agisboye / app-store-server-api

A Node.js client for the App Store Server API
MIT License

The token always is invalid #2

Closed yuanpli closed 2 years ago

yuanpli commented 2 years ago

Hello,

Happy to see there is a client lib to communicate with app store server API. Thanks for your contribution.

Today, I have tried with this library, but I always got the 401 error. The code I tested is

const KEY = `-----BEGIN PRIVATE KEY-----
xxxxxxx
-----END PRIVATE KEY-----`

const KEY_ID = "xxx";
const ISSUER_ID = "xxxx";
const APP_BUNDLE_ID = "xxx";

const ServerApi = new AppStoreServerAPI(
  KEY, KEY_ID, ISSUER_ID, APP_BUNDLE_ID, Environment.Sandbox
);
let results = await ServerApi.getTransactionHistory(1000000944298944);

I have debugged the code, and it seems that the JWT lib jose returns an invalid token. After replacing it with jsonwebtoken, the token is valid.

Could you kindly help double-check if this is an existing issue? Thanks! And hope there will be a correction. Thanks!

agisboye commented 2 years ago

Hi,

I'm not sure what you mean by an invalid token. Could you point to where in the code this happens and provide an example of what an invalid token looks like?

yuanpli commented 2 years ago

Hi,

The invalid token that I mentioned is in the response received from the App Store Server when invoking an API method (like api.getTransactionHistory()). The HTTP status is 401:

The request is unauthorized; the JSON Web Token (JWT) is invalid.

agisboye commented 2 years ago

There is currently a bug in the API. If the purchase belongs to an Apple ID that has been deleted, the API will return the error that you've encountered (HTTP 401) when it should be returning AccountNotFoundError.

I've reported this to Apple and they're working on a fix. Could this be the issue that you're encountering?

yuanpli commented 2 years ago

I am afraid it is not the root cause. I tested in Postman. The API is working well with a token that was generated with jsonwebtoken manually. But it is not working with a token that was generated with jose. In my opinion, it could be an issue in jose when it signs the token with the private key.

agisboye commented 2 years ago

Could you try inspecting the token that the library generates? See getToken

Also, is there a possibility that you somehow have an older version of jose installed? You could try deleting your node_modules and reinstalling.

yuanpli commented 2 years ago

I have tried some old versions of jose@4.x.x. Unfortunately, all failed. I have raised an issue with jose. See https://github.com/panva/jose/issues/346

agisboye commented 2 years ago

I'll gladly look into any issue but you're going to have to make an effort and help me figure things out. As far as I know you're the only one seeing this. I use this library in production on multiple projects and haven't encountered the problem you've described.

Opening issues all across GitHub is not going to allow people to solve this issue for you.

yuanpli commented 2 years ago

Upgrade node version. The issue is resolved. Thanks for your support!

turbobuilt commented 2 years ago

Same issue. The tokens are just invalid when I paste them into jwt.io. I don't know why, but I am just saying I had the issue. If I have more information I will try to share it. Will debug now.

turbobuilt commented 2 years ago

Ok on my end I had an in-app-purchase token instead of an app store connect api token

adriancable commented 1 year ago

@yuanpli - jose generates mangled signatures for ES256 (used for the App Store Server API) on Node 12.15 and prior, because it uses a feature only added in Node 12.16, without checking it's available. You can switch to jsonwebtoken instead, which works correctly on Node 12.15.

agisboye commented 1 year ago

Node 15.6.0 was chosen as the minimum required version because it introduces X509Certificate, which this package uses. Node 12 never was (and never will be) supported.

adriancable commented 1 year ago

@agisboye - my apologies! My comment (albeit true) is therefore not relevant here.
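
The checks this thread converges on (runtime version, token inspection, signature form) can be run locally before suspecting the server's 401. The following is an added example, not code from the thread, from app-store-server-api or from jose; it uses only Node's built-in crypto. The function names, the throwaway key and the placeholder claim values are constructed for illustration, and the DER case shows one way an ES256 signature can be malformed for JWS, not the diagnosed cause of this issue.

```javascript
// Added example: local checks for an ES256 JWT before blaming the server's 401.
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// The thread gives 15.6.0 as the library's minimum supported Node version.
function nodeMeetsMinimum(version = process.versions.node, minimum = "15.6.0") {
  const [a, b] = [version, minimum].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Sign header.payload with ES256. JWS (RFC 7518) needs the raw 64-byte r||s
// form ("ieee-p1363"); crypto.sign emits DER unless told otherwise.
function signEs256(header, payload, privateKeyPem, dsaEncoding = "ieee-p1363") {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKeyPem, dsaEncoding });
  return `${input}.${b64url(sig)}`;
}

// Decode a token and verify it; crypto.verify derives the public half of the
// private key it is given.
function inspectEs256Token(token, privateKeyPem, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { wellFormed: false, signatureValid: false };
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  const payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  const signature = Buffer.from(s, "base64url");
  const signatureValid =
    header.alg === "ES256" &&
    signature.length === 64 &&
    crypto.verify("sha256", Buffer.from(`${h}.${p}`),
      { key: privateKeyPem, dsaEncoding: "ieee-p1363" }, signature);
  return { wellFormed: true, header, payload, signatureLength: signature.length,
    signatureValid, expired: typeof payload.exp === "number" && payload.exp <= now };
}

// Constructed sample: throwaway P-256 key and placeholder claims (not real IDs).
const SAMPLE_KEY = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" })
  .privateKey.export({ type: "pkcs8", format: "pem" });
const SAMPLE_HEADER = { alg: "ES256", kid: "EXAMPLEKID", typ: "JWT" };
const SAMPLE_CLAIMS = { iss: "example-issuer-id", iat: 1700000000, exp: 1700003600,
  aud: "appstoreconnect-v1", bid: "com.example.app" };
const goodToken = signEs256(SAMPLE_HEADER, SAMPLE_CLAIMS, SAMPLE_KEY);
const derToken = signEs256(SAMPLE_HEADER, SAMPLE_CLAIMS, SAMPLE_KEY, "der");
```

A token that passes these checks but is still rejected points away from the signing code and toward the key, key ID, issuer ID or bundle ID that the token was built from.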