feat: implement native Sign in with Apple for Mac App Store #4794
Conversation
Add native Sign in with Apple support for MAS builds using macOS AuthenticationServices framework. This replaces the web-based Apple login flow with a system-native dialog that meets MAS requirements. Changes: - Create Swift Helper tool for native ASAuthorizationController - Add IPC service to execute helper and return identity token - Enhance renderer auth handler to use native login on MAS builds - Add Sign in with Apple entitlements for MAS builds - Configure forge to include helper in MAS package The implementation uses better-auth's idToken flow for server-side verification, ensuring seamless integration with existing authentication system. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
SafeDep Report Summary
No dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Extend native Apple authentication to work on both DMG and MAS builds, not just MAS. This provides a better user experience on all macOS versions. Changes: - Add Sign in with Apple entitlement to entitlements.mac.plist - Include Apple Auth Helper in all macOS builds (darwin and mas) - Update IPC service to check isMacOS instead of isMAS - Update renderer to detect darwin platform for native auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Replace DispatchGroup.wait() with RunLoop-based waiting to avoid blocking the main thread while ASAuthorizationController delivers delegate callbacks. The previous implementation caused a deadlock: 1. performSignIn() called dispatchGroup.wait() on main thread 2. ASAuthorizationController callbacks need main thread to execute 3. Main thread blocked → callbacks never fire → timeout Now using RunLoop.current.run() which allows the main thread to continue processing events (including delegate callbacks) while waiting for completion. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
When the helper exits with non-zero status (e.g., user canceled), execFileAsync rejects but error.stdout still contains the JSON result. Parse it to properly detect cancellation and return the correct error. Previously, error.message would be "Command failed with exit code 1" which doesn't indicate cancellation, causing unnecessary fallback to web-based login after the user already canceled. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Fix the relative path from services directory to resources: - From: apps/desktop/layer/main/src/ipc/services/ - To: apps/desktop/resources/apple-auth-helper/ The path needed 5 levels up (../../../../../) not 4 (../../../../). This was preventing native Sign in with Apple from working in dev mode. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
The AppleAuthHelper binary is embedded in Resources via extraResource and gets signed with entitlements.mas.child.plist in MAS builds. Without the applesignin entitlement, ASAuthorizationAppleIDProvider calls from the helper would be denied by the system. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
apps/desktop/forge.config.cts
Outdated
| // For macOS builds (darwin and mas), include the Apple Auth Helper | ||
| const isMacOS = platform === "darwin" || platform === "mas" |
There was a problem hiding this comment.
Here isMacOS depends only on the --platform CLI arg, but electron-forge make is invoked without --platform in scripts like build:electron/build:electron-forge (apps/desktop/package.json), so on macOS the arg is undefined and isMacOS becomes false. That means the AppleAuthHelper resource is not packaged in those builds, so native Sign in with Apple will fail at runtime and fall back to web despite being on macOS. Consider defaulting to process.platform when the CLI arg is missing so mac builds always include the helper.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
apps/desktop/forge.config.cts
Outdated
| // For macOS builds (darwin and mas), include the Apple Auth Helper | ||
| const isMacOS = platform === "darwin" || platform === "mas" | ||
|
|
There was a problem hiding this comment.
Here isMacOS is derived only from the --platform CLI flag. When electron-forge make is invoked without --platform (the default invocation and the build:electron script), platform is undefined and isMacOS becomes false, so the apple-auth-helper directory is not added to extraResource. That produces mac builds without the helper binary, and signInWithApple will fail at runtime because the helper can’t be executed. Consider falling back to process.platform/process.mas when the flag is absent so mac builds always include the helper.
Useful? React with 👍 / 👎.
| func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor { | ||
| // Return the key window or create a new window if needed | ||
| if let window = NSApplication.shared.keyWindow { | ||
| return window |
There was a problem hiding this comment.
This helper uses AppKit types (NSApplication, NSWindow), but the file only imports AuthenticationServices and Foundation. Rebuilding the helper (build.sh uses swiftc) will fail with “cannot find 'NSApplication' in scope,” so the binary can’t be recompiled when needed. Add import AppKit (or import Cocoa) to ensure the helper compiles.
Useful? React with 👍 / 👎.
Native Sign in with Apple via AuthenticationServices framework is only supported on Mac App Store builds. DMG builds will use web-based login. - Remove applesignin entitlement from entitlements.mac.plist - Only include AppleAuthHelper in MAS builds - Update auth service to check isMAS instead of isMacOS 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Native Sign in with Apple is now MAS-only, so the darwin build doesn't need the provisioning profile. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Include detailed error information in all ASAuthorizationError cases to help diagnose authentication failures. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use .regular activation policy to allow system UI display - Activate app to bring it to front for system dialogs - Create properly sized and styled presentation window - Keep strong reference to window to prevent deallocation - Add stderr debug logs in Swift helper - Add console.info logs in renderer for debugging auth flow 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The helper now has a proper Bundle ID (is.follow.AppleAuthHelper) which is required for ASAuthorizationController to work. Standalone executables without Bundle ID cannot use Sign in with Apple. - Create Info.plist with bundle configuration - Update build.sh to create .app bundle structure - Update helperPath to point to the bundle executable 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move Info.plist generation into build.sh to create it directly inside the .app bundle. This prevents Apple from treating the apple-auth-helper directory as a nested bundle. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch from while+RunLoop to standard NSApp.run() event loop - Use .accessory activation policy (no Dock icon) - Create minimal 1x1 transparent window as presentation anchor - Keep strong reference to ASAuthorizationController 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Apple requires the Bundle ID to be registered for Sign in with Apple. Using the main app's Bundle ID ensures compatibility with existing config. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Implements native Sign in with Apple for Mac App Store builds using macOS AuthenticationServices framework. This replaces the web-based login flow with a system-native dialog as required by Apple for MAS submission.
Changes
apps/desktop/resources/apple-auth-helper/): Command-line utility that usesASAuthorizationAppleIDProviderto perform native authentication and returns JSON with identity token and user credentialsauth.ts): Added two methods -signInWithApple()to execute the helper andisNativeAppleAuthAvailable()to check MAS availabilityrenderer/src/lib/auth.ts): Enhanced login handler that detects MAS builds and routes Apple auth through native flow, using better-auth's idToken modeentitlements.mas.plist): Addedcom.apple.developer.applesignincapabilityforge.config.cts): Configured to include Swift helper in MAS builds onlyTechnical Details
The implementation flows as:
Graceful fallback to web-based Apple login if native flow fails or unavailable.