From 9ea058347f7fef4687c9bf36228c16d278ef4dfe Mon Sep 17 00:00:00 2001 From: Trey t Date: Fri, 24 Apr 2026 23:58:44 -0500 Subject: [PATCH] Fix Apple Sign In: update bundle IDs from old com.tt.honeyDue.* to com.myhoneydue.* MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The iOS app was renamed (MyCrib → Casera → honeyDue) and the bundle ID was updated to com.myhoneydue.honeyDue (release) / .dev (debug), but APPLE_CLIENT_ID and APNS_TOPIC across env templates and k3s configs still pointed at the old com.tt.honeyDue.honeyDueDev value. This made verifyAudience reject every Apple identity token (aud claim mismatch). Updated: - deploy/prod.env.example: bundle ID + comment that empty client_id rejects all tokens with DEBUG=false - .env.example: add Sign in with Apple block (was missing entirely) - deploy-k3s{,-dev}/config.yaml.example: apple_auth.client_id default - deploy-k3s-dev/scripts/00-init.sh: same - docker-compose.dev.yml: APNS_TOPIC fallback - docs/deployment/10-secrets-config.md: doc reference The live deploy/prod.env and local .env are .gitignored — they were edited in place and need to ship via deploy_prod.sh to take effect. Co-Authored-By: Claude Opus 4.7 (1M context) --- .env.example | 12 +++++++++++- deploy-k3s-dev/config.yaml.example | 5 +++-- deploy-k3s-dev/scripts/00-init.sh | 4 ++-- deploy-k3s/config.yaml.example | 6 ++++-- deploy/prod.env.example | 8 ++++++-- docker-compose.dev.yml | 4 ++-- docs/deployment/10-secrets-config.md | 2 +- 7 files changed, 29 insertions(+), 12 deletions(-) diff --git a/.env.example b/.env.example index 28ab78e..866eb86 100644 --- a/.env.example +++ b/.env.example 
@@ -28,12 +28,22 @@ EMAIL_HOST_USER=your-email@gmail.com EMAIL_HOST_PASSWORD=your-app-password DEFAULT_FROM_EMAIL=honeyDue +# Sign in with Apple +# APPLE_CLIENT_ID must equal the iOS bundle ID of the build hitting this +# backend. The Apple identity-token `aud` claim is checked against it +# (see internal/services/apple_auth.go::verifyAudience). With DEBUG=false +# an empty value rejects every Apple token. +# Release builds: com.myhoneydue.honeyDue +# Debug builds: com.myhoneydue.honeyDue.dev +APPLE_CLIENT_ID=com.myhoneydue.honeyDue.dev +APPLE_TEAM_ID=V3PF3M6B6U + # APNs Settings (iOS Push Notifications) # Direct APNs integration - no external push server needed APNS_AUTH_KEY_PATH=/path/to/AuthKey_XXXXXX.p8 APNS_AUTH_KEY_ID=XXXXXXXXXX APNS_TEAM_ID=XXXXXXXXXX -APNS_TOPIC=com.tt.honeyDue +APNS_TOPIC=com.myhoneydue.honeyDue.dev APNS_PRODUCTION=false # Set to true for production APNs, false for sandbox # FCM Settings (Android Push Notifications) diff --git a/deploy-k3s-dev/config.yaml.example b/deploy-k3s-dev/config.yaml.example index 50fdf6b..fc16be3 100644 --- a/deploy-k3s-dev/config.yaml.example +++ b/deploy-k3s-dev/config.yaml.example @@ -42,7 +42,7 @@ email: push: apns_key_id: "" apns_team_id: "" - apns_topic: com.tt.honeyDue + apns_topic: com.myhoneydue.honeyDue.dev apns_production: false apns_use_sandbox: true # Sandbox for dev @@ -85,8 +85,9 @@ tls: # If mode=cloudflare, create secrets/cloudflare-origin.crt and .key # --- Apple Auth / IAP (optional) --- +# client_id MUST equal the iOS Debug bundle ID for the dev backend. apple_auth: - client_id: "" + client_id: "com.myhoneydue.honeyDue.dev" team_id: "" iap_key_id: "" iap_issuer_id: "" diff --git a/deploy-k3s-dev/scripts/00-init.sh b/deploy-k3s-dev/scripts/00-init.sh index 0689c07..122ddaf 100755 --- a/deploy-k3s-dev/scripts/00-init.sh +++ b/deploy-k3s-dev/scripts/00-init.sh 
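Review bot: `APPLE_TEAM_ID=V3PF3M6B6U` puts a concrete team identifier into a template whose neighbouring `APNS_TEAM_ID=XXXXXXXXXX` is a placeholder, and `deploy-k3s-dev/scripts/00-init.sh` in this same patch fills `apple_auth.team_id` from `APNS_TEAM_ID`, so the two variables name the same Apple team and should follow one convention, e.g. `APPLE_TEAM_ID=XXXXXXXXXX  # same team as APNS_TEAM_ID`. A team ID is not a secret, but a template that mixes real values with placeholders is the kind that gets copied into the wrong environment. The new comment also says an empty value rejects tokens only "With DEBUG=false", which reads as though the audience check is relaxed under DEBUG=true; if that is what verifyAudience does, state it in one line (`# DEBUG=true relaxes this check; never point a DEBUG build at real accounts`) since this is the first file developers copy.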
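Review bot: The dev bundle ID is now spelled out twice in this file with nothing linking the copies — `apns_topic` in this hunk (-42) and `apple_auth.client_id` in the -85 hunk — which is how the two values drifted from the app in the first place. Suggest tying them with a comment on the second, `client_id: "com.myhoneydue.honeyDue.dev"  # must match push.apns_topic`, and quoting both the same way (`apns_topic: "com.myhoneydue.honeyDue.dev"`) for consistency with `client_id`; the -62/-100 hunks in `deploy-k3s/config.yaml.example` have the same pair. `team_id` stays `""` while `client_id` is now populated; if Sign in with Apple needs the team ID as well, the example is still half-configured, so confirm against the loader.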
@@ -147,7 +147,7 @@ email: push: apns_key_id: "${APNS_KEY_ID}" apns_team_id: "${APNS_TEAM_ID}" - apns_topic: com.tt.honeyDue + apns_topic: com.myhoneydue.honeyDue.dev apns_production: false apns_use_sandbox: true @@ -189,7 +189,7 @@ tls: # --- Apple Auth / IAP --- apple_auth: - client_id: "com.tt.honeyDue" + client_id: "com.myhoneydue.honeyDue.dev" team_id: "${APNS_TEAM_ID}" iap_key_id: "" iap_issuer_id: "" diff --git a/deploy-k3s/config.yaml.example b/deploy-k3s/config.yaml.example index 97d9314..3c2c709 100644 --- a/deploy-k3s/config.yaml.example +++ b/deploy-k3s/config.yaml.example @@ -62,7 +62,7 @@ email: push: apns_key_id: "" apns_team_id: "" - apns_topic: com.tt.honeyDue + apns_topic: com.myhoneydue.honeyDue apns_production: true apns_use_sandbox: false @@ -100,8 +100,10 @@ admin: basic_auth_password: "" # HTTP basic auth password for admin panel # --- Apple Auth / IAP (optional, leave empty if unused) --- +# client_id MUST equal the iOS Release bundle ID — Apple identity tokens +# are rejected if the `aud` claim doesn't match. apple_auth: - client_id: "" + client_id: "com.myhoneydue.honeyDue" team_id: "" iap_key_id: "" iap_issuer_id: "" diff --git a/deploy/prod.env.example b/deploy/prod.env.example index 937aedb..042dc10 100644 --- a/deploy/prod.env.example +++ b/deploy/prod.env.example @@ -35,7 +35,7 @@ DEFAULT_FROM_EMAIL=honeyDue # APNS private key goes in deploy/secrets/apns_auth_key.p8 APNS_AUTH_KEY_ID=CHANGEME_APNS_KEY_ID APNS_TEAM_ID=CHANGEME_APNS_TEAM_ID -APNS_TOPIC=com.tt.honeyDue +APNS_TOPIC=com.myhoneydue.honeyDue APNS_USE_SANDBOX=false APNS_PRODUCTION=true 
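Review bot: The bundle ID is hard-coded into the generated config at both `apns_topic` (this hunk, -147) and `client_id` (-189) while the surrounding fields (`"${APNS_KEY_ID}"`, `"${APNS_TEAM_ID}"`) are taken from the environment, so the next rename will again require editing the script — this commit is the result of exactly that drift. Introduce one variable with the current value as its default (name constructed), e.g. `apns_topic: "${APPLE_BUNDLE_ID:-com.myhoneydue.honeyDue.dev}"` and `client_id: "${APPLE_BUNDLE_ID:-com.myhoneydue.honeyDue.dev}"`, so both lines move together and an operator can override without touching the script. The block that emits these lines (presumably a heredoc) starts and ends outside the hunk, so check it is the unquoted form that expands `${…}` — the existing `"${APNS_TEAM_ID}"` suggests it is.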
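Review bot: The new comment above `apple_auth` in `deploy-k3s/config.yaml.example` (-100 hunk) documents the rejection case but not the opposite mistake: an operator who copies the `.dev` value from the dev example into this production config would, going by how verifyAudience is described in the commit message, let debug-signed builds authenticate against production. One more line in that comment closes the gap: `# Never the .dev bundle ID here: a debug build must not obtain a production session.` The heading's "leave empty if unused" still holds — an empty `client_id` just rejects every Apple token, which is the safe default when the feature is off.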
@@ -80,7 +80,11 @@ FEATURE_PDF_REPORTS_ENABLED=true FEATURE_WORKER_ENABLED=true # Optional auth/iap values -APPLE_CLIENT_ID= +# APPLE_CLIENT_ID must equal the iOS Release bundle ID. The Apple +# identity-token `aud` claim is verified against this value +# (internal/services/apple_auth.go::verifyAudience). Leaving it empty +# with DEBUG=false rejects every Apple token as invalid audience. +APPLE_CLIENT_ID=com.myhoneydue.honeyDue APPLE_TEAM_ID= GOOGLE_CLIENT_ID= GOOGLE_ANDROID_CLIENT_ID= diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 35e8c78..b106bb6 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -85,7 +85,7 @@ services: APNS_AUTH_KEY_PATH: ${APNS_AUTH_KEY_PATH} APNS_AUTH_KEY_ID: ${APNS_AUTH_KEY_ID} APNS_TEAM_ID: ${APNS_TEAM_ID} - APNS_TOPIC: ${APNS_TOPIC:-com.tt.honeyDue} + APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev} APNS_USE_SANDBOX: "true" FCM_SERVER_KEY: ${FCM_SERVER_KEY} @@ -158,7 +158,7 @@ services: APNS_AUTH_KEY_PATH: "/certs/apns_key.p8" APNS_AUTH_KEY_ID: ${APNS_AUTH_KEY_ID} APNS_TEAM_ID: ${APNS_TEAM_ID} - APNS_TOPIC: ${APNS_TOPIC:-com.tt.honeyDue} + APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev} APNS_USE_SANDBOX: "true" FCM_SERVER_KEY: ${FCM_SERVER_KEY} diff --git a/docs/deployment/10-secrets-config.md b/docs/deployment/10-secrets-config.md index a11d798..95b9c6d 100644 --- a/docs/deployment/10-secrets-config.md +++ b/docs/deployment/10-secrets-config.md @@ -55,7 +55,7 @@ APNS_AUTH_KEY_ID=DISABLED01 APNS_AUTH_KEY_PATH=/secrets/apns/apns_auth_key.p8 APNS_PRODUCTION=false APNS_TEAM_ID=DISABLED01 -APNS_TOPIC=com.tt.honeyDue +APNS_TOPIC=com.myhoneydue.honeyDue APNS_USE_SANDBOX=false BASE_URL=https://myhoneydue.com B2_BUCKET_NAME=honeyDueProd
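Review bot: `APPLE_TEAM_ID=` is left blank directly below a four-line comment explaining how an empty `APPLE_CLIENT_ID` behaves, while the rest of this template marks required values with `CHANGEME_…` (e.g. `APNS_TEAM_ID=CHANGEME_APNS_TEAM_ID` in the -35 hunk); if the team ID is needed for Sign in with Apple, `APPLE_TEAM_ID=CHANGEME_APPLE_TEAM_ID` keeps a missed edit grep-able. The qualifier "with DEBUG=false" also implies that DEBUG=true relaxes the audience check, and in a production template that is the branch worth spelling out: `# DEBUG must stay false in production or this check is not enforced` — DEBUG is not visible in this hunk, so confirm the exact behaviour against the loader before wording it that strongly.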
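Review bot: The fallback literal `${APNS_TOPIC:-com.myhoneydue.honeyDue.dev}` in `docker-compose.dev.yml` is now repeated in two services (the -85 hunk and the -158 hunk), and `.env.example` in the same patch sets `APNS_TOPIC` to that value as well, so the dev stack carries the bundle ID in three places — the kind of duplication this commit is cleaning up. Either drop the inline default and let `.env` own it (`APNS_TOPIC: ${APNS_TOPIC}` in both services; compose then warns when the variable is unset instead of silently substituting a stale default), or declare it once in a top-level `x-` extension field and alias it from both services. Compose resolves anchors within one file, but check that variable interpolation still applies to the aliased scalar on the compose version the project pins.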