rickwierenga / app-store-notifications-v2-validator Goto Github PK

Code is not picking apple root cert file path from param or default path if environment var is not None.

Supporting apple cert root file path in function param gives more flexibity in program.
Also can we upgrade cryptography to 40.0.2 and PyJWT to 2.7.0.

I suggest to comment #25 fn = os.path.expanduser(fn)
because sounds like force me to put apple cert in home dir, perhaps put full file path is good. Just a suggestion.
btw, the tool is so cool.

Reading the PyJWT docs, it is warned that:

Do not compute the algorithms parameter based on the alg from the token itself, or on any other data that an attacker may be able to influence, as that might expose you to various vulnerabilities (see RFC 8725 §2.1). Instead, either hard-code a fixed value for algorithms, or configure it in the same place you configure the key.

Which is what happens here instead:

I think you should hardcode ["ES256"] here.

Issue Description:
When calling the parse() method on a subscription renewal notification, an error occurs because _decode_jws() has received only one required argument.

Error Log:

File "/usr/local/lib/python3.10/site-packages/app_store_notifications_v2_validator/__init__.py", line 78, in parse
    signedRenewalInfo = _decode_jws(payload["data"]["signedRenewalInfo"])
TypeError: _decode_jws() missing 1 required positional argument: 'root_cert_path'"

Problem Cause:
This error may be caused by the fact that _decode_jws() requires two arguments (token and root_cert_path), but only one argument is passed in the parse() method for processing when signedRenewalInfo is included.

As a suggested fix, I suggest passing the second argument root_cert_path to _decode_jws() appropriately.

I've been using this software and find it incredibly helpful due to its simplicity and convenience. I'm truly grateful for your work. Thank you so much.