react-native-instantpay-code-push 1.1.0

package/android/src/main/java/com/instantpaycodepush/ReactIntegrationManager.kt

@@ -0,0 +1,141 @@
+package com.instantpaycodepush
+
+import android.content.Context
+import android.util.Log
+import com.facebook.react.ReactApplication
+import com.facebook.react.ReactHost
+import com.facebook.react.ReactInstanceEventListener
+import com.facebook.react.bridge.JSBundleLoader
+import com.facebook.react.bridge.ReactContext
+import com.facebook.react.common.LifecycleState
+import kotlinx.coroutines.suspendCancellableCoroutine
+import java.lang.reflect.Field
+import kotlin.coroutines.resume
+
+class ReactIntegrationManager(
+    context: Context,
+) : ReactIntegrationManagerBase(context) {
+
+    companion object {
+        private const val CLASS_TAG = "*ReactIntegrationManager"
+    }
+
+    public fun setJSBundle(
+        application: ReactApplication,
+        bundleURL: String,
+    ) {
+        try {
+            val reactHost = application.reactHost
+            check(reactHost != null)
+
+            // Try both Java and Kotlin field names for compatibility
+            val reactHostDelegateField =
+                try {
+                    reactHost::class.java.getDeclaredField("mReactHostDelegate")
+                } catch (e: NoSuchFieldException) {
+                    try {
+                        reactHost::class.java.getDeclaredField("reactHostDelegate")
+                    } catch (e2: NoSuchFieldException) {
+                        throw RuntimeException("Neither mReactHostDelegate nor reactHostDelegate field found", e2)
+                    }
+                }
+
+            reactHostDelegateField.isAccessible = true
+            val reactHostDelegate =
+                reactHostDelegateField.get(
+                    reactHost,
+                )
+            val jsBundleLoaderField = reactHostDelegate::class.java.getDeclaredField("jsBundleLoader")
+            jsBundleLoaderField.isAccessible = true
+            jsBundleLoaderField.set(reactHostDelegate, getJSBundlerLoader(bundleURL))
+        } catch (e: Exception) {
+            try {
+                // Fallback to old architecture if ReactHost is not available
+                @Suppress("DEPRECATION")
+                val instanceManager = application.reactNativeHost.reactInstanceManager
+                val bundleLoader: JSBundleLoader? = this.getJSBundlerLoader(bundleURL)
+                val bundleLoaderField: Field =
+                    instanceManager::class.java.getDeclaredField("mBundleLoader")
+                bundleLoaderField.isAccessible = true
+
+                if (bundleLoader != null) {
+                    bundleLoaderField.set(instanceManager, bundleLoader)
+                } else {
+                    bundleLoaderField.set(instanceManager, null)
+                }
+            } catch (e: Exception) {
+                CommonHelper.logPrint(CLASS_TAG, "Failed to setJSBundle (fallback): ${e.message}")
+            }
+            CommonHelper.logPrint(CLASS_TAG, "Failed to setJSBundle: ${e.message}")
+        }
+    }
+
+    /**
+     * Reload the React Native application, ensuring ReactContext is initialized first.
+     * Caller should run this on main thread.
+     */
+    public suspend fun reload(application: ReactApplication) {
+        try {
+            val reactHost = application.reactHost
+            if (reactHost != null) {
+                // Ensure initialized; if not, start and wait
+                waitForReactContextInitialized(reactHost)
+
+                val activity = reactHost.currentReactContext?.currentActivity
+                if (reactHost.lifecycleState != LifecycleState.RESUMED && activity != null) {
+                    reactHost.onHostResume(activity)
+                }
+                reactHost.reload("Requested by IpayCodePush")
+            } else {
+                // Fallback to old architecture if ReactHost is not available
+                @Suppress("DEPRECATION")
+                val reactNativeHost = application.reactNativeHost
+                try {
+                    reactNativeHost.reactInstanceManager.recreateReactContextInBackground()
+                } catch (e: Exception) {
+                    val currentActivity = reactNativeHost.reactInstanceManager.currentReactContext?.currentActivity
+                    if (currentActivity == null) {
+                        return
+                    }
+
+                    currentActivity.runOnUiThread {
+                        currentActivity.recreate()
+                    }
+                } catch (e: Exception) {
+                    CommonHelper.logPrint(CLASS_TAG, "Failed to reload: ${e.message}")
+                }
+            }
+        } catch (e: Exception) {
+            CommonHelper.logPrint(CLASS_TAG, "Failed to reloads: ${e.message}")
+        }
+    }
+
+    /**
+     * Waits until ReactContext is initialized.
+     * @return true if ReactContext was already initialized; false if we waited for it.
+     */
+    suspend fun waitForReactContextInitialized(reactHost: ReactHost): Boolean {
+        return try {
+            // If already initialized, return immediately
+            if (reactHost.currentReactContext != null) return true
+
+            // Wait for initialization; MainApplication handles starting the host
+            suspendCancellableCoroutine { continuation ->
+                val listener =
+                    object : ReactInstanceEventListener {
+                        override fun onReactContextInitialized(context: ReactContext) {
+                            reactHost.removeReactInstanceEventListener(this)
+                            if (continuation.isActive) continuation.resume(Unit)
+                        }
+                    }
+
+                reactHost.addReactInstanceEventListener(listener)
+                continuation.invokeOnCancellation { reactHost.removeReactInstanceEventListener(listener) }
+            }
+            false
+        } catch (e: Exception) {
+            CommonHelper.logPrint(CLASS_TAG, "waitForReactContextInitialized failed: ${e.message}")
+            true
+        }
+    }
+}

package/android/src/main/java/com/instantpaycodepush/ReactIntegrationManagerBase.kt

@@ -0,0 +1,35 @@
+package com.instantpaycodepush
+
+import android.app.Application
+import android.content.Context
+import com.facebook.react.ReactApplication
+import com.facebook.react.bridge.JSBundleLoader
+
+open class ReactIntegrationManagerBase(
+    private val context: Context,
+) {
+
+    fun getJSBundlerLoader(bundleFileUrl: String): JSBundleLoader? {
+        val bundleLoader: JSBundleLoader?
+
+        if (bundleFileUrl.lowercase().startsWith("assets://")) {
+            bundleLoader =
+                JSBundleLoader.createAssetLoader(
+                    context,
+                    bundleFileUrl,
+                    false,
+                )
+        } else {
+            bundleLoader = JSBundleLoader.createFileLoader(bundleFileUrl)
+        }
+        return bundleLoader
+    }
+
+    public fun getReactApplication(application: Application?): ReactApplication {
+        if (application is ReactApplication) {
+            return application
+        } else {
+            throw IllegalArgumentException("Application does not implement ReactApplication")
+        }
+    }
+}

package/android/src/main/java/com/instantpaycodepush/SignatureVerifier.kt

@@ -0,0 +1,354 @@
+package com.instantpaycodepush
+
+import android.content.Context
+import android.util.Base64
+import android.util.Log
+import java.io.File
+import java.security.KeyFactory
+import java.security.PublicKey
+import java.security.Signature
+import java.security.spec.X509EncodedKeySpec
+
+/**
+ * Prefix for signed file hash format.
+ */
+private const val SIGNED_HASH_PREFIX = "sig:"
+
+/**
+ * Custom exceptions for signature verification errors.
+ *
+ * **IMPORTANT**: The error messages in these exceptions are used by the JavaScript layer
+ * (`packages/react-native/src/types.ts`) to detect signature verification failures.
+ * If you change these messages, update `isSignatureVerificationError()` in types.ts accordingly.
+ */
+
+sealed class SignatureVerificationException(
+    message: String,
+) : Exception(message) {
+    class PublicKeyNotConfigured :
+        SignatureVerificationException(
+            "Public key not configured for signature verification. " +
+                "Add 'ipay_code_push_public_key' to res/values/strings.xml",
+        )
+
+    class InvalidPublicKeyFormat :
+        SignatureVerificationException(
+            "Public key format is invalid. Ensure the public key is in PEM format (BEGIN PUBLIC KEY)",
+        )
+
+    class MissingFileHash :
+        SignatureVerificationException(
+            "File hash is missing or empty. Ensure the bundle update includes a valid file hash",
+        )
+
+    class InvalidSignatureFormat :
+        SignatureVerificationException(
+            "Signature format is invalid or corrupted. The signature data is malformed or cannot be decoded",
+        )
+
+    class SignatureVerificationFailed :
+        SignatureVerificationException(
+            "Bundle signature verification failed. The bundle may be corrupted or tampered with",
+        )
+
+    class FileHashMismatch :
+        SignatureVerificationException(
+            "File hash verification failed. The bundle file hash does not match the expected value. File may be corrupted",
+        )
+
+    class FileReadFailed :
+        SignatureVerificationException(
+            "Failed to read file for verification. Could not read file for hash verification",
+        )
+
+    class UnsignedNotAllowed :
+        SignatureVerificationException(
+            "Unsigned bundle not allowed when signing is enabled. " +
+                "Public key is configured but bundle is not signed. Rejecting update",
+        )
+
+    class SecurityFrameworkError(
+        cause: Throwable,
+    ) : SignatureVerificationException(
+        "Security framework error during verification: ${cause.message}",
+    )
+}
+
+
+/**
+ * Service for verifying bundle integrity through hash or RSA-SHA256 signature verification.
+ * Uses Java Signature API for cryptographic operations.
+ *
+ * fileHash format:
+ * - Signed: `sig:<base64_signature>` - Verify signature (implicitly verifies hash)
+ * - Unsigned: `<hex_hash>` - Verify SHA256 hash only
+ *
+ * Security rules:
+ * - null/empty fileHash → REJECT
+ * - sig:... + public key configured → verify signature → Install/REJECT
+ * - sig:... + public key NOT configured → REJECT (can't verify)
+ * - <hash> + public key configured → REJECT (unsigned not allowed)
+ * - <hash> + public key NOT configured → verify hash → Install/REJECT
+ */
+object SignatureVerifier {
+    private const val CLASS_TAG = "*SignatureVerifier"
+
+    /**
+     * Reads public key from Android string resources.
+     * @param context Application context
+     * @return Public key PEM string or null if not configured
+     */
+    private fun getPublicKeyFromConfig(context: Context): String? {
+        val resourceId =
+            context.resources.getIdentifier(
+                "ipay_code_push_public_key",
+                "string",
+                context.packageName,
+            )
+
+        if (resourceId == 0) {
+            CommonHelper.logPrint(CLASS_TAG, "ipay_code_push_public_key not found in strings.xml")
+            return null
+        }
+
+        val publicKeyPEM = context.getString(resourceId)
+        if (publicKeyPEM.isEmpty()) {
+            CommonHelper.logPrint(CLASS_TAG, "ipay_code_push_public_key is empty")
+            return null
+        }
+
+        return publicKeyPEM
+    }
+
+    /**
+     * Checks if signing is enabled (public key is configured).
+     * @param context Application context
+     * @return true if public key is configured
+     */
+    fun isSigningEnabled(context: Context): Boolean = getPublicKeyFromConfig(context) != null
+
+    /**
+     * Checks if fileHash is in signed format (starts with "sig:").
+     * @param fileHash The file hash string to check
+     * @return true if signed format
+     */
+    fun isSignedFormat(fileHash: String?): Boolean = fileHash?.startsWith(SIGNED_HASH_PREFIX) == true
+
+    /**
+     * Extracts signature from signed format fileHash.
+     * @param fileHash The signed file hash (sig:<signature>)
+     * @return Base64-encoded signature or null if not signed format
+     */
+    fun extractSignature(fileHash: String?): String? {
+        if (!isSignedFormat(fileHash)) return null
+        return fileHash?.removePrefix(SIGNED_HASH_PREFIX)
+    }
+
+    /**
+     * Verifies bundle integrity based on fileHash format.
+     * Determines verification mode by checking for "sig:" prefix.
+     *
+     * @param context Application context
+     * @param bundleFile The bundle file to verify
+     * @param fileHash Combined hash string (sig:<signature> or <hex_hash>)
+     * @throws SignatureVerificationException if verification fails
+     */
+    fun verifyBundle(
+        context: Context,
+        bundleFile: File,
+        fileHash: String?,
+    ) {
+        val signingEnabled = isSigningEnabled(context)
+
+        // Rule: null/empty fileHash → REJECT
+        if (fileHash.isNullOrEmpty()) {
+            CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "fileHash is null or empty. Rejecting update.")
+            throw SignatureVerificationException.MissingFileHash()
+        }
+
+        if (isSignedFormat(fileHash)) {
+            // Signed format: sig:<signature>
+            val signature = extractSignature(fileHash)
+            if (signature.isNullOrEmpty()) {
+                CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Failed to extract signature from fileHash")
+                throw SignatureVerificationException.InvalidSignatureFormat()
+            }
+
+            // Rule: sig:... + public key NOT configured → REJECT
+            if (!signingEnabled) {
+                CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Signed bundle but public key not configured. Cannot verify.")
+                throw SignatureVerificationException.PublicKeyNotConfigured()
+            }
+
+            // Rule: sig:... + public key configured → verify signature
+            verifySignature(context, bundleFile, signature)
+        } else {
+            // Unsigned format: <hex_hash>
+
+            // Rule: <hash> + public key configured → REJECT
+            if (signingEnabled) {
+                CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Unsigned bundle not allowed when signing is enabled. Rejecting.")
+                throw SignatureVerificationException.UnsignedNotAllowed()
+            }
+
+            // Rule: <hash> + public key NOT configured → verify hash
+            verifyHash(bundleFile, fileHash)
+        }
+    }
+
+    /**
+     * Verifies SHA256 hash of a file.
+     * @param bundleFile The file to verify
+     * @param expectedHash Expected SHA256 hash (hex string)
+     * @throws SignatureVerificationException.FileHashMismatch if verification fails
+     */
+    fun verifyHash(
+        bundleFile: File,
+        expectedHash: String,
+    ) {
+        CommonHelper.logPrint(CLASS_TAG, "Verifying hash for file: ${bundleFile.name}")
+
+        if (!HashUtils.verifyHash(bundleFile, expectedHash)) {
+            CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Hash mismatch!")
+            throw SignatureVerificationException.FileHashMismatch()
+        }
+
+        CommonHelper.logPrint(CLASS_TAG, "✅ Hash verified successfully")
+    }
+
+    /**
+     * Verifies RSA-SHA256 signature of a file.
+     * Calculates the file hash internally and verifies the signature.
+     *
+     * @param context Application context
+     * @param bundleFile The file to verify
+     * @param signatureBase64 Base64-encoded RSA-SHA256 signature
+     * @throws SignatureVerificationException if verification fails
+     */
+    fun verifySignature(
+        context: Context,
+        bundleFile: File,
+        signatureBase64: String,
+    ) {
+        CommonHelper.logPrint(CLASS_TAG, "Verifying signature for file: ${bundleFile.name}")
+
+        // Get public key from config
+        val publicKeyPEM =
+            getPublicKeyFromConfig(context)
+                ?: run {
+                    CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Cannot verify signature: public key not configured in strings.xml")
+                    throw SignatureVerificationException.PublicKeyNotConfigured()
+                }
+
+        try {
+            // Convert PEM to PublicKey
+            val publicKey = createPublicKey(publicKeyPEM)
+
+            // Calculate file hash
+            val fileHashHex =
+                HashUtils.calculateSHA256(bundleFile)
+                    ?: run {
+                        CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Failed to calculate file hash")
+                        throw SignatureVerificationException.FileReadFailed()
+                    }
+
+            CommonHelper.logPrint(CLASS_TAG, "Calculated file hash: $fileHashHex")
+
+            // Decode signature from base64
+            val signatureBytes =
+                try {
+                    Base64.decode(signatureBase64, Base64.DEFAULT)
+                } catch (e: Exception) {
+                    CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Failed to decode signature from base64 $e")
+                    throw SignatureVerificationException.InvalidSignatureFormat()
+                }
+
+            // Convert hex fileHash to bytes
+            val fileHashBytes = hexToByteArray(fileHashHex)
+
+            // Verify signature using RSA-SHA256
+            val verifier = Signature.getInstance("SHA256withRSA")
+            verifier.initVerify(publicKey)
+            verifier.update(fileHashBytes)
+            val isValid = verifier.verify(signatureBytes)
+
+            if (isValid) {
+                CommonHelper.logPrint(CLASS_TAG, "✅ Signature verified successfully")
+            } else {
+                CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "❌ Signature verification failed")
+                throw SignatureVerificationException.SignatureVerificationFailed()
+            }
+        } catch (e: SignatureVerificationException) {
+            CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "SignatureVerificationException : Signature verification error $e")
+            throw e
+        } catch (e: Exception) {
+            CommonHelper.logPrint(CommonHelper.ERROR_LOG,CLASS_TAG, "Signature verification error $e")
+            throw SignatureVerificationException.SecurityFrameworkError(e)
+        }
+    }
+
+    /**
+     * Converts PEM-formatted public key to PublicKey.
+     * @param publicKeyPEM Public key in PEM format
+     * @return PublicKey instance
+     * @throws SignatureVerificationException.InvalidPublicKeyFormat if conversion fails
+     */
+    private fun createPublicKey(publicKeyPEM: String): PublicKey {
+        try {
+            // Remove PEM headers/footers and whitespace
+            val publicKeyBase64 =
+                publicKeyPEM
+                    .replace("-----BEGIN PUBLIC KEY-----", "")
+                    .replace("-----END PUBLIC KEY-----", "")
+                    .replace("\\n", "")
+                    .replace("\n", "")
+                    .replace("\r", "")
+                    .replace(" ", "")
+                    .trim()
+
+            // Decode base64
+            val keyBytes = Base64.decode(publicKeyBase64, Base64.DEFAULT)
+
+            // Create PublicKey from X.509 format (SubjectPublicKeyInfo)
+            val spec = X509EncodedKeySpec(keyBytes)
+            val keyFactory = KeyFactory.getInstance("RSA")
+            val publicKey = keyFactory.generatePublic(spec)
+
+            CommonHelper.logPrint(CLASS_TAG, "Public key loaded successfully")
+            return publicKey
+        } catch (e: Exception) {
+            CommonHelper.logPrint(CommonHelper.ERROR_LOG, CLASS_TAG, "Failed to create public key $e")
+            throw SignatureVerificationException.InvalidPublicKeyFormat()
+        }
+    }
+
+    /**
+     * Converts hex string to ByteArray.
+     * @param hexString Hex-encoded string
+     * @return ByteArray
+     * @throws SignatureVerificationException.SignatureVerificationFailed if conversion fails
+     */
+    private fun hexToByteArray(hexString: String): ByteArray {
+        try {
+            val len = hexString.length
+            if (len % 2 != 0) {
+                throw SignatureVerificationException.InvalidSignatureFormat()
+            }
+
+            val data = ByteArray(len / 2)
+            var i = 0
+            while (i < len) {
+                data[i / 2] =
+                    (
+                        (Character.digit(hexString[i], 16) shl 4) +
+                            Character.digit(hexString[i + 1], 16)
+                        ).toByte()
+                i += 2
+            }
+            return data
+        } catch (e: Exception) {
+            CommonHelper.logPrint(CommonHelper.ERROR_LOG, CLASS_TAG, "Failed to convert hex to byte array $e")
+            throw SignatureVerificationException.InvalidSignatureFormat()
+        }
+    }
+}

package/android/src/main/java/com/instantpaycodepush/VersionedPreferencesService.kt

@@ -0,0 +1,70 @@
+package com.instantpaycodepush
+
+import android.content.Context
+import android.content.SharedPreferences
+import java.io.File
+
+/**
+ * Interface for preference storage operations
+ */
+interface PreferencesService {
+    /**
+     * Gets a stored preference value
+     * @param key The key to retrieve
+     * @return The stored value or null if not found
+     */
+    fun getItem(key: String): String?
+
+    /**
+     * Sets a preference value
+     * @param key The key to store under
+     * @param value The value to store (or null to remove)
+     */
+    fun setItem(
+        key: String,
+        value: String?,
+    )
+}
+
+/**
+ * Implementation of PreferencesService using SharedPreferences
+ * Modified from original HotUpdaterPrefs to follow the service pattern
+ */
+
+class VersionedPreferencesService(
+    private val context: Context,
+    private val isolationKey: String,
+) : PreferencesService {
+
+    private val prefs: SharedPreferences
+
+    init {
+
+        val sharedPrefsDir = File(context.applicationInfo.dataDir, "shared_prefs")
+        if (sharedPrefsDir.exists() && sharedPrefsDir.isDirectory) {
+            sharedPrefsDir.listFiles()?.forEach { file ->
+                if (file.name.startsWith("IpayCodePushPrefs_") && file.name != "$isolationKey.xml") {
+                    file.delete()
+                }
+            }
+        }
+
+        prefs = context.getSharedPreferences(isolationKey, Context.MODE_PRIVATE)
+    }
+
+    override fun getItem(key: String): String? = prefs.getString(key, null)
+
+    override fun setItem(
+        key: String,
+        value: String?,
+    ) {
+        prefs.edit().apply {
+            if (value == null) {
+                remove(key)
+            } else {
+                putString(key, value)
+            }
+            apply()
+        }
+    }
+}