fix(iap): silence jwt token exceptions

cyl3x · cyl3x · commit 03dbc3c890df · 2025-05-30T12:06:06.000+02:00
diff --git a/src/Context/ContextResolver.php b/src/Context/ContextResolver.php
@@ -36,8 +36,9 @@
  */
 class ContextResolver
 {
-    public function __construct(private readonly InAppPurchaseProvider $inAppPurchaseProvider)
-    {
+    public function __construct(
+        private readonly ?InAppPurchaseProvider $inAppPurchaseProvider = null
+    ) {
     }
 
     /**
@@ -94,7 +95,7 @@ public function assembleModule(RequestInterface $request, ShopInterface $shop):
         if (!empty($params['in-app-purchases'])) {
             /** @var non-empty-string $inAppPurchaseString */
             $inAppPurchaseString = $params['in-app-purchases'];
-            $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($inAppPurchaseString, $shop);
+            $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($inAppPurchaseString, $shop);
         }
 
         return new ModuleAction(
@@ -259,7 +260,7 @@ public function assembleStorefrontRequest(RequestInterface $request, ShopInterfa
                 throw new MalformedWebhookBodyException();
             }
 
-            $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($claims['inAppPurchases'], $shop);
+            $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($claims['inAppPurchases'], $shop);
         }
 
         return new StorefrontAction(
@@ -322,7 +323,7 @@ private function parseSource(array $source, ShopInterface $shop): ActionSource
                 throw new MalformedWebhookBodyException();
             }
 
-            $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($source['inAppPurchases'], $shop);
+            $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($source['inAppPurchases'], $shop);
         }
 
 
diff --git a/src/Context/InAppPurchase/HasMatchingDomain.php b/src/Context/InAppPurchase/HasMatchingDomain.php
@@ -12,6 +12,8 @@
 
 /**
  * @phpstan-import-type InAppPurchaseArray from InAppPurchaseProvider
+ * 
+ * @deprecated Will be removed with version 5.0.0, as no licence domain can be provided for validation
  */
 class HasMatchingDomain implements Constraint
 {
diff --git a/src/Context/InAppPurchase/HasValidRSAJWKSignature.php b/src/Context/InAppPurchase/HasValidRSAJWKSignature.php
@@ -11,9 +11,8 @@
 use Lcobucci\JWT\Signer\Rsa\Sha384;
 use Lcobucci\JWT\Signer\Rsa\Sha512;
 use Lcobucci\JWT\Token;
-use Lcobucci\JWT\UnencryptedToken;
 use Lcobucci\JWT\Validation\Constraint;
-use Lcobucci\JWT\Validation\ConstraintViolation;
+use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Strobotti\JWK\Key\KeyInterface;
 use Strobotti\JWK\Key\Rsa as RsaKey;
 use Strobotti\JWK\KeyConverter;
@@ -27,27 +26,21 @@ public function __construct(private readonly KeySet $keys)
     {
     }
 
+    /**
+     * {@inheritDoc}
+     */
     public function assert(Token $token): void
     {
-        if (!$token instanceof UnencryptedToken) {
-            throw new \Exception('Token must be a plain JWT');
-        }
-
         $this->validateAlgorithm($token);
 
         $key = $this->getValidKey($token);
 
         /** @var non-empty-string $pem */
         $pem = $this->convertToPem($key);
 
-        /** @var string $alg */
-        $alg = $token->headers()->get('alg');
-
-        $signer = $this->getSigner($alg);
+        $signer = $this->getSigner($token->headers()->get('alg'));
 
-        if (!$signer->verify($token->signature()->hash(), $token->payload(), InMemory::plainText($pem))) {
-            throw ConstraintViolation::error('Token signature mismatch', $this);
-        }
+        (new SignedWith($signer, InMemory::plainText($pem)))->assert($token);
     }
 
     private function validateAlgorithm(Token $token): void
diff --git a/src/Context/InAppPurchase/InAppPurchaseProvider.php b/src/Context/InAppPurchase/InAppPurchaseProvider.php
@@ -14,7 +14,7 @@
 use Shopware\App\SDK\Shop\ShopInterface;
 
 /**
- * @phpstan-type InAppPurchaseArray=array{identifier: string, quantity: int, nextBookingDate?: string, sub: string}
+ * @phpstan-type InAppPurchaseArray array{identifier: string, quantity: int, nextBookingDate?: string, sub: string}
  */
 class InAppPurchaseProvider
 {
@@ -27,21 +27,19 @@ public function __construct(
     /**
      * @param non-empty-string $encodedPurchases
      * @return Collection<InAppPurchase>
-     * @throws \Exception
      */
     public function decodePurchases(string $encodedPurchases, ShopInterface $shop, bool $retried = false): Collection
     {
         try {
             $keys = $this->keyFetcher->getKey($retried);
             $signatureValidator = new HasValidRSAJWKSignature($keys);
-            $domainValidator = new HasMatchingDomain($shop);
 
             $parser = new Parser(new JoseEncoder());
             /** @var Token\Plain $token */
             $token = $parser->parse($encodedPurchases);
 
             $validator = new Validator();
-            $validator->assert($token, $signatureValidator, $domainValidator);
+            $validator->assert($token, $signatureValidator);
 
             return $this->transformClaims($token);
         } catch (\Exception $e) {
@@ -50,8 +48,8 @@ public function decodePurchases(string $encodedPurchases, ShopInterface $shop, b
             }
 
             $this->logger->error('Failed to decode in-app purchases: ' . $e->getMessage());
-
-            throw $e;
+            
+            return new Collection();
         }
     }
 
diff --git a/tests/Context/InAppPurchase/InAppPurchaseProviderTest.php b/tests/Context/InAppPurchase/InAppPurchaseProviderTest.php
@@ -122,9 +122,9 @@ public function testDecodePurchaseRetryFails(): void
                 (new KeySetFactory())->createFromJSON('{"keys": [{"kty": "RSA","n": "yHenasOsOl-Vv2BmpayS1R8l5L-JN99FwaRRKXFssGTjJDwbYdbe3CqTSKqtOfdqZLzE6-bN2-Q1xqZZsgs0_zHNx7EROXNG_uQs1uuGkS6bgGhnq_2d7wzFvCsyI00CDXZxRlGjKAEhvcXormomF1jpUW08Y5tPeUvMSdEZbZxW1ydir-UrMm1RUSgJgSP-sUqLG7kTIJ6SG7cLtF8c8cHcVXFljMyiYLQHYOECj1oklwvfrfaoT3OKdKGumi39rDthXtFa0Aq1OS_P9qfZJ-yXiQlpf2RxRr3Q5EQJ8E9iqrlOndbkSq7eXne2DvvgsiNdyzRWFvxWSPSd9GZXkw","e": "AQAB","kid": "-1xljHNcPM59Qx9OcULA9LS219bsmKCZueVXhdF0N0k","use": "sig","alg": "RS256"}]}'),
             );
 
-        static::expectException(RequiredConstraintsViolated::class);
-
         $provider = new InAppPurchaseProvider($fetcher, $logger);
-        $provider->decodePurchases($token->toString(), $shop, true);
+        $decoded = $provider->decodePurchases($token->toString(), $shop, true);
+
+        static::assertEmpty($decoded);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,9 @@`
`36`	`36`	`*/`
`37`	`37`	`class ContextResolver`
`38`	`38`	`{`
`39`		`- public function __construct(private readonly InAppPurchaseProvider $inAppPurchaseProvider)`
`40`		`- {`
	`39`	`+ public function __construct(`
	`40`	`+ private readonly ?InAppPurchaseProvider $inAppPurchaseProvider = null`
	`41`	`+ ) {`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`/**`
`@@ -94,7 +95,7 @@ public function assembleModule(RequestInterface $request, ShopInterface $shop):`
`94`	`95`	`if (!empty($params['in-app-purchases'])) {`
`95`	`96`	`/** @var non-empty-string $inAppPurchaseString */`
`96`	`97`	`$inAppPurchaseString = $params['in-app-purchases'];`
`97`		`- $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($inAppPurchaseString, $shop);`
	`98`	`+ $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($inAppPurchaseString, $shop);`
`98`	`99`	`}`
`99`	`100`
`100`	`101`	`return new ModuleAction(`
`@@ -259,7 +260,7 @@ public function assembleStorefrontRequest(RequestInterface $request, ShopInterfa`
`259`	`260`	`throw new MalformedWebhookBodyException();`
`260`	`261`	`}`
`261`	`262`
`262`		`- $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($claims['inAppPurchases'], $shop);`
	`263`	`+ $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($claims['inAppPurchases'], $shop);`
`263`	`264`	`}`
`264`	`265`
`265`	`266`	`return new StorefrontAction(`
`@@ -322,7 +323,7 @@ private function parseSource(array $source, ShopInterface $shop): ActionSource`
`322`	`323`	`throw new MalformedWebhookBodyException();`
`323`	`324`	`}`
`324`	`325`
`325`		`- $inAppPurchases = $this->inAppPurchaseProvider->decodePurchases($source['inAppPurchases'], $shop);`
	`326`	`+ $inAppPurchases = $this->inAppPurchaseProvider?->decodePurchases($source['inAppPurchases'], $shop);`
`326`	`327`	`}`
`327`	`328`
`328`	`329`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,8 @@`
`12`	`12`
`13`	`13`	`/**`
`14`	`14`	`* @phpstan-import-type InAppPurchaseArray from InAppPurchaseProvider`
	`15`	`+ *`
	`16`	`+ * @deprecated Will be removed with version 5.0.0, as no licence domain can be provided for validation`
`15`	`17`	`*/`
`16`	`18`	`class HasMatchingDomain implements Constraint`
`17`	`19`	`{`
Original file line number	Diff line number	Diff line change
`@@ -122,9 +122,9 @@ public function testDecodePurchaseRetryFails(): void`
`122`	`122`	(new KeySetFactory())->createFromJSON('{"keys": [{"kty": "RSA","n": "yHenasOsOl-Vv2BmpayS1R8l5L-JN99FwaRRKXFssGTjJDwbYdbe3CqTSKqtOfdqZLzE6-bN2-Q1xqZZsgs0_zHNx7EROXNG_uQs1uuGkS6bgGhnq_2d7wzFvCsyI00CDXZxRlGjKAEhvcXormomF1jpUW08Y5tPeUvMSdEZbZxW1ydir-UrMm1RUSgJgSP-sUqLG7kTIJ6SG7cLtF8c8cHcVXFljMyiYLQHYOECj1oklwvfrfaoT3OKdKGumi39rDthXtFa0Aq1OS_P9qfZJ-yXiQlpf2RxRr3Q5EQJ8E9iqrlOndbkSq7eXne2DvvgsiNdyzRWFvxWSPSd9GZXkw","e": "AQAB","kid": "-1xljHNcPM59Qx9OcULA9LS219bsmKCZueVXhdF0N0k","use": "sig","alg": "RS256"}]}'),
`123`	`123`	`);`
`124`	`124`
`125`		`- static::expectException(RequiredConstraintsViolated::class);`
`126`		`-`
`127`	`125`	`$provider = new InAppPurchaseProvider($fetcher, $logger);`
`128`		`- $provider->decodePurchases($token->toString(), $shop, true);`
	`126`	`+ $decoded = $provider->decodePurchases($token->toString(), $shop, true);`
	`127`	`+`
	`128`	`+ static::assertEmpty($decoded);`
`129`	`129`	`}`
`130`	`130`	`}`