diff --git a/packages/fxa-auth-server/lib/routes/subscriptions/apple.ts b/packages/fxa-auth-server/lib/routes/subscriptions/apple.ts
index adcbbb45490..cdc4bdc1ef8 100644
--- a/packages/fxa-auth-server/lib/routes/subscriptions/apple.ts
+++ b/packages/fxa-auth-server/lib/routes/subscriptions/apple.ts
@@ -2,9 +2,10 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 import { ServerRoute } from '@hapi/hapi';
-import isA from 'joi';
 import { DecodedNotificationPayload } from 'app-store-server-api';
 import { OAUTH_SCOPE_SUBSCRIPTIONS_IAP } from 'fxa-shared/oauth/constants';
+import ScopeSet from 'fxa-shared/oauth/scopes';
+import isA from 'joi';
 import { Container } from 'typedi';
 import SUBSCRIPTIONS_DOCS from '../../../docs/swagger/subscriptions-api';
@@ -14,7 +15,6 @@ import { AppleIAP } from '../../payments/iap/apple-app-store/apple-iap';
 import { PurchaseUpdateError } from '../../payments/iap/apple-app-store/types/errors';
 import { IAPConfig } from '../../payments/iap/iap-config';
 import { AuthLogger, AuthRequest } from '../../types';
-import { handleAuthScoped } from './utils';
 
 export class AppleIapHandler {
 private log: AuthLogger;
@@ -94,9 +94,18 @@ export class AppleIapHandler {
 */
 public async registerOriginalTransactionId(request: AuthRequest) {
 this.log.begin('appleIap.registerOriginalTransactionId', request);
- const { uid } = handleAuthScoped(request.auth, [
+ const { auth } = request;
+ const scopes = [
 OAUTH_SCOPE_SUBSCRIPTIONS_IAP,
- ]);
+ // FIXME: Remove this scope and use `handleAuthScoped` instead of below logic
+ // once VPN migration is complete (FXA-5848).
+ 'profile:subscriptions',
+ ];
+ const scope = ScopeSet.fromArray(auth.credentials.scope);
+ if (!scopes.some((requiredScope) => scope.contains(requiredScope))) {
+ throw error.invalidScopes();
+ }
+ const { user: uid } = auth.credentials;
 const { appName } = request.params;
 const { originalTransactionId } = request.payload as any;
 
@@ -110,7 +119,7 @@ export class AppleIapHandler {
 purchase = await this.appStore.purchaseManager.registerToUserAccount(
 bundleId,
 originalTransactionId,
- uid
+ uid as string
 );
 } catch (err) {
 switch (err.name) {
@@ -128,7 +137,7 @@ export class AppleIapHandler {
 );
 }
 }
- await this.capabilityService.iapUpdate(uid, purchase);
+ await this.capabilityService.iapUpdate(uid as string, purchase);
 return { transactionIdValid: true };
 }
 }
diff --git a/packages/fxa-auth-server/test/local/routes/subscriptions/apple.js b/packages/fxa-auth-server/test/local/routes/subscriptions/apple.js
index cda41fffd7d..aad1352a523 100644
--- a/packages/fxa-auth-server/test/local/routes/subscriptions/apple.js
+++ b/packages/fxa-auth-server/test/local/routes/subscriptions/apple.js
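Review bot: The two `uid as string` casts (the `registerToUserAccount` call in the -110 hunk and the `iapUpdate` call in the -128 hunk) appear only because `auth.credentials.user` is presumably typed as optional now that the narrowing done by the removed `handleAuthScoped` result is gone; a cast does not reject a token that carries an accepted scope but no user, so replace both casts with one guard directly after `const { user: uid } = auth.credentials;`, e.g. `if (typeof uid !== 'string') { throw error.invalidScopes(); }` (assuming `error` is already in scope in this file, as the hunk itself uses it). The inline check is also any-of (`scopes.some`), which is wider than requiring the IAP scope, and the added test shows a credential holding only `['profile']` passes it; the FIXME should record that exposure so whoever closes FXA-5848 knows what is being withdrawn, e.g. `// NOTE: until then a token whose scope set satisfies profile:subscriptions (the new test uses the broad 'profile' scope) is enough to register a transaction id for this account.` registerOriginalTransactionId's body continues outside this hunk, through the two later hunks.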
@@ -84,6 +84,15 @@ describe('AppleIapHandler', () => {
 assert.deepEqual(result, { transactionIdValid: true });
 });
 
+ it('accepts a "profile" scope for auth', async () => {
+ request.auth.credentials.scope = ['profile'];
+ appleIap.purchaseManager = {
+ registerToUserAccount: sinon.fake.resolves({}),
+ };
+ iapConfig.getBundleId = sinon.fake.resolves('testPackage');
+ await appleIapHandler.registerOriginalTransactionId(request);
+ });
+
 it('throws on invalid package', async () => {
 appleIap.purchaseManager = {
 registerToUserAccount: sinon.fake.resolves({}),
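Review bot: The new `accepts a "profile" scope for auth` case asserts nothing beyond the promise resolving, so a regression that skipped `registerToUserAccount` or returned a different result would still pass; mirror the preceding case and check both the result and the stub: `const result = await appleIapHandler.registerOriginalTransactionId(request);` / `assert.deepEqual(result, { transactionIdValid: true });` / `sinon.assert.calledOnce(appleIap.purchaseManager.registerToUserAccount);`. The hunk also adds no negative case: a scope set holding neither `profile:subscriptions` nor the IAP scope should be rejected with the invalid-scopes error, which is the property the new inline check in apple.ts exists to enforce, and that is the case most likely to regress when the FIXME scope is removed. The first added line mutates `request.auth.credentials.scope`; unless the enclosing `describe` (which starts outside this hunk) resets it in a `beforeEach`, that value leaks into the later cases.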