From 104416b1924298c83d197a21305a5b00593edd40 Mon Sep 17 00:00:00 2001
From: Raymond Penners <raymond.penners@intenct.nl>
Date: Wed, 25 Oct 2023 17:43:23 +0200
Subject: [PATCH] refactor(socialaccount): Move certificate_key into settings

---
 allauth/socialaccount/adapter.py                | 6 +++++-
 allauth/socialaccount/models.py                 | 7 -------
 allauth/socialaccount/providers/apple/client.py | 5 +++--
 allauth/socialaccount/providers/apple/tests.py  | 4 +++-
 docs/socialaccount/providers/apple.rst          | 6 ++++--
 5 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/allauth/socialaccount/adapter.py b/allauth/socialaccount/adapter.py
index 989dcf120e..34c6cca2de 100644
--- a/allauth/socialaccount/adapter.py
+++ b/allauth/socialaccount/adapter.py
@@ -1,5 +1,7 @@
 from __future__ import absolute_import
 
+import warnings
+
 from django.core.exceptions import (
     ImproperlyConfigured,
     MultipleObjectsReturned,
@@ -255,11 +257,13 @@ def list_apps(self, request, provider=None, client_id=None):
                     "client_id",
                     "secret",
                     "key",
-                    "certificate_key",
                     "settings",
                 ]:
                     if field in config:
                         setattr(app, field, config[field])
+                if "certificate_key" in config:
+                    warnings.warn("'certificate_key' should be moved into app.settings")
+                    app.settings["certificate_key"] = config["certificate_key"]
                 if client_id and app.client_id != client_id:
                     continue
                 if (
diff --git a/allauth/socialaccount/models.py b/allauth/socialaccount/models.py
index c9bde0696b..b66ec0e32f 100644
--- a/allauth/socialaccount/models.py
+++ b/allauth/socialaccount/models.py
@@ -73,13 +73,6 @@ class SocialApp(models.Model):
         # blank=True allows for disabling apps without removing them
         sites = models.ManyToManyField("sites.Site", blank=True)
 
-    # We want to move away from storing secrets in the database. So, we're
-    # putting a halt towards adding more fields for additional secrets, such as
-    # the certificate some providers need. Therefore, the certificate is not a
-    # DB backed field and can only be set using the ``APP`` configuration key
-    # in the provider settings.
-    certificate_key = None
-
     class Meta:
         verbose_name = _("social application")
         verbose_name_plural = _("social applications")
diff --git a/allauth/socialaccount/providers/apple/client.py b/allauth/socialaccount/providers/apple/client.py
index 77a990429c..5a045c05ac 100644
--- a/allauth/socialaccount/providers/apple/client.py
+++ b/allauth/socialaccount/providers/apple/client.py
@@ -39,7 +39,8 @@ def generate_client_secret(self):
         app = get_adapter(self.request).get_app(self.request, "apple")
         if not app.key:
             raise ImproperlyConfigured("Apple 'key' missing")
-        if not app.certificate_key:
+        certificate_key = app.settings.get("certificate_key")
+        if not certificate_key:
             raise ImproperlyConfigured("Apple 'certificate_key' missing")
         claims = {
             "iss": app.key,
@@ -50,7 +51,7 @@ def generate_client_secret(self):
         }
         headers = {"kid": self.consumer_secret, "alg": "ES256"}
         client_secret = jwt_encode(
-            payload=claims, key=app.certificate_key, algorithm="ES256", headers=headers
+            payload=claims, key=certificate_key, algorithm="ES256", headers=headers
         )
         return client_secret
 
diff --git a/allauth/socialaccount/providers/apple/tests.py b/allauth/socialaccount/providers/apple/tests.py
index ce8b108251..f899cc970a 100644
--- a/allauth/socialaccount/providers/apple/tests.py
+++ b/allauth/socialaccount/providers/apple/tests.py
@@ -107,12 +107,14 @@ def sign_id_token(payload):
                 "client_id": "app123id",
                 "key": "apple",
                 "secret": "dummy",
-                "certificate_key": """-----BEGIN PRIVATE KEY-----
+                "settings": {
+                    "certificate_key": """-----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2+Eybl8ojH4wB30C
 3/iDkpsrxuPfs3DZ+3nHNghBOpmhRANCAAQSpo1eQ+EpNgQQyQVs/F27dkq3gvAI
 28m95JEk26v64YAea5NTH56mru30RDqTKPgRVi5qRu3XGyqy3mdb8gMy
 -----END PRIVATE KEY-----
 """,
+                },
             }
         }
     },
diff --git a/docs/socialaccount/providers/apple.rst b/docs/socialaccount/providers/apple.rst
index f9ad861315..3cc36f7fe0 100644
--- a/docs/socialaccount/providers/apple.rst
+++ b/docs/socialaccount/providers/apple.rst
@@ -28,13 +28,15 @@ Add the following configuration to your settings:
                  # Prefix in your App ID.
                 "key": "MEMAPPIDPREFIX",
 
-                # The certificate you downloaded when generating the key.
-                "certificate_key": """-----BEGIN PRIVATE KEY-----
+                "settings": {
+                    # The certificate you downloaded when generating the key.
+                    "certificate_key": """-----BEGIN PRIVATE KEY-----
     s3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr
     3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3
     c3ts3cr3t
     -----END PRIVATE KEY-----
     """
+                }
             }
         }
     }