native-update 1.0.0

package/ios/Plugin/LiveUpdate/WebViewConfiguration.swift

@@ -0,0 +1,45 @@
+import Foundation
+import Capacitor
+import WebKit
+
+extension NativeUpdatePlugin {
+    
+    // This method should be called by the Capacitor app during WebView setup
+    @objc public func configureWebView(for webView: WKWebView) {
+        // Check if there's an active bundle to load
+        if let activeBundleId = UserDefaults.standard.string(forKey: "native_update_active_bundle"),
+           let bundles = UserDefaults.standard.dictionary(forKey: "native_update_bundles"),
+           let bundleInfo = bundles[activeBundleId] as? [String: Any],
+           let extractedPath = bundleInfo["extractedPath"] as? String {
+            
+            // Verify the bundle still exists
+            let bundleURL = URL(fileURLWithPath: extractedPath)
+            let indexURL = bundleURL.appendingPathComponent("index.html")
+            
+            if FileManager.default.fileExists(atPath: indexURL.path) {
+                // Configure WebView to load from the active bundle
+                webView.loadFileURL(indexURL, allowingReadAccessTo: bundleURL)
+                return
+            }
+        }
+        
+        // If no active bundle or bundle doesn't exist, clear the active bundle
+        UserDefaults.standard.removeObject(forKey: "native_update_active_bundle")
+    }
+    
+    // Helper method to get the current bundle's base URL
+    @objc public func getCurrentBundleURL() -> URL? {
+        if let activeBundleId = UserDefaults.standard.string(forKey: "native_update_active_bundle"),
+           let bundles = UserDefaults.standard.dictionary(forKey: "native_update_bundles"),
+           let bundleInfo = bundles[activeBundleId] as? [String: Any],
+           let extractedPath = bundleInfo["extractedPath"] as? String {
+            
+            let bundleURL = URL(fileURLWithPath: extractedPath)
+            if FileManager.default.fileExists(atPath: bundleURL.path) {
+                return bundleURL
+            }
+        }
+        
+        return nil
+    }
+}

package/ios/Plugin/Security/SecurityManager.swift

@@ -0,0 +1,289 @@
+import Foundation
+import Security
+import CommonCrypto
+import CryptoKit
+
+class SecurityManager {
+    private var config: [String: Any]?
+    private let keychain = KeychainWrapper()
+    
+    func configure(_ config: [String: Any]) throws {
+        self.config = config
+        
+        // Validate security configuration
+        let enforceHttps = config["enforceHttps"] as? Bool ?? true
+        if !enforceHttps {
+            print("⚠️ SecurityManager: HTTPS enforcement is disabled. This is not recommended for production.")
+        }
+    }
+    
+    func getSecurityInfo() -> [String: Any] {
+        return [
+            "enforceHttps": config?["enforceHttps"] as? Bool ?? true,
+            "certificatePinning": [
+                "enabled": (config?["certificatePinning"] as? [String: Any])?["enabled"] as? Bool ?? false,
+                "pins": getCertificatePins()
+            ],
+            "validateInputs": config?["validateInputs"] as? Bool ?? true,
+            "secureStorage": config?["secureStorage"] as? Bool ?? true
+        ]
+    }
+    
+    func getCertificatePins() -> [String: [String]] {
+        guard let pinningConfig = config?["certificatePinning"] as? [String: Any],
+              pinningConfig["enabled"] as? Bool == true,
+              let pins = pinningConfig["pins"] as? [[String: Any]] else {
+            return [:]
+        }
+        
+        var hostPins: [String: [String]] = [:]
+        
+        for pin in pins {
+            guard let hostname = pin["hostname"] as? String,
+                  let sha256Pins = pin["sha256"] as? [String] else {
+                continue
+            }
+            
+            hostPins[hostname] = sha256Pins
+        }
+        
+        return hostPins
+    }
+    
+    func validateUrl(_ url: String) -> Bool {
+        if !url.hasPrefix("https://") && isHttpsEnforced() {
+            return false
+        }
+        
+        // Check against allowed hosts if configured
+        if let allowedHosts = getAllowedHosts(), !allowedHosts.isEmpty {
+            guard let urlComponents = URLComponents(string: url),
+                  let host = urlComponents.host else {
+                return false
+            }
+            return allowedHosts.contains(host)
+        }
+        
+        return true
+    }
+    
+    func verifySignature(data: Data, signature: String, publicKeyString: String) -> Bool {
+        // Handle PEM format or base64 encoded public key
+        let publicKeyData: Data
+        if publicKeyString.contains("-----BEGIN PUBLIC KEY-----") {
+            // Convert PEM to base64
+            let base64String = publicKeyString
+                .replacingOccurrences(of: "-----BEGIN PUBLIC KEY-----", with: "")
+                .replacingOccurrences(of: "-----END PUBLIC KEY-----", with: "")
+                .replacingOccurrences(of: "\n", with: "")
+                .replacingOccurrences(of: "\r", with: "")
+                .trimmingCharacters(in: .whitespacesAndNewlines)
+            
+            guard let data = Data(base64Encoded: base64String) else {
+                print("Failed to decode PEM public key")
+                return false
+            }
+            publicKeyData = data
+        } else {
+            // Already base64 encoded
+            guard let data = Data(base64Encoded: publicKeyString) else {
+                print("Failed to decode base64 public key")
+                return false
+            }
+            publicKeyData = data
+        }
+        
+        guard let signatureData = Data(base64Encoded: signature) else {
+            print("Failed to decode signature")
+            return false
+        }
+        
+        do {
+            // Create SecKey from public key data
+            let attributes: [String: Any] = [
+                kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
+                kSecAttrKeyClass as String: kSecAttrKeyClassPublic,
+                kSecAttrKeySizeInBits as String: 2048
+            ]
+            
+            guard let secKey = SecKeyCreateWithData(publicKeyData as CFData, attributes as CFDictionary, nil) else {
+                print("Failed to create SecKey from public key data")
+                return false
+            }
+            
+            // Verify signature using RSA-PSS (matching web implementation)
+            let algorithm = SecKeyAlgorithm.rsaSignatureMessagePSSSHA256
+            let result = SecKeyVerifySignature(secKey, algorithm, data as CFData, signatureData as CFData, nil)
+            
+            if !result {
+                print("Signature verification failed")
+            }
+            
+            return result
+        } catch {
+            print("Signature verification error: \(error)")
+            return false
+        }
+    }
+    
+    func calculateChecksum(for data: Data, algorithm: String = "SHA-256") -> String {
+        let digest: Data
+        
+        switch algorithm {
+        case "SHA-256":
+            digest = SHA256.hash(data: data).data
+        case "SHA-512":
+            digest = SHA512.hash(data: data).data
+        default:
+            // Fallback to SHA-256
+            digest = SHA256.hash(data: data).data
+        }
+        
+        return digest.map { String(format: "%02x", $0) }.joined()
+    }
+    
+    func saveSecureData(key: String, value: String) {
+        if isSecureStorageEnabled() {
+            keychain.set(value, forKey: key)
+        } else {
+            // Fallback to UserDefaults (not recommended)
+            UserDefaults.standard.set(value, forKey: key)
+        }
+    }
+    
+    func getSecureData(key: String) -> String? {
+        if isSecureStorageEnabled() {
+            return keychain.string(forKey: key)
+        } else {
+            return UserDefaults.standard.string(forKey: key)
+        }
+    }
+    
+    func validatePath(_ path: String) -> Bool {
+        // Prevent directory traversal attacks
+        if path.contains("..") || path.contains("//") {
+            return false
+        }
+        
+        // Ensure path is within app's sandbox
+        let url = URL(fileURLWithPath: path)
+        let standardizedPath = url.standardizedFileURL.path
+        
+        // Check if path is within allowed directories
+        let documentsPath = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first!.path
+        let cachesPath = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask).first!.path
+        let tempPath = NSTemporaryDirectory()
+        
+        return standardizedPath.hasPrefix(documentsPath) ||
+               standardizedPath.hasPrefix(cachesPath) ||
+               standardizedPath.hasPrefix(tempPath)
+    }
+    
+    func sanitizeInput(_ input: String) -> String {
+        // Remove potentially dangerous characters
+        let allowedCharacters = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: "._-"))
+        return input.components(separatedBy: allowedCharacters.inverted).joined()
+    }
+    
+    func isHttpsEnforced() -> Bool {
+        return config?["enforceHttps"] as? Bool ?? true
+    }
+    
+    func isSecureStorageEnabled() -> Bool {
+        return config?["secureStorage"] as? Bool ?? true
+    }
+    
+    func isInputValidationEnabled() -> Bool {
+        return config?["validateInputs"] as? Bool ?? true
+    }
+    
+    func logSecurityEvent(_ event: String, details: String? = nil) {
+        guard config?["logSecurityEvents"] as? Bool == true else { return }
+        
+        let message = "Security Event: \(event) \(details ?? "")"
+        print("🔒 \(message)")
+        
+        // In production, you might want to send these to a security monitoring service
+    }
+    
+    private func getAllowedHosts() -> [String]? {
+        var hosts: [String] = []
+        
+        // Add hosts from live update config
+        if let liveUpdateConfig = config?["liveUpdate"] as? [String: Any],
+           let allowedHosts = liveUpdateConfig["allowedHosts"] as? [String] {
+            hosts.append(contentsOf: allowedHosts)
+        }
+        
+        // Add host from server URL
+        if let serverUrl = config?["serverUrl"] as? String,
+           let urlComponents = URLComponents(string: serverUrl),
+           let host = urlComponents.host {
+            hosts.append(host)
+        }
+        
+        return hosts.isEmpty ? nil : Array(Set(hosts))
+    }
+}
+
+// MARK: - Keychain Wrapper
+
+private class KeychainWrapper {
+    private let serviceName = "com.aoneahsan.nativeupdate"
+    
+    func set(_ value: String, forKey key: String) {
+        guard let data = value.data(using: .utf8) else { return }
+        
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: serviceName,
+            kSecAttrAccount as String: key,
+            kSecValueData as String: data
+        ]
+        
+        // Delete any existing item
+        SecItemDelete(query as CFDictionary)
+        
+        // Add new item
+        SecItemAdd(query as CFDictionary, nil)
+    }
+    
+    func string(forKey key: String) -> String? {
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: serviceName,
+            kSecAttrAccount as String: key,
+            kSecReturnData as String: true,
+            kSecMatchLimit as String: kSecMatchLimitOne
+        ]
+        
+        var dataTypeRef: AnyObject?
+        let status = SecItemCopyMatching(query as CFDictionary, &dataTypeRef)
+        
+        guard status == errSecSuccess,
+              let data = dataTypeRef as? Data,
+              let string = String(data: data, encoding: .utf8) else {
+            return nil
+        }
+        
+        return string
+    }
+    
+    func remove(forKey key: String) {
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: serviceName,
+            kSecAttrAccount as String: key
+        ]
+        
+        SecItemDelete(query as CFDictionary)
+    }
+}
+
+// MARK: - CryptoKit Extensions
+
+extension Digest {
+    var data: Data {
+        Data(self)
+    }
+}

package/package.json

@@ -0,0 +1,90 @@
+{
+  "name": "native-update",
+  "version": "1.0.0",
+  "description": "Foundation package for building a comprehensive update system for Capacitor apps. Provides architecture and interfaces but requires backend implementation.",
+  "type": "module",
+  "main": "dist/plugin.cjs.js",
+  "module": "dist/esm/index.js",
+  "types": "dist/esm/index.d.ts",
+  "unpkg": "dist/plugin.js",
+  "files": [
+    "android/src/main/",
+    "android/build.gradle",
+    "android/variables.gradle",
+    "android/gradle.properties",
+    "android/gradle/",
+    "android/settings.gradle",
+    "android/proguard-rules.pro",
+    "dist/",
+    "ios/Plugin/",
+    "CapacitorNativeUpdate.podspec",
+    "docs/"
+  ],
+  "author": {
+    "name": "Ahsan Mahmood",
+    "email": "aoneahsan@gmail.com",
+    "url": "https://aoneahsan.com"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aoneahsan/native-update.git"
+  },
+  "bugs": {
+    "url": "https://github.com/aoneahsan/native-update/issues"
+  },
+  "homepage": "https://github.com/aoneahsan/native-update#readme",
+  "keywords": [
+    "capacitor",
+    "plugin",
+    "native",
+    "app-updates",
+    "native-updates"
+  ],
+  "scripts": {
+    "build": "npm run clean && npm run tsc && rollup -c rollup.config.js",
+    "build:prod": "npm run clean && npm run tsc && NODE_ENV=production rollup -c rollup.config.js",
+    "clean": "rimraf ./dist",
+    "tsc": "tsc",
+    "watch": "tsc --watch",
+    "lint": "eslint . --ext ts",
+    "prettier": "prettier --write .",
+    "prepublishOnly": "npm run build:prod",
+    "swiftlint": "cd ios && swiftlint lint --fix --format --path Plugin --verbose",
+    "test": "vitest",
+    "test:ui": "vitest --ui",
+    "test:coverage": "vitest --coverage"
+  },
+  "devDependencies": {
+    "@capacitor/android": "^7.4.2",
+    "@capacitor/core": "^7.4.2",
+    "@capacitor/filesystem": "^7.1.4",
+    "@capacitor/ios": "^7.4.2",
+    "@capacitor/preferences": "^7.0.2",
+    "@rollup/plugin-json": "^6.1.0",
+    "@rollup/plugin-node-resolve": "^16.0.1",
+    "@rollup/plugin-terser": "^0.4.4",
+    "@types/node": "^24.2.1",
+    "@typescript-eslint/eslint-plugin": "^8.39.1",
+    "@typescript-eslint/parser": "^8.39.1",
+    "@vitest/ui": "^3.2.4",
+    "eslint": "^9.33.0",
+    "happy-dom": "^18.0.1",
+    "prettier": "^3.6.2",
+    "rimraf": "^6.0.1",
+    "rollup": "^4.46.2",
+    "typescript": "^5.9.2",
+    "vitest": "^3.2.4"
+  },
+  "peerDependencies": {
+    "@capacitor/core": "^7.4.2"
+  },
+  "capacitor": {
+    "ios": {
+      "src": "ios"
+    },
+    "android": {
+      "src": "android"
+    }
+  }
+}