Merge pull request #7 from GoodNotes/arturo/isi-jwt

arturogutierrez · web-flow · commit 794ec1f6adde · 2025-08-13T11:51:16.000+02:00
[iOS] Support for ISI JWT
diff --git a/Sources/Error Handling/BackendError.swift b/Sources/Error Handling/BackendError.swift
@@ -29,6 +29,7 @@ enum BackendError: Error, Equatable {
     case invalidWebRedemptionToken
     case purchaseBelongsToOtherUser
     case expiredWebRedemptionToken(obfuscatedEmail: String)
+    case unableToRefreshJWT
 
 }
 
@@ -142,6 +143,10 @@ extension BackendError: PurchasesErrorConvertible {
                                            extraUserInfo: [
                                             .obfuscatedEmail: obfuscatedEmail
                                            ])
+        case .unableToRefreshJWT:
+            let code = BackendErrorCode.unableToRefreshJWT
+            return ErrorUtils.backendError(withBackendCode: code,
+                                           originalBackendErrorCode: code.rawValue)
 
         }
     }
@@ -182,7 +187,8 @@ extension BackendError {
              .unexpectedBackendResponse,
              .invalidWebRedemptionToken,
              .purchaseBelongsToOtherUser,
-             .expiredWebRedemptionToken:
+             .expiredWebRedemptionToken,
+             .unableToRefreshJWT:
             return nil
         }
     }
@@ -204,7 +210,8 @@ extension BackendError {
                 .missingCachedCustomerInfo,
                 .invalidWebRedemptionToken,
                 .purchaseBelongsToOtherUser,
-                .expiredWebRedemptionToken:
+                .expiredWebRedemptionToken,
+                .unableToRefreshJWT:
             return nil
 
         case let .unexpectedBackendResponse(error, _, _):
diff --git a/Sources/Error Handling/BackendErrorCode.swift b/Sources/Error Handling/BackendErrorCode.swift
@@ -50,6 +50,7 @@ enum BackendErrorCode: Int, Error {
     case invalidWebRedemptionToken = 7849
     case purchaseBelongsToOtherUser = 7852
     case expiredWebRedemptionToken = 7853
+    case unableToRefreshJWT = 6000
 
     /**
      * - Parameter code: Generally comes from the backend in json. This may be a String, or an Int, or nothing.
@@ -137,6 +138,8 @@ extension BackendErrorCode {
             return .purchaseBelongsToOtherUser
         case .expiredWebRedemptionToken:
             return .expiredWebPurchaseToken
+        case .unableToRefreshJWT:
+            return .unableToRefreshJWT
         case .unknownError:
             return .unknownError
         }
diff --git a/Sources/Error Handling/ErrorCode.swift b/Sources/Error Handling/ErrorCode.swift
@@ -64,6 +64,7 @@ import Foundation
     @objc(RCInvalidWebPurchaseToken) case invalidWebPurchaseToken = 39
     @objc(RCPurchaseBelongsToOtherUser) case purchaseBelongsToOtherUser = 40
     @objc(RCExpiredWebPurchaseToken) case expiredWebPurchaseToken = 41
+    @objc(RCUnableToRefreshJWT) case unableToRefreshJWT = 1001
 
     // swiftlint:enable missing_docs
 
diff --git a/Sources/Logging/Strings/JWTStrings.swift b/Sources/Logging/Strings/JWTStrings.swift
@@ -0,0 +1,34 @@
+//
+//  JWTStrings.swift
+//  Goodnotes
+//
+//  Created by Arturo Gutiérrez on 6/8/25.
+//
+
+import Foundation
+
+// swiftlint:disable identifier_name
+
+enum JWTStrings {
+    case clearing_cache
+    case storing_jwt(String)
+    case using_jwt(String)
+    case refreshing_jwt
+    case unable_to_refresh_jwt
+    case jwt_refreshed
+}
+
+extension JWTStrings: LogMessage {
+    var description: String {
+        switch self {
+        case .clearing_cache: return "Clearing JWT cache"
+        case let .storing_jwt(jwt): return "Storing JWT in cache: '\(jwt)'..."
+        case let .using_jwt(jwt): return "Using JWT: '\(jwt)'"
+        case .refreshing_jwt: return "Refreshing JWT calling to CustomerInfo..."
+        case .unable_to_refresh_jwt: return "Unable to refresh JWT"
+        case .jwt_refreshed: return "JWT refreshed"
+        }
+    }
+
+    var category: String { return "jwt" }
+}
diff --git a/Sources/Logging/Strings/Strings.swift b/Sources/Logging/Strings/Strings.swift
@@ -32,6 +32,7 @@ enum Strings {
     static let receipt = ReceiptStrings.self
     static let signing = SigningStrings.self
     static let storeKit = StoreKitStrings.self
+    static let jwt = JWTStrings.self
 
 }
 
diff --git a/Sources/Networking/Backend.swift b/Sources/Networking/Backend.swift
@@ -22,6 +22,7 @@ class Backend {
     let internalAPI: InternalAPI
     let customerCenterConfig: CustomerCenterConfigAPI
     let redeemWebPurchaseAPI: RedeemWebPurchaseAPI
+    let jwtManager: JWTManager
 
     private let config: BackendConfiguration
 
@@ -30,6 +31,7 @@ class Backend {
         systemInfo: SystemInfo,
         httpClientTimeout: TimeInterval = Configuration.networkTimeoutDefault,
         eTagManager: ETagManager,
+        jwtManager: JWTManager,
         operationDispatcher: OperationDispatcher,
         attributionFetcher: AttributionFetcher,
         offlineCustomerInfoCreator: OfflineCustomerInfoCreator?,
@@ -39,6 +41,7 @@ class Backend {
         let httpClient = HTTPClient(apiKey: apiKey,
                                     systemInfo: systemInfo,
                                     eTagManager: eTagManager,
+                                    jwtManager: jwtManager,
                                     signing: Signing(apiKey: apiKey, clock: systemInfo.clock),
                                     diagnosticsTracker: diagnosticsTracker,
                                     requestTimeout: httpClientTimeout,
@@ -89,6 +92,7 @@ class Backend {
         self.internalAPI = internalAPI
         self.customerCenterConfig = customerCenterConfig
         self.redeemWebPurchaseAPI = redeemWebPurchaseAPI
+        self.jwtManager = backendConfig.httpClient.jwtManager
     }
 
     func clearHTTPClientCaches() {
@@ -143,6 +147,32 @@ class Backend {
         self.customer.post(subscriberAttributes: subscriberAttributes, appUserID: appUserID, completion: completion)
     }
 
+    func getJWTToken(appUserID: String) async throws -> String {
+        if let token = self.jwtManager.jwtToken() {
+            return token
+        }
+        
+        Logger.debug(JWTStrings.refreshing_jwt)
+
+        // Refresh
+        let _ = try await withUnsafeThrowingContinuation { continuation in
+            self.config.systemInfo.isApplicationBackgrounded { isAppBackgrounded in
+                self.getCustomerInfo(appUserID: appUserID, isAppBackgrounded: isAppBackgrounded) { result in
+                    continuation.resume(with: result)
+                }
+            }
+        }
+               
+        guard let token = self.jwtManager.jwtToken() else {
+            Logger.debug(JWTStrings.unable_to_refresh_jwt)
+
+            throw BackendError.unableToRefreshJWT
+        }
+        
+        Logger.debug(JWTStrings.jwt_refreshed)
+        
+        return token
+    }
 }
 
 extension Backend {
diff --git a/Sources/Networking/HTTPClient/HTTPClient.swift b/Sources/Networking/HTTPClient/HTTPClient.swift
@@ -25,6 +25,7 @@ class HTTPClient {
     let timeout: TimeInterval
     let apiKey: String
     let authHeaders: RequestHeaders
+    let jwtManager: JWTManager
 
     private let session: URLSession
     private let state: Atomic<State> = .init(.initial)
@@ -45,6 +46,7 @@ class HTTPClient {
     init(apiKey: String,
          systemInfo: SystemInfo,
          eTagManager: ETagManager,
+         jwtManager: JWTManager,
          signing: SigningType,
          diagnosticsTracker: DiagnosticsTrackerType?,
          dnsChecker: DNSCheckerType.Type = DNSChecker.self,
@@ -57,11 +59,13 @@ class HTTPClient {
         config.timeoutIntervalForRequest = requestTimeout
         config.timeoutIntervalForResource = requestTimeout
         config.urlCache = nil // We implement our own caching with `ETagManager`.
+        config.httpCookieStorage = nil // We implement our cookie caching with `JWTManager`
         self.session = URLSession(configuration: config,
                                   delegate: RedirectLoggerSessionDelegate(),
                                   delegateQueue: nil)
         self.systemInfo = systemInfo
         self.eTagManager = eTagManager
+        self.jwtManager = jwtManager
         self.signing = signing
         self.diagnosticsTracker = diagnosticsTracker
         self.dnsChecker = dnsChecker
@@ -106,6 +110,7 @@ class HTTPClient {
 
     func clearCaches() {
         self.eTagManager.clearCaches()
+        self.jwtManager.clearCaches()
     }
 
     var signatureVerificationEnabled: Bool {
@@ -432,6 +437,7 @@ private extension HTTPClient {
                 data: Data?,
                 error networkError: Error?,
                 requestStartTime: Date) {
+        
         RCTestAssertNotMainThread()
 
         let response = self.parse(
@@ -479,6 +485,9 @@ private extension HTTPClient {
             }
 
             if !requestRetryScheduled {
+                if let urlResponse = urlResponse {
+                    jwtManager.store(from: urlResponse)
+                }
                 request.completionHandler?(response)
             }
         } else {
@@ -561,9 +570,12 @@ private extension HTTPClient {
                 withSignatureVerification: request.verificationMode.isEnabled,
                 refreshETag: request.retried
             )
-            return request.headers.merging(eTagHeader)
+            return request.headers
+                .merging(eTagHeader)
+                .merging(jwtManager.jwtHeader())
         } else {
             return request.headers
+                .merging(jwtManager.jwtHeader())
         }
     }
 
diff --git a/Sources/Networking/HTTPClient/JWTManager.swift b/Sources/Networking/HTTPClient/JWTManager.swift
@@ -0,0 +1,124 @@
+//
+//  JWTManager.swift
+//  Goodnotes
+//
+//  Created by Arturo Gutiérrez on 6/8/25.
+//
+
+import Foundation
+
+class JWTManager {
+    private let userDefaults: SynchronizedUserDefaults
+
+    convenience init() {
+        self.init(
+            userDefaults: UserDefaults(suiteName: Self.suiteName) ?? UserDefaults.standard
+        )
+    }
+
+    init(userDefaults: UserDefaults) {
+        self.userDefaults = .init(userDefaults: userDefaults)
+    }
+
+    func store(from urlResponse: URLResponse) {
+        guard let httpUrlResponse = urlResponse as? HTTPURLResponse else { return }
+        guard let url = httpUrlResponse.url else { return }
+
+        let allHeaders = httpUrlResponse.allHeaderFields
+            .compactMapKeys { $0 as? String }
+            .compactMapValues { $0 as? String }
+
+        let cookies = HTTPCookie.cookies(withResponseHeaderFields: allHeaders, for: url)
+
+        guard let cookie = cookies.first(where: { $0.name == Self.jwtCookieHeaderName }) else { return }
+        let jwt = cookie.value
+
+        Logger.debug(JWTStrings.storing_jwt(jwt))
+
+        userDefaults.write {
+            $0.set(jwt, forKey: .jwtKey)
+        }
+    }
+
+    func jwtToken() -> String? {
+        guard let base64 = userDefaults.read({ return $0.object(forKey: .jwtKey) as? String }) else {
+            return nil
+        }
+
+        guard let jwt = JWTToken(tokenValue: base64) else { return nil }
+        guard isJWTValid(jwt) else {
+            userDefaults.write { $0.removeObject(forKey: .jwtKey) }
+            return nil
+        }
+
+        Logger.debug(JWTStrings.using_jwt(base64))
+        return base64
+    }
+
+    func jwtHeader() -> [String: String] {
+        guard let jwt = jwtToken() else { return [:] }
+        return ["Cookie": "\(Self.jwtCookieHeaderName)=\(jwt)"]
+    }
+
+    func clearCaches() {
+        Logger.debug(Strings.jwt.clearing_cache)
+
+        userDefaults.write {
+            $0.removePersistentDomain(forName: Self.suiteName)
+        }
+    }
+
+    private func isJWTValid(_ jwt: JWTToken) -> Bool {
+        // We consider a token as as expired for less than 2 minute of validity
+        // (using two minutes to play safe with the default timeouts of any network call).
+        return Double(jwt.expiresAt - 120) > Date().timeIntervalSince1970
+    }
+}
+
+struct JWTToken: Codable {
+    enum CodingKeys: String, CodingKey {
+        case expiresAt = "exp"
+    }
+
+    let expiresAt: Int64
+}
+
+extension JWTToken {
+    public init?(tokenValue: String?) {
+        guard let tokenValue else { return nil }
+        let jwtComponents = tokenValue.components(separatedBy: ".")
+        guard jwtComponents.count == 3 else { return nil }
+
+        var jwtPayload = jwtComponents[1]
+        // JWT uses base64url. Converting to standard base 64
+        jwtPayload = jwtPayload
+            .replacingOccurrences(of: "-", with: "+")
+            .replacingOccurrences(of: "_", with: "/")
+            // Padding payload to 4 multiple, otherwise base64 decode will fail
+            .padding(toLength: ((jwtPayload.count + 3) / 4) * 4, withPad: "=", startingAt: 0)
+
+        guard let decodedData = Data(base64Encoded: jwtPayload, options: []) else {
+            return nil
+        }
+        guard let jwtToken = try? JSONDecoder().decode(JWTToken.self, from: decodedData) else {
+            return nil
+        }
+        self.init(expiresAt: jwtToken.expiresAt)
+    }
+}
+
+extension String {
+    fileprivate static let jwtKey = "isi_jwt"
+}
+
+extension JWTManager {
+    fileprivate static let suiteNameBase: String = "revenuecat.jwt"
+    fileprivate static var suiteName: String {
+        guard let bundleID = Bundle.main.bundleIdentifier else {
+            return suiteNameBase
+        }
+        return bundleID + ".\(suiteNameBase)"
+    }
+
+    fileprivate static let jwtCookieHeaderName: String = "isi_token"
+}
diff --git a/Sources/Purchasing/Purchases/Purchases.swift b/Sources/Purchasing/Purchases/Purchases.swift
@@ -300,6 +300,7 @@ public typealias StartPurchaseBlock = (@escaping PurchaseCompletedBlock) -> Void
 
         let receiptFetcher = ReceiptFetcher(requestFetcher: fetcher, systemInfo: systemInfo)
         let eTagManager = ETagManager()
+        let jwtManager = JWTManager()
         let attributionTypeFactory = AttributionTypeFactory()
         let attributionFetcher = AttributionFetcher(attributionFactory: attributionTypeFactory, systemInfo: systemInfo)
         let userDefaults = userDefaults ?? UserDefaults.computeDefault()
@@ -329,6 +330,7 @@ public typealias StartPurchaseBlock = (@escaping PurchaseCompletedBlock) -> Void
             systemInfo: systemInfo,
             httpClientTimeout: networkTimeout,
             eTagManager: eTagManager,
+            jwtManager: jwtManager,
             operationDispatcher: operationDispatcher,
             attributionFetcher: attributionFetcher,
             offlineCustomerInfoCreator: .createIfAvailable(
@@ -1256,6 +1258,13 @@ public extension Purchases {
     }
 }
 
+// MARK: ISI JWT
+public extension Purchases {
+    func getJWTToken() async throws -> String {
+        return try await self.backend.getJWTToken(appUserID: self.appUserID)
+    }
+}
+
 // swiftlint:enable missing_docs
 
 // MARK: - Paywalls & Customer Center

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ enum Strings {`
`32`	`32`	`static let receipt = ReceiptStrings.self`
`33`	`33`	`static let signing = SigningStrings.self`
`34`	`34`	`static let storeKit = StoreKitStrings.self`
	`35`	`+ static let jwt = JWTStrings.self`
`35`	`36`
`36`	`37`	`}`
`37`	`38`