Merge pull request #43 from cyl3x/fix/iap/silence-jwt-token-exceptions

fix(iap): silence jwt token exceptions

Author: lernhart

src/Context/ContextResolver.php

@@ -37,8 +37,9 @@
  */
 class ContextResolver
 {
-    public function __construct(private readonly InAppPurchaseProvider $inAppPurchaseProvider)
-    {
+    public function __construct(
+        private readonly ?InAppPurchaseProvider $inAppPurchaseProvider = null
+    ) {
     }
 
     /**
@@ -95,7 +96,7 @@ public function assembleModule(RequestInterface $request, ShopInterface $shop):
         if (!empty($params['in-app-purchases'])) {
             /** @var non-empty-string $inAppPurchaseString */
             $inAppPurchaseString = $params['in-app-purchases'];
-            $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($inAppPurchaseString, $shop);
+            $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($inAppPurchaseString, $shop);
         }
 
         return new ModuleAction(
@@ -260,7 +261,7 @@ public function assembleStorefrontRequest(RequestInterface $request, ShopInterfa
                 throw new MalformedWebhookBodyException();
             }
 
-            $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($claims['inAppPurchases'], $shop);
+            $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($claims['inAppPurchases'], $shop);
         }
 
         return new StorefrontAction(
@@ -341,7 +342,7 @@ private function parseSource(array $source, ShopInterface $shop): ActionSource
                 throw new MalformedWebhookBodyException();
             }
 
-            $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($source['inAppPurchases'], $shop);
+            $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($source['inAppPurchases'], $shop);
         }
 
 

src/Context/InAppPurchase/HasMatchingDomain.php

@@ -12,6 +12,8 @@
 
 /**
  * @phpstan-import-type InAppPurchaseArray from InAppPurchaseProvider
+ *
+ * @deprecated Will be removed with version 5.0.0, as no licence domain can be provided for validation
  */
 class HasMatchingDomain implements Constraint
 {

src/Context/InAppPurchase/HasValidRSAJWKSignature.php

@@ -11,9 +11,8 @@
 use Lcobucci\JWT\Signer\Rsa\Sha384;
 use Lcobucci\JWT\Signer\Rsa\Sha512;
 use Lcobucci\JWT\Token;
-use Lcobucci\JWT\UnencryptedToken;
 use Lcobucci\JWT\Validation\Constraint;
-use Lcobucci\JWT\Validation\ConstraintViolation;
+use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Strobotti\JWK\Key\KeyInterface;
 use Strobotti\JWK\Key\Rsa as RsaKey;
 use Strobotti\JWK\KeyConverter;
@@ -27,12 +26,11 @@ public function __construct(private readonly KeySet $keys)
     {
     }
 
+    /**
+     * {@inheritDoc}
+     */
     public function assert(Token $token): void
     {
-        if (!$token instanceof UnencryptedToken) {
-            throw new \Exception('Token must be a plain JWT');
-        }
-
         $this->validateAlgorithm($token);
 
         $key = $this->getValidKey($token);
@@ -45,9 +43,7 @@ public function assert(Token $token): void
 
         $signer = $this->getSigner($alg);
 
-        if (!$signer->verify($token->signature()->hash(), $token->payload(), InMemory::plainText($pem))) {
-            throw ConstraintViolation::error('Token signature mismatch', $this);
-        }
+        (new SignedWith($signer, InMemory::plainText($pem)))->assert($token);
     }
 
     private function validateAlgorithm(Token $token): void

src/Context/InAppPurchase/InAppPurchaseProvider.php

@@ -14,7 +14,7 @@
 use Shopware\App\SDK\Shop\ShopInterface;
 
 /**
- * @phpstan-type InAppPurchaseArray=array{identifier: string, quantity: int, nextBookingDate?: string, sub: string}
+ * @phpstan-type InAppPurchaseArray array{identifier: string, quantity: int, nextBookingDate?: string, sub: string}
  */
 class InAppPurchaseProvider
 {
@@ -27,21 +27,19 @@ public function __construct(
     /**
      * @param non-empty-string $encodedPurchases
      * @return Collection<InAppPurchase>
-     * @throws \Exception
      */
     public function decodePurchases(string $encodedPurchases, ShopInterface $shop, bool $retried = false): Collection
     {
         try {
             $keys = $this->keyFetcher->getKey($retried);
             $signatureValidator = new HasValidRSAJWKSignature($keys);
-            $domainValidator = new HasMatchingDomain($shop);
 
             $parser = new Parser(new JoseEncoder());
             /** @var Token\Plain $token */
             $token = $parser->parse($encodedPurchases);
 
             $validator = new Validator();
-            $validator->assert($token, $signatureValidator, $domainValidator);
+            $validator->assert($token, $signatureValidator);
 
             return $this->transformClaims($token);
         } catch (\Exception $e) {
@@ -51,7 +49,7 @@ public function decodePurchases(string $encodedPurchases, ShopInterface $shop, b
 
             $this->logger->error('Failed to decode in-app purchases: ' . $e->getMessage());
 
-            throw $e;
+            return new Collection();
         }
     }
 

tests/Context/InAppPurchase/HasValidRSAJWKSignatureTest.php

@@ -112,7 +112,10 @@ public function testAssertWithWrongTokenType(): void
         $token = new class () implements Token {
             public function headers(): DataSet
             {
-                return new DataSet([], '');
+                return new DataSet([
+                    'alg' => 'RS256',
+                    'kid' => JWKSHelper::getStaticKid(),
+                ], '');
             }
 
             public function isPermittedFor(string $audience): bool
@@ -157,9 +160,9 @@ public function toString(): string
         };
 
         static::expectException(\Exception::class);
-        static::expectExceptionMessage('Token must be a plain JWT');
+        static::expectExceptionMessage('You should pass a plain token');
 
-        $constraint = new HasValidRSAJWKSignature(new KeySet());
+        $constraint = new HasValidRSAJWKSignature($this->jwks);
         $constraint->assert($token);
     }
 }

tests/Context/InAppPurchase/InAppPurchaseProviderTest.php

@@ -4,7 +4,6 @@
 
 namespace Shopware\App\SDK\Tests\Context\InAppPurchase;
 
-use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
 use PHPUnit\Framework\Attributes\CoversClass;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
@@ -122,9 +121,9 @@ public function testDecodePurchaseRetryFails(): void
                 (new KeySetFactory())->createFromJSON('{"keys": [{"kty": "RSA","n": "yHenasOsOl-Vv2BmpayS1R8l5L-JN99FwaRRKXFssGTjJDwbYdbe3CqTSKqtOfdqZLzE6-bN2-Q1xqZZsgs0_zHNx7EROXNG_uQs1uuGkS6bgGhnq_2d7wzFvCsyI00CDXZxRlGjKAEhvcXormomF1jpUW08Y5tPeUvMSdEZbZxW1ydir-UrMm1RUSgJgSP-sUqLG7kTIJ6SG7cLtF8c8cHcVXFljMyiYLQHYOECj1oklwvfrfaoT3OKdKGumi39rDthXtFa0Aq1OS_P9qfZJ-yXiQlpf2RxRr3Q5EQJ8E9iqrlOndbkSq7eXne2DvvgsiNdyzRWFvxWSPSd9GZXkw","e": "AQAB","kid": "-1xljHNcPM59Qx9OcULA9LS219bsmKCZueVXhdF0N0k","use": "sig","alg": "RS256"}]}'),
             );
 
-        static::expectException(RequiredConstraintsViolated::class);
-
         $provider = new InAppPurchaseProvider($fetcher, $logger);
-        $provider->decodePurchases($token->toString(), $shop, true);
+        $decoded = $provider->decodePurchases($token->toString(), $shop, true);
+
+        static::assertEmpty($decoded);
     }
 }