Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge this project into SwiftyStoreKit #1

Closed
bizz84 opened this issue Aug 21, 2017 · 14 comments
Closed

Merge this project into SwiftyStoreKit #1

bizz84 opened this issue Aug 21, 2017 · 14 comments

Comments

@bizz84
Copy link

bizz84 commented Aug 21, 2017
edited
Loading

Hi Andrew,

I'm the author of SwiftyStoreKit, which a widely used and very popular library in the iOS community.

One of the missing features in SwiftyStoreKit is local receipt validation, and I feel that your project would be a great addition.

I feel the iOS community as a whole would benefit if we could incorporate your implementation into SwiftyStoreKit, and would make local receipt validation immediately available to all the developers that are already using it.

What do you think?

Best,

Andrea
@MKGitHub
Copy link

Traffic is only available to you privately not public ;-)

@andrewcbancroft
Copy link
Owner

I'm definitely not opposed, Andrea! Thanks for opening this issue -- let's talk about the best way to incorporate it.

When I put this repo up, I was aware of SwiftyStoreKit, but I wasn't sure how to integrate the local receipt validation code. There are a couple of non-intuitive things to be aware of:

  • "Hacky" requirements around OpenSSL that I wasn't sure about. Bitcode, and a few bridging header requirements and such...
  • Users of the code are also expected
  • Then of course, there's the "hey, you should really obfuscate the code if you're really wanting to thwart thieves".

There may be more, but I think of those right off the bat. Do we do more with the code, itself? Or do we document the requirements around it within the SwiftyStoreKit documentation?

Let's discuss and figure out how to move forward!

@MKGitHub
Copy link

Please keep SwiftyLocalReceiptValidator separated from SwiftyStoreKit! I.e. don't kill this repo...

@andrewcbancroft
Copy link
Owner

Would you see any value in donating this code as a "starting point" to SwiftyStoreKit? But also keeping this here, just in case someone didn't want to bring in the whole kit? Help me understand the downside if you can, @MKGitHub.

@MKGitHub
Copy link

MKGitHub commented Aug 22, 2017
edited
Loading

No I would not see any value as I don't use SwiftyStoreKit. And so if you were to move over to SwiftyStoreKit then you would be forcing people to also move over or abandon. I think the best solution should be to have a SwiftyStoreKit extension for this repo i.e. it should be a choice to use this repo in SwiftyStoreKit while both are seperate and go on doing their own business without being dependent (except the extension).

@bizz84
Copy link
Author

bizz84 commented Aug 23, 2017

Thank you @MKGitHub for your insight. Your viewpoint as a user is quite valuable to better inform which route we should take.

@andrewcbancroft you raise some very valid points. Local receipt validation has been tackled before as part of the RMStore project, and in that case they settled for having an optional reference implementation.

Some considerations

  • Perhaps local receipt validation should actually be treated as reference implementation.
  • People have been asking to add local receipt verification to SwiftyStoreKit.
  • I agree that this repo can and should exist its own right, independently of SwiftyStoreKit. This way users are not forced to a one-size-fits-all solution.
  • We could make this project easily pluggable into SwiftyStoreKit at an API level.
  • In the documentation we could encourage users to implement their own security logic as desired (you already do that in your disclaimer).

Possible integration steps - code level

In its current form, SwiftyStoreKit can load the local receipt (or refresh it if it's missing) and produce the encrypted receipt contents as Data or String. This functionality is similar to what your ReceiptLoader does.

Within SwiftyLocalReceiptValidator, ReceiptLoader is just the first step of the validateReceipt() method.

We could define an API contract so that users could just create a ReceiptValidator if desired and give it to SwiftyStoreKit. We can talk more in detail about what the API could look like and what changes we could make to both projects to enable this. I included a proposal for this below.

Possible integration steps - project level

I can see various ways in which we could integrate the two projects. Here I try to list them and evaluate pros and cons.

In all cases, we would need to agree on an API that allows SwiftyLocalReceiptValidator to be used within SwiftyStoreKit.

1. Copy SwiftyLocalReceiptValidator into the main SwiftyStoreKit repo.

Pros

  • Easier setup for users that want to use functionality from both projects.

Cons

  • Users that are not interested in local receipt verification could see this as code bloat on SwiftyStoreKit.
  • Maintenance effort would be duplicated if the code lives in two places.

2. Make SwiftyLocalReceiptValidator a submodule of SwiftyStoreKit.

Pros

  • Less maintenance on your side, compared to keeping two similar but not identical copies of your code
  • Any issues pertinent to this project can live within this repo (however, users may still end up opening issues on SwiftyStoreKit if they originally came from there).

Cons

  • Extra dependency for SwiftyStoreKit.
  • Not everyone necessarily wants to use submodules.

3. Keep the two projects separate and let users pick and choose in the Podfile or Cartfile

Pros

  • Most flexible approach - you only use what you need.

Cons

  • As the two projects would be independent, some lightweight wrapper may be needed to make ReceiptValidator available in SwiftyStoreKit.

Summary

Personally, I like option 3. Maybe SwiftyStoreKit could define a protocol that defines an abstract public interface for ReceiptValidator. The same interface could be implemented by other custom verifiers (for example, this AppleReceiptValidator class).

Sample code:

import SwiftyStoreKit
import SwiftyLocalReceiptValidator

// SwiftyStoreKit already defines a ReceiptValidator protocol.
// In this example, your class is renamed to LocalReceiptValidator.
extension LocalReceiptValidator: ReceiptValidator { }

let localReceiptValidator = LocalReceiptValidator()
SwiftyStoreKit.verifyReceipt(using: localReceiptValidator) { result in
    switch result {
    case .success(let receipt):
        print("Verify receipt Success: \(receipt)")
    case .error(let error):
        print("Verify receipt Failed: \(error)")
    }
}

Would be good to get your opinion on the above. Then, we can see how to best more forward.

@MKGitHub
Copy link

option 3 seems like a good start

@bizz84 bizz84 mentioned this issue Aug 24, 2017
Open
@andrewcbancroft
Copy link
Owner

I am SOOO so sorry for the crazy late reply on this thread. Forgive me if you would.

I agree with you and @MKGitHub - Option #3 seems like a good start.

How would that ReceiptValidator protocol be shared across repositories?

@PaulWagener PaulWagener mentioned this issue Oct 6, 2017
Closed
@bizz84
Copy link
Author

bizz84 commented Oct 11, 2017

@andrewcbancroft no worries, things have been quite busy on my side as well :)

I have an idea about how to make this work, however I'm currently unable to compile your code (also see #2).

Would you be able to fix this?

Then I could code up a quick demo that uses both projects.

@PaulWagener
Copy link

@bizz84 I've posted a fix on issue #2 hopefully you'll be able to use it to make the demo

@andrewcbancroft
Copy link
Owner

@PaulWagener, @bizz84 -- I updated README.md with additional prerequisite information based on #2's resolution.

I also added a demo project under Demo that compiles with Xcode 9. I don't know that this particular demo project should be used for the proof of concept you're talking about, Andrea, but I hope it adds value to others attempting to get up and running on their own with this stuff.

@PaulWagener - thank you again for your diligence to remind me of the bridging header and C Union Accessor files.

We should be able to move forward with Andrea's demo that uses both projects at this point. crosses fingers

@aaru
Copy link

aaru commented Feb 17, 2018

@bizz84 any update on this implementation?

@andrewcbancroft
Copy link
Owner

Hey @bizz84 - Hope you're well!

It's been some time since we touched base on trying to move forward with making something like SwiftyLocalReceiptValidator compatible with SwiftyStoreKit.

Last October you mentioned that you had an idea, but you were having build issues with my project. I think I've gotten those fixed.

If now's not the time or you're no longer interested in this (ie, we can just keep the projects separate and developers can grab the code they need from here for local receipt validation if they want to), I may close out this issue. We can pick it back up again in the future if it interests you. What do you think?

@bizz84
Copy link
Author

bizz84 commented Jul 24, 2018 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@bizz84 @MKGitHub @aaru @PaulWagener @andrewcbancroft