From 19fee75c475fc377219b90581b68e95c6bf120c1 Mon Sep 17 00:00:00 2001 From: Till JS Date: Mon, 18 May 2026 16:32:09 +0200 Subject: [PATCH] feat(auth): Cross-App-SSO via shared Keychain-Group ev.mana.session MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Migriert die App auf die kanonische shared Keychain-Group `ManaSharedKeychainGroup` aus mana-swift-core. Alle nativen mana-e.V.-Apps (memoro, wordeck, nutriphi, herbatrium, zitare, seepuls, viadocu, manameme, werdrobe, pageta, comicello, moodlit) teilen damit ihren Auth-Token auf demselben Device — ein Login in einer App, alle anderen starten direkt im .signedIn-Status. Wichtig: für echtes Cross-App-Sharing müssen sowohl `keychainService` als auch `keychainAccessGroup` identisch sein (Keychain-Lookup-Tupel `(service, account, accessGroup)`) — beide jetzt auf `ManaSharedKeychainGroup`. Bestehender App-eigener Bucket (`ev.mana.`) wird beim ersten Login mit dem neuen Token überschrieben; User in TestFlight-Apps brauchen einen Re-Login. Voraussetzung Apple-Dev-Portal (Tills manueller Schritt): - Capability "Keychain Sharing" für die App ID aktivieren - Group `ev.mana.session` hinzufügen - Provisioning-Profile neu downloaden (Xcode auto) Co-Authored-By: Claude Opus 4.7 (1M context) --- ShareExtension/Resources/WordeckShareExtension.entitlements | 4 ++++ Sources/Core/Auth/AppConfig.swift | 4 ++-- Sources/Resources/WordeckNative.entitlements | 2 +- .../Resources/WordeckWidgetExtension.entitlements | 4 ++++ project.yml | 6 +++++- 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ShareExtension/Resources/WordeckShareExtension.entitlements b/ShareExtension/Resources/WordeckShareExtension.entitlements index 0723c65..95d714b 100644 --- a/ShareExtension/Resources/WordeckShareExtension.entitlements +++ b/ShareExtension/Resources/WordeckShareExtension.entitlements @@ -6,5 +6,9 @@ group.ev.mana.wordeck + keychain-access-groups + + $(AppIdentifierPrefix)ev.mana.session + 
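Review bot: A bug in the share extension now exposes the session token of every mana-e.V. app on the device, because the hunk puts the extension into the cross-app group `ev.mana.session` with read and write access, and a share extension parses content handed in by arbitrary host apps. If the extension only needs to know whether a user is signed in, or only needs to read, keep it out of the shared group and pass what it needs through the existing `group.ev.mana.wordeck` app-group container instead; if it genuinely needs the token, a short comment in the entitlements file saying why (`<!-- cross-app session token, must match AppConfig.keychainAccessGroup incl. TeamID prefix -->`) would help the next reviewer. The plist tags are not visible in this rendering, so I am assuming the added entry is a `keychain-access-groups` array with a single string.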
diff --git a/Sources/Core/Auth/AppConfig.swift b/Sources/Core/Auth/AppConfig.swift index e52977e..00de32f 100644 --- a/Sources/Core/Auth/AppConfig.swift +++ b/Sources/Core/Auth/AppConfig.swift @@ -7,10 +7,10 @@ import ManaCore enum AppConfig { static let manaAppConfig: ManaAppConfig = DefaultManaAppConfig( authBaseURL: URL(string: "https://auth.mana.how")!, - keychainService: "ev.mana.wordeck", + keychainService: ManaSharedKeychainGroup, // Explizit auf TeamID.BundleID, statt nil. Vermeidet Logout // bei TestFlight-Cert-Drift (siehe mana-swift-core v1.5.1). - keychainAccessGroup: "QP3GLU8PH3.ev.mana.wordeck", + keychainAccessGroup: ManaSharedKeychainGroup, // Single-Source fuer den App-Group-String (App-Hülle + Widget // + ShareExt-Entitlement spiegeln das hardcoded). appGroup: "group.ev.mana.wordeck" diff --git a/Sources/Resources/WordeckNative.entitlements b/Sources/Resources/WordeckNative.entitlements index c1ded93..2d1339c 100644 --- a/Sources/Resources/WordeckNative.entitlements +++ b/Sources/Resources/WordeckNative.entitlements @@ -18,7 +18,7 @@ keychain-access-groups - $(AppIdentifierPrefix)ev.mana.wordeck + $(AppIdentifierPrefix)ev.mana.session diff --git a/Widgets/WordeckWidget/Resources/WordeckWidgetExtension.entitlements b/Widgets/WordeckWidget/Resources/WordeckWidgetExtension.entitlements index 0723c65..95d714b 100644 --- a/Widgets/WordeckWidget/Resources/WordeckWidgetExtension.entitlements +++ b/Widgets/WordeckWidget/Resources/WordeckWidgetExtension.entitlements @@ -6,5 +6,9 @@ group.ev.mana.wordeck + keychain-access-groups + + $(AppIdentifierPrefix)ev.mana.session + diff --git a/project.yml b/project.yml index 9c6123a..c37aad7 100644 --- a/project.yml +++ b/project.yml 
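Review bot: The comment above `keychainAccessGroup` is now wrong: it still says the value is explicitly `TeamID.BundleID` to survive TestFlight cert drift, but the new value is the shared group constant, so the next reader will assume a per-app group. Replace it with something like `// Shared by all mana-e.V. apps (cross-app SSO). Must match the keychain-access-groups entitlement exactly, TeamID prefix included.` The same constant now doubles as `kSecAttrService` and as the access group, which only works if `ManaSharedKeychainGroup` already carries the Team ID prefix (`QP3GLU8PH3.ev.mana.session`); if it is the bare `ev.mana.session`, every SecItemAdd/SecItemCopyMatching will fail with errSecMissingEntitlement (-34018), so a test asserting `ManaSharedKeychainGroup.hasSuffix(".ev.mana.session")` with a non-empty prefix would catch drift against mana-swift-core early. Using one `(service, account)` tuple for twelve apps also means a login in any app silently replaces the token the others hold — intended for SSO, but worth stating in the comment. The `DefaultManaAppConfig(` initializer call continues outside the hunk.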
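Review bot: Dropping `$(AppIdentifierPrefix)ev.mana.wordeck` from the app's keychain groups in the same commit that changes the service name leaves the previously stored token orphaned: it lives under a different `(service, accessGroup)` tuple, so it is not overwritten on first login as the description says, and once the entitlement is gone the app cannot delete it either — keychain items generally survive app removal on iOS, so the old credential stays on the device. Keep the old group for one release and run a one-time cleanup on launch (SecItemDelete with `kSecAttrService: "ev.mana.wordeck"` and `kSecAttrAccessGroup: "QP3GLU8PH3.ev.mana.wordeck"`), then remove the group in the following release. If the stored value is a long-lived refresh token, revoke the old one server-side as part of that migration.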
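Review bot: The widget extension now reads the shared token during timeline reloads that WidgetKit may run while the device is locked, and that read fails with errSecInteractionNotAllowed unless the item is stored with `kSecAttrAccessibleAfterFirstUnlock` (or its ThisDeviceOnly variant). The accessibility class is set inside ManaCore and not visible here — confirm it, and if the widget only needs a signed-in flag rather than the token itself, prefer a value in the `group.ev.mana.wordeck` app-group container so the widget does not hold a credential that is valid for every mana app.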
@@ -88,7 +88,7 @@ targets:
 com.apple.security.network.client: true
 com.apple.security.files.user-selected.read-write: true
 keychain-access-groups:
- - $(AppIdentifierPrefix)ev.mana.wordeck
+ - $(AppIdentifierPrefix)ev.mana.session
 com.apple.developer.associated-domains:
 - applinks:wordeck.com
 com.apple.security.application-groups:
@@ -126,6 +126,8 @@ targets:
 entitlements:
 path: ShareExtension/Resources/WordeckShareExtension.entitlements
 properties:
+ keychain-access-groups:
+ - $(AppIdentifierPrefix)ev.mana.session
 com.apple.security.application-groups:
 - group.ev.mana.wordeck
 settings:
@@ -154,6 +156,8 @@ targets:
 entitlements:
 path: Widgets/WordeckWidget/Resources/WordeckWidgetExtension.entitlements
 properties:
+ keychain-access-groups:
+ - $(AppIdentifierPrefix)ev.mana.session
 com.apple.security.application-groups:
 - group.ev.mana.wordeck
 dependencies:
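Review bot: The group suffix `ev.mana.session` is now hard-coded for three targets in project.yml and again in three checked-in .entitlements files, while the value the code actually uses comes from `ManaSharedKeychainGroup` in mana-swift-core; a typo or a future rename in any one of those places fails only at runtime with a keychain error, never at build time. Since xcodegen already generates the entitlements from `properties:`, consider one setting (`MANA_KEYCHAIN_GROUP: ev.mana.session` under the shared `settings:`) referenced as `$(AppIdentifierPrefix)$(MANA_KEYCHAIN_GROUP)` in all three targets, so there is a single place to change, and verify that Xcode expands the custom setting in the signed entitlements before relying on it. Indentation was lost in this rendering, so I am assuming the added keys sit under `properties:` at the same level as `com.apple.security.application-groups:`.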