@arcblock/payment-service 1.29.5 → 1.29.7

package/dist/index.js

@@ -9140,17 +9140,230 @@ var init_apple_root_certs = __esm({
   }
 });
 
-// ../../blocklets/core/api/src/integrations/app-store/signed-data-verifier.ts
-async function getVerifier(bundleId, environment) {
-  const key = `${bundleId}:${environment}`;
-  const cached = verifierCache.get(key);
-  if (cached) return cached;
-  const mod = await import("@apple/app-store-server-library");
-  const env12 = environment === "production" ? mod.Environment.PRODUCTION : mod.Environment.SANDBOX;
-  const verifier = new mod.SignedDataVerifier(APPLE_ROOT_CERTS, false, env12, bundleId);
-  verifierCache.set(key, verifier);
-  return verifier;
+// ../../blocklets/core/api/src/integrations/app-store/native-asn1.ts
+function oidToDerTag(oid) {
+  const parts = oid.split(".").map((p) => Number.parseInt(p, 10));
+  if (parts.length < 2 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
+    throw new Error(`oidToDerTag: invalid OID "${oid}"`);
+  }
+  const content = [40 * parts[0] + parts[1]];
+  for (let i = 2; i < parts.length; i++) {
+    let v = parts[i];
+    const sevenBitGroups = [v & 127];
+    v = Math.floor(v / 128);
+    while (v > 0) {
+      sevenBitGroups.unshift(v & 127 | 128);
+      v = Math.floor(v / 128);
+    }
+    content.push(...sevenBitGroups);
+  }
+  if (content.length > 127) {
+    throw new Error(`oidToDerTag: OID "${oid}" content too long for single-byte length`);
+  }
+  return Buffer.from([6, content.length, ...content]);
+}
+function certHasOid(cert, oid) {
+  return Buffer.from(cert.raw).includes(oidToDerTag(oid));
+}
+var init_native_asn1 = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-asn1.ts"() {
+    "use strict";
+  }
+});
+
+// ../../blocklets/core/api/src/integrations/app-store/native-jws.ts
+function base64UrlToJson(segment, code) {
+  let text;
+  try {
+    text = Buffer.from(segment, "base64url").toString("utf8");
+  } catch {
+    throw new AppleJwsVerifyError(code, "segment is not valid base64url");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    throw new AppleJwsVerifyError(code, "segment is not valid JSON");
+  }
+  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new AppleJwsVerifyError(code, "segment is not a JSON object");
+  }
+  const out = parsed;
+  for (const key of ["__proto__", "constructor", "prototype"]) {
+    if (Object.prototype.hasOwnProperty.call(out, key)) {
+      delete out[key];
+    }
+  }
+  return out;
+}
+function buildCert(b64, label) {
+  try {
+    return new import_node_crypto.X509Certificate(Buffer.from(b64, "base64"));
+  } catch {
+    throw new AppleJwsVerifyError("MALFORMED_CERT", `${label} cert is not valid DER`);
+  }
+}
+function assertCertValid(cert, effectiveDate, label) {
+  const validFrom = Date.parse(cert.validFrom);
+  const validTo = Date.parse(cert.validTo);
+  if (Number.isNaN(validFrom) || Number.isNaN(validTo)) {
+    throw new AppleJwsVerifyError("CERT_VALIDITY", `${label} cert has unparseable validity dates`);
+  }
+  if (validFrom > effectiveDate + MAX_SKEW_MS) {
+    throw new AppleJwsVerifyError("CERT_NOT_YET_VALID", `${label} cert not valid until after signedDate`);
+  }
+  if (validTo < effectiveDate - MAX_SKEW_MS) {
+    throw new AppleJwsVerifyError("CERT_EXPIRED", `${label} cert expired before signedDate`);
+  }
+}
+async function verifyAppleJws(jws, opts = {}) {
+  const trustedRoots = opts.trustedRoots ?? APPLE_ROOT_CERTS;
+  const parts = jws.split(".");
+  if (parts.length !== 3) {
+    throw new AppleJwsVerifyError("FORMAT", "expected 3 JWS segments");
+  }
+  const [headerSeg, payloadSeg, signatureSeg] = parts;
+  const header = base64UrlToJson(headerSeg, "HEADER");
+  if (header.alg !== "ES256") {
+    throw new AppleJwsVerifyError("ALG", "only ES256 is accepted");
+  }
+  if (!Array.isArray(header.x5c) || header.x5c.length !== 3) {
+    throw new AppleJwsVerifyError("INVALID_CHAIN_LENGTH", "x5c must contain exactly 3 certs");
+  }
+  const leaf = buildCert(header.x5c[0], "leaf");
+  const intermediate = buildCert(header.x5c[1], "intermediate");
+  const rootFromJws = buildCert(header.x5c[2], "root");
+  const rootDer = Buffer.from(rootFromJws.raw);
+  const anchored = trustedRoots.some((trusted) => trusted.equals(rootDer));
+  if (!anchored) {
+    throw new AppleJwsVerifyError("ANCHOR", "presented root is not a trusted Apple root");
+  }
+  if (!intermediate.verify(rootFromJws.publicKey) || intermediate.issuer !== rootFromJws.subject) {
+    throw new AppleJwsVerifyError("CHAIN", "intermediate does not chain to root");
+  }
+  if (!leaf.verify(intermediate.publicKey) || leaf.issuer !== intermediate.subject) {
+    throw new AppleJwsVerifyError("CHAIN", "leaf does not chain to intermediate");
+  }
+  if (intermediate.ca !== true || !certHasOid(intermediate, APPLE_INTERMEDIATE_OID)) {
+    throw new AppleJwsVerifyError("OID", "intermediate missing CA flag or Apple OID");
+  }
+  if (!certHasOid(leaf, APPLE_LEAF_OID)) {
+    throw new AppleJwsVerifyError("OID", "leaf missing Apple OID");
+  }
+  const payload = base64UrlToJson(payloadSeg, "PAYLOAD");
+  const effectiveDate = opts.signedDate ?? (typeof payload.signedDate === "number" ? payload.signedDate : void 0);
+  if (typeof effectiveDate !== "number") {
+    throw new AppleJwsVerifyError("NO_SIGNED_DATE", "payload has no numeric signedDate to validate against");
+  }
+  assertCertValid(leaf, effectiveDate, "leaf");
+  assertCertValid(intermediate, effectiveDate, "intermediate");
+  assertCertValid(rootFromJws, effectiveDate, "root");
+  const spki = leaf.publicKey.export({ type: "spki", format: "der" });
+  const key = await crypto.subtle.importKey(
+    "spki",
+    spki,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+  const signature = Buffer.from(signatureSeg, "base64url");
+  const signingInput = Buffer.from(`${headerSeg}.${payloadSeg}`, "ascii");
+  const valid = await crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, key, signature, signingInput);
+  if (!valid) {
+    throw new AppleJwsVerifyError("SIGNATURE", "ES256 signature does not verify against the leaf key");
+  }
+  return payload;
+}
+var import_node_crypto, APPLE_LEAF_OID, APPLE_INTERMEDIATE_OID, MAX_SKEW_MS, AppleJwsVerifyError;
+var init_native_jws = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-jws.ts"() {
+    "use strict";
+    import_node_crypto = require("node:crypto");
+    init_apple_root_certs();
+    init_native_asn1();
+    APPLE_LEAF_OID = "1.2.840.113635.100.6.11.1";
+    APPLE_INTERMEDIATE_OID = "1.2.840.113635.100.6.2.1";
+    MAX_SKEW_MS = 6e4;
+    AppleJwsVerifyError = class extends Error {
+      constructor(code, detail) {
+        super(detail ? `AppStore JWS verify failed [${code}]: ${detail}` : `AppStore JWS verify failed [${code}]`);
+        this.name = "AppleJwsVerifyError";
+        this.code = code;
+      }
+    };
+  }
+});
+
+// ../../blocklets/core/api/src/integrations/app-store/native-api.ts
+function pemToDer(pem) {
+  const body = pem.replace(/-----BEGIN [^-]+-----/g, "").replace(/-----END [^-]+-----/g, "").replace(/\s+/g, "");
+  if (!body) {
+    throw new Error("AppStore API: private_key_pem is empty or not PEM-armored");
+  }
+  return Buffer.from(body, "base64");
+}
+async function signBearerJwt(creds) {
+  const header = { alg: "ES256", kid: creds.keyId, typ: "JWT" };
+  const iat = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: creds.issuerId,
+    iat,
+    exp: iat + JWT_TTL_SECONDS,
+    aud: "appstoreconnect-v1",
+    bid: creds.bundleId
+  };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signingInput = `${headerB64}.${payloadB64}`;
+  let key;
+  try {
+    key = await crypto.subtle.importKey(
+      "pkcs8",
+      pemToDer(creds.privateKeyPem),
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      ["sign"]
+    );
+  } catch {
+    throw new Error("AppStore API: private_key_pem is not a valid EC P-256 PKCS#8 key");
+  }
+  const signature = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    key,
+    Buffer.from(signingInput, "ascii")
+  );
+  return `${signingInput}.${Buffer.from(signature).toString("base64url")}`;
+}
+async function nativeGetAllSubscriptionStatuses(originalTransactionId, creds) {
+  if (!creds.issuerId || !creds.keyId || !creds.privateKeyPem) {
+    throw new Error("AppStore API: issuer_id/key_id/private_key_pem are required");
+  }
+  const host = creds.environment === "production" ? API_HOST_PRODUCTION : API_HOST_SANDBOX;
+  const url = `${host}/inApps/v1/subscriptions/${encodeURIComponent(originalTransactionId)}`;
+  const jwt = await signBearerJwt(creds);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: { Authorization: `Bearer ${jwt}`, Accept: "application/json" }
+  });
+  if (response.status === 404) {
+    return { data: [] };
+  }
+  if (!response.ok) {
+    throw new Error(`AppStore API: getAllSubscriptionStatuses failed with HTTP ${response.status}`);
+  }
+  return await response.json();
 }
+var API_HOST_PRODUCTION, API_HOST_SANDBOX, JWT_TTL_SECONDS;
+var init_native_api = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-api.ts"() {
+    "use strict";
+    API_HOST_PRODUCTION = "https://api.storekit.apple.com";
+    API_HOST_SANDBOX = "https://api.storekit-sandbox.apple.com";
+    JWT_TTL_SECONDS = 300;
+  }
+});
+
+// ../../blocklets/core/api/src/integrations/app-store/signed-data-verifier.ts
 function isSignatureVerificationSkipped() {
   if (!appStoreSkipSignatureVerify()) return false;
   if (isProduction()) {
@@ -9161,21 +9374,19 @@ function isSignatureVerificationSkipped() {
   }
   return true;
 }
-async function verifySignedTransaction(signedTransaction, bundleId, environment) {
+async function verifySignedTransaction(signedTransaction, _bundleId, _environment) {
   if (isSignatureVerificationSkipped()) {
     logger_default.warn("app_store: signature verification skipped via APP_STORE_SKIP_SIGNATURE_VERIFY");
     return decodeUnsafe(signedTransaction);
   }
-  const verifier = await getVerifier(bundleId, environment);
-  return verifier.verifyAndDecodeTransaction(signedTransaction);
+  return verifyAppleJws(signedTransaction);
 }
-async function verifySignedNotification(signedPayload, bundleId, environment) {
+async function verifySignedNotification(signedPayload, _bundleId, _environment) {
   if (isSignatureVerificationSkipped()) {
     logger_default.warn("app_store: signature verification skipped via APP_STORE_SKIP_SIGNATURE_VERIFY");
     return decodeUnsafe(signedPayload);
   }
-  const verifier = await getVerifier(bundleId, environment);
-  return verifier.verifyAndDecodeNotification(signedPayload);
+  return verifyAppleJws(signedPayload);
 }
 function decodeUnsafe(jws) {
   const parts = jws.split(".");
@@ -9188,41 +9399,85 @@ function decodeUnsafe(jws) {
     throw new Error(`AppStore JWS payload not valid JSON: ${err.message}`);
   }
 }
-async function getApiClient(creds) {
-  const key = `${creds.bundleId}:${creds.environment}:${creds.keyId}`;
-  const cached = apiClientCache.get(key);
-  if (cached) return cached;
-  const mod = await import("@apple/app-store-server-library");
-  const env12 = creds.environment === "production" ? mod.Environment.PRODUCTION : mod.Environment.SANDBOX;
-  const client = new mod.AppStoreServerAPIClient(creds.privateKeyPem, creds.keyId, creds.issuerId, creds.bundleId, env12);
-  apiClientCache.set(key, client);
-  return client;
-}
 async function getAllSubscriptionStatuses(originalTransactionId, creds) {
-  const client = await getApiClient(creds);
-  return client.getAllSubscriptionStatuses(originalTransactionId);
+  return nativeGetAllSubscriptionStatuses(originalTransactionId, creds);
 }
-var verifierCache, apiClientCache;
 var init_signed_data_verifier = __esm({
   "../../blocklets/core/api/src/integrations/app-store/signed-data-verifier.ts"() {
     "use strict";
     init_logger();
     init_env();
-    init_apple_root_certs();
-    verifierCache = /* @__PURE__ */ new Map();
-    apiClientCache = /* @__PURE__ */ new Map();
+    init_native_jws();
+    init_native_api();
+  }
+});
+
+// ../../blocklets/core/api/src/integrations/app-store/native-receipt.ts
+function toMs(v) {
+  if (v === void 0 || v === null || v === "") return void 0;
+  const n = Number(v);
+  return Number.isNaN(n) ? void 0 : n;
+}
+async function postReceipt(host, body) {
+  const response = await fetch(host, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    throw new Error(`AppStore verifyReceipt: HTTP ${response.status}`);
+  }
+  return await response.json();
+}
+async function verifyAppleReceiptNative({
+  receipt,
+  sharedSecret
+}) {
+  const body = {
+    "receipt-data": receipt,
+    password: sharedSecret,
+    // Deliberate, result-equivalent: client.ts reduces to the latest-expiry item
+    // anyway, so trimming old transactions here changes nothing downstream.
+    "exclude-old-transactions": true
+  };
+  let data = await postReceipt(PRODUCTION_HOST, body);
+  if (RETRY_SANDBOX_STATUSES.has(data.status)) {
+    data = await postReceipt(SANDBOX_HOST, body);
+  }
+  if (data.status !== 0) {
+    throw new Error(`AppStore verifyReceipt: Apple returned status ${data.status}`);
+  }
+  const rawItems = data.latest_receipt_info ?? data.receipt?.in_app ?? [];
+  const bundleId = data.receipt?.bundle_id;
+  return rawItems.map((item) => ({
+    productId: item.product_id ?? "",
+    transactionId: item.transaction_id ?? "",
+    originalTransactionId: item.original_transaction_id,
+    purchaseDate: toMs(item.purchase_date_ms),
+    expirationDate: toMs(item.expires_date_ms),
+    bundleId,
+    webOrderLineItemId: item.web_order_line_item_id
+  }));
+}
+var PRODUCTION_HOST, SANDBOX_HOST, RETRY_SANDBOX_STATUSES;
+var init_native_receipt = __esm({
+  "../../blocklets/core/api/src/integrations/app-store/native-receipt.ts"() {
+    "use strict";
+    PRODUCTION_HOST = "https://buy.itunes.apple.com/verifyReceipt";
+    SANDBOX_HOST = "https://sandbox.itunes.apple.com/verifyReceipt";
+    RETRY_SANDBOX_STATUSES = /* @__PURE__ */ new Set([21007, 21002]);
   }
 });
 
 // ../../blocklets/core/api/src/integrations/app-store/client.ts
-var import_node_apple_receipt_verify, AppStoreClient;
+var AppStoreClient;
 var init_client = __esm({
   "../../blocklets/core/api/src/integrations/app-store/client.ts"() {
     "use strict";
-    import_node_apple_receipt_verify = require("node-apple-receipt-verify");
     init_env();
     init_logger();
     init_signed_data_verifier();
+    init_native_receipt();
     AppStoreClient = class _AppStoreClient {
       constructor(settings, environment) {
         this.bundleId = settings.bundle_id;
@@ -9327,9 +9582,9 @@ var init_client = __esm({
       /**
        * Verify a StoreKit 1 (legacy) base64 receipt via Apple's verifyReceipt endpoint.
        *
-       * Calls `node-apple-receipt-verify` which POSTs to
+       * Calls the native `verifyAppleReceiptNative` which POSTs to
        *   https://buy.itunes.apple.com/verifyReceipt   (production)
-       *   https://sandbox.itunes.apple.com/verifyReceipt (sandbox, auto fallback)
+       *   https://sandbox.itunes.apple.com/verifyReceipt (sandbox, auto fallback on 21007/21002)
        *
        * Returns a payload shaped like a StoreKit 2 transaction so downstream code
        * (ingestVerifiedAppStorePurchase) can stay agnostic. Note: legacy receipts
@@ -9343,12 +9598,7 @@ var init_client = __esm({
         if (!this.sharedSecret) {
           throw new Error("AppStoreClient: shared_secret is required for legacy receipt verification");
         }
-        (0, import_node_apple_receipt_verify.config)({
-          secret: this.sharedSecret,
-          verbose: false,
-          environment: ["production", "sandbox"]
-        });
-        const items = await (0, import_node_apple_receipt_verify.validate)({ receipt });
+        const items = await verifyAppleReceiptNative({ receipt, sharedSecret: this.sharedSecret });
         const filtered = options.expectedProductIds ? items.filter((i) => options.expectedProductIds.includes(i.productId)) : items;
         if (!filtered.length) {
           throw new Error("AppStoreClient: verifyReceipt returned no matching purchases");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcblock/payment-service",
-  "version": "1.29.5",
+  "version": "1.29.7",
   "description": "Embedded payment service factory (W2) — side-effect-free core for arc / blocklet server / standalone worker hosts",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -37,7 +37,6 @@
   },
   "dependencies": {
     "@abtnode/cron": "^1.17.13-beta-20260613-094425-b81920c8",
-    "@apple/app-store-server-library": "^3.1.0",
     "@arcblock/did": "^1.30.24",
     "@arcblock/did-connect-storage-nedb": "^1.8.0",
     "@arcblock/did-util": "^1.30.24",
@@ -45,7 +44,7 @@
     "@blocklet/constant": "^1.17.13-beta-20260613-094425-b81920c8",
     "@blocklet/error": "^0.3.5",
     "@blocklet/logger": "^1.17.13-beta-20260613-094425-b81920c8",
-    "@blocklet/payment-vendor": "1.29.5",
+    "@blocklet/payment-vendor": "1.29.7",
     "@blocklet/sdk": "^1.17.13-beta-20260613-094425-b81920c8",
     "@blocklet/xss": "^0.3.16",
     "@hono/node-server": "^2.0.4",
@@ -70,7 +69,6 @@
     "json-stable-stringify": "^1.3.0",
     "lodash": "^4.17.21",
     "nanoid": "^3.3.11",
-    "node-apple-receipt-verify": "^1.15.0",
     "p-all": "3.0.0",
     "p-wait-for": "^3.2.0",
     "pretty-ms-i18n": "^1.0.3",
@@ -92,5 +90,5 @@
     "ts-jest": "^29.1.2",
     "typescript": "^5.4.3"
   },
-  "gitHead": "b392a84d8557fd6f32f47540d76d642d62e59dd3"
+  "gitHead": "e1999aecfa9ce64bfd56da14bf47b255a19ef394"
 }