnJNejlVdzRROGNUUmkzUXVJNwpKdi93OEJnZFhRNnVMdGdSMTZLTzJQcVg2azRSSDdmY3BSL20vUEU1OEE9PQotLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCg=="
+      WEBSITE_URL: localhost
+      WEBSITE_APPLE_APP_ID: com.fullqueuedeveloper.Web
     steps:
       - uses: swift-actions/setup-swift@v1
         with:

diff --git a/Deploy/Fly.io/README.md b/Deploy/Fly.io/README.md
@@ -24,6 +24,8 @@
 - `RUN_QUEUES_IN_MAIN_PROCESS` - When limited in number of process, you may run the queues in-process by setting this
   variable to `YES`. If you can only run one extra process, prioritize the regular queues variable (this one).
 - `RUN_AUTO_MIGRATE` - When limited in number of process, you may run the database in-process by setting this variable to `YES`. This is only safe when you are only running 1 replica of the main app process.
+- `WEBSITE_APPLE_APP_ID` - Apple Services ID for the web login portal. e.g. com.fullqueuedeveloper.Website
+- `WEBSITE_URL` - URL for the web portal. Used to configure Sign in with Apple redirects. e.g. account.fullqueuedeveloper.com
 
 3. `fly deploy`
 4. After you login the first time, you may manually add the admin role to your user in the database, as that's not supported yet in the UI.

diff --git a/Deploy/Heroku/README.md b/Deploy/Heroku/README.md
@@ -24,6 +24,8 @@ Install heroku cli tool from Homebrew
 - `RUN_SCHEDULED_QUEUES_IN_MAIN_PROCESS` - When limited in number of process, you may run the scheduled queues in-process by setting this variable to `YES`. If you can only run one extra process, prioritize the regular queues variable (the other one).
 - `RUN_QUEUES_IN_MAIN_PROCESS` - When limited in number of process, you may run the queues in-process by setting this variable to `YES`. If you can only run one extra process, prioritize the regular queues variable (this one).
 - `RUN_AUTO_MIGRATE` - When limited in number of process, you may run the database in-process by setting this variable to `YES`. This is only safe when you are only running 1 replica of the main app process.
+- `WEBSITE_APPLE_APP_ID` - Apple Services ID for the web login portal. e.g. com.fullqueuedeveloper.Website
+- `WEBSITE_URL` - URL for the web portal. Used to configure Sign in with Apple redirects. e.g. account.fullqueuedeveloper.com
 
 5. Clone the SincereAuth repo to your local computer
 6. Choose container stack `heroku stack:set -a sincereauth-server-{name} container` (app name is from step 2)

diff --git a/Deploy/Kubernetes/1-sincereauth-secrets.sample.yml b/Deploy/Kubernetes/1-sincereauth-secrets.sample.yml
@@ -28,3 +28,6 @@ stringData:
   APPLE_APP_ID: com.fullqueuedeveloper.FQAuthSampleiOSApp
 
   ADDITIONAL_APPLE_APP_IDS: com.fullqueuedeveloper.FQAuthSampleMacOSApp com.fullqueuedeveloper.FQAuthSampleTvOSApp
+
+  WEBSITE_APPLE_APP_ID: com.fullqueuedeveloper.Website
+  WEBSITE_URL: account.fullqueuedeveloper.com
diff --git a/Deploy/Kubernetes/3-sincereauth-release.yml b/Deploy/Kubernetes/3-sincereauth-release.yml
@@ -63,3 +63,13 @@ spec:
                 secretKeyRef:
                   name: sincereauth.secrets
                   key: DB_SYMMETRIC_KEY
+            - name: WEBSITE_APPLE_APP_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_APPLE_APP_ID
+            - name: WEBSITE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_URL
diff --git a/Deploy/Kubernetes/4-sincereauth-scheduled-queues.yml b/Deploy/Kubernetes/4-sincereauth-scheduled-queues.yml
@@ -69,3 +69,13 @@ spec:
                 secretKeyRef:
                   name: sincereauth.secrets
                   key: DB_SYMMETRIC_KEY
+            - name: WEBSITE_APPLE_APP_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_APPLE_APP_ID
+            - name: WEBSITE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_URL
diff --git a/Deploy/Kubernetes/5-sincereauth-queues.yml b/Deploy/Kubernetes/5-sincereauth-queues.yml
@@ -69,3 +69,13 @@ spec:
                 secretKeyRef:
                   name: sincereauth.secrets
                   key: DB_SYMMETRIC_KEY
+            - name: WEBSITE_APPLE_APP_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_APPLE_APP_ID
+            - name: WEBSITE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_URL
diff --git a/Deploy/Kubernetes/6-sincereauth-app.yml b/Deploy/Kubernetes/6-sincereauth-app.yml
@@ -75,3 +75,13 @@ spec:
                 secretKeyRef:
                   name: sincereauth.secrets
                   key: DB_SYMMETRIC_KEY
+            - name: WEBSITE_APPLE_APP_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_APPLE_APP_ID
+            - name: WEBSITE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: sincereauth.secrets
+                  key: WEBSITE_URL
diff --git a/Deploy/Kubernetes/README.md b/Deploy/Kubernetes/README.md
@@ -11,27 +11,29 @@ Deployment guide for SincereAuth on Digital Ocean Kubernetes
 
 1. Create a user in the database for SincereAuth. Ensure this user has access to the `public` schema. If your user doesn't have access, login to your sincereauth database as your root user and grant access. For example,
 
-    GRANT ALL ON SCHEMA public TO sincereauth;
+   GRANT ALL ON SCHEMA public TO sincereauth;
 
 2. Gather the other environment variables as discussed in `Sources/SincereAuthServer/EnvVars.swift`, and store them in the secrets file. Rename 1-sincereauth-secrets.sample.yml to 1-sincereauth-secrets.yml.
 
-  1. APPLE_APP_ID
-  2. ADDITIONAL_APPLE_APP_IDS
-  3. APPLE_SERVICES_KEY
-  4. APPLE_SERVICES_KEY_ID
-  5. APPLE_TEAM_ID
-  6. AUTH_PRIVATE_KEY
-  7. DB_SYMMETRIC_KEY
-  8. DATABASE_URL
-  9. REDIS_URL
- 10. SELF_ISSUER_ID
+- APPLE_APP_ID
+- ADDITIONAL_APPLE_APP_IDS
+- APPLE_SERVICES_KEY
+- APPLE_SERVICES_KEY_ID
+- APPLE_TEAM_ID
+- AUTH_PRIVATE_KEY
+- DB_SYMMETRIC_KEY
+- DATABASE_URL
+- REDIS_URL
+- SELF_ISSUER_ID
+- WEBSITE_APPLE_APP_ID
+- WEBSITE_URL
 
 3. Deploy the App
 
-    kubectl apply -Rf Deploy/Kubernetes/
+   kubectl apply -Rf Deploy/Kubernetes/
 
 4. Set up ingress resources in your cluster and load balancer
 
 5. After you login the first time, you may manually add the admin role to your user in the database, as that's not supported yet in the UI.
 
-    UPDATE `USER` SET roles = '{"admin"}'::text[]
+   UPDATE `USER` SET roles = '{"admin"}'::text[]
diff --git a/Sources/SincereAuthServer/Apple/SignInWithApple/SIWAController.authorize.swift b/Sources/SincereAuthServer/Apple/SignInWithApple/SIWAController.authorize.swift
@@ -33,7 +33,7 @@ extension SIWAController {
                                bundleId: authorizeBody.bundleId)
         .flatMap { (appleIdentityToken: AppleIdentityToken) in
           return request.services.siwaClient
-            .generateRefreshToken(code: authorizeBody.authorizationCode)
+            .generateRefreshToken(code: authorizeBody.authorizationCode, appId: authorizeBody.bundleId)
             .flatMap { appleTokenResponse in
               return UserModel.findByAppleUserId(appleIdentityToken.subject.value, db: request.db)
                 .flatMap { maybeUser in
@@ -113,7 +113,8 @@ extension SIWAController {
                         roles: [],
                         method: .siwa(
                           appleUserId: appleIdentityToken.subject.value,
-                          appleRefreshToken: appleTokenResponse.refresh_token)
+                          appleRefreshToken: appleTokenResponse.refresh_token,
+                          appId: authorizeBody.bundleId)
                        ))
           .flatMap { userId in
             AuthHelper(request: request)

diff --git a/Sources/SincereAuthServer/Apple/SignInWithApple/SIWAModel.swift b/Sources/SincereAuthServer/Apple/SignInWithApple/SIWAModel.swift
@@ -17,6 +17,9 @@ final class SIWAModel: Model {
 
   @Field(key: "apple_user_id")
   var appleUserId: String
+
+  @Field(key: "app_id")
+  var appId: String
 
   @Field(key: "encrypted_apple_refresh_token")
   var encryptedAppleRefreshToken: String?

diff --git a/Sources/SincereAuthServer/Apple/SignInWithApple/client/SIWAClient.swift b/Sources/SincereAuthServer/Apple/SignInWithApple/client/SIWAClient.swift
@@ -3,8 +3,8 @@ import JWTKit
 
 public protocol SIWAClient {
   func `for`(_ request: Request) -> SIWAClient
-  func validateRefreshToken(token: String) -> EventLoopFuture<AppleResponse<AppleTokenRefreshResponse>>
-  func generateRefreshToken(code: String) -> EventLoopFuture<AppleTokenResponse>
+  func validateRefreshToken(token: String, appId: String) -> EventLoopFuture<AppleResponse<AppleTokenRefreshResponse>>
+  func generateRefreshToken(code: String, appId: String) -> EventLoopFuture<AppleTokenResponse>
 }
 
 public struct LiveSIWAClient: SIWAClient {
@@ -40,13 +40,9 @@ public struct LiveSIWAClient: SIWAClient {
     client.eventLoop
   }
 
-  var clientId: String {
-    EnvVars.appleAppId.loadOrFatal()
-  }
-
-  var clientSecret: EventLoopFuture<String> {
+  func clientSecret(appId: String) -> EventLoopFuture<String> {
     do {
-      let payload = SIWAClientSecret(clientId: try EnvVars.appleAppId.load(),
+      let payload = SIWAClientSecret(clientId: appId,
                                      teamId: try EnvVars.appleTeamId.load())
       let string = try signers.sign(payload, kid: .appleServicesKey)
       return eventLoop.makeSucceededFuture(string)
@@ -56,10 +52,10 @@ public struct LiveSIWAClient: SIWAClient {
     }
   }
 
-  public func validateRefreshToken(token: String) -> EventLoopFuture<AppleResponse<AppleTokenRefreshResponse>> {
-    self.clientSecret
+  public func validateRefreshToken(token: String, appId: String) -> EventLoopFuture<AppleResponse<AppleTokenRefreshResponse>> {
+    self.clientSecret(appId: appId)
       .flatMap { clientSecret in
-        let body = AppleAuthTokenBody(client_id: self.clientId,
+        let body = AppleAuthTokenBody(client_id: appId,
                                       client_secret: clientSecret,
                                       code: nil,
                                       grant_type: "refresh_token",
@@ -70,10 +66,10 @@ public struct LiveSIWAClient: SIWAClient {
       }
   }
 
-  public func generateRefreshToken(code: String) -> EventLoopFuture<AppleTokenResponse> {
-    self.clientSecret
+  public func generateRefreshToken(code: String, appId: String) -> EventLoopFuture<AppleTokenResponse> {
+    self.clientSecret(appId: appId)
       .flatMap { clientSecret in
-        let body = AppleAuthTokenBody(client_id: self.clientId,
+        let body = AppleAuthTokenBody(client_id: appId,
                                       client_secret: clientSecret,
                                       code: code,
                                       grant_type: "authorization_code",

diff --git a/Sources/SincereAuthServer/Apple/SignInWithApple/client/SIWAClientSecret.swift b/Sources/SincereAuthServer/Apple/SignInWithApple/client/SIWAClientSecret.swift
@@ -31,10 +31,6 @@ struct SIWAClientSecret: JWTPayload {
     guard try EnvVars.appleTeamId.load() == self.iss.value else {
       throw Errors.issuerMismatch(actual: self.iss.value)
     }
-
-    guard try EnvVars.appleAppId.load() == self.sub.value else {
-      throw Errors.subjectMismatch(actual: self.sub.value)
-    }
   }
 
   enum Errors: Error, LocalizedError {

diff --git a/Sources/SincereAuthServer/Apple/SignInWithApple/jobs/RefreshTokenJob.swift b/Sources/SincereAuthServer/Apple/SignInWithApple/jobs/RefreshTokenJob.swift
@@ -37,7 +37,7 @@ struct RefreshTokenJob: AsyncJob {
     siwa.attemptedRefreshAt = now
     try await siwa.save(on: db)
 
-    let tokenResult = try await client.validateRefreshToken(token: refreshToken).get()
+    let tokenResult = try await client.validateRefreshToken(token: refreshToken, appId: siwa.appId).get()
 
     switch tokenResult {
     case .decoded(let success):

diff --git a/Sources/SincereAuthServer/Apple/SignInWithApple/repo/SIWASignUpRepo.swift b/Sources/SincereAuthServer/Apple/SignInWithApple/repo/SIWASignUpRepo.swift
@@ -14,7 +14,7 @@ struct SIWASignUpRepo {
   }
 
   enum Method {
-    case siwa(appleUserId: String, appleRefreshToken: String)
+    case siwa(appleUserId: String, appleRefreshToken: String, appId: String)
 
     var id: UserModel.RegistrationMethod {
       switch self {
@@ -49,16 +49,21 @@ struct SIWASignUpRepo {
   func signUp(_ params: Params) -> EventLoopFuture<UserModel.IDValue> {
 
     switch params.method {
-    case .siwa(appleUserId: let appleUserId, appleRefreshToken: let appleRefreshToken):
+    case .siwa(appleUserId: let appleUserId, appleRefreshToken: let appleRefreshToken, let appId):
 
       let sqlTemplate = """
         WITH new_user as (
           INSERT INTO "user" (first_name, last_name, registration_method, roles)
           VALUES ($1, $2, $3::user_registration_method, $4::text[])
           RETURNING id AS user_id
         )
-        INSERT INTO "siwa" (email, apple_user_id, encrypted_apple_refresh_token, user_id)
-        VALUES ($5,$6,$7,(SELECT user_id FROM new_user))
+        INSERT INTO "siwa" (
+          email, 
+          apple_user_id, 
+          app_id, 
+          encrypted_apple_refresh_token, 
+          user_id)
+        VALUES ($5,$6,$7,$8,(SELECT user_id FROM new_user))
         RETURNING user_id AS user_id;
         """
 
@@ -69,6 +74,7 @@ struct SIWASignUpRepo {
         params.roles,
         params.email,
         appleUserId,
+        appId,
         DBSeal().seal(string: appleRefreshToken)
       ]
 

diff --git a/Sources/SincereAuthServer/EnvVars.swift b/Sources/SincereAuthServer/EnvVars.swift
@@ -19,6 +19,12 @@ enum EnvVars: String, CaseIterable {
   case appleAppId = "APPLE_APP_ID"
   /// App Store Connect App Bundle IDs for secondary apps in your app group, delimited by spaces
   case additionalAppleAppIds = "ADDITIONAL_APPLE_APP_IDS"
+
+  /// App Store Connect App ID for the web portal
+  case websiteAppleAppId = "WEBSITE_APPLE_APP_ID"
+
+  /// web portal URL. Perhaps "account.example.com"
+  case websiteURL = "WEBSITE_URL"
 
   /// generate with `spx generate-db-key`
   case dbSymmetricKey = "DB_SYMMETRIC_KEY"

diff --git a/Sources/SincereAuthServer/configure/configureMigrations.swift b/Sources/SincereAuthServer/configure/configureMigrations.swift
@@ -10,6 +10,7 @@ extension Application {
                           CreateSiwaMigration(),
                           CreateRefreshTokenMigration(),
                           AddRolesToUserMigration(),
+                          AddAppIdToSiwaMigration(),
                           to: .psql)
 
     if Environment.get("RUN_AUTO_MIGRATE") == "YES" {

diff --git a/Sources/SincereAuthServer/configure/migrations/AddAppIdToSiwaMigration.swift b/Sources/SincereAuthServer/configure/migrations/AddAppIdToSiwaMigration.swift
@@ -0,0 +1,11 @@
+import FluentPostgresDriver
+
+final class AddAppIdToSiwaMigration: PostgresScriptMigration {
+  let up = [
+    #"ALTER TABLE "siwa" ADD COLUMN app_id TEXT NOT NULL"#
+  ]
+
+  let down = [
+    #"ALTER TABLE "siwa" DROP COLUMN app_id"#
+  ]
+}
diff --git a/Sources/SincereAuthServer/web/Admin/AdminWebController.swift b/Sources/SincereAuthServer/web/Admin/AdminWebController.swift
@@ -5,7 +5,7 @@ final class AdminWebController: RouteCollection {
 
   func boot(routes: RoutesBuilder) throws {
     routes
-      .grouped(SincereAuthMiddleware())
+      .grouped(SincereAuthMiddleware(requiredRole: "admin"))
       .group("admin") { admin in
         admin.get("list-users", use: self.listUsers(req:))
       }

diff --git a/Sources/SincereAuthServer/web/LoginController.swift b/Sources/SincereAuthServer/web/LoginController.swift
@@ -3,10 +3,16 @@ import Vapor
 final class LoginController {
 
   func login(req: Request) async throws -> View {
-    let login = LoginView(appleidSigninClientId: try EnvVars.appleTeamId.load(),
+    guard let redirect = URL(string: "login/redirect", relativeTo: URL(string: EnvVars.websiteURL.loadOrFatal())) else {
+      struct WebsiteURLNotConfigured: LocalizedError {
+        var errorDescription: String? = "Website URL not configured in env var WEBSITE_URL"
+      }
+      throw WebsiteURLNotConfigured()
+    }
+    let login = LoginView(appleidSigninClientId: try EnvVars.websiteAppleAppId.load(),
                           appleidSigninScope: "code id_token name email",
-                          appleidSigninRedirectUri: "https://redirectUri",
-                          appleidSigninState: "stat",
+                          appleidSigninRedirectUri: redirect.absoluteString,
+                          appleidSigninState: "state",
                           appleidSigninNonce: "nonce")
     return try await req.view.render("Login/login", login)
   }
@@ -18,11 +24,20 @@ final class LoginController {
     let appleidSigninState: String
     let appleidSigninNonce: String
   }
+
+  func siwaRedirect(req: Request) async throws -> String {
+    return "redirect"
+  }
 }
 
 extension LoginController: RouteCollection {
 
   func boot(routes: RoutesBuilder) throws {
     routes.get("login", use: self.login(req:))
+
+    // /redirect/siwa
+    routes.group("redirect") { redirect in
+      redirect.post("siwa", use: self.siwaRedirect)
+    }
   }
 }
diff --git a/Tests/SincereAuthServerTests/Apple/SIWAClientTests.swift b/Tests/SincereAuthServerTests/Apple/SIWAClientTests.swift
@@ -34,7 +34,7 @@ final class SIWAClientTests: XCTestCase {
                                     client: httpClient,
                                     logger: app.logger)
 
-    let _ = try siwaClient.generateRefreshToken(code: "code123").wait()
+    let _ = try siwaClient.generateRefreshToken(code: "code123", appId: try EnvVars.appleAppId.load()).wait()
 
     let request: ClientRequest = try XCTUnwrap(httpClient.receivedRequest)
     XCTAssertEqual(request.url.string, "https://appleid.apple.com/auth/token")

diff --git a/Tests/SincereAuthServerTests/Apple/SIWASignInRequestTests.swift b/Tests/SincereAuthServerTests/Apple/SIWASignInRequestTests.swift
@@ -24,7 +24,8 @@ final class SIWASignInRequestTests: XCTestCase {
                                              deviceName: "iPhone",
                                              roles: [],
                                              method: .siwa(appleUserId: existingAppleID,
-                                                           appleRefreshToken: "AppleRefreshToken"))
+                                                           appleRefreshToken: "AppleRefreshToken",
+                                                           appId: "com.fullqueuedeveloper.FQAuth"))
 
     self.existingUserID = try SIWASignUpRepo(application: app).signUp(signUpParams)
       .wait()