The token always is invalid

[yuanpli]

Hello,

Happy to see there is a client lib to communicate with app store server API. Thanks for your contribution.

Today, I have tried with this library, but I always got the 401 error. The code I tested is

const KEY = `-----BEGIN PRIVATE KEY-----
xxxxxxx
-----END PRIVATE KEY-----`

const KEY_ID = "xxx";
const ISSUER_ID = "xxxx";
const APP_BUNDLE_ID = "xxx";

const ServerApi = new AppStoreServerAPI(
  KEY, KEY_ID, ISSUER_ID, APP_BUNDLE_ID, Environment.Sandbox
);
let results = await ServerApi.getTransactionHistory(1000000944298944);

I have debugged the code, it seems that the jwt lib jose return an invalid token. After replace with jsonwebtoken, the token is valid.

Could you kindly help double-check if this is an existing issue? Thanks! And hope there will be a correction. Thanks!

[agisboye]

Hi,

I'm not sure what you mean by an invalid token. Could you point to where in the code this happens and provide an example of what an invalid token looks like?

[yuanpli]

Hi,

The invalid token that I mentioned is in the response got from App Store Server when invoking an API method(like api.getTransactionHistory()). And the HTTP status is 401

The request is unauthorized; the JSON Web Token (JWT) is invalid.

[agisboye]

There is currently a bug in the API. If the purchase belongs to an Apple ID that has been deleted, the API will return the error that you've encountered (HTTP 401) when it should be returning AccountNotFoundError.

I've reported this to Apple and they're working on a fix. Could this be the issue that you're encountering?

[yuanpli]

I am afraid it is not the root cause. I tested in postman. The API is working well with a token that generated with jsonwebtoken manually. But it is not working with a token that generated with jose. In my opinion, it could be an issue in jose when it signs the token with the private key.

[agisboye]

Could you try inspecting the token that the library generates? See getToken

Also, is there a possibility that you somehow have an older version of jose installed? You could try deleting your node_modules and reinstalling.

[yuanpli]

I have tried with some old versions jose@4.x.x. Unfortunately, all failed. I have raised an issue to Jose. See https://github.com/panva/jose/issues/346

[agisboye]

I'll gladly look into any issue but you're going to have to make an effort and help me figure things out. As far is I know you're the only one seeing this. I use this library in production on multiple projects and haven't encountered the problem you've described.

Opening issues all across GitHub is not going to allow people to solve this issue for you.

[yuanpli]

Upgrade node version. The issue is resolved. Thanks for your support!

[turbobuilt]

Same issue. The tokens are just invalid when I paste them into jwt.io. I don't know why, but I am just saying I had the issue. If I have more information I will try to share it. Will debug now.

[turbobuilt]

Ok on my end I had an in-app-purchase token instead of an app store connect api token

[adriancable]

@yuanpli - jose generates mangled signatures for ES256 (used for the App Store Server API) on Node 12.15 and prior, because it uses a feature only added in Node 12.16, without checking it's available. You can switch to jsonwebtoken instead, which works correctly on Node 12.15.

[agisboye]

Node 15.6.0 was chosen as the minimum required version because it introduces X509Certificate, which this package uses. Node 12 never was (and never will be) supported.

[adriancable]

@agisboye - my apologies! My comment (albeit true) is therefore not relevant here.