
How to authenticate iOS Server-to-Server Notifications

When we configure Server-to-Server Notifications, we specify our secure server's URL in App Store Connect and the Apple server communicates on that URL. But is there a way to authenticate this request?

It is not safe to keep the URL open without authentication.

In the case of Play Store we can use GOOGLE_DEVELOPER_API_KEYFILE_JSON for authentication, but how do we do this for iOS server-to-server notifications?

Anuja Joshi asked Nov 06 '22 08:11


1 Answer

As the comments have already clarified, there is no built-in way.

So, here is my workaround for this problem.

Apple sends a password in the notification, which is the App secret key, which ideally should only be known by the API and Apple.

And to verify receipts coming from the App, this password must already be stored somewhere (configuration?) in the API.

So I suggest checking whether the password in the request matches the one stored in our API.

If yes, then this is a valid request.

If not, then it may be sent by a hacker.

My only concern is: does this App shared secret key, aka password, change? By Apple or the developer? If not, then this is the solution.

Kishan Vaishnav answered Nov 14 '22 21:11
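The check described in this answer, as an added example that is not part of the original answer or Apple's code. It assumes the notification body is JSON with a top-level `password` field; the function names, the size cap and the placeholder secrets are hypothetical, and accepting more than one stored secret is an added assumption to cover a secret that gets changed.

```python
import hmac
import json

# Constructed placeholders, not real secrets; load the real value from configuration.
# A second entry lets the old secret keep working while a new one is rolled out.
ACCEPTED_SECRETS = ["placeholder-current-secret", "placeholder-previous-secret"]
MAX_BODY_BYTES = 64 * 1024  # assumed cap; reject oversized bodies before parsing


def is_trusted_notification(raw_body, accepted_secrets=ACCEPTED_SECRETS):
    """Return True only if the body's "password" equals a stored shared secret."""
    if len(raw_body) > MAX_BODY_BYTES:
        return False
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, absurd nesting
        return False
    if not isinstance(payload, dict):
        return False
    supplied = payload.get("password")
    if not isinstance(supplied, str) or not supplied:
        return False  # missing, empty or non-string password is never accepted
    # surrogatepass keeps odd escapes from raising; they cannot equal a real secret.
    supplied_bytes = supplied.encode("utf-8", "surrogatepass")
    matched = False
    for secret in accepted_secrets:
        # Constant-time comparison; every entry is checked, no early exit.
        if secret and hmac.compare_digest(supplied_bytes, secret.encode("utf-8")):
            matched = True
    return matched


def handle_notification(raw_body):
    """Hypothetical endpoint body: returns the HTTP status to send back."""
    if not is_trusted_notification(raw_body):
        return 403  # do not write the supplied password to logs
    # ... process the notification here ...
    return 200


if __name__ == "__main__":
    # Constructed sample bodies, not captured notifications.
    ok = b'{"notification_type": "DID_RENEW", "password": "placeholder-current-secret"}'
    print(handle_notification(ok))
    print(handle_notification(b'{"notification_type": "DID_RENEW"}'))
```
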