No password in status update notifications

Hi,
We'd like to use status update notifications. We have configured our server and added the proper URL to Subscription Status URL in our account. Now we test it in the Sandbox environment and we get some notifications from Apple that look like this:


{
'auto_renew_product_id': 'SOMETHING',
'users': 'SOMETHING',
'auto_renew_status': 'SOMETHING',
'environment': 'SOMETHING',
'latest_receipt': 'SOMETHING',
'latest_receipt_info': {
       'transaction_id': 'SOMETHING',
       'bid': 'SOMETHING',
       'expires_date_formatted_pst': 'SOMETHING',
       'expires_date': 'SOMETHING',
       'unique_vendor_identifier': 'SOMETHING',
       'original_purchase_date': 'SOMETHING',
       'purchase_date_pst': 'SOMETHING',
       'unique_identifier': 'SOMETHING',
       'original_transaction_id': 'SOMETHING',
       'purchase_date_ms': 'SOMETHING',
       'web_order_line_item_id': 'SOMETHING',
       'is_trial_period': 'SOMETHING',
       'is_in_intro_offer_period': 'SOMETHING',
       'product_id': 'SOMETHING',
       'original_purchase_date_ms': 'SOMETHING',
       'original_purchase_date_pst': 'SOMETHING',
       'expires_date_formatted': 'SOMETHING',
       'item_id': 'SOMETHING',
       'purchase_date': 'SOMETHING',
       'bvrs': 'SOMETHING',
       'quantity': 'SOMETHING'
       },
'notification_type': 'SOMETHING',
}

But unfortunately there is no password field. Does anybody know why and how to fix it?
According to: https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/StoreKitGuide/Chapters/Subscriptions.html
there should be a password field.


Please help!

Accepted Reply

This looks like a documentation issue - a bug report. The field description is - "This value is the same as the shared secret you POST when validating receipts. See Validating Receipts With the App Store.". For security, the shared-secret used to validate your appStoreReceipts should not be included in such a server-to-server notification. If you have forgotten the shared secret, go to your iTunesConnect account, access the app details and there is a button for displaying the shared secret.


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI

Replies


I hope that this remains a bug in the documents and that they don’t add the password to an unencrypted receipt. Please don’t request that the field be added.

Thanks!

Hi Rich,


So just to confirm, there will be no password sent on Status Notifications, correct? Because the documentation still lists so.


And this post https://forums.developer.apple.com/message/252548#252548

seems to suggest that a user does receive a password field in the notifications.


If there is a password, however, is the password encrypted in any form? And if there is no password, what are some ways the server listening for the notification can verify if the notification is from a legitimate source?

ytdev,


The documentation indicates that the "password" field is included in the notification, but findings reported by others indicate otherwise. However, the posting referenced indicates otherwise. I've submitted a bug report to get this question answered officially. The documentation makes no mention that the password field is encrypted. There is no reason for the password to be included.


As for verifying the authenticity of the notification, your process should validate the associated appStoreReceipt. The contents of the appStoreReceipt are signed by Apple and the contents of the in_app array and the latest_receipt_info will indicate the in-app purchase history as recorded by the App Store.


rich kubota - rkubota@apple.com


developer technical support CoreOS/Hardware/MFI
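
The receipt check described in the reply above, as an added example that is not part of the original thread and not Apple's code: the listener ignores the notification's own claims until the App Store has validated `latest_receipt`, then acts only on the fields Apple returns. The names `verify_notification`, `post_json` and the `transport` parameter are hypothetical; the verifyReceipt endpoint URLs and the status codes 0 and 21007 come from Apple's receipt validation documentation, not from this thread.

```python
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"


def post_json(url, payload):
    """Default transport: POST JSON to the App Store and parse the reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_notification(notification, shared_secret, transport=post_json):
    """Return Apple's verified transaction record, or None if untrusted.

    The shared secret is sent by us to Apple; it is never expected
    inside the incoming notification.
    """
    receipt = notification.get("latest_receipt")
    claimed = notification.get("latest_receipt_info") or {}
    wanted = claimed.get("original_transaction_id")
    if not receipt or not wanted:
        return None
    payload = {"receipt-data": receipt, "password": shared_secret}
    result = transport(PRODUCTION_URL, payload)
    if result.get("status") == 21007:  # sandbox receipt sent to production
        result = transport(SANDBOX_URL, payload)
    if result.get("status") != 0:      # anything but 0 means not validated
        return None
    verified = result.get("latest_receipt_info") or []
    if isinstance(verified, dict):     # older receipt style returns one dict
        verified = [verified]
    # Trust only Apple's copy of the record, matched to the claimed id.
    for txn in verified:
        if txn.get("original_transaction_id") == wanted:
            return txn
    return None
```

Passing a stub as `transport` lets the handler be exercised without contacting the App Store.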

Hi Rich,


Have there been any updates from the bug report since?
Thanks