fix: improve and simplify android receipt verification (#2545)

* fix: improve and simplify android receipt verification

* test: cover validateGoogleTime

* chore: trigger CI

Author: pavelbrm

services/skus/controllers.go

@@ -997,7 +997,6 @@ func WebhookRouter(svc *Service) chi.Router {
 	return r
 }
 
-// HandleAndroidWebhook is the handler for the Google Playstore webhooks
 func HandleAndroidWebhook(service *Service) handlers.AppHandler {
 	return func(w http.ResponseWriter, r *http.Request) *handlers.AppError {
 		ctx := r.Context()
@@ -1664,16 +1663,17 @@ func handleReceiptErr(err error) *handlers.AppError {
 	}
 
 	switch {
-	case errors.Is(err, errPurchaseFailed):
-		result.ErrorCode = purchaseFailedErrCode
-	case errors.Is(err, errPurchasePending):
-		result.ErrorCode = purchasePendingErrCode
-	case errors.Is(err, errPurchaseDeferred):
-		result.ErrorCode = purchaseDeferredErrCode
-	case errors.Is(err, errPurchaseStatusUnknown):
-		result.ErrorCode = purchaseStatusUnknownErrCode
+	case errors.Is(err, errIOSPurchaseNotFound):
+		result.ErrorCode = "purchase_not_found"
+
+	case errors.Is(err, errExpiredGPSSubPurchase):
+		result.ErrorCode = "purchase_expired"
+
+	case errors.Is(err, errPendingGPSSubPurchase):
+		result.ErrorCode = "purchase_pending"
+
 	default:
-		result.ErrorCode = purchaseValidationErrCode
+		result.ErrorCode = "validation_failed"
 	}
 
 	return result

services/skus/controllers_noint_test.go

@@ -160,66 +160,53 @@ func TestHandleReceiptErr(t *testing.T) {
 		},
 
 		{
-			name:  "errPurchaseFailed",
-			given: errPurchaseFailed,
+			name:  "errIOSPurchaseNotFound",
+			given: errIOSPurchaseNotFound,
 			exp: &handlers.AppError{
-				Message:   "Error " + errPurchaseFailed.Error(),
+				Message:   "Error " + errIOSPurchaseNotFound.Error(),
 				Code:      http.StatusBadRequest,
-				ErrorCode: purchaseFailedErrCode,
+				ErrorCode: "purchase_not_found",
 				Data: map[string]interface{}{
-					"validationErrors": map[string]interface{}{"receiptErrors": errPurchaseFailed.Error()},
+					"validationErrors": map[string]interface{}{"receiptErrors": errIOSPurchaseNotFound.Error()},
 				},
 			},
 		},
 
 		{
-			name:  "errPurchasePending",
-			given: errPurchasePending,
+			name:  "errExpiredGPSSubPurchase",
+			given: errExpiredGPSSubPurchase,
 			exp: &handlers.AppError{
-				Message:   "Error " + errPurchasePending.Error(),
+				Message:   "Error " + errExpiredGPSSubPurchase.Error(),
 				Code:      http.StatusBadRequest,
-				ErrorCode: purchasePendingErrCode,
+				ErrorCode: "purchase_expired",
 				Data: map[string]interface{}{
-					"validationErrors": map[string]interface{}{"receiptErrors": errPurchasePending.Error()},
+					"validationErrors": map[string]interface{}{"receiptErrors": errExpiredGPSSubPurchase.Error()},
 				},
 			},
 		},
 
 		{
-			name:  "errPurchaseDeferred",
-			given: errPurchaseDeferred,
+			name:  "errPendingGPSSubPurchase",
+			given: errPendingGPSSubPurchase,
 			exp: &handlers.AppError{
-				Message:   "Error " + errPurchaseDeferred.Error(),
+				Message:   "Error " + errPendingGPSSubPurchase.Error(),
 				Code:      http.StatusBadRequest,
-				ErrorCode: purchaseDeferredErrCode,
+				ErrorCode: "purchase_pending",
 				Data: map[string]interface{}{
-					"validationErrors": map[string]interface{}{"receiptErrors": errPurchaseDeferred.Error()},
-				},
-			},
-		},
-
-		{
-			name:  "errPurchaseStatusUnknown",
-			given: errPurchaseStatusUnknown,
-			exp: &handlers.AppError{
-				Message:   "Error " + errPurchaseStatusUnknown.Error(),
-				Code:      http.StatusBadRequest,
-				ErrorCode: purchaseStatusUnknownErrCode,
-				Data: map[string]interface{}{
-					"validationErrors": map[string]interface{}{"receiptErrors": errPurchaseStatusUnknown.Error()},
+					"validationErrors": map[string]interface{}{"receiptErrors": errPendingGPSSubPurchase.Error()},
 				},
 			},
 		},
 
 		{
 			name:  "errSomethingElse",
-			given: model.Error("something else"),
+			given: model.Error("something_else"),
 			exp: &handlers.AppError{
-				Message:   "Error something else",
+				Message:   "Error something_else",
 				Code:      http.StatusBadRequest,
-				ErrorCode: purchaseValidationErrCode,
+				ErrorCode: "validation_failed",
 				Data: map[string]interface{}{
-					"validationErrors": map[string]interface{}{"receiptErrors": "something else"},
+					"validationErrors": map[string]interface{}{"receiptErrors": "something_else"},
 				},
 			},
 		},

services/skus/playstore.go

@@ -0,0 +1,33 @@
+package skus
+
+import (
+	"time"
+
+	"google.golang.org/api/androidpublisher/v3"
+
+	"github.com/brave-intl/bat-go/services/skus/model"
+)
+
+const (
+	errExpiredGPSSubPurchase = model.Error("playstore: subscription purchase expired")
+	errPendingGPSSubPurchase = model.Error("playstore: subscription purchase pending")
+)
+
+type playStoreSubPurchase androidpublisher.SubscriptionPurchase
+
+func (x *playStoreSubPurchase) hasExpired(now time.Time) bool {
+	return x.ExpiryTimeMillis < now.UnixMilli()
+}
+
+func (x *playStoreSubPurchase) isPending() bool {
+	// The payment state is not present for canceled or expired subscriptions.
+	if x.PaymentState == nil {
+		return false
+	}
+
+	const pending, pendingDef = int64(0), int64(3)
+
+	state := *x.PaymentState
+
+	return state == pending || state == pendingDef
+}

services/skus/playstore_test.go

@@ -0,0 +1,105 @@
+package skus
+
+import (
+	"testing"
+	"time"
+
+	should "github.com/stretchr/testify/assert"
+)
+
+func TestPlayStoreSubPurchase_hasExpired(t *testing.T) {
+	type tcGiven struct {
+		sub *playStoreSubPurchase
+		now time.Time
+	}
+
+	type testCase struct {
+		name  string
+		given tcGiven
+		exp   bool
+	}
+
+	tests := []testCase{
+		{
+			name: "zero_expired",
+			given: tcGiven{
+				sub: &playStoreSubPurchase{},
+				now: time.Date(2024, time.January, 1, 0, 0, 1, 0, time.UTC),
+			},
+			exp: true,
+		},
+
+		{
+			name: "not_expired",
+			given: tcGiven{
+				sub: &playStoreSubPurchase{
+					ExpiryTimeMillis: time.Date(2024, time.January, 1, 0, 0, 1, 0, time.UTC).UnixMilli(),
+				},
+
+				now: time.Date(2024, time.January, 2, 0, 0, 1, 0, time.UTC),
+			},
+			exp: true,
+		},
+
+		{
+			name: "not_expired_equal",
+			given: tcGiven{
+				sub: &playStoreSubPurchase{
+					ExpiryTimeMillis: time.Date(2024, time.January, 1, 0, 0, 1, 0, time.UTC).UnixMilli(),
+				},
+
+				now: time.Date(2024, time.January, 1, 0, 0, 1, 0, time.UTC),
+			},
+		},
+	}
+
+	for i := range tests {
+		tc := tests[i]
+
+		t.Run(tc.name, func(t *testing.T) {
+			actual := tc.given.sub.hasExpired(tc.given.now)
+			should.Equal(t, tc.exp, actual)
+		})
+	}
+}
+
+func TestPlayStoreSubPurchase_isPending(t *testing.T) {
+	type testCase struct {
+		name  string
+		given *playStoreSubPurchase
+		exp   bool
+	}
+
+	tests := []testCase{
+		{
+			name:  "not_pending_no_payment",
+			given: &playStoreSubPurchase{},
+		},
+
+		{
+			name:  "not_pending_paid",
+			given: &playStoreSubPurchase{PaymentState: ptrTo(int64(1))},
+		},
+
+		{
+			name:  "pending",
+			given: &playStoreSubPurchase{PaymentState: ptrTo(int64(0))},
+			exp:   true,
+		},
+
+		{
+			name:  "pending_deferred",
+			given: &playStoreSubPurchase{PaymentState: ptrTo(int64(3))},
+			exp:   true,
+		},
+	}
+
+	for i := range tests {
+		tc := tests[i]
+
+		t.Run(tc.name, func(t *testing.T) {
+			actual := tc.given.isPending()
+			should.Equal(t, tc.exp, actual)
+		})
+	}
+}

services/skus/receipt.go

@@ -2,7 +2,6 @@ package skus
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httputil"
@@ -17,45 +16,11 @@ import (
 	"github.com/brave-intl/bat-go/services/skus/model"
 )
 
-const (
-	androidPaymentStatePending int64 = iota
-	androidPaymentStatePaid
-	androidPaymentStateTrial
-	androidPaymentStatePendingDeferred
-)
-
-const (
-	androidCancelReasonUser      int64 = 0
-	androidCancelReasonSystem    int64 = 1
-	androidCancelReasonReplaced  int64 = 2
-	androidCancelReasonDeveloper int64 = 3
-
-	purchasePendingErrCode       = "purchase_pending"
-	purchaseDeferredErrCode      = "purchase_deferred"
-	purchaseStatusUnknownErrCode = "purchase_status_unknown"
-	purchaseFailedErrCode        = "purchase_failed"
-	purchaseValidationErrCode    = "validation_failed"
-)
-
 const (
 	errNoInAppTx           model.Error = "no in app info in response"
 	errIOSPurchaseNotFound model.Error = "ios: purchase not found"
 )
 
-var (
-	errPurchaseUserCanceled      = errors.New("purchase is canceled by user")
-	errPurchaseSystemCanceled    = errors.New("purchase is canceled by google playstore")
-	errPurchaseReplacedCanceled  = errors.New("purchase is canceled and replaced")
-	errPurchaseDeveloperCanceled = errors.New("purchase is canceled by developer")
-
-	errPurchasePending       = errors.New("purchase is pending")
-	errPurchaseDeferred      = errors.New("purchase is deferred")
-	errPurchaseStatusUnknown = errors.New("purchase status is unknown")
-	errPurchaseFailed        = errors.New("purchase failed")
-
-	errPurchaseExpired = errors.New("purchase expired")
-)
-
 type dumpTransport struct{}
 
 func (dt *dumpTransport) RoundTrip(r *http.Request) (*http.Response, error) {
@@ -111,6 +76,8 @@ func newReceiptVerifier(cl *http.Client, asKey string, playKey []byte) (*receipt
 }
 
 // validateApple validates Apple App Store receipt.
+//
+// TODO(pavelb): Propagate expiry time for properly updating the order.
 func (v *receiptVerifier) validateApple(ctx context.Context, req model.ReceiptRequest) (string, error) {
 	asreq := appstore.IAPRequest{
 		Password:               v.asKey,
@@ -163,54 +130,29 @@ func (v *receiptVerifier) validateApple(ctx context.Context, req model.ReceiptRe
 	return item.OriginalTransactionID, nil
 }
 
-// validateGoogle validates Google Store receipt.
+// validateGoogle validates a Play Store receipt.
+//
+// TODO(pavelb): Propagate expiry time for properly updating the order.
 func (v *receiptVerifier) validateGoogle(ctx context.Context, req model.ReceiptRequest) (string, error) {
-	l := logging.Logger(ctx, "skus").With().Str("func", "validateReceiptGoogle").Logger()
-
-	l.Debug().Str("receipt", fmt.Sprintf("%+v", req)).Msg("about to verify subscription")
+	return v.validateGoogleTime(ctx, req, time.Now())
+}
 
-	resp, err := v.playStoreCl.VerifySubscription(ctx, req.Package, req.SubscriptionID, req.Blob)
+func (v *receiptVerifier) validateGoogleTime(ctx context.Context, req model.ReceiptRequest, now time.Time) (string, error) {
+	sub, err := v.playStoreCl.VerifySubscription(ctx, req.Package, req.SubscriptionID, req.Blob)
 	if err != nil {
-		l.Error().Err(err).Msg("failed to verify subscription")
-		return "", errPurchaseFailed
+		return "", fmt.Errorf("failed to fetch subscription purchase: %w", err)
 	}
 
-	// Check order expiration.
-	if time.Unix(0, resp.ExpiryTimeMillis*int64(time.Millisecond)).Before(time.Now()) {
-		return "", errPurchaseExpired
+	psub := (*playStoreSubPurchase)(sub)
+	if psub.hasExpired(now) {
+		return "", errExpiredGPSSubPurchase
 	}
 
-	l.Debug().Msgf("resp: %+v", resp)
-
-	if resp.PaymentState == nil {
-		l.Error().Err(err).Msg("failed to verify subscription: no payment state")
-		return "", errPurchaseFailed
+	if psub.isPending() {
+		return "", errPendingGPSSubPurchase
 	}
 
-	// Check that the order was paid.
-	switch *resp.PaymentState {
-	case androidPaymentStatePaid, androidPaymentStateTrial:
-		return req.Blob, nil
-
-	case androidPaymentStatePending:
-		// Check for cancel reason.
-		switch resp.CancelReason {
-		case androidCancelReasonUser:
-			return "", errPurchaseUserCanceled
-		case androidCancelReasonSystem:
-			return "", errPurchaseSystemCanceled
-		case androidCancelReasonReplaced:
-			return "", errPurchaseReplacedCanceled
-		case androidCancelReasonDeveloper:
-			return "", errPurchaseDeveloperCanceled
-		}
-		return "", errPurchasePending
-
-	case androidPaymentStatePendingDeferred:
-		return "", errPurchaseDeferred
-	default:
-		return "", errPurchaseStatusUnknown
-	}
+	return req.Blob, nil
 }
 
 func findInAppBySubID(iap []appstore.InApp, subID string) (*appstore.InApp, bool) {