app-store-server-library 0.0.1 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 68c6886cd483c131d26e25b15df4a451e99a37e516411f707ccb93a99b29ab1e
-  data.tar.gz: 8395d65f9f774a231796b1dd244436e929085cdb77ddc0fa3e46abffdaf382a0
+  metadata.gz: c393a6e8b61ce0a2639b8d70cd63f7157d6d3493bb5ca1aacf84bd40e562116e
+  data.tar.gz: ac9b3992dfff499a76e604804e66e9516c320f02706124c47a75e0c256098182
 SHA512:
-  metadata.gz: 4f96b3130f5c882be04265e4314725c8d2074594c8bfd3d46ad42ff37b96f9c10211019f94eed55ae1ff556353440ae17000cfd216ce6ccaec4fc4942e2d9ad5
-  data.tar.gz: e27151ab5ca970b3e4ab4d0125d6bc1c403fd65a960aae1176b10c4e189fe6f3cdf790025313c7c0954b6f46183c0045aeb348149df3c0ae7214d8779b74fee3
+  metadata.gz: b1b59770239a30efe2c889e3ae6478be50262b21b5d5099e44b379b3dffbfbecd8058288a106d5d287ca247e55d3585781d926b1c76bfe3a3878677808012c09
+  data.tar.gz: 8bc948d2348b30e00bfb965eb41fead0056cc8b3317c8516bd081ed9c20e5fa28c4dbcfd13cc5541f7bdc1dddf8c9b1adc5db82ebb9749b429626677335081b3

data/README.md

@@ -0,0 +1,6 @@
+# Apple App Store Server Ruby Library
+The Ruby server library for the [App Store Server API](https://developer.apple.com/documentation/appstoreserverapi) and [App Store Server Notifications](https://developer.apple.com/documentation/appstoreservernotifications). 
+
+Inspired by [Apple App Store Server Node.js Library](https://github.com/apple/app-store-server-library-node)
+
+## TODO: readme

data/lib/app_store/signed_data_verifier.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'json'
+require 'base64'
+require 'jwt'
+
+module AppStore
+  class SignedDataVerifier
+    ENVIRONMENTS = {
+      sandbox: 'Sandbox',
+      production: 'Production',
+      xcode: 'Xcode',
+      local_testing: 'LocalTesting'
+    }.freeze
+    MAX_SKEW = 60_000
+
+    attr_reader :root_certificates, :bundle_id, :environment, :app_apple_id
+
+    def initialize(root_certificates, environment, bundle_id, app_apple_id = nil)
+      @root_certificates = root_certificates.map { |cert| OpenSSL::X509::Certificate.new(cert) }
+      @bundle_id = bundle_id
+      @environment = environment
+      @app_apple_id = app_apple_id
+      return unless environment == ENVIRONMENTS[:production] && app_apple_id.nil?
+
+      raise 'app_apple_id is required when the environment is Production'
+    end
+
+    def verify_and_decode_transaction(signed_transaction_info)
+      decoded_jwt = verify_jwt(signed_transaction_info)
+      raise VerificationException, :invalid_app_identifier if decoded_jwt['bundleId'] != bundle_id
+      raise VerificationException, :invalid_environment if decoded_jwt['environment'] != environment
+
+      decoded_jwt
+    end
+
+    def verify_and_decode_renewal_info(signed_renewal_info)
+      decoded_renewal_info = verify_jwt(signed_renewal_info)
+      raise VerificationException, :invalid_environment if decoded_renewal_info['environment'] != @environment
+
+      decoded_renewal_info
+    end
+
+    def verify_and_decode_notification(signed_payload)
+      decoded_jwt = verify_jwt(signed_payload)
+      payload = decoded_jwt['data'] || decoded_jwt['summary'] || decoded_jwt['externalPurchaseToken']
+      app_apple_id = payload['appAppleId']
+      bundle_id = payload['bundleId']
+      environment = payload['environment']
+      if payload['externalPurchaseId']
+        environment = payload['externalPurchaseId']&.start_with?('SANDBOX') ? ENVIRONMENTS[:sandbox] : ENVIRONMENTS[:production]
+      end
+      verify_notification(bundle_id, app_apple_id, environment)
+      decoded_jwt
+    end
+
+    def verify_and_decode_app_transaction(signed_app_transaction)
+      decoded_app_transaction = verify_jwt(signed_app_transaction) do |t|
+        t['receiptCreationDate'].nil? ? Time.now : Time.parse(t['receiptCreationDate'])
+      end
+      environment = decoded_app_transaction['receiptType']
+      if @bundle_id != decoded_app_transaction['bundleId'] || (@environment == :production && @app_apple_id != decoded_app_transaction['appAppleId'])
+        raise VerificationException, :invalid_app_identifier
+      end
+      raise VerificationException, :invalid_environment if @environment != environment
+
+      decoded_app_transaction
+    end
+
+    private
+
+    def verify_jwt(jws)
+      decoded_jwt = JWT.decode(jws, nil, false)
+      payload = decoded_jwt[0]
+      chain = decoded_jwt[1]['x5c'] || []
+      raise VerificationException, :invalid_chain_length if chain.size != 3
+
+      certificate_chain = chain[0..1].map { |cert| OpenSSL::X509::Certificate.new(Base64.decode64(cert)) }
+      effective_date = payload['signedDate'] ? Time.at(payload['signedDate'] / 1000) : Time.current
+      public_key = verify_certificate_chain(root_certificates, certificate_chain[0], certificate_chain[1], effective_date)
+      JWT.decode(jws, public_key, true, algorithm: 'ES256')
+
+      payload
+    rescue JWT::DecodeError, JWT::VerificationError => e
+      raise VerificationException, :verification_failure
+    end
+
+    def verify_certificate_chain(trusted_roots, leaf, intermediate, effective_date)
+      root_cert = trusted_roots.find do |root|
+        intermediate.verify(root.public_key) && intermediate.issuer == root.subject
+      rescue OpenSSL::X509::CertificateError => _e
+        next
+      end
+
+      validity = !root_cert.nil?
+      validity &&= leaf.verify(intermediate.public_key) && leaf.issuer == intermediate.subject
+      validity &&= intermediate.extensions.any? { |ext| ext.oid == 'basicConstraints' && ext.value.start_with?('CA:TRUE') }
+      validity &&= leaf.extensions.any? { |ext| ext.oid == '1.2.840.113635.100.6.11.1' }
+      validity &&= intermediate.extensions.any? { |ext| ext.oid == '1.2.840.113635.100.6.2.1' }
+
+      raise VerificationException, :verification_failure unless validity
+
+      check_dates(leaf, effective_date)
+      check_dates(intermediate, effective_date)
+      check_dates(root_cert, effective_date)
+
+      leaf.public_key
+    end
+
+    def check_dates(cert, effective_date)
+      valid_from = cert.not_before
+      valid_to = cert.not_after
+      return unless valid_from > effective_date + MAX_SKEW || valid_to < effective_date - MAX_SKEW
+
+      raise VerificationException, :invalid_certificate
+    end
+
+    def verify_notification(bundle_id, app_apple_id, environment)
+      if @bundle_id != bundle_id || (environment == ENVIRONMENTS[:production] && @app_apple_id != app_apple_id)
+        raise VerificationException, :invalid_app_identifier
+      end
+      raise VerificationException, :invalid_environment if @environment != environment
+    end
+  end
+end

data/lib/app_store/verification_exception.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module AppStore
+  class VerificationException < StandardError; end
+end

data/lib/app_store/verification_status.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module AppStore
+  module VerificationStatus
+    OK = :ok
+    VERIFICATION_FAILURE = :verification_failure
+    INVALID_APP_IDENTIFIER = :invalid_app_identifier
+    INVALID_ENVIRONMENT = :invalid_environment
+    INVALID_CHAIN_LENGTH = :invalid_chain_length
+    INVALID_CERTIFICATE = :invalid_certificate
+    FAILURE = :failure
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: app-store-server-library
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.3
 platform: ruby
 authors:
 - Illia Kasianenko
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-15 00:00:00.000000000 Z
+date: 2024-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -30,7 +30,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/app_store_server_library.rb
+- README.md
+- lib/app-store-server-library.rb
+- lib/app_store/signed_data_verifier.rb
+- lib/app_store/verification_exception.rb
+- lib/app_store/verification_status.rb
 homepage: https://github.com/got2be/app-store-server-library
 licenses: []
 metadata: