payment-kit 1.29.6 → 1.29.7

package/api/src/integrations/app-store/client.ts

@@ -17,7 +17,6 @@
 //
 // Tests replace this class via jest mocks.
 
-import { config as configApple, validate as validateAppleReceipt } from 'node-apple-receipt-verify';
 import { appStoreWriteEnabled } from '../../libs/env';
 
 import logger from '../../libs/logger';
@@ -27,6 +26,7 @@ import {
   verifySignedNotification,
   verifySignedTransaction,
 } from './signed-data-verifier';
+import { verifyAppleReceiptNative } from './native-receipt';
 
 /** App Store Server Notification V2 `notificationType` — Apple-defined string enum. */
 export type AppStoreNotificationType =
@@ -239,9 +239,9 @@ export class AppStoreClient {
   /**
    * Verify a StoreKit 1 (legacy) base64 receipt via Apple's verifyReceipt endpoint.
    *
-   * Calls `node-apple-receipt-verify` which POSTs to
+   * Calls the native `verifyAppleReceiptNative` which POSTs to
    *   https://buy.itunes.apple.com/verifyReceipt   (production)
-   *   https://sandbox.itunes.apple.com/verifyReceipt (sandbox, auto fallback)
+   *   https://sandbox.itunes.apple.com/verifyReceipt (sandbox, auto fallback on 21007/21002)
    *
    * Returns a payload shaped like a StoreKit 2 transaction so downstream code
    * (ingestVerifiedAppStorePurchase) can stay agnostic. Note: legacy receipts
@@ -259,16 +259,10 @@ export class AppStoreClient {
       throw new Error('AppStoreClient: shared_secret is required for legacy receipt verification');
     }
 
-    // `node-apple-receipt-verify` uses a module-level config. We re-configure on
-    // every call so that multiple PaymentMethods (different secrets) don't
-    // shadow each other.
-    configApple({
-      secret: this.sharedSecret,
-      verbose: false,
-      environment: ['production', 'sandbox'],
-    });
-
-    const items = (await validateAppleReceipt({ receipt })) as Array<any>;
+    // Stateless native verifyReceipt — each call carries its own shared secret,
+    // so concurrent PaymentMethods can't shadow each other (the old module-level
+    // `configApple` had that race).
+    const items = await verifyAppleReceiptNative({ receipt, sharedSecret: this.sharedSecret });
     const filtered = options.expectedProductIds
       ? items.filter((i) => options.expectedProductIds!.includes(i.productId))
       : items;

package/api/src/integrations/app-store/native-api.ts

@@ -0,0 +1,102 @@
+// Native App Store Server API client (Path B) — replaces the apple lib's
+// AppStoreServerAPIClient for the one call we use (getAllSubscriptionStatuses),
+// so dist/index.js stops importing the apple lib for the API path too (design §3B).
+//
+// It signs an ES256 JWT bearer with `crypto.subtle` (pkcs8 import — proven under
+// workerd in the probe's pkcs8_sign_round, design §2/§4) and `fetch`es Apple's
+// endpoint. NO new dependency. The returned signedTransactionInfo is verified by
+// the caller via the native verifier (Phase 1), not here.
+
+import type { AppStoreApiCredentials, StatusResponse } from './signed-data-verifier';
+
+// App Store Server API hosts — NOTE: NO `itunes` (unlike the legacy verifyReceipt
+// host in native-receipt.ts). Do not conflate the two.
+const API_HOST_PRODUCTION = 'https://api.storekit.apple.com';
+const API_HOST_SANDBOX = 'https://api.storekit-sandbox.apple.com';
+const JWT_TTL_SECONDS = 300; // 5 min — matches the evicted apple lib (expiresIn:'5m'); Apple's ceiling is 60 min.
+
+/** Strip a PEM armor + whitespace to the raw DER bytes (for an `.p8` PKCS#8 key). */
+function pemToDer(pem: string): Buffer {
+  const body = pem
+    .replace(/-----BEGIN [^-]+-----/g, '')
+    .replace(/-----END [^-]+-----/g, '')
+    .replace(/\s+/g, '');
+  if (!body) {
+    throw new Error('AppStore API: private_key_pem is empty or not PEM-armored');
+  }
+  return Buffer.from(body, 'base64');
+}
+
+/** Sign an ES256 JWT bearer for the App Store Server API. */
+async function signBearerJwt(creds: AppStoreApiCredentials): Promise<string> {
+  const header = { alg: 'ES256', kid: creds.keyId, typ: 'JWT' };
+  // Date.now() is fine here (request scope, not global scope) — this is a live
+  // API token timestamp, unrelated to the offline cert-validity effectiveDate.
+  const iat = Math.floor(Date.now() / 1000);
+  const payload = {
+    iss: creds.issuerId,
+    iat,
+    exp: iat + JWT_TTL_SECONDS,
+    aud: 'appstoreconnect-v1',
+    bid: creds.bundleId,
+  };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const signingInput = `${headerB64}.${payloadB64}`;
+
+  let key: CryptoKey;
+  try {
+    key = await crypto.subtle.importKey(
+      'pkcs8',
+      pemToDer(creds.privateKeyPem) as unknown as ArrayBuffer,
+      { name: 'ECDSA', namedCurve: 'P-256' },
+      false,
+      ['sign']
+    );
+  } catch {
+    // Surface as a clear import failure — never a silent unsigned request.
+    throw new Error('AppStore API: private_key_pem is not a valid EC P-256 PKCS#8 key');
+  }
+  const signature = await crypto.subtle.sign(
+    { name: 'ECDSA', hash: 'SHA-256' },
+    key,
+    Buffer.from(signingInput, 'ascii')
+  );
+  return `${signingInput}.${Buffer.from(signature).toString('base64url')}`;
+}
+
+/**
+ * Fetch all subscription statuses for an originalTransactionId via the App Store
+ * Server API. Returns Apple's StatusResponse (whose signedTransactionInfo JWS the
+ * caller re-verifies). A 404 / not-found yields an empty response (parity with
+ * the apple lib path → caller returns null + warns, never drops a pending reconcile).
+ */
+export async function nativeGetAllSubscriptionStatuses(
+  originalTransactionId: string,
+  creds: AppStoreApiCredentials
+): Promise<StatusResponse> {
+  if (!creds.issuerId || !creds.keyId || !creds.privateKeyPem) {
+    throw new Error('AppStore API: issuer_id/key_id/private_key_pem are required');
+  }
+
+  const host = creds.environment === 'production' ? API_HOST_PRODUCTION : API_HOST_SANDBOX;
+  // encodeURIComponent keeps a crafted id confined to ONE path segment — it can
+  // never redirect the host or climb the path (SSRF guard).
+  const url = `${host}/inApps/v1/subscriptions/${encodeURIComponent(originalTransactionId)}`;
+  const jwt = await signBearerJwt(creds);
+
+  const response = await fetch(url, {
+    method: 'GET',
+    headers: { Authorization: `Bearer ${jwt}`, Accept: 'application/json' },
+  });
+
+  // 404 = no subscription for this id — treat as empty, do not throw (parity).
+  if (response.status === 404) {
+    return { data: [] };
+  }
+  if (!response.ok) {
+    // Surface the status only — never the bearer JWT or the .p8 key.
+    throw new Error(`AppStore API: getAllSubscriptionStatuses failed with HTTP ${response.status}`);
+  }
+  return (await response.json()) as StatusResponse;
+}

package/api/src/integrations/app-store/native-asn1.ts

@@ -0,0 +1,49 @@
+// Minimal, dependency-free ASN.1 helper for Apple extension-OID presence checks.
+//
+// Apple's IAP signing chain marks the intermediate and leaf certs with custom
+// extension OIDs (intermediate `1.2.840.113635.100.6.2.1`, leaf
+// `1.2.840.113635.100.6.11.1`). node's / workerd's `X509Certificate` exposes NO
+// generic extension-by-OID accessor (proven in the x509 probe, design §4), so we
+// DER-encode the OID and scan the cert's raw DER for it.
+//
+// HARDENING (design §4/§5.5): we match the FULL DER OID tag `[0x06, len, ...content]`
+// — STRICTER than scanning for the bare content octets — to shrink false-positive
+// odds. This OID check is DEFENSE IN DEPTH, never the trust anchor: the real anchor
+// is the chain-to-pinned-Apple-root (native-jws.ts §5.3–5.4). A spoofed cert could
+// embed these public OID bytes, but it cannot forge the chain signature.
+
+import type { X509Certificate } from 'node:crypto';
+
+/**
+ * Encode an OID to its full DER tag-length-value form `[0x06, len, ...content]`.
+ * Only handles the single-byte definite-length form (len < 128), which covers
+ * every Apple OID (their content is ~9 bytes). Throws on a sub-identifier or
+ * total length that would need multi-byte length encoding — we never expect one.
+ */
+export function oidToDerTag(oid: string): Buffer {
+  const parts = oid.split('.').map((p) => Number.parseInt(p, 10));
+  if (parts.length < 2 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
+    throw new Error(`oidToDerTag: invalid OID "${oid}"`);
+  }
+  // First two arcs collapse into a single byte: 40*X + Y.
+  const content = [40 * parts[0]! + parts[1]!];
+  for (let i = 2; i < parts.length; i++) {
+    let v = parts[i]!;
+    const sevenBitGroups = [v & 0x7f];
+    v = Math.floor(v / 128);
+    while (v > 0) {
+      sevenBitGroups.unshift((v & 0x7f) | 0x80); // continuation bit on all but the last
+      v = Math.floor(v / 128);
+    }
+    content.push(...sevenBitGroups);
+  }
+  if (content.length > 127) {
+    throw new Error(`oidToDerTag: OID "${oid}" content too long for single-byte length`);
+  }
+  return Buffer.from([0x06, content.length, ...content]);
+}
+
+/** True if the cert's raw DER contains the full DER-encoded OID tag. */
+export function certHasOid(cert: X509Certificate, oid: string): boolean {
+  return Buffer.from(cert.raw).includes(oidToDerTag(oid));
+}

package/api/src/integrations/app-store/native-jws.ts

@@ -0,0 +1,222 @@
+// Native Apple JWS verifier — reproduces Apple's `jws_verification.ts` using
+// runtime built-ins only (`node:crypto` X509Certificate + `crypto.subtle`), so
+// the `@apple/app-store-server-library` + `jsrsasign` cluster can be evicted from
+// both payment-core bundles (design §1, §5). NO new dependency, NO OCSP.
+//
+// This is a TRUST BOUNDARY (CWE-347). The checks below are NOT optional and must
+// not be "simplified" — read design §5 + §8 before touching them. The trust
+// anchor is the chain-to-pinned-Apple-root (steps 3–4); the Apple extension-OID
+// check (step 5) is defense in depth.
+//
+// Cross-runtime: the same source compiles into dist/index.js (node) and
+// dist/cf.js (workerd). Approach S (subtle for the signature) is the only
+// cross-runtime-safe path — workerd rejects node's KeyObject in createVerify
+// (probe P2b). Proven green under workerd in cloudflare/tests/x509-probe.mjs.
+
+import { X509Certificate } from 'node:crypto';
+
+import { APPLE_ROOT_CERTS } from './apple-root-certs';
+import { certHasOid } from './native-asn1';
+
+const APPLE_LEAF_OID = '1.2.840.113635.100.6.11.1';
+const APPLE_INTERMEDIATE_OID = '1.2.840.113635.100.6.2.1';
+const MAX_SKEW_MS = 60_000; // ±60s clock skew, matching Apple's lib
+
+/** JWS protected header (only the fields we trust + need). */
+export interface JwsHeader {
+  alg: string;
+  /** base64 (NOT base64url) DER certs: [leaf, intermediate, root]. */
+  x5c: string[];
+}
+
+/** Decoded StoreKit 2 `signedTransactionInfo` payload — fields consumed by client.ts. */
+export interface JwsTransactionPayload {
+  transactionId: string;
+  originalTransactionId?: string;
+  productId: string;
+  purchaseDate?: number;
+  expiresDate?: number;
+  appAccountToken?: string;
+  environment?: 'Production' | 'Sandbox' | string;
+  signedDate?: number;
+  bundleId?: string;
+  type?: string;
+  webOrderLineItemId?: string;
+  revocationDate?: number;
+  revocationReason?: number;
+}
+
+/** Decoded App Store Server Notification V2 `signedPayload` — fields consumed by client.ts. */
+export interface JwsNotificationPayload {
+  notificationType: string;
+  notificationUUID: string;
+  subtype?: string;
+  version?: string;
+  signedDate?: number;
+  data?: {
+    appAppleId?: number;
+    bundleId?: string;
+    bundleVersion?: string;
+    environment?: 'Production' | 'Sandbox' | string;
+    signedTransactionInfo?: string;
+    signedRenewalInfo?: string;
+    status?: 1 | 2 | 3 | 4 | 5;
+  };
+}
+
+export interface VerifyAppleJwsOptions {
+  /** Trust anchors (default: vendored APPLE_ROOT_CERTS). Tests inject a synthetic root. */
+  trustedRoots?: Buffer[];
+  /** Override the effectiveDate for cert validity. Default: the payload's `signedDate`. */
+  signedDate?: number;
+}
+
+/** Named, non-secret-bearing failure for a JWS verification step (CWE-347 audit trail). */
+export class AppleJwsVerifyError extends Error {
+  public readonly code: string;
+
+  constructor(code: string, detail?: string) {
+    super(detail ? `AppStore JWS verify failed [${code}]: ${detail}` : `AppStore JWS verify failed [${code}]`);
+    this.name = 'AppleJwsVerifyError';
+    this.code = code;
+  }
+}
+
+function base64UrlToJson(segment: string, code: string): Record<string, unknown> {
+  let text: string;
+  try {
+    text = Buffer.from(segment, 'base64url').toString('utf8');
+  } catch {
+    throw new AppleJwsVerifyError(code, 'segment is not valid base64url');
+  }
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    throw new AppleJwsVerifyError(code, 'segment is not valid JSON');
+  }
+  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new AppleJwsVerifyError(code, 'segment is not a JSON object');
+  }
+  // Strip an own `__proto__`/`constructor`/`prototype` key so a hostile payload
+  // can never reach Object.prototype downstream (defensive; JSON.parse already
+  // makes `__proto__` an own prop rather than a prototype mutation).
+  const out = parsed as Record<string, unknown>;
+  for (const key of ['__proto__', 'constructor', 'prototype']) {
+    if (Object.prototype.hasOwnProperty.call(out, key)) {
+      delete out[key];
+    }
+  }
+  return out;
+}
+
+function buildCert(b64: string, label: string): X509Certificate {
+  try {
+    return new X509Certificate(Buffer.from(b64, 'base64'));
+  } catch {
+    throw new AppleJwsVerifyError('MALFORMED_CERT', `${label} cert is not valid DER`);
+  }
+}
+
+/** Reject if the cert's validity window does not cover `effectiveDate` (±MAX_SKEW). */
+function assertCertValid(cert: X509Certificate, effectiveDate: number, label: string): void {
+  const validFrom = Date.parse(cert.validFrom);
+  const validTo = Date.parse(cert.validTo);
+  if (Number.isNaN(validFrom) || Number.isNaN(validTo)) {
+    throw new AppleJwsVerifyError('CERT_VALIDITY', `${label} cert has unparseable validity dates`);
+  }
+  if (validFrom > effectiveDate + MAX_SKEW_MS) {
+    throw new AppleJwsVerifyError('CERT_NOT_YET_VALID', `${label} cert not valid until after signedDate`);
+  }
+  if (validTo < effectiveDate - MAX_SKEW_MS) {
+    throw new AppleJwsVerifyError('CERT_EXPIRED', `${label} cert expired before signedDate`);
+  }
+}
+
+/**
+ * Verify + decode an Apple JWS (StoreKit 2 transaction or notification) exactly
+ * per design §5. Throws AppleJwsVerifyError (named code, never echoes the raw
+ * JWS / cert material) on any failure. Stateless — safe for concurrent calls.
+ */
+export async function verifyAppleJws<T = JwsTransactionPayload | JwsNotificationPayload>(
+  jws: string,
+  opts: VerifyAppleJwsOptions = {}
+): Promise<T> {
+  const trustedRoots = opts.trustedRoots ?? APPLE_ROOT_CERTS;
+
+  // 1. Split + parse header.
+  const parts = jws.split('.');
+  if (parts.length !== 3) {
+    throw new AppleJwsVerifyError('FORMAT', 'expected 3 JWS segments');
+  }
+  const [headerSeg, payloadSeg, signatureSeg] = parts as [string, string, string];
+  const header = base64UrlToJson(headerSeg, 'HEADER') as unknown as JwsHeader;
+
+  // alg whitelist — never derive the algorithm from the token (design §8).
+  if (header.alg !== 'ES256') {
+    throw new AppleJwsVerifyError('ALG', 'only ES256 is accepted');
+  }
+  if (!Array.isArray(header.x5c) || header.x5c.length !== 3) {
+    throw new AppleJwsVerifyError('INVALID_CHAIN_LENGTH', 'x5c must contain exactly 3 certs');
+  }
+
+  // 2. Build certs (leaf, intermediate, rootFromJws).
+  const leaf = buildCert(header.x5c[0]!, 'leaf');
+  const intermediate = buildCert(header.x5c[1]!, 'intermediate');
+  const rootFromJws = buildCert(header.x5c[2]!, 'root');
+
+  // 3. Anchor the presented root to a vendored trusted Apple root (byte-equal DER).
+  const rootDer = Buffer.from(rootFromJws.raw);
+  const anchored = trustedRoots.some((trusted) => trusted.equals(rootDer));
+  if (!anchored) {
+    throw new AppleJwsVerifyError('ANCHOR', 'presented root is not a trusted Apple root');
+  }
+
+  // 4. Walk the chain: signature + issuer/subject equality at each hop.
+  if (!intermediate.verify(rootFromJws.publicKey) || intermediate.issuer !== rootFromJws.subject) {
+    throw new AppleJwsVerifyError('CHAIN', 'intermediate does not chain to root');
+  }
+  if (!leaf.verify(intermediate.publicKey) || leaf.issuer !== intermediate.subject) {
+    throw new AppleJwsVerifyError('CHAIN', 'leaf does not chain to intermediate');
+  }
+
+  // 5. CA flag + Apple extension OIDs (defense in depth).
+  if (intermediate.ca !== true || !certHasOid(intermediate, APPLE_INTERMEDIATE_OID)) {
+    throw new AppleJwsVerifyError('OID', 'intermediate missing CA flag or Apple OID');
+  }
+  if (!certHasOid(leaf, APPLE_LEAF_OID)) {
+    throw new AppleJwsVerifyError('OID', 'leaf missing Apple OID');
+  }
+
+  // Decode the payload now — its signedDate is the effectiveDate for validity.
+  const payload = base64UrlToJson(payloadSeg, 'PAYLOAD');
+  const effectiveDate = opts.signedDate ?? (typeof payload.signedDate === 'number' ? payload.signedDate : undefined);
+  if (typeof effectiveDate !== 'number') {
+    throw new AppleJwsVerifyError('NO_SIGNED_DATE', 'payload has no numeric signedDate to validate against');
+  }
+
+  // 6. Validity dates for all three certs (NO OCSP — design §5.7).
+  assertCertValid(leaf, effectiveDate, 'leaf');
+  assertCertValid(intermediate, effectiveDate, 'intermediate');
+  assertCertValid(rootFromJws, effectiveDate, 'root');
+
+  // 8. Verify the ES256 signature over `header.payload` with the leaf key
+  //    (Approach S: SPKI import + subtle verify of the raw P1363 sig).
+  const spki = leaf.publicKey.export({ type: 'spki', format: 'der' });
+  const key = await crypto.subtle.importKey(
+    'spki',
+    spki as unknown as ArrayBuffer,
+    { name: 'ECDSA', namedCurve: 'P-256' },
+    false,
+    ['verify']
+  );
+  const signature = Buffer.from(signatureSeg, 'base64url');
+  const signingInput = Buffer.from(`${headerSeg}.${payloadSeg}`, 'ascii');
+  const valid = await crypto.subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, key, signature, signingInput);
+  if (!valid) {
+    throw new AppleJwsVerifyError('SIGNATURE', 'ES256 signature does not verify against the leaf key');
+  }
+
+  // 9. Return the decoded payload.
+  return payload as unknown as T;
+}

package/api/src/integrations/app-store/native-receipt.ts

@@ -0,0 +1,105 @@
+// Native StoreKit 1 (legacy) receipt verification (Path C) — replaces
+// `node-apple-receipt-verify` with native `fetch`. The package does ZERO crypto:
+// it just POSTs the receipt to Apple's verifyReceipt endpoint and shape-maps the
+// JSON (design §3C). Evicting it also drops `async` + the proxy-agents (its only
+// importers). Feature-PRESERVING — output shape matches what client.ts consumes.
+//
+// NOTE the host is buy.itunes.apple.com (legacy verifyReceipt) — NOT the App
+// Store Server API host (native-api.ts). Do not conflate the two.
+
+const PRODUCTION_HOST = 'https://buy.itunes.apple.com/verifyReceipt';
+const SANDBOX_HOST = 'https://sandbox.itunes.apple.com/verifyReceipt';
+
+// Apple sends 21007 when a sandbox receipt hits production, 21002 for malformed —
+// node-apple-receipt-verify retries sandbox on BOTH (lib/apple.js:246), so we do
+// too: a sandbox receipt must not be surfaced as a hard failure.
+const RETRY_SANDBOX_STATUSES = new Set([21007, 21002]);
+
+/** Normalized receipt item — the shape client.ts:271-308 consumes (was produced by the old lib). */
+export interface RawReceiptItem {
+  productId: string;
+  transactionId: string;
+  originalTransactionId?: string;
+  /** unix ms (number, never the seconds form or a string) */
+  purchaseDate?: number;
+  /** unix ms (number) */
+  expirationDate?: number;
+  bundleId?: string;
+  webOrderLineItemId?: string;
+}
+
+interface AppleReceiptResponse {
+  status: number;
+  receipt?: { bundle_id?: string; in_app?: AppleRawItem[] };
+  latest_receipt_info?: AppleRawItem[];
+}
+
+interface AppleRawItem {
+  product_id?: string;
+  transaction_id?: string;
+  original_transaction_id?: string;
+  purchase_date_ms?: string | number;
+  expires_date_ms?: string | number;
+  web_order_line_item_id?: string;
+}
+
+function toMs(v: string | number | undefined): number | undefined {
+  if (v === undefined || v === null || v === '') return undefined;
+  const n = Number(v);
+  return Number.isNaN(n) ? undefined : n;
+}
+
+async function postReceipt(host: string, body: object): Promise<AppleReceiptResponse> {
+  const response = await fetch(host, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+  if (!response.ok) {
+    throw new Error(`AppStore verifyReceipt: HTTP ${response.status}`);
+  }
+  return (await response.json()) as AppleReceiptResponse;
+}
+
+/**
+ * Verify a StoreKit 1 base64 receipt against Apple's verifyReceipt endpoint and
+ * return the normalized items. Tries production first; on a sandbox/malformed
+ * status (21007/21002) retries the sandbox host (parity). Throws on any other
+ * non-zero status with the code in the message — but never the shared secret.
+ */
+export async function verifyAppleReceiptNative({
+  receipt,
+  sharedSecret,
+}: {
+  receipt: string;
+  sharedSecret: string;
+}): Promise<RawReceiptItem[]> {
+  const body = {
+    'receipt-data': receipt,
+    password: sharedSecret,
+    // Deliberate, result-equivalent: client.ts reduces to the latest-expiry item
+    // anyway, so trimming old transactions here changes nothing downstream.
+    'exclude-old-transactions': true,
+  };
+
+  let data = await postReceipt(PRODUCTION_HOST, body);
+  if (RETRY_SANDBOX_STATUSES.has(data.status)) {
+    data = await postReceipt(SANDBOX_HOST, body);
+  }
+  if (data.status !== 0) {
+    // Status only — never echo the shared secret or the receipt blob.
+    throw new Error(`AppStore verifyReceipt: Apple returned status ${data.status}`);
+  }
+
+  const rawItems = data.latest_receipt_info ?? data.receipt?.in_app ?? [];
+  const bundleId = data.receipt?.bundle_id;
+  return rawItems.map((item) => ({
+    productId: item.product_id ?? '',
+    transactionId: item.transaction_id ?? '',
+    originalTransactionId: item.original_transaction_id,
+    purchaseDate: toMs(item.purchase_date_ms),
+    expirationDate: toMs(item.expires_date_ms),
+    bundleId,
+    webOrderLineItemId: item.web_order_line_item_id,
+  }));
+}