payment-kit 1.29.5 → 1.29.7

package/api/tests/integrations/app-store/native-jws.spec.ts

@@ -0,0 +1,219 @@
+// Unit tests for the native Apple JWS verifier (Phase 1, Path A).
+//
+// Synthetic chains (make-chain.ts) exercise the algorithm with an injected test
+// root; the committed REAL Apple sandbox JWS (real-sandbox.jws) proves the real
+// OID + 3-cert chain end-to-end (design §11). No env flag needed — verifyAppleJws
+// is pure (the flag only selects native vs legacy in signed-data-verifier).
+
+import { readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { buildJws, makeChain } from './fixtures/make-chain';
+import { AppleJwsVerifyError, verifyAppleJws } from '../../../src/integrations/app-store/native-jws';
+import type { JwsTransactionPayload } from '../../../src/integrations/app-store/native-jws';
+
+const FIXED_SIGNED_DATE = 1_700_000_000_000;
+
+/** A valid chain + the trustedRoots list that anchors it (the chain's own root). */
+function freshChainCtx(opts: Parameters<typeof makeChain>[0] = {}) {
+  const chain = makeChain({ signedDate: FIXED_SIGNED_DATE, ...opts });
+  const trustedRoots = [Buffer.from(chain.x5c[2]!, 'base64')];
+  return { chain, trustedRoots };
+}
+
+async function expectCode(promise: Promise<unknown>, code: string): Promise<void> {
+  await expect(promise).rejects.toMatchObject({ code });
+}
+
+describe('verifyAppleJws — happy path', () => {
+  it('decodes a synthetic chain when its root is trusted; fields match the signed payload', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      payload: { productId: 'sub_happy', expiresDate: 1_900_000_000_000, appAccountToken: 'uuid-happy' },
+    });
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots });
+    expect(decoded.transactionId).toBe('txn_synth_1');
+    expect(decoded.productId).toBe('sub_happy');
+    expect(decoded.expiresDate).toBe(1_900_000_000_000);
+    expect(decoded.appAccountToken).toBe('uuid-happy');
+    expect(decoded.signedDate).toBe(FIXED_SIGNED_DATE);
+  });
+
+  it('verifies the REAL Apple sandbox JWS against the vendored Apple roots end-to-end', async () => {
+    const jws = readFileSync(path.join(__dirname, 'fixtures', 'real-sandbox.jws'), 'utf8').trim();
+    const meta = JSON.parse(readFileSync(path.join(__dirname, 'fixtures', 'real-sandbox.json'), 'utf8'));
+    // default trustedRoots = APPLE_ROOT_CERTS (the real chain anchors to Apple Root CA G3)
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(jws);
+    expect(decoded.transactionId).toBe(meta.decoded_payload.transactionId);
+    expect(decoded.bundleId).toBe('io.arcblock.ai.stro');
+    expect(decoded.productId).toBe(meta.decoded_payload.productId);
+    expect(decoded.signedDate).toBe(meta.decoded_payload.signedDate);
+  });
+});
+
+describe('verifyAppleJws — bad input', () => {
+  it('rejects non-3-segment JWS', async () => {
+    await expectCode(verifyAppleJws('a.b'), 'FORMAT');
+  });
+
+  it('rejects x5c.length !== 3 with INVALID_CHAIN_LENGTH', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const { jws } = buildJws({ alg: 'ES256', x5c: chain.x5c.slice(0, 2) }, chain.payload, chain.keys.leafKeyPem);
+    await expectCode(verifyAppleJws(jws, { trustedRoots }), 'INVALID_CHAIN_LENGTH');
+  });
+
+  it('rejects a header that is not base64url JSON', async () => {
+    await expectCode(verifyAppleJws('!!!notjson.payload.sig'), 'HEADER');
+  });
+
+  it('rejects a payload that is not valid JSON (after a valid chain)', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const headerSeg = chain.jws.split('.')[0]!;
+    const badPayload = Buffer.from('not json at all').toString('base64url');
+    const jws = `${headerSeg}.${badPayload}.${chain.jws.split('.')[2]}`;
+    await expectCode(verifyAppleJws(jws, { trustedRoots }), 'PAYLOAD');
+  });
+});
+
+describe('verifyAppleJws — security', () => {
+  it('rejects a tampered payload (signature no longer matches)', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const [h, , s] = chain.jws.split('.');
+    const tampered = Buffer.from(JSON.stringify({ ...chain.payload, productId: 'EVIL' })).toString('base64url');
+    await expectCode(verifyAppleJws(`${h}.${tampered}.${s}`, { trustedRoots }), 'SIGNATURE');
+  });
+
+  it('rejects a tampered signature', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const [h, p] = chain.jws.split('.');
+    const sigBytes = Buffer.from(chain.jws.split('.')[2]!, 'base64url');
+    sigBytes[0] = sigBytes[0]! ^ 0xff;
+    await expectCode(verifyAppleJws(`${h}.${p}.${sigBytes.toString('base64url')}`, { trustedRoots }), 'SIGNATURE');
+  });
+
+  it('rejects alg: "none" and alg: "RS256" (alg whitelist)', async () => {
+    const none = freshChainCtx({ alg: 'none' });
+    await expectCode(verifyAppleJws(none.chain.jws, { trustedRoots: none.trustedRoots }), 'ALG');
+    const rs = freshChainCtx({ alg: 'RS256' });
+    await expectCode(verifyAppleJws(rs.chain.jws, { trustedRoots: rs.trustedRoots }), 'ALG');
+  });
+
+  it('rejects when the presented root is NOT a trusted anchor', async () => {
+    const { chain } = freshChainCtx();
+    // default APPLE_ROOT_CERTS does NOT contain the synthetic root
+    await expectCode(verifyAppleJws(chain.jws), 'ANCHOR');
+  });
+
+  it('rejects a cross-signed leaf (chain break) before signature', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const header = { alg: 'ES256', x5c: [chain.crossSignedLeaf, chain.x5c[1], chain.x5c[2]] };
+    const { jws } = buildJws(header, chain.payload, chain.keys.leafKeyPem);
+    await expectCode(verifyAppleJws(jws, { trustedRoots }), 'CHAIN');
+  });
+
+  it('rejects when the leaf is missing the Apple OID', async () => {
+    const { chain, trustedRoots } = freshChainCtx({ leafOid: false });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'OID');
+  });
+
+  it('rejects when the intermediate is missing the Apple OID', async () => {
+    const { chain, trustedRoots } = freshChainCtx({ intOid: false });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'OID');
+  });
+
+  it('does not pollute Object.prototype from a hostile __proto__ payload', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const headerSeg = chain.jws.split('.')[0]!;
+    // own __proto__ key via JSON.parse, then sign it so the chain is valid
+    const hostile = JSON.parse(
+      '{"__proto__":{"polluted":true},"transactionId":"t","productId":"p","signedDate":1700000000000}'
+    );
+    const { jws } = buildJws(
+      JSON.parse(Buffer.from(headerSeg, 'base64url').toString('utf8')),
+      hostile,
+      chain.keys.leafKeyPem
+    );
+    const decoded = await verifyAppleJws<Record<string, unknown>>(jws, { trustedRoots });
+    expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+    expect(Object.prototype.hasOwnProperty.call(decoded, '__proto__')).toBe(false);
+  });
+});
+
+describe('verifyAppleJws — validity & clock skew (±60s, all 3 certs)', () => {
+  // boundary: reject if validTo < effectiveDate − 60s; pass at exactly −60s.
+  it('passes at the expiry boundary (effectiveDate = validTo + 60s) and rejects 1ms past it', async () => {
+    const validTo = new Date(FIXED_SIGNED_DATE);
+    const ctxPass = freshChainCtx({ certValidTo: validTo, signedDate: FIXED_SIGNED_DATE + 60_000 });
+    await expect(verifyAppleJws(ctxPass.chain.jws, { trustedRoots: ctxPass.trustedRoots })).resolves.toBeDefined();
+    const ctxFail = freshChainCtx({ certValidTo: validTo, signedDate: FIXED_SIGNED_DATE + 60_000 + 1 });
+    await expectCode(verifyAppleJws(ctxFail.chain.jws, { trustedRoots: ctxFail.trustedRoots }), 'CERT_EXPIRED');
+  });
+
+  it('passes at the not-yet-valid boundary (effectiveDate = validFrom − 60s) and rejects 1ms before it', async () => {
+    const validFrom = new Date(FIXED_SIGNED_DATE);
+    const ctxPass = freshChainCtx({ certValidFrom: validFrom, signedDate: FIXED_SIGNED_DATE - 60_000 });
+    await expect(verifyAppleJws(ctxPass.chain.jws, { trustedRoots: ctxPass.trustedRoots })).resolves.toBeDefined();
+    const ctxFail = freshChainCtx({ certValidFrom: validFrom, signedDate: FIXED_SIGNED_DATE - 60_000 - 1 });
+    await expectCode(verifyAppleJws(ctxFail.chain.jws, { trustedRoots: ctxFail.trustedRoots }), 'CERT_NOT_YET_VALID');
+  });
+
+  it('rejects when ONLY the intermediate is expired (proves int is checked, not just leaf)', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      certWindows: { intermediate: { to: new Date(FIXED_SIGNED_DATE - 3_600_000) } },
+    });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'CERT_EXPIRED');
+  });
+
+  it('rejects when ONLY the root is expired (proves root is checked)', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      certWindows: { root: { to: new Date(FIXED_SIGNED_DATE - 3_600_000) } },
+    });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'CERT_EXPIRED');
+  });
+});
+
+describe('verifyAppleJws — data loss (concurrency / statelessness)', () => {
+  it('resolves all concurrent verifications correctly (no shared mutable state)', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const results = await Promise.all(
+      Array.from({ length: 12 }, () => verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots }))
+    );
+    for (const r of results) expect(r.transactionId).toBe('txn_synth_1');
+  });
+});
+
+describe('verifyAppleJws — data damage (type/encoding fidelity)', () => {
+  it('keeps numbers as numbers and round-trips unicode byte-faithfully', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      payload: { productId: '产品_🎉', expiresDate: 1_888_888_888_888, appAccountToken: 'uuid-😀' },
+    });
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots });
+    expect(decoded.productId).toBe('产品_🎉');
+    expect(decoded.appAccountToken).toBe('uuid-😀');
+    expect(typeof decoded.expiresDate).toBe('number');
+    expect(decoded.expiresDate).toBe(1_888_888_888_888);
+  });
+
+  it('leaves a missing expiresDate as undefined (never coerced to 0/null)', async () => {
+    const { chain, trustedRoots } = freshChainCtx(); // default payload has no expiresDate
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots });
+    expect('expiresDate' in decoded).toBe(false);
+    expect(decoded.expiresDate).toBeUndefined();
+  });
+});
+
+describe('verifyAppleJws — data leak (errors name the failure, not secrets)', () => {
+  it('throws AppleJwsVerifyError with a code and never echoes the raw cert/JWS material', async () => {
+    const { chain } = freshChainCtx();
+    try {
+      await verifyAppleJws(chain.jws); // ANCHOR (synthetic root not trusted)
+      throw new Error('should have rejected');
+    } catch (err) {
+      expect(err).toBeInstanceOf(AppleJwsVerifyError);
+      const message = (err as Error).message;
+      expect((err as AppleJwsVerifyError).code).toBe('ANCHOR');
+      // the long base64 cert/jws material must not leak into the message
+      expect(message).not.toContain(chain.x5c[0]!.slice(0, 40));
+      expect(message).not.toContain(chain.jws.split('.')[2]!.slice(0, 20));
+    }
+  });
+});

package/api/tests/integrations/app-store/native-receipt.spec.ts

@@ -0,0 +1,161 @@
+// Unit tests for native StoreKit 1 receipt verification (Phase 3, Path C).
+// fetch is mocked — we never hit Apple. Asserts parity with the evicted
+// node-apple-receipt-verify: hosts, body, sandbox fallback, output shape.
+
+import { verifyAppleReceiptNative } from '../../../src/integrations/app-store/native-receipt';
+
+type Call = { url: string; body: any };
+let calls: Call[] = [];
+
+/** Mock fetch with one response per call (for the production→sandbox retry). */
+function mockFetchSequence(responses: Array<{ ok?: boolean; status: number; json: object }>): void {
+  let i = 0;
+  calls = [];
+  global.fetch = jest.fn(async (url: unknown, init?: unknown) => {
+    const reqInit = init as RequestInit;
+    calls.push({ url: String(url), body: JSON.parse(String(reqInit.body)) });
+    const r = responses[Math.min(i, responses.length - 1)]!;
+    i += 1;
+    return { ok: r.ok ?? true, status: 200, json: async () => r.json } as unknown as Response;
+  }) as unknown as typeof fetch;
+}
+
+const item = (over: Record<string, unknown> = {}) => ({
+  product_id: 'sub_06',
+  transaction_id: 'txn_1',
+  original_transaction_id: 'orig_1',
+  purchase_date_ms: '1700000000000',
+  expires_date_ms: '1800000000000',
+  web_order_line_item_id: 'wo_1',
+  ...over,
+});
+
+const appleOk = (items: object[], bundleId = 'com.example.app') => ({
+  status: 0,
+  receipt: { bundle_id: bundleId, in_app: items },
+  latest_receipt_info: items,
+});
+
+afterEach(() => jest.restoreAllMocks());
+
+describe('verifyAppleReceiptNative — happy path', () => {
+  it('maps Apple latest_receipt_info to the normalized shape (snake→camel, ms→Number)', async () => {
+    mockFetchSequence([{ status: 200, json: appleOk([item()]) }]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result).toEqual([
+      {
+        productId: 'sub_06',
+        transactionId: 'txn_1',
+        originalTransactionId: 'orig_1',
+        purchaseDate: 1700000000000,
+        expirationDate: 1800000000000,
+        bundleId: 'com.example.app',
+        webOrderLineItemId: 'wo_1',
+      },
+    ]);
+    expect(typeof result[0]!.expirationDate).toBe('number');
+  });
+
+  it('falls back to receipt.in_app when latest_receipt_info is absent', async () => {
+    mockFetchSequence([
+      { status: 200, json: { status: 0, receipt: { bundle_id: 'com.example.app', in_app: [item()] } } },
+    ]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result[0]!.transactionId).toBe('txn_1');
+  });
+});
+
+describe('verifyAppleReceiptNative — bad input', () => {
+  it('returns [] when both latest_receipt_info and in_app are empty', async () => {
+    mockFetchSequence([{ status: 200, json: { status: 0, receipt: { bundle_id: 'x', in_app: [] } } }]);
+    expect(await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' })).toEqual([]);
+  });
+
+  it('handles a non-numeric expires_date_ms as undefined (no NaN leak)', async () => {
+    mockFetchSequence([{ status: 200, json: appleOk([item({ expires_date_ms: 'not-a-number' })]) }]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result[0]!.expirationDate).toBeUndefined();
+  });
+});
+
+describe('verifyAppleReceiptNative — security', () => {
+  it('POSTs password + exclude-old-transactions to the production Apple host only', async () => {
+    mockFetchSequence([{ status: 200, json: appleOk([item()]) }]);
+    await verifyAppleReceiptNative({ receipt: 'RECEIPT_B64', sharedSecret: 'sk_secret' });
+    expect(calls).toHaveLength(1);
+    expect(calls[0]!.url).toBe('https://buy.itunes.apple.com/verifyReceipt');
+    expect(calls[0]!.body).toEqual({
+      'receipt-data': 'RECEIPT_B64',
+      password: 'sk_secret',
+      'exclude-old-transactions': true,
+    });
+  });
+
+  it('only ever talks to the two Apple verifyReceipt hosts (no host injection)', async () => {
+    mockFetchSequence([
+      { status: 200, json: { status: 21007 } },
+      { status: 200, json: appleOk([item()]) },
+    ]);
+    await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    const hosts = calls.map((c) => new URL(c.url).host);
+    expect(hosts).toEqual(['buy.itunes.apple.com', 'sandbox.itunes.apple.com']);
+  });
+});
+
+describe('verifyAppleReceiptNative — data loss (sandbox fallback + concurrency)', () => {
+  it.each([21007, 21002])('retries sandbox on status %i and returns the sandbox result', async (prodStatus) => {
+    mockFetchSequence([
+      { status: 200, json: { status: prodStatus } },
+      { status: 200, json: appleOk([item({ transaction_id: 'sandbox_txn' })]) },
+    ]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(calls).toHaveLength(2);
+    expect(calls[1]!.url).toBe('https://sandbox.itunes.apple.com/verifyReceipt');
+    expect(result[0]!.transactionId).toBe('sandbox_txn');
+  });
+
+  it('two concurrent calls with different secrets each POST their OWN secret (no shared state)', async () => {
+    const seen: string[] = [];
+    global.fetch = jest.fn(async (_url: unknown, init?: unknown) => {
+      const body = JSON.parse(String((init as RequestInit).body));
+      seen.push(body.password);
+      return { ok: true, status: 200, json: async () => appleOk([item()]) } as unknown as Response;
+    }) as unknown as typeof fetch;
+    await Promise.all([
+      verifyAppleReceiptNative({ receipt: 'r1', sharedSecret: 'secret_A' }),
+      verifyAppleReceiptNative({ receipt: 'r2', sharedSecret: 'secret_B' }),
+    ]);
+    expect(seen.sort()).toEqual(['secret_A', 'secret_B']);
+  });
+});
+
+describe('verifyAppleReceiptNative — data damage', () => {
+  it('returns all multi-item entries (client.ts picks the latest-expiry one)', async () => {
+    mockFetchSequence([
+      {
+        status: 200,
+        json: appleOk([
+          item({ transaction_id: 'old', expires_date_ms: '1500000000000' }),
+          item({ transaction_id: 'new', expires_date_ms: '1800000000000' }),
+        ]),
+      },
+    ]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result.map((r) => r.transactionId)).toEqual(['old', 'new']);
+    expect(result.every((r) => typeof r.expirationDate === 'number')).toBe(true);
+  });
+});
+
+describe('verifyAppleReceiptNative — data leak', () => {
+  it('throws on a non-retryable non-zero status with the code but NOT the shared secret', async () => {
+    mockFetchSequence([{ status: 200, json: { status: 21004 } }]);
+    let caught: Error | undefined;
+    try {
+      await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'super_secret_value' });
+    } catch (e) {
+      caught = e as Error;
+    }
+    expect(caught?.message).toMatch(/21004/);
+    expect(caught?.message).not.toContain('super_secret_value');
+  });
+});

package/blocklet.yml

@@ -14,7 +14,7 @@ repository:
   type: git
   url: git+https://github.com/blocklet/payment-kit.git
 specVersion: 1.2.8
-version: 1.29.5
+version: 1.29.7
 logo: logo.png
 files:
   - dist

package/cloudflare/cf-adapter.ts

@@ -39,6 +39,7 @@ import crons from '../api/src/crons/index';
 import { createEmbeddedPaymentService } from '../api/src/service';
 import type { EmbeddedPaymentService } from '../api/src/service';
 import { context as requestContext } from '../api/src/libs/context';
+import { warmTenantIdentity } from '../api/src/libs/did-connect/tenant-identity';
 import {
   createD1DbDriver,
   createD1LocksDriver,
@@ -231,7 +232,19 @@ export function buildFetch(deps: FetchDeps) {
     // the core's connect/context middleware then resolves via the identity driver,
     // which returns null → TENANT_HOST_UNRESOLVED 4xx (multi-mode fail-closed). The
     // bare health route still answers without a tenant.
-    const run = () => deps.svc.http.fetch(forwarded, { basePath: deps.basePath });
+    //
+    // Warm the tenant identity (app:ek + business wallets) INSIDE the withTenant
+    // scope before any route handler runs. The CF resource pipeline is the LITE
+    // app-shell (no contextMiddleware), so unlike the node host nothing else warms
+    // it — and wallet field access (e.g. `wallet.publicKey` in GET /api/vendors) is
+    // a SYNCHRONOUS getCachedTenantIdentity() that fails-closed on a cold cache.
+    // Best-effort (warmTenantIdentity swallows errors); cached 5 min per tenant so
+    // only the first request per window pays the RPC. Queue jobs / bootstrapTenant
+    // already warm on their own paths.
+    const run = async () => {
+      if (instanceDid) await warmTenantIdentity(instanceDid);
+      return deps.svc.http.fetch(forwarded, { basePath: deps.basePath });
+    };
     const res = instanceDid ? await requestContext.withTenant(instanceDid, run) : await run();
 
     await deps.flush(); // drain workerd deferred queue work before responding