Skip to content

HTTPRequest.Path.health: don't cache using ETagManager#2278

Merged
NachoSoto merged 5 commits into
mainfrom
health-not-cached
Feb 13, 2023
Merged

HTTPRequest.Path.health: don't cache using ETagManager#2278
NachoSoto merged 5 commits into
mainfrom
health-not-cached

Conversation

@NachoSoto

@NachoSoto NachoSoto commented Feb 10, 2023
edited
Loading

Copy link
Copy Markdown
Contributor

This breaks signature validation in #2267 because PurchasesDiagnostics uses that endpoint with and without signature validation, so the first time it makes a request, it stores the cached response without a validated signature.

The best solution is to simply not send etags for this endpoint, since it's used precisely to make sure that requests can be made with no errors, and we wouldn't want false positives.

@NachoSoto NachoSoto requested a review from a team February 10, 2023 00:12
@NachoSoto NachoSoto marked this pull request as ready for review February 10, 2023 00:12
@codecov

codecov Bot commented Feb 10, 2023
edited
Loading

Copy link
Copy Markdown

Codecov Report

Merging #2278 (da614e7) into main (45709e3) will decrease coverage by 0.01%.
The diff coverage is 96.00%.

❗ Current head da614e7 differs from pull request most recent head 93e78c4. Consider uploading reports for the commit 93e78c4 to get more accurate results

@@            Coverage Diff             @@
##             main    #2278      +/-   ##
==========================================
- Coverage   86.19%   86.19%   -0.01%     
==========================================
  Files         186      186              
  Lines       12285    12303      +18     
==========================================
+ Hits        10589    10604      +15     
- Misses       1696     1699       +3
Impacted Files Coverage Δ
Sources/Networking/HTTPClient/HTTPClient.swift 97.99% <88.88%> (-0.31%) ⬇️
Sources/Networking/HTTPClient/HTTPRequest.swift 100.00% <100.00%> (ø)
...chasing/StoreKitAbstractions/SK1StoreProduct.swift 92.30% <0.00%> (-5.77%) ⬇️
...s/LocalReceiptParsing/Helpers/ReceiptStrings.swift 79.71% <0.00%> (-4.35%) ⬇️
...king/Operations/GetIntroEligibilityOperation.swift 98.41% <0.00%> (-1.59%) ⬇️
Sources/Misc/SandboxEnvironmentDetector.swift 93.75% <0.00%> (-1.49%) ⬇️
...s/Purchasing/Purchases/PurchasesOrchestrator.swift 85.92% <0.00%> (-0.12%) ⬇️
Sources/Misc/SystemInfo.swift 98.29% <0.00%> (+0.02%) ⬆️
Sources/Support/ManageSubscriptionsHelper.swift 70.10% <0.00%> (+2.06%) ⬆️
...s/Purchasing/StoreKitAbstractions/Storefront.swift 62.50% <0.00%> (+5.35%) ⬆️
... and 1 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

NachoSoto
NachoSoto commented Feb 10, 2023
View reviewed changes
Comment thread Tests/UnitTests/Networking/HTTPClientTests.swift
expect(result?.value?.statusCode) == .success
}

func testCachedRequestsIncludeETagHeader() {

@NachoSoto NachoSoto Feb 10, 2023

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out we didn't have tests for this!

@aboedo aboedo Feb 13, 2023

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops

@NachoSoto NachoSoto mentioned this pull request Feb 10, 2023
Merged
tonidero
tonidero approved these changes Feb 13, 2023
View reviewed changes

@tonidero tonidero left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this makes sense though I do wonder if we should rate limit this API request if we are not caching it... If we rate limit it from the backend, I imagine it will fail for a bunch of people, but if they use it correctly, I expect it not to be an issue so I think this should be ok. CC @aboedo in case you have any thoughts.

Comment thread Tests/UnitTests/Networking/HTTPClientTests.swift Outdated
@NachoSoto

NachoSoto commented Feb 13, 2023

Copy link
Copy Markdown
Contributor Author

Good point we have to be careful with that. One thing to note however is that the SDK will never make requests to this endpoint by itself. The only public API for it is PurchasesDiagnostics, which is only meant for debugging purposes anyway.

aboedo
aboedo approved these changes Feb 13, 2023
View reviewed changes
Comment thread Tests/UnitTests/Networking/HTTPClientTests.swift
expect(result?.value?.statusCode) == .success
}

func testCachedRequestsIncludeETagHeader() {

@aboedo aboedo Feb 13, 2023

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops

Comment thread Sources/Networking/HTTPClient/HTTPRequest.swift Outdated
@NachoSoto
HTTPRequest.Path.health: don't cache using ETagManager
6bfa91d 
This breaks signature validation in #2267 because `PurchasesDiagnostics` uses that endpoint with and without signature validation, so the first time it makes a request, it stores the cached response without a validated signature.
The best solution is to simply not cache this endpoint, since it's used precisely to make sure that requests can be made with no errors, and we wouldn't want false positives.
@NachoSoto
Added tests
4e248e0
@NachoSoto
Renamed
8595f7d
@NachoSoto NachoSoto enabled auto-merge (squash) February 13, 2023 14:53
@NachoSoto NachoSoto merged commit 1b2f405 into main Feb 13, 2023
@NachoSoto NachoSoto deleted the health-not-cached branch February 13, 2023 15:02
@RCGitBot RCGitBot mentioned this pull request Feb 15, 2023
Merged
NachoSoto pushed a commit that referenced this pull request Feb 15, 2023
@RCGitBot
[AUTOMATIC] Release/4.17.6 (#2287)
df6a0e3 
**This is an automatic release.**

### Bugfixes
* `PurchaseOrchestrator`: always refresh receipt purchasing in sandbox
(#2280) via NachoSoto (@NachoSoto)
* `BundleSandboxEnvironmentDetector`: always return `true` when running
on simulator (#2276) via NachoSoto (@NachoSoto)
* `OfferingsManager`: ensure underlying
`OfferingsManager.Error.configurationError` is logged (#2266) via
NachoSoto (@NachoSoto)
### Other Changes
* `UserDefaultsDefaultTests`: fixed flaky failures (#2284) via NachoSoto
(@NachoSoto)
* `BaseBackendTest`: improved test failure message (#2285) via NachoSoto
(@NachoSoto)
* Updated targets and schemes for Xcode 14.2 (#2282) via NachoSoto
(@NachoSoto)
* `HTTPRequest.Path.health`: don't cache using `ETagManager` (#2278) via
NachoSoto (@NachoSoto)
* `EntitlementInfos.all`: fixed docstring (#2279) via NachoSoto
(@NachoSoto)
* `StoreKit2StorefrontListener`: added tests to fix flaky code coverage
(#2265) via NachoSoto (@NachoSoto)
* `NetworkError`: added underlying error to description (#2263) via
NachoSoto (@NachoSoto)
* Created `Signing.verify(message:hasValidSignature:with:)` (#2216) via
NachoSoto (@NachoSoto)
NachoSoto added a commit that referenced this pull request Feb 16, 2023
@NachoSoto
Signing: updated to use production public key (#2274)
61501dd 
Depends on #2272 and #2278.
Depends on https://github.com/RevenueCat/khepri/pull/5232.
@NachoSoto NachoSoto mentioned this pull request Mar 22, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonidero tonidero tonidero approved these changes

@aboedo aboedo aboedo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NachoSoto @tonidero @aboedo