Skip to content

Reject signed non-authorizing receipt statuses #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
manuelsampedro1 wants to merge 2 commits into
base: main
Choose a base branch
from
+96 −13
Open

Reject signed non-authorizing receipt statuses #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dbbdb3f
Reject signed non-authorizing receipt statuses
manuelsampedro1 May 19, 2026
0268a80
Reject noncanonical receipt statuses before verification
manuelsampedro1 May 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 50 additions & 13 deletions src/verify.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,10 +59,42 @@ export type VerifyOptions = {
now?: Date;
};

type ReceiptStatus = 'valid' | 'revoked';

function isObject(value: unknown): value is Record<string, unknown> {
return typeof value === 'object' && value !== null;
}

function parseReceiptStatus(receipt: Record<string, unknown>): { ok: true; status: ReceiptStatus } | { ok: false; result: VerifyResult } {
if (typeof receipt.status !== 'string') {
return {
ok: false,
result: {
verified: false,
exitCode: 3,
errorCode: 'MALFORMED_RECEIPT',
errorMessage: 'receipt status must be a canonical string',
receiptId: receipt.id as string,
},
};
}

if (receipt.status !== 'valid' && receipt.status !== 'revoked') {
return {
ok: false,
result: {
verified: false,
exitCode: 3,
errorCode: 'MALFORMED_RECEIPT',
errorMessage: `unsupported receipt status: ${receipt.status}`,
receiptId: receipt.id as string,
},
};
}

return { ok: true, status: receipt.status };
}

export async function verifyReceipt(receipt: unknown, options: VerifyOptions): Promise<VerifyResult> {
if (!isObject(receipt)) {
return {
Expand Down Expand Up @@ -115,6 +147,24 @@ export async function verifyReceipt(receipt: unknown, options: VerifyOptions): P
};
}

const statusResult = parseReceiptStatus(receipt);
if (!statusResult.ok) {
return statusResult.result;
}
const { status } = statusResult;

const now = options.now ?? new Date();
const expiresAt = new Date(receipt.expiresAt as string);
if (Number.isNaN(expiresAt.getTime())) {
return {
verified: false,
exitCode: 3,
errorCode: 'MALFORMED_RECEIPT',
errorMessage: 'expiresAt is not a valid ISO timestamp',
receiptId: receipt.id as string,
};
}

const keyResult = await resolvePublicKey({
keyFile: options.keyFile,
keyUrl: options.keyUrl,
Expand Down Expand Up @@ -147,19 +197,6 @@ export async function verifyReceipt(receipt: unknown, options: VerifyOptions): P
};
}

const now = options.now ?? new Date();
const expiresAt = new Date(receipt.expiresAt as string);
if (Number.isNaN(expiresAt.getTime())) {
return {
verified: false,
exitCode: 3,
errorCode: 'MALFORMED_RECEIPT',
errorMessage: 'expiresAt is not a valid ISO timestamp',
receiptId: receipt.id as string,
};
}

const status = String(receipt.status);
if (expiresAt.getTime() <= now.getTime() || status === 'revoked') {
return {
verified: false,
Expand Down
46 changes: 46 additions & 0 deletions tests/verify.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,17 @@
import { readFile } from 'node:fs/promises';
import { sign as signSignature } from 'node:crypto';
import { resolve } from 'node:path';
import { describe, expect, it } from 'vitest';
import { verifyReceipt } from '../src/verify.js';
import { canonicalizeReceiptBytes } from '../src/canonicalize.js';

async function loadJson(name: string): Promise<unknown> {
const path = resolve(process.cwd(), 'tests/fixtures', name);
return JSON.parse(await readFile(path, 'utf8'));
}

const keyFile = resolve(process.cwd(), 'tests/fixtures/public-key.pem');
const privateKeyFile = resolve(process.cwd(), 'tests/fixtures/private-key.pem');

describe('verifyReceipt', () => {
it('verifies a valid receipt', async () => {
Expand All @@ -30,6 +33,49 @@ describe('verifyReceipt', () => {
}
});

it('rejects a signed receipt with a non-authorizing status', async () => {
const receipt = (await loadJson('valid.json')) as Record<string, unknown>;
receipt.status = 'DENIED';
receipt.signatureValue = signSignature(
null,
canonicalizeReceiptBytes(receipt),
await readFile(privateKeyFile, 'utf8'),
).toString('base64');

const result = await verifyReceipt(receipt, { keyFile, noNetwork: true });
expect(result.verified).toBe(false);
if (!result.verified) {
expect(result.exitCode).toBe(3);
expect(result.errorCode).toBe('MALFORMED_RECEIPT');
}
});

it('rejects non-canonical status values at the schema boundary', async () => {
const receipt = (await loadJson('valid.json')) as Record<string, unknown>;
receipt.status = 'valid ';

const result = await verifyReceipt(receipt, { keyFile, noNetwork: true });
expect(result.verified).toBe(false);
if (!result.verified) {
expect(result.exitCode).toBe(3);
expect(result.errorCode).toBe('MALFORMED_RECEIPT');
expect(result.errorMessage).toBe('unsupported receipt status: valid ');
}
});

it('rejects non-string status values at the schema boundary', async () => {
const receipt = (await loadJson('valid.json')) as Record<string, unknown>;
receipt.status = true;

const result = await verifyReceipt(receipt, { keyFile, noNetwork: true });
expect(result.verified).toBe(false);
if (!result.verified) {
expect(result.exitCode).toBe(3);
expect(result.errorCode).toBe('MALFORMED_RECEIPT');
expect(result.errorMessage).toBe('receipt status must be a canonical string');
}
});

it('returns malformed for malformed receipt', async () => {
const receipt = await loadJson('malformed.json');
const result = await verifyReceipt(receipt, { keyFile, noNetwork: true });
Expand Down