candy_check 0.0.1

data/candy_check.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'candy_check/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'candy_check'
+  spec.version       = CandyCheck::VERSION
+  spec.authors       = ['Jonas Thiel']
+  spec.email         = ['jonas@thiel.io']
+  spec.summary       = 'Check and verify in-app receipts'
+  spec.homepage      = 'https://github.com/jnbt/candy_check'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(/^bin\//) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(/^(test|spec|features)\//)
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'multi_json',        '~> 1.10'
+  spec.add_dependency 'google-api-client', '~> 0.8'
+
+  spec.add_development_dependency 'rubocop',         '~> 0.28'
+  spec.add_development_dependency 'inch',            '~> 0.5'
+  spec.add_development_dependency 'bundler',         '~> 1.7'
+  spec.add_development_dependency 'rake',            '~> 10.0'
+  spec.add_development_dependency 'coveralls',       '~> 0.7'
+  spec.add_development_dependency 'minitest',        '~> 5.5'
+  spec.add_development_dependency 'minitest-around', '~> 0.3'
+  spec.add_development_dependency 'webmock',         '~> 1.20'
+end

data/lib/candy_check/app_store/client.rb

@@ -0,0 +1,57 @@
+require 'multi_json'
+
+module CandyCheck
+  module AppStore
+    # Simple HTTP client to load the receipt's data from Apple's verification
+    # servers (either sandbox or production).
+    class Client
+      # Mimetype for JSON objects
+      JSON_MIME_TYPE = 'application/json'
+
+      # Initialize a new client bound to an endpoint
+      # @param endpoint_url [String]
+      def initialize(endpoint_url)
+        @uri = URI(endpoint_url)
+      end
+
+      # Contacts the configured endpoint and requests the receipt's data
+      # @param receipt_data [String] base64 encoded data string from the app
+      # @param secret [String] the password for auto-renewable subscriptions
+      # @return [Hash]
+      def verify(receipt_data, secret = nil)
+        request  = build_request(build_request_parameters(receipt_data, secret))
+        response = perform_request(request)
+        MultiJson.load(response.body)
+      end
+
+      private
+
+      def perform_request(request)
+        build_http_connector.request(request)
+      end
+
+      def build_http_connector
+        Net::HTTP.new(@uri.host, @uri.port).tap do |net|
+          net.use_ssl      = true
+          net.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+      end
+
+      def build_request(parameters)
+        Net::HTTP::Post.new(@uri.request_uri).tap do |post|
+          post['Accept']       = JSON_MIME_TYPE
+          post['Content-Type'] = JSON_MIME_TYPE
+          post.body            = MultiJson.dump(parameters)
+        end
+      end
+
+      def build_request_parameters(receipt_data, secret)
+        {
+          'receipt-data' => receipt_data
+        }.tap do |h|
+          h['password'] = secret if secret
+        end
+      end
+    end
+  end
+end

data/lib/candy_check/app_store/config.rb

@@ -0,0 +1,30 @@
+module CandyCheck
+  module AppStore
+    # Configure the verifier
+    class Config < Utils::Config
+      # @return [Symbol] the used environment
+      attr_reader :environment
+
+      # Initializes a new configuration from a hash
+      # @param attributes [Hash]
+      # @example
+      #   Config.new(
+      #     environment: :production # or :sandbox
+      #   )
+      def initialize(attributes)
+        super
+      end
+
+      # @return [Boolean] if it is production environment
+      def production?
+        environment == :production
+      end
+
+      private
+
+      def validate!
+        validates_inclusion(:environment, :production, :sandbox)
+      end
+    end
+  end
+end

data/lib/candy_check/app_store/receipt.rb

@@ -0,0 +1,83 @@
+module CandyCheck
+  module AppStore
+    # Describes a successful response from the AppStore verification server
+    class Receipt
+      include Utils::AttributeReader
+
+      # @return [Hash] the raw attributes returned from the server
+      attr_reader :attributes
+
+      # Initializes a new instance which bases on a JSON result
+      # from Apple's verification server
+      # @param attributes [Hash]
+      def initialize(attributes)
+        @attributes = attributes
+      end
+
+      # In most cases a receipt is a valid transaction except when the
+      # transaction was canceled.
+      # @return [Boolean]
+      def valid?
+        !has?('cancellation_date')
+      end
+
+      # The receipt's transaction id
+      # @return [String]
+      def transaction_id
+        read('transaction_id')
+      end
+
+      # The receipt's original transaction id which might differ from
+      # the transaction id for restored products
+      # @return [String]
+      def original_transaction_id
+        read('original_transaction_id')
+      end
+
+      # The version number for the app
+      # @return [String]
+      def app_version
+        read('bvrs')
+      end
+
+      # The app's bundle identifier
+      # @return [String]
+      def bundle_identifier
+        read('bid')
+      end
+
+      # The app's item id of the product
+      # @return [String]
+      def item_id
+        read('item_id')
+      end
+
+      # The quantity of the product
+      # @return [Fixnum]
+      def quantity
+        read_integer('quantity')
+      end
+
+      # The purchase date
+      # @return [DateTime]
+      def purchase_date
+        read_datetime_from_string('purchase_date')
+      end
+
+      # The original purchase date which might differ from the
+      # actual purchase date for restored products
+      # @return [DateTime]
+      def original_purchase_date
+        read_datetime_from_string('original_purchase_date')
+      end
+
+      # The date of when Apple has canceled this transaction.
+      # From Apple's documentation: "Treat a canceled receipt
+      # the same as if no purchase had ever been made."
+      # @return [DateTime]
+      def cancellation_date
+        read_datetime_from_string('cancellation_date')
+      end
+    end
+  end
+end

data/lib/candy_check/app_store/verification.rb

@@ -0,0 +1,49 @@
+module CandyCheck
+  module AppStore
+    # Verifies a receipt block against a verification server.
+    # The call return either an {Receipt} or a {VerificationFailure}
+    class Verification
+      # @return [String] the verification URL to use
+      attr_reader :endpoint_url
+      # @return [String] the raw data to be verified
+      attr_reader :receipt_data
+      # @return [String] the optional shared secret
+      attr_reader :secret
+
+      # Constant for successful responses
+      STATUS_OK = 0
+
+      # Builds a fresh verification run
+      # @param endpoint_url [String] the verification URL to use
+      # @param receipt_data [String] the raw data to be verified
+      # @param secret [String] the optional shared secret
+      def initialize(endpoint_url, receipt_data, secret = nil)
+        @endpoint_url, @receipt_data = endpoint_url, receipt_data
+        @secret = secret
+      end
+
+      # Performs the verification against the remote server
+      # @return [Receipt] if successful
+      # @return [VerificationFailure] otherwise
+      def call!
+        verify!
+        if valid?
+          Receipt.new(@response['receipt'])
+        else
+          VerificationFailure.fetch(@response['status'])
+        end
+      end
+
+      private
+
+      def valid?
+        @response && @response['status'] == STATUS_OK && @response['receipt']
+      end
+
+      def verify!
+        client    = Client.new(endpoint_url)
+        @response = client.verify(receipt_data, secret)
+      end
+    end
+  end
+end

data/lib/candy_check/app_store/verification_failure.rb

@@ -0,0 +1,60 @@
+module CandyCheck
+  module AppStore
+    # Represents a failing call against the verification server
+    class VerificationFailure < Struct.new(:code, :message)
+      # @!attribute code
+      #   @return [Fixnum] the code of the failure
+      # @!attribute message
+      #   @return [String] the message of the failure
+
+      class << self
+        # Gets a known failure or build an unknown failure
+        # without description
+        # @param code [Fixnum]
+        # @return [VerificationFailure]
+        def fetch(code)
+          known.fetch(code) do
+            fallback(code)
+          end
+        end
+
+        private
+
+        def fallback(code)
+          new(code || -1, 'Unknown error')
+        end
+
+        def known
+          @known ||= {}
+        end
+
+        def add(code, name)
+          known[code] = new(code, name)
+        end
+
+        def freeze!
+          known.freeze
+        end
+      end
+
+      add 21_000, 'The App Store could not read the JSON object you provided.'
+      add 21_002, 'The data in the receipt-data property was malformed' \
+                  ' or missing.'
+      add 21_003, 'The receipt could not be authenticated.'
+      add 21_004, 'The shared secret you provided does not match the shared' \
+                  ' secret on file for your account.'
+      add 21_005, 'The receipt server is not currently available.'
+      add 21_006, 'This receipt is valid but the subscription has expired.' \
+                  ' When this status code is returned to your server, the' \
+                  ' receipt data is also decoded and returned as part of'\
+                 ' the response.'
+      add 21_007, 'This receipt is from the test environment, but it was' \
+                  ' sent to the production environment for verification.' \
+                  ' Send it to the test environment instead.'
+      add 21_008, 'This receipt is from the production environment, but it' \
+                  ' was sent to the test environment for verification.' \
+                  ' Send it to the production environment instead.'
+      freeze!
+    end
+  end
+end

data/lib/candy_check/app_store/verifier.rb

@@ -0,0 +1,69 @@
+module CandyCheck
+  module AppStore
+    # Verifies receipts against the verification servers.
+    # The call return either an {Receipt} or a {VerificationFailure}
+    class Verifier
+      # HTTPS endpoint for production receipts
+      PRODUCTION_ENDPOINT = 'https://buy.itunes.apple.com/verifyReceipt'
+      # HTTPS endpoint for sandbox receipts
+      SANDBOX_ENDPOINT = 'https://sandbox.itunes.apple.com/verifyReceipt'
+      # Status code from production endpoint when receiving a sandbox
+      # receipt which occurs during the app's review process
+      REDIRECT_TO_SANDBOX_CODE = 21_007
+      # Status code from the sandbox endpoint when receiving a production
+      # receipt
+      REDIRECT_TO_PRODUCTION_CODE = 21_008
+
+      # @return [Config] the current configuration
+      attr_reader :config
+
+      # Initializes a new verifier for the application which is bound
+      # to a configuration
+      # @param config [Config]
+      def initialize(config)
+        @config = config
+      end
+
+      # Calls a verification for the given input
+      # @param receipt_data [String] the raw data to be verified
+      # @param secret [String] the optional shared secret
+      # @return [Receipt] if successful
+      # @return [VerificationFailure] otherwise
+      def verify(receipt_data, secret = nil)
+        default_endpoint, opposite_endpoint = endpoints
+        result = call_for(default_endpoint, receipt_data, secret)
+        if should_retry?(result)
+          return call_for(opposite_endpoint, receipt_data, secret)
+        end
+        result
+      end
+
+      private
+
+      def call_for(endpoint_url, receipt_data, secret)
+        Verification.new(endpoint_url, receipt_data, secret).call!
+      end
+
+      def should_retry?(result)
+        result.is_a?(VerificationFailure) && redirect?(result)
+      end
+
+      def endpoints
+        if config.production?
+          [PRODUCTION_ENDPOINT, SANDBOX_ENDPOINT]
+        else
+          [SANDBOX_ENDPOINT, PRODUCTION_ENDPOINT]
+        end
+      end
+
+      def redirect_code
+        config.production? ? REDIRECT_TO_SANDBOX_CODE :
+                             REDIRECT_TO_PRODUCTION_CODE
+      end
+
+      def redirect?(failure)
+        failure.code == redirect_code
+      end
+    end
+  end
+end

data/lib/candy_check/app_store.rb

@@ -0,0 +1,12 @@
+require 'candy_check/app_store/client'
+require 'candy_check/app_store/config'
+require 'candy_check/app_store/receipt'
+require 'candy_check/app_store/verification'
+require 'candy_check/app_store/verification_failure'
+require 'candy_check/app_store/verifier'
+
+module CandyCheck
+  # Module to request and verify a AppStore receipt
+  module AppStore
+  end
+end

data/lib/candy_check/play_store/client.rb

@@ -0,0 +1,102 @@
+module CandyCheck
+  module PlayStore
+    # A client which uses the official Google API SDK to authenticate
+    # and request product information from Google's API.
+    #
+    # @example Usage
+    #   config = ClientConfig.new({...})
+    #   client = Client.new(config)
+    #   client.boot! # a single time
+    #   client.verify('my.bundle', 'product_1', 'a-very-long-secure-token')
+    #   # ... multiple calls from now on
+    #   client.verify('my.bundle', 'product_1', 'another-long-token')
+    class Client
+      # Error thrown if the discovery of the API wasn't successful
+      class DiscoveryError < RuntimeError; end
+
+      # API endpoint
+      API_URL      = 'https://accounts.google.com/o/oauth2/token'
+      # API scope for Android services
+      API_SCOPE    = 'https://www.googleapis.com/auth/androidpublisher'
+      # API discovery namespace
+      API_DISCOVER = 'androidpublisher'
+      # API version
+      API_VERSION  = 'v2'
+
+      # Initializes a client using a configuration.
+      # @param config [ClientConfig]
+      def initialize(config)
+        self.config = config
+      end
+
+      # Boots a client by discovering the API's services and then authorizes
+      # by fetching an access token.
+      # If the config has a cache_file the client tries to load discovery
+      def boot!
+        self.api_client = Google::APIClient.new(
+          application_name:    config.application_name,
+          application_version: config.application_version
+        )
+        discover!
+        authorize!
+      end
+
+      # Calls the remote API to load the product information for a specific
+      # combination of parameter which should be loaded from the client.
+      # @param package [String] the app's package name
+      # @param product_id [String] the app's item id
+      # @param token [String] the purchase token
+      # @return [Hash] result of the API call
+      def verify(package, product_id, token)
+        api_client.execute(
+          api_method: rpc.purchases.products.get,
+          parameters: {
+            'packageName' => package,
+            'productId'   => product_id,
+            'token'       => token
+          }
+        ).data.to_hash
+      end
+
+      private
+
+      attr_accessor :config, :api_client, :rpc
+
+      def discover!
+        self.rpc = load_discover_dump || request_discover
+        validate_rpc!
+        write_discover_dump
+      end
+
+      def request_discover
+        api_client.discovered_api(API_DISCOVER, API_VERSION)
+      end
+
+      def authorize!
+        api_client.authorization = Signet::OAuth2::Client.new(
+          token_credential_uri: API_URL,
+          audience:             API_URL,
+          scope:                API_SCOPE,
+          issuer:               config.issuer,
+          signing_key:          config.api_key
+        )
+        api_client.authorization.fetch_access_token!
+      end
+
+      def validate_rpc!
+        return if rpc.purchases.products.get
+        fail DiscoveryError, 'Unable to get the API discovery'
+      rescue NoMethodError
+        raise DiscoveryError, 'Unable to get the API discovery'
+      end
+
+      def load_discover_dump
+        DiscoveryRepository.new(config.cache_file).load
+      end
+
+      def write_discover_dump
+        DiscoveryRepository.new(config.cache_file).save(rpc)
+      end
+    end
+  end
+end