From 8ac40c76bfa880f68fa3ce350a86ce2151b9cf95 Mon Sep 17 00:00:00 2001
From: Phillip Thelen
Date: Thu, 27 Feb 2020 14:52:39 +0100
Subject: [PATCH] always verify token
---
 website/server/libs/auth/social.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/website/server/libs/auth/social.js b/website/server/libs/auth/social.js
index 71a247d19a..695262d9f0 100644
--- a/website/server/libs/auth/social.js
+++ b/website/server/libs/auth/social.js
@@ -41,10 +41,11 @@ async function _appleProfile (req) {
 const passedToken = req.body.id_token ? req.body.id_token : req.query.id_token;
 if (code) {
 const response = await auth.accessToken(code);
- idToken = jwt.decode(response.id_token);
- } else if (passedToken) {
- idToken = await jwt.verify(passedToken, applePublicKey, { algorithms: ['RS256'] });
+ passedToken = response.id_token
+ idToken = jwt.verify(response.id_token, applePublicKey, { algorithms: ['RS256'] });
 }
+ idToken = await jwt.verify(passedToken, applePublicKey, { algorithms: ['RS256'] });
+
 return {
 id: idToken.sub,
 emails: [idToken.email],
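Review bot: `passedToken` is declared with `const` on the first context line of the hunk, so the added `passedToken = response.id_token` throws a TypeError whenever `code` is present and the code-exchange path can never complete; declare it as `let passedToken = req.body.id_token ? req.body.id_token : req.query.id_token;` or use a separate variable. The `jwt.verify` call inside the `if (code)` block is also redundant, because the unconditional call after the block verifies the same token again. Both calls pass only `algorithms`, so as far as this hunk shows the token's `aud` and `iss` claims are never checked; unless that happens elsewhere, extend the options to something like `{ algorithms: ['RS256'], audience: APPLE_CLIENT_ID_PLACEHOLDER, issuer: 'https://appleid.apple.com' }` so that a validly signed token issued for a different client is rejected. `_appleProfile` begins and ends outside the hunk, so how a verification failure is reported to the caller is not visible here.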