payment-kit 1.29.5 → 1.29.7

package/api/tests/integrations/app-store/fixtures/make-chain.ts

@@ -0,0 +1,326 @@
+/**
+ * Synthetic Apple-style 3-cert chain + ES256 JWS generator for the App Store
+ * native-verify tests (and mirrored by the workerd probe's chain round).
+ *
+ * CONTRACT — read before using in validity / clock-skew tests:
+ *  - `verifyAppleJws` (Phase 1) uses the JWS payload's `signedDate` as the
+ *    `effectiveDate` for ALL certificate validity checks — NEVER Date.now().
+ *    So cert windows here are pinned with explicit notBefore/notAfter
+ *    (`certValidFrom`/`certValidTo`) and the spec positions `signedDate`
+ *    relative to them to exercise the ±60s skew boundary precisely.
+ *  - Production OID presence (native-asn1.ts) matches the FULL DER tag
+ *    `[0x06, len, ...content]`, STRICTER than the probe's content-only scan
+ *    (see 0.3). The certs below carry the real Apple OIDs as `DER:0500` exts.
+ *
+ * This generator NEVER validates — by design it can emit deliberately
+ * malformed inputs (missing OID, cross-signed leaf, and via `buildJws` any
+ * wrong-length x5c / tampered sig / forged alg) so the verifier's negative
+ * vectors have inputs to reject.
+ *
+ * "Callable from the probe": the probe is a raw-node `.mjs` that cannot import
+ * this `.ts` module under the ts-jest (CJS) setup, so
+ * `cloudflare/tests/x509-probe.mjs` mirrors this chain-building inline. Keep the
+ * two in sync — the algorithm (root → CA intermediate w/ Apple OID → leaf w/
+ * Apple OID, ES256 P1363 sig over `header.payload`) is identical.
+ *
+ * Determinism: the EC P-256 signing keys are COMMITTED under `fixtures/keys/`
+ * (synthetic, test-only) and the certs are derived from them at runtime with
+ * pinned validity windows — so golden-vector VALUE assertions are stable and
+ * the certs never expire. Pass `freshKeys: true` to generate unique keys for a
+ * single call (e.g. to make two chains demonstrably distinct). The committed
+ * keys are test-only and MUST never be imported by `src/` — a data-leak spec
+ * (`make-chain.spec.ts`) guards that invariant. The committed REAL Apple
+ * fixture (`real-sandbox.jws`) is the golden vector for real-chain field values.
+ */
+import { execFileSync } from 'node:child_process';
+import { X509Certificate, sign as nodeSign } from 'node:crypto';
+import { copyFileSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+export const APPLE_LEAF_OID = '1.2.840.113635.100.6.11.1';
+export const APPLE_INT_OID = '1.2.840.113635.100.6.2.1';
+
+const ONE_DAY_MS = 86_400_000;
+const TEN_YEARS_MS = 10 * 365 * ONE_DAY_MS;
+
+export interface MakeChainOptions {
+  /** ms; embedded as payload.signedDate (= effectiveDate verifyAppleJws uses). Default: Date.now(). */
+  signedDate?: number;
+  /** notBefore for all 3 certs. Default: signedDate − 1 day. */
+  certValidFrom?: Date;
+  /** notAfter for all 3 certs. Default: signedDate + 10 years. */
+  certValidTo?: Date;
+  /**
+   * Per-cert validity overrides, so a test can expire / not-yet-validate ONE cert
+   * (leaf, intermediate, or root) while the others stay valid — proving the
+   * verifier checks all three. Falls back to certValidFrom/certValidTo.
+   */
+  certWindows?: {
+    leaf?: { from?: Date; to?: Date };
+    intermediate?: { from?: Date; to?: Date };
+    root?: { from?: Date; to?: Date };
+  };
+  /** extra/override payload fields merged into the default transaction payload. */
+  payload?: Record<string, unknown>;
+  /** header `alg`; default 'ES256'. Override to forge alg-confusion vectors. */
+  alg?: string;
+  /** include the Apple leaf OID on the leaf (default true). */
+  leafOid?: boolean;
+  /** include the Apple intermediate OID on the intermediate (default true). */
+  intOid?: boolean;
+  /** generate unique keys instead of reusing the committed fixtures/keys/ PEMs (default false). */
+  freshKeys?: boolean;
+}
+
+export interface Chain {
+  /** [leafDER_b64, intermediateDER_b64, rootDER_b64] — standard base64 (as in a JWS header). */
+  x5c: string[];
+  /** valid `header.payload.p1363sig` JWS signed by the leaf key. */
+  jws: string;
+  /** `header.payload` — the ASCII bytes the ES256 signature covers. */
+  signingInput: string;
+  /** raw 64-byte IEEE-P1363 (r‖s) signature over `signingInput`. */
+  p1363Sig: Buffer;
+  /** b64 DER of a leaf signed by a DIFFERENT intermediate key (same subject DN): passes
+   *  issuer/subject equality but fails `leaf.verify(realIntermediate.publicKey)`. */
+  crossSignedLeaf: string;
+  keys: { rootKeyPem: string; intKeyPem: string; leafKeyPem: string; wrongIntKeyPem: string };
+  certs: { leaf: X509Certificate; intermediate: X509Certificate; root: X509Certificate };
+  payload: Record<string, unknown>;
+  header: Record<string, unknown>;
+}
+
+const SUBJ = {
+  root: '/CN=Test Apple Root CA/O=did-pay-test',
+  int: '/CN=Test Apple WWDR Intermediate/O=did-pay-test',
+  leaf: '/CN=Test Apple Leaf/O=did-pay-test',
+};
+
+/** Committed synthetic signing keys (test-only, never imported by src/). */
+const KEYS_DIR = path.join(__dirname, 'keys');
+
+/** openssl `-not_before`/`-not_after` want `[CC]YYMMDDHHMMSSZ`. */
+function fmtTime(d: Date): string {
+  return `${d
+    .toISOString()
+    .replace(/[-:]/g, '')
+    .replace('T', '')
+    .replace(/\.\d+Z$/, '')}Z`;
+}
+
+/** Sign `signingInput` (ASCII) with an EC P-256 key, returning a raw 64-byte P1363 sig. */
+export function signES256(signingInput: string, privateKeyPem: string): Buffer {
+  return nodeSign('sha256', Buffer.from(signingInput, 'ascii'), { key: privateKeyPem, dsaEncoding: 'ieee-p1363' });
+}
+
+/** Build a `header.payload.p1363sig` JWS from arbitrary header/payload objects (for crafting variants). */
+export function buildJws(
+  header: Record<string, unknown>,
+  payload: Record<string, unknown>,
+  leafKeyPem: string
+): { jws: string; signingInput: string; p1363Sig: Buffer } {
+  const h = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const p = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const signingInput = `${h}.${p}`;
+  const p1363Sig = signES256(signingInput, leafKeyPem);
+  return { jws: `${signingInput}.${p1363Sig.toString('base64url')}`, signingInput, p1363Sig };
+}
+
+export function makeChain(opts: MakeChainOptions = {}): Chain {
+  const signedDate = opts.signedDate ?? Date.now();
+  const validFrom = opts.certValidFrom ?? new Date(signedDate - ONE_DAY_MS);
+  const validTo = opts.certValidTo ?? new Date(signedDate + TEN_YEARS_MS);
+  // Resolve the [notBefore, notAfter] pair for a given cert, honoring per-cert overrides.
+  const windowFor = (cert: 'leaf' | 'intermediate' | 'root'): { nb: string; na: string } => {
+    const o = opts.certWindows?.[cert];
+    return { nb: fmtTime(o?.from ?? validFrom), na: fmtTime(o?.to ?? validTo) };
+  };
+
+  const dir = mkdtempSync(path.join(os.tmpdir(), 'make-chain-'));
+  const file = (name: string): string => path.join(dir, name);
+  const ossl = (args: string[]): void => {
+    execFileSync('openssl', args, { cwd: dir, stdio: ['ignore', 'pipe', 'pipe'] });
+  };
+  // Reuse the committed synthetic keys (deterministic) unless freshKeys is set.
+  // `tmpName` is the working filename (e.g. 'root.key'); `committed` is the
+  // fixtures/keys/<committed>.key.pem stem.
+  const provisionKey = (tmpName: string, committed: string): void => {
+    if (opts.freshKeys) {
+      ossl(['ecparam', '-name', 'prime256v1', '-genkey', '-noout', '-out', file(tmpName)]);
+    } else {
+      copyFileSync(path.join(KEYS_DIR, `${committed}.key.pem`), file(tmpName));
+    }
+  };
+
+  try {
+    const rootW = windowFor('root');
+    const intW = windowFor('intermediate');
+    const leafW = windowFor('leaf');
+
+    // root — self-signed CA
+    provisionKey('root.key', 'root');
+    ossl([
+      'req',
+      '-new',
+      '-x509',
+      '-key',
+      file('root.key'),
+      '-out',
+      file('root.pem'),
+      '-subj',
+      SUBJ.root,
+      '-not_before',
+      rootW.nb,
+      '-not_after',
+      rootW.na,
+      '-addext',
+      'basicConstraints=critical,CA:TRUE',
+      '-addext',
+      'keyUsage=critical,keyCertSign,cRLSign',
+    ]);
+
+    // intermediate — CA + Apple intermediate OID, signed by root
+    provisionKey('int.key', 'int');
+    ossl(['req', '-new', '-key', file('int.key'), '-out', file('int.csr'), '-subj', SUBJ.int]);
+    const intExt = ['[v3]', 'basicConstraints=critical,CA:TRUE', 'keyUsage=critical,keyCertSign,cRLSign'];
+    if (opts.intOid !== false) intExt.push(`${APPLE_INT_OID}=DER:0500`);
+    writeFileSync(file('int.ext'), intExt.join('\n'));
+    ossl([
+      'x509',
+      '-req',
+      '-in',
+      file('int.csr'),
+      '-CA',
+      file('root.pem'),
+      '-CAkey',
+      file('root.key'),
+      '-CAcreateserial',
+      '-out',
+      file('int.pem'),
+      '-not_before',
+      intW.nb,
+      '-not_after',
+      intW.na,
+      '-extfile',
+      file('int.ext'),
+      '-extensions',
+      'v3',
+    ]);
+
+    // leaf — Apple leaf OID, signed by intermediate
+    provisionKey('leaf.key', 'leaf');
+    ossl(['req', '-new', '-key', file('leaf.key'), '-out', file('leaf.csr'), '-subj', SUBJ.leaf]);
+    const leafExt = ['[v3]', 'basicConstraints=critical,CA:FALSE'];
+    if (opts.leafOid !== false) leafExt.push(`${APPLE_LEAF_OID}=DER:0500`);
+    writeFileSync(file('leaf.ext'), leafExt.join('\n'));
+    ossl([
+      'x509',
+      '-req',
+      '-in',
+      file('leaf.csr'),
+      '-CA',
+      file('int.pem'),
+      '-CAkey',
+      file('int.key'),
+      '-CAcreateserial',
+      '-out',
+      file('leaf.pem'),
+      '-not_before',
+      leafW.nb,
+      '-not_after',
+      leafW.na,
+      '-extfile',
+      file('leaf.ext'),
+      '-extensions',
+      'v3',
+    ]);
+
+    // wrong intermediate — SAME subject DN, DIFFERENT key. A leaf it signs passes
+    // issuer/subject equality but fails leaf.verify(realIntermediate.publicKey),
+    // isolating the chain-signature failure for the negative control.
+    provisionKey('wrongint.key', 'wrongint');
+    ossl([
+      'req',
+      '-new',
+      '-x509',
+      '-key',
+      file('wrongint.key'),
+      '-out',
+      file('wrongint.pem'),
+      '-subj',
+      SUBJ.int,
+      '-not_before',
+      intW.nb,
+      '-not_after',
+      intW.na,
+      '-addext',
+      'basicConstraints=critical,CA:TRUE',
+    ]);
+    provisionKey('crossleaf.key', 'leaf');
+    ossl(['req', '-new', '-key', file('crossleaf.key'), '-out', file('crossleaf.csr'), '-subj', SUBJ.leaf]);
+    ossl([
+      'x509',
+      '-req',
+      '-in',
+      file('crossleaf.csr'),
+      '-CA',
+      file('wrongint.pem'),
+      '-CAkey',
+      file('wrongint.key'),
+      '-CAcreateserial',
+      '-out',
+      file('crossleaf.pem'),
+      '-not_before',
+      leafW.nb,
+      '-not_after',
+      leafW.na,
+      '-extfile',
+      file('leaf.ext'),
+      '-extensions',
+      'v3',
+    ]);
+
+    const leafCert = new X509Certificate(readFileSync(file('leaf.pem')));
+    const intCert = new X509Certificate(readFileSync(file('int.pem')));
+    const rootCert = new X509Certificate(readFileSync(file('root.pem')));
+    const crossLeafCert = new X509Certificate(readFileSync(file('crossleaf.pem')));
+
+    const x5c = [
+      Buffer.from(leafCert.raw).toString('base64'),
+      Buffer.from(intCert.raw).toString('base64'),
+      Buffer.from(rootCert.raw).toString('base64'),
+    ];
+    const header = { alg: opts.alg ?? 'ES256', x5c };
+    const payload: Record<string, unknown> = {
+      transactionId: 'txn_synth_1',
+      originalTransactionId: 'orig_synth_1',
+      productId: 'sub_synthetic',
+      bundleId: 'com.example.app',
+      environment: 'Sandbox',
+      signedDate,
+      ...opts.payload,
+    };
+    const leafKeyPem = readFileSync(file('leaf.key'), 'utf8');
+    const { jws, signingInput, p1363Sig } = buildJws(header, payload, leafKeyPem);
+
+    return {
+      x5c,
+      jws,
+      signingInput,
+      p1363Sig,
+      crossSignedLeaf: Buffer.from(crossLeafCert.raw).toString('base64'),
+      keys: {
+        rootKeyPem: readFileSync(file('root.key'), 'utf8'),
+        intKeyPem: readFileSync(file('int.key'), 'utf8'),
+        leafKeyPem,
+        wrongIntKeyPem: readFileSync(file('wrongint.key'), 'utf8'),
+      },
+      certs: { leaf: leafCert, intermediate: intCert, root: rootCert },
+      payload,
+      header,
+    };
+  } finally {
+    rmSync(dir, { recursive: true, force: true });
+  }
+}

package/api/tests/integrations/app-store/fixtures/real-sandbox.json

@@ -0,0 +1,43 @@
+{
+  "_meta": {
+    "source": "Apple App Store Server API getTransactionInfo()",
+    "fetched_at": "2026-06-15T11:02:00Z",
+    "bundle_id": "io.arcblock.ai.stro",
+    "environment": "Sandbox",
+    "transaction_id": "2000001186283296",
+    "verify_url": "https://payment-demo.ofind.cn/api/integrations/app-store/verify",
+    "notes": "Apple-signed (ES256). Verifiable against Apple Root CA G3. Use as a fixture for unit tests that need a real signed transaction."
+  },
+  "decoded_header": {
+    "alg": "ES256",
+    "x5c_chain": [
+      "Prod ECC Mac App Store and iTunes Store Receipt Signing  (leaf, expires 2027-10-13)",
+      "Apple Worldwide Developer Relations Certification Authority G6  (intermediate)",
+      "Apple Root CA - G3  (root, expires 2039-04-30)"
+    ]
+  },
+  "decoded_payload": {
+    "transactionId": "2000001186283296",
+    "originalTransactionId": "2000001185803701",
+    "webOrderLineItemId": "2000000145344971",
+    "bundleId": "io.arcblock.ai.stro",
+    "productId": "io.aistro.monthly",
+    "subscriptionGroupIdentifier": "21331532",
+    "purchaseDate": 1781142078000,
+    "originalPurchaseDate": 1781080008000,
+    "expiresDate": 1781142258000,
+    "quantity": 1,
+    "type": "Auto-Renewable Subscription",
+    "appAccountToken": "040288cc-5062-5af3-ae64-1b1576bd3af7",
+    "inAppOwnershipType": "PURCHASED",
+    "signedDate": 1781521334379,
+    "environment": "Sandbox",
+    "transactionReason": "PURCHASE",
+    "storefront": "USA",
+    "storefrontId": "143441",
+    "price": 9990,
+    "currency": "USD",
+    "appTransactionId": "705611184395056381",
+    "billingPlanType": "BILLED_UPFRONT"
+  }
+}

package/api/tests/integrations/app-store/fixtures/real-sandbox.jws

@@ -0,0 +1 @@
+eyJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlFTVRDQ0E3YWdBd0lCQWdJUVI4S0h6ZG41NTRaL1VvcmFkTng5dHpBS0JnZ3Foa2pPUFFRREF6QjFNVVF3UWdZRFZRUURERHRCY0hCc1pTQlhiM0pzWkhkcFpHVWdSR1YyWld4dmNHVnlJRkpsYkdGMGFXOXVjeUJEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURUxNQWtHQTFVRUN3d0NSell4RXpBUkJnTlZCQW9NQ2tGd2NHeGxJRWx1WXk0eEN6QUpCZ05WQkFZVEFsVlRNQjRYRFRJMU1Ea3hPVEU1TkRRMU1Wb1hEVEkzTVRBeE16RTNORGN5TTFvd2daSXhRREErQmdOVkJBTU1OMUJ5YjJRZ1JVTkRJRTFoWXlCQmNIQWdVM1J2Y21VZ1lXNWtJR2xVZFc1bGN5QlRkRzl5WlNCU1pXTmxhWEIwSUZOcFoyNXBibWN4TERBcUJnTlZCQXNNSTBGd2NHeGxJRmR2Y214a2QybGtaU0JFWlhabGJHOXdaWElnVW1Wc1lYUnBiMjV6TVJNd0VRWURWUVFLREFwQmNIQnNaU0JKYm1NdU1Rc3dDUVlEVlFRR0V3SlZVekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCTm5WdmhjdjdpVCs3RXg1dEJNQmdyUXNwSHpJc1hSaTBZeGZlazdsdjh3RW1qL2JIaVd0TndKcWMyQm9IenNRaUVqUDdLRklJS2c0WTh5MC9ueW51QW1qZ2dJSU1JSUNCREFNQmdOVkhSTUJBZjhFQWpBQU1COEdBMVVkSXdRWU1CYUFGRDh2bENOUjAxREptaWc5N2JCODVjK2xrR0taTUhBR0NDc0dBUVVGQndFQkJHUXdZakF0QmdnckJnRUZCUWN3QW9ZaGFIUjBjRG92TDJObGNuUnpMbUZ3Y0d4bExtTnZiUzkzZDJSeVp6WXVaR1Z5TURFR0NDc0dBUVVGQnpBQmhpVm9kSFJ3T2k4dmIyTnpjQzVoY0hCc1pTNWpiMjB2YjJOemNEQXpMWGQzWkhKbk5qQXlNSUlCSGdZRFZSMGdCSUlCRlRDQ0FSRXdnZ0VOQmdvcWhraUc5Mk5rQlFZQk1JSCtNSUhEQmdnckJnRUZCUWNDQWpDQnRneUJzMUpsYkdsaGJtTmxJRzl1SUhSb2FYTWdZMlZ5ZEdsbWFXTmhkR1VnWW5rZ1lXNTVJSEJoY25SNUlHRnpjM1Z0WlhNZ1lXTmpaWEIwWVc1alpTQnZaaUIwYUdVZ2RHaGxiaUJoY0hCc2FXTmhZbXhsSUhOMFlXNWtZWEprSUhSbGNtMXpJR0Z1WkNCamIyNWthWFJwYjI1eklHOW1JSFZ6WlN3Z1kyVnlkR2xtYVdOaGRHVWdjRzlzYVdONUlHRnVaQ0JqWlhKMGFXWnBZMkYwYVc5dUlIQnlZV04wYVdObElITjBZWFJsYldWdWRITXVNRFlHQ0NzR0FRVUZCd0lCRmlwb2RIUndPaTh2ZDNkM0xtRndjR3hsTG1OdmJTOWpaWEowYVdacFkyRjBaV0YxZEdodmNtbDBlUzh3SFFZRFZSME9CQllFRklGaW9HNHdNTVZBMWt1OXpKbUdOUEFWbjNlcU1BNEdBMVVkRHdFQi93UUVBd0lIZ0RBUUJnb3Foa2lHOTJOa0Jnc0JCQUlGQURBS0JnZ3Foa2pPUFFRREF3TnBBREJtQWpFQStxWG5SRUM3aFhJV1ZMc0x4em5qUnBJelBmN1ZIejlWL0NUbTgrTEpsclFlcG5tY1B2R0xOY1g2WFBubGNnTEFBakVBNUlqTlpLZ2c1cFE3OWtuRjRJYlRYZEt2OHZ1dElETVhEbWpQVlQzZEd2RnRzR1J3WE95d1Iya1pDZFNyZmVvdCIsIk1JSURGakNDQXB5Z0F3SUJBZ0lVSXNHaFJ3cDBjMm52VTRZU3ljYWZQVGp6Yk5jd0NnWUlLb1pJemowRUF3TXdaekViTUJrR0ExVUVBd3dTUVhCd2JHVWdVbTl2ZENCRFFTQXRJRWN6TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd0hoY05NakV3TXpFM01qQXpOekV3V2hjTk16WXdNekU1TURBd01EQXdXakIxTVVRd1FnWURWUVFERER0QmNIQnNaU0JYYjNKc1pIZHBaR1VnUkdWMlpXeHZjR1Z5SUZKbGJHRjBhVzl1Y3lCRFpYSjBhV1pwWTJGMGFXOXVJRUYxZEdodmNtbDBlVEVMTUFrR0ExVUVDd3dDUnpZeEV6QVJCZ05WQkFvTUNrRndjR3hsSUVsdVl5NHhDekFKQmdOVkJBWVRBbFZUTUhZd0VBWUhLb1pJemowQ0FRWUZLNEVFQUNJRFlnQUVic1FLQzk0UHJsV21aWG5YZ3R4emRWSkw4VDBTR1luZ0RSR3BuZ24zTjZQVDhKTUViN0ZEaTRiQm1QaENuWjMvc3E2UEYvY0djS1hXc0w1dk90ZVJoeUo0NXgzQVNQN2NPQithYW85MGZjcHhTdi9FWkZibmlBYk5nWkdoSWhwSW80SDZNSUgzTUJJR0ExVWRFd0VCL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVV1N0Rlb1ZnemlKcWtpcG5ldnIzcnI5ckxKS3N3UmdZSUt3WUJCUVVIQVFFRU9qQTRNRFlHQ0NzR0FRVUZCekFCaGlwb2RIUndPaTh2YjJOemNDNWhjSEJzWlM1amIyMHZiMk56Y0RBekxXRndjR3hsY205dmRHTmhaek13TndZRFZSMGZCREF3TGpBc29DcWdLSVltYUhSMGNEb3ZMMk55YkM1aGNIQnNaUzVqYjIwdllYQndiR1Z5YjI5MFkyRm5NeTVqY213d0hRWURWUjBPQkJZRUZEOHZsQ05SMDFESm1pZzk3YkI4NWMrbGtHS1pNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVFCZ29xaGtpRzkyTmtCZ0lCQkFJRkFEQUtCZ2dxaGtqT1BRUURBd05vQURCbEFqQkFYaFNxNUl5S29nTUNQdHc0OTBCYUI2NzdDYUVHSlh1ZlFCL0VxWkdkNkNTamlDdE9udU1UYlhWWG14eGN4ZmtDTVFEVFNQeGFyWlh2TnJreFUzVGtVTUkzM3l6dkZWVlJUNHd4V0pDOTk0T3NkY1o0K1JHTnNZRHlSNWdtZHIwbkRHZz0iLCJNSUlDUXpDQ0FjbWdBd0lCQWdJSUxjWDhpTkxGUzVVd0NnWUlLb1pJemowRUF3TXdaekViTUJrR0ExVUVBd3dTUVhCd2JHVWdVbTl2ZENCRFFTQXRJRWN6TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd0hoY05NVFF3TkRNd01UZ3hPVEEyV2hjTk16a3dORE13TVRneE9UQTJXakJuTVJzd0dRWURWUVFEREJKQmNIQnNaU0JTYjI5MElFTkJJQzBnUnpNeEpqQWtCZ05WQkFzTUhVRndjR3hsSUVObGNuUnBabWxqWVhScGIyNGdRWFYwYUc5eWFYUjVNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVFzd0NRWURWUVFHRXdKVlV6QjJNQkFHQnlxR1NNNDlBZ0VHQlN1QkJBQWlBMklBQkpqcEx6MUFjcVR0a3lKeWdSTWMzUkNWOGNXalRuSGNGQmJaRHVXbUJTcDNaSHRmVGpqVHV4eEV0WC8xSDdZeVlsM0o2WVJiVHpCUEVWb0EvVmhZREtYMUR5eE5CMGNUZGRxWGw1ZHZNVnp0SzUxN0lEdll1VlRaWHBta09sRUtNYU5DTUVBd0hRWURWUjBPQkJZRUZMdXczcUZZTTRpYXBJcVozcjY5NjYvYXl5U3JNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01Bb0dDQ3FHU000OUJBTURBMmdBTUdVQ01RQ0Q2Y0hFRmw0YVhUUVkyZTN2OUd3T0FFWkx1Tit5UmhIRkQvM21lb3locG12T3dnUFVuUFdUeG5TNGF0K3FJeFVDTUcxbWloREsxQTNVVDgyTlF6NjBpbU9sTTI3amJkb1h0MlFmeUZNbStZaGlkRGtMRjF2TFVhZ002QmdENTZLeUtBPT0iXX0.eyJ0cmFuc2FjdGlvbklkIjoiMjAwMDAwMTE4NjI4MzI5NiIsIm9yaWdpbmFsVHJhbnNhY3Rpb25JZCI6IjIwMDAwMDExODU4MDM3MDEiLCJ3ZWJPcmRlckxpbmVJdGVtSWQiOiIyMDAwMDAwMTQ1MzQ0OTcxIiwiYnVuZGxlSWQiOiJpby5hcmNibG9jay5haS5zdHJvIiwicHJvZHVjdElkIjoiaW8uYWlzdHJvLm1vbnRobHkiLCJzdWJzY3JpcHRpb25Hcm91cElkZW50aWZpZXIiOiIyMTMzMTUzMiIsInB1cmNoYXNlRGF0ZSI6MTc4MTE0MjA3ODAwMCwib3JpZ2luYWxQdXJjaGFzZURhdGUiOjE3ODEwODAwMDgwMDAsImV4cGlyZXNEYXRlIjoxNzgxMTQyMjU4MDAwLCJxdWFudGl0eSI6MSwidHlwZSI6IkF1dG8tUmVuZXdhYmxlIFN1YnNjcmlwdGlvbiIsImFwcEFjY291bnRUb2tlbiI6IjA0MDI4OGNjLTUwNjItNWFmMy1hZTY0LTFiMTU3NmJkM2FmNyIsImluQXBwT3duZXJzaGlwVHlwZSI6IlBVUkNIQVNFRCIsInNpZ25lZERhdGUiOjE3ODE1MjEzMzQzNzksImVudmlyb25tZW50IjoiU2FuZGJveCIsInRyYW5zYWN0aW9uUmVhc29uIjoiUFVSQ0hBU0UiLCJzdG9yZWZyb250IjoiVVNBIiwic3RvcmVmcm9udElkIjoiMTQzNDQxIiwicHJpY2UiOjk5OTAsImN1cnJlbmN5IjoiVVNEIiwiYXBwVHJhbnNhY3Rpb25JZCI6IjcwNTYxMTE4NDM5NTA1NjM4MSIsImJpbGxpbmdQbGFuVHlwZSI6IkJJTExFRF9VUEZST05UIn0.uy7PLqCBuoT9vcUjr8S5qkxpzRGZVwoB9wMum67HXonX7zMrP-VjIzOcWlkt0_WFnjDaMzE0plvEiMkFSWVBoA

package/api/tests/integrations/app-store/native-api.spec.ts

@@ -0,0 +1,172 @@
+// Unit tests for the native App Store Server API client (Phase 2, Path B).
+// fetch is mocked — we never hit Apple. A real EC P-256 PKCS#8 key is generated
+// per-suite (Apple `.p8` keys are PKCS#8) to exercise the subtle pkcs8 sign path.
+
+import { generateKeyPairSync } from 'node:crypto';
+
+import { nativeGetAllSubscriptionStatuses } from '../../../src/integrations/app-store/native-api';
+import type { AppStoreApiCredentials } from '../../../src/integrations/app-store/signed-data-verifier';
+
+const { privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
+const PKCS8_PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string;
+
+const creds = (over: Partial<AppStoreApiCredentials> = {}): AppStoreApiCredentials => ({
+  issuerId: 'iss_1',
+  keyId: 'KEY_ID_1',
+  privateKeyPem: PKCS8_PEM,
+  bundleId: 'com.example.app',
+  environment: 'sandbox',
+  ...over,
+});
+
+type FetchCapture = { url: string; init: RequestInit | undefined };
+let lastFetch: FetchCapture;
+
+function mockFetch(impl: () => { ok: boolean; status: number; json?: () => Promise<unknown> }): void {
+  global.fetch = jest.fn(async (url: unknown, init?: unknown) => {
+    lastFetch = { url: String(url), init: init as RequestInit };
+    const r = impl();
+    return { ok: r.ok, status: r.status, json: r.json ?? (async () => ({})) } as unknown as Response;
+  }) as unknown as typeof fetch;
+}
+
+const okStatusResponse = () => ({
+  ok: true,
+  status: 200,
+  json: async () => ({
+    data: [
+      {
+        subscriptionGroupIdentifier: 'g1',
+        lastTransactions: [{ originalTransactionId: 'orig_X', status: 1, signedTransactionInfo: 'inner.jws.sig' }],
+      },
+    ],
+  }),
+});
+
+function authHeader(): string {
+  return (lastFetch.init!.headers as Record<string, string>).Authorization ?? '';
+}
+
+function decodeJwt(header: string): { header: any; payload: any } {
+  const jwt = header.replace(/^Bearer /, '');
+  const [h, p] = jwt.split('.');
+  return {
+    header: JSON.parse(Buffer.from(h!, 'base64url').toString('utf8')),
+    payload: JSON.parse(Buffer.from(p!, 'base64url').toString('utf8')),
+  };
+}
+
+afterEach(() => {
+  jest.restoreAllMocks();
+});
+
+describe('nativeGetAllSubscriptionStatuses — happy path', () => {
+  it('hits the sandbox host with a Bearer token and parses StatusResponse', async () => {
+    mockFetch(okStatusResponse);
+    const res = await nativeGetAllSubscriptionStatuses('orig_X', creds());
+    expect(new URL(lastFetch.url).host).toBe('api.storekit-sandbox.apple.com');
+    expect(new URL(lastFetch.url).pathname).toBe('/inApps/v1/subscriptions/orig_X');
+    const auth = authHeader();
+    expect(auth).toMatch(/^Bearer /);
+    expect(res.data?.[0]?.lastTransactions?.[0]?.originalTransactionId).toBe('orig_X');
+  });
+
+  it('hits the PRODUCTION host (no itunes) when environment=production', async () => {
+    mockFetch(okStatusResponse);
+    await nativeGetAllSubscriptionStatuses('orig_X', creds({ environment: 'production' }));
+    expect(new URL(lastFetch.url).host).toBe('api.storekit.apple.com');
+  });
+});
+
+describe('nativeGetAllSubscriptionStatuses — bad input', () => {
+  it('throws when issuer/key/pem are missing', async () => {
+    mockFetch(okStatusResponse);
+    await expect(nativeGetAllSubscriptionStatuses('orig_X', creds({ issuerId: '' }))).rejects.toThrow(
+      /issuer_id\/key_id\/private_key_pem/
+    );
+  });
+
+  it('throws on a malformed .p8 PEM (not a silent unsigned request)', async () => {
+    mockFetch(okStatusResponse);
+    await expect(
+      nativeGetAllSubscriptionStatuses(
+        'orig_X',
+        creds({ privateKeyPem: '-----BEGIN PRIVATE KEY-----\nGARBAGE\n-----END PRIVATE KEY-----' })
+      )
+    ).rejects.toThrow(/not a valid EC P-256 PKCS#8 key/);
+    expect(global.fetch).not.toHaveBeenCalled();
+  });
+});
+
+describe('nativeGetAllSubscriptionStatuses — security', () => {
+  it('signs an ES256 JWT with aud=appstoreconnect-v1 and exp−iat=300s', async () => {
+    mockFetch(okStatusResponse);
+    await nativeGetAllSubscriptionStatuses('orig_X', creds());
+    const { header, payload } = decodeJwt(authHeader());
+    expect(header.alg).toBe('ES256');
+    expect(header.kid).toBe('KEY_ID_1');
+    expect(payload.aud).toBe('appstoreconnect-v1');
+    expect(payload.iss).toBe('iss_1');
+    expect(payload.bid).toBe('com.example.app');
+    expect(payload.exp - payload.iat).toBe(300);
+  });
+
+  it('never leaks the private key into the URL or request body', async () => {
+    mockFetch(okStatusResponse);
+    await nativeGetAllSubscriptionStatuses('orig_X', creds());
+    expect(lastFetch.url).not.toContain('PRIVATE KEY');
+    expect(JSON.stringify(lastFetch.init)).not.toContain('PRIVATE KEY');
+    expect(lastFetch.init!.method).toBe('GET'); // no body at all
+  });
+
+  it.each(['../../v1/other', '..%2f..%2f', 'x@evil.host', 'x/../../', 'A'.repeat(4096)])(
+    'confines a crafted originalTransactionId %p to one path segment (SSRF guard)',
+    async (badId) => {
+      mockFetch(okStatusResponse);
+      await nativeGetAllSubscriptionStatuses(badId, creds());
+      const u = new URL(lastFetch.url);
+      expect(u.host).toBe('api.storekit-sandbox.apple.com');
+      // exactly the fixed prefix + ONE encoded segment, no extra slashes from the id
+      expect(u.pathname).toBe(`/inApps/v1/subscriptions/${encodeURIComponent(badId)}`);
+    }
+  );
+});
+
+describe('nativeGetAllSubscriptionStatuses — data loss', () => {
+  it('returns an empty response on 404 instead of throwing (does not drop a pending reconcile)', async () => {
+    mockFetch(() => ({ ok: false, status: 404 }));
+    const res = await nativeGetAllSubscriptionStatuses('orig_unknown', creds());
+    expect(res).toEqual({ data: [] });
+  });
+});
+
+describe('nativeGetAllSubscriptionStatuses — data damage', () => {
+  it('passes signedTransactionInfo through unmodified and keeps numeric field types', async () => {
+    mockFetch(() => ({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        data: [{ lastTransactions: [{ originalTransactionId: 'o', status: 2, signedTransactionInfo: 'A.B.C' }] }],
+      }),
+    }));
+    const res = await nativeGetAllSubscriptionStatuses('o', creds());
+    const tx = res.data?.[0]?.lastTransactions?.[0];
+    expect(tx?.signedTransactionInfo).toBe('A.B.C');
+    expect(typeof (tx as { status?: number }).status).toBe('number');
+  });
+});
+
+describe('nativeGetAllSubscriptionStatuses — data leak', () => {
+  it('on 401/403 surfaces only the status, never the bearer JWT or .p8', async () => {
+    mockFetch(() => ({ ok: false, status: 401 }));
+    let caught: Error | undefined;
+    try {
+      await nativeGetAllSubscriptionStatuses('orig_X', creds());
+    } catch (e) {
+      caught = e as Error;
+    }
+    expect(caught?.message).toMatch(/HTTP 401/);
+    expect(caught?.message).not.toContain('Bearer');
+    expect(caught?.message).not.toContain('PRIVATE KEY');
+  });
+});

package/api/tests/integrations/app-store/native-integration.spec.ts

@@ -0,0 +1,78 @@
+// Integration (Phase 2): with APP_STORE_NATIVE_VERIFY=true and a mocked fetch,
+// AppStoreClient.getSubscriptionStatus drives the WHOLE native path —
+// native API client (Path B, ES256 JWT bearer + fetch) → the returned
+// signedTransactionInfo re-verified by the native JWS verifier (Path A) — using
+// the REAL Apple sandbox JWS as the inner transaction. No apple lib involved.
+
+/* eslint-disable import/first */
+process.env.APP_STORE_NATIVE_VERIFY = 'true';
+delete process.env.APP_STORE_SKIP_SIGNATURE_VERIFY;
+
+import { generateKeyPairSync } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { AppStoreClient } from '../../../src/integrations/app-store/client';
+
+const REAL_JWS = readFileSync(path.join(__dirname, 'fixtures', 'real-sandbox.jws'), 'utf8').trim();
+const REAL = JSON.parse(readFileSync(path.join(__dirname, 'fixtures', 'real-sandbox.json'), 'utf8')).decoded_payload;
+const { privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
+const PKCS8_PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string;
+
+afterEach(() => jest.restoreAllMocks());
+afterAll(() => {
+  delete process.env.APP_STORE_NATIVE_VERIFY;
+});
+
+describe('AppStoreClient.getSubscriptionStatus — native end-to-end', () => {
+  it('signs a bearer, fetches statuses, and re-verifies the real signedTransactionInfo natively', async () => {
+    let fetchedUrl = '';
+    global.fetch = jest.fn(async (url: unknown) => {
+      fetchedUrl = String(url);
+      return {
+        ok: true,
+        status: 200,
+        json: async () => ({
+          data: [
+            {
+              lastTransactions: [
+                { originalTransactionId: REAL.originalTransactionId, signedTransactionInfo: REAL_JWS },
+              ],
+            },
+          ],
+        }),
+      } as unknown as Response;
+    }) as unknown as typeof fetch;
+
+    const client = AppStoreClient.fromSettings({
+      bundle_id: REAL.bundleId, // io.arcblock.ai.stro — must match the JWS or verify rejects
+      environment: 'sandbox',
+      issuer_id: 'iss_1',
+      key_id: 'KEY_ID_1',
+      private_key_pem: PKCS8_PEM,
+    });
+
+    const tx = await client.getSubscriptionStatus(REAL.originalTransactionId);
+
+    // Path B reached the sandbox API host (no itunes); Path A decoded the real txn.
+    expect(new URL(fetchedUrl).host).toBe('api.storekit-sandbox.apple.com');
+    expect(tx).not.toBeNull();
+    expect(tx!.transactionId).toBe(REAL.transactionId);
+    expect(tx!.bundleId).toBe('io.arcblock.ai.stro');
+    expect(tx!.productId).toBe(REAL.productId);
+  });
+
+  it('returns null when no transaction matches (404 path-through)', async () => {
+    global.fetch = jest.fn(
+      async () => ({ ok: false, status: 404, json: async () => ({}) }) as unknown as Response
+    ) as unknown as typeof fetch;
+    const client = AppStoreClient.fromSettings({
+      bundle_id: 'io.arcblock.ai.stro',
+      environment: 'sandbox',
+      issuer_id: 'iss_1',
+      key_id: 'KEY_ID_1',
+      private_key_pem: PKCS8_PEM,
+    });
+    expect(await client.getSubscriptionStatus('orig_unknown')).toBeNull();
+  });
+});