Initial commit 🎉

.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

.github/workflows/deploy.yml

@@ -0,0 +1,21 @@
+name: Deploy Worker
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  repository_dispatch:
+jobs:
+  deploy:
+    environment: main
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build & Deploy Worker
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

.gitignore

@@ -0,0 +1,172 @@
+# Logs
+
+logs
+_.log
+npm-debug.log_
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# Runtime data
+
+pids
+_.pid
+_.seed
+\*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+
+lib-cov
+
+# Coverage directory used by tools like istanbul
+
+coverage
+\*.lcov
+
+# nyc test coverage
+
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+
+bower_components
+
+# node-waf configuration
+
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+
+build/Release
+
+# Dependency directories
+
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+
+web_modules/
+
+# TypeScript cache
+
+\*.tsbuildinfo
+
+# Optional npm cache directory
+
+.npm
+
+# Optional eslint cache
+
+.eslintcache
+
+# Optional stylelint cache
+
+.stylelintcache
+
+# Microbundle cache
+
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+
+.node_repl_history
+
+# Output of 'npm pack'
+
+\*.tgz
+
+# Yarn Integrity file
+
+.yarn-integrity
+
+# dotenv environment variable files
+
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+
+.cache
+.parcel-cache
+
+# Next.js build output
+
+.next
+out
+
+# Nuxt.js build / generate output
+
+.nuxt
+dist
+
+# Gatsby files
+
+.cache/
+
+# Comment in the public line in if your project uses Gatsby and not Next.js
+
+# https://nextjs.org/blog/next-9-1#public-directory-support
+
+# public
+
+# vuepress build output
+
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+
+.temp
+.cache
+
+# Docusaurus cache and generated files
+
+.docusaurus
+
+# Serverless directories
+
+.serverless/
+
+# FuseBox cache
+
+.fusebox/
+
+# DynamoDB Local files
+
+.dynamodb/
+
+# TernJS port file
+
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+
+.vscode-test
+
+# yarn v2
+
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.\*
+
+# wrangler project
+
+.dev.vars
+.wrangler/

.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}

.vscode/launch.json

@@ -0,0 +1,15 @@
+{
+	"configurations": [
+		{
+			"name": "Wrangler",
+			"type": "node",
+			"request": "attach",
+			"port": 9229,
+			"cwd": "/",
+			"resolveSourceMapLocations": null,
+			"attachExistingChildren": false,
+			"autoAttachChildProcesses": false,
+			"sourceMaps": true // works with or without this line
+		}
+	]
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Jonathan Bennett
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,95 @@
+# Gamecenter server-side player signature validation on Cloudflare Workers ☀️
+
+[![Deploy to Cloudflare Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/jonathanbennett/gamekit-signature-validation-worker)
+
+## Overview
+
+This project implements the server-side player signature validation for Game Center as a Cloudflare Workers, as described in the Apple documentation [^1]. It provides a secure and efficient way to authenticate Game Center users on your server-side applications at minimal cost and latency.
+
+The project uses Cloudflare Workers [^2], a serverless platform that allows you to run custom code at the edge of the network, to validate the signature of Game Center users. This approach provides several benefits, including:
+
+* Improved security: By validating the signature on the server-side, you can ensure that the user data is authentic and has not been tampered with.
+* Better performance: Cloudflare Workers can handle the validation process at the edge of the network, reducing the latency and improving the overall user experience.
+* Scalability: Cloudflare Workers can handle a large volume of requests without affecting the performance of your server-side application.
+
+## Development
+
+* Prerequesites: You need to have the cloudflare CLI installed to run any local development commands. Please install that first. [^4]
+
+To set up this project for development, follow these steps:
+
+1. Clone the repository and navigate to the project directory.
+2. Install the dependencies by running `npm install` or `yarn install`.
+3. Go into `wrangler.toml` and set the `[var]` called "BUNDLE_ID" to your bundle ID.
+4. Run `yarn dev` to start the development server.
+5. To deploy the worker to production, run `wrangler publish`.
+
+## Environment Variables
+
+The project uses the following environment variables:
+
+* `BUNDLE_ID`: Your App Bundle ID.
+* `ROOT_CA_URL`: The URL of the root CA certificate which signed Apple's Public Key (defaults to `https://knowledge.digicert.com/content/dam/kb/attachments/general/certificates/root/digicert-trusted-root-g4.cer`).
+* `ICA_URL`: The URL of the intermediate CA certificate for the root CA (defaults to `https://knowledge.digicert.com/content/dam/kb/attachments/general/certificates/ica/digicert-trusted-g4-code-signing-rsa4096-sha384-2021-ca1.cer`).
+
+Note: The `ROOT_CA_URL` and `ICA_URL` environment variables are provided in case the certificates change suddenly, and a redeploy will fix the issue with the correct URLs (as long as the newly issued certificates also generate the public key). The defaults were taken as per the notice available on Apple's last announcement about the certificate change[^3].
+
+## Security Implementations
+
+The project implements the following security measures:
+
+1. Timestamp validation: The project checks if the timestamp is within 60 seconds of the current time to prevent replay attacks.
+2. Certificate validation: The project validates the public key downloaded from the message against Apple's Root CA (Digicert) from their original sources and rejects any certificate that doesn't validate on the chain. For scalability, as per documentations, all certificates are cached for either their max-age header when retrieved, or 300 seconds if no max-header is present (as currently in the case of Digicert's cert).
+
+## Usage
+
+To use this project, you need to send the following parameters in the request:
+
+* `timestamp`: The timestamp of the request.
+* `publicKeyUrl`: The URL of the public key.
+* `signature`: The base64-encoded signature.
+* `salt`: The base64-encoded salt.
+* `playerId`: The ID of the Game Center player.
+
+```json
+Content-type: application/json
+
+{
+  "timestamp": 1633036800,
+  "publicKeyUrl": "https://example.com/publicKey.cer",
+  "signature": "dGVzdFNpZ25hdHVyZQ==",
+  "salt": "dGVzdFNhbHQ=",
+  "playerId": "G123456789"
+}
+```
+
+The project will validate the signature and return a `200 OK` response if the authentication is successful, or a `400 Bad Request` response if the authentication fails.
+
+## Why is this needed?
+
+This project implements the server-side player signature validation for Game Center as described in the Apple documentation. It uses Cloudflare Workers to validate the signature at the edge of the network, providing a secure and efficient way to authenticate Game Center users. When trying to find an implementation to reference to make sure it was correct, it was surprisingly hard to find a focussed project to a) learn from or b) deploy.
+
+The project follows the guidelines outlined in the Apple documentation, including:
+
+* Validating the timestamp to prevent replay attacks.
+* Fetching and importing the public key from the provided URL.
+* Decoding the base64-encoded signature and salt.
+* Building the payload by concatenating the player ID, bundle ID, timestamp, and salt.
+* Verifying the signature using the fetched public key.
+
+The project also implements additional security measures, such as validating the certificate chain to ensure it's signed by Apple's recognized CA.
+
+## Conclusion
+
+This project provides a secure and efficient way to authenticate Game Center users on your server-side applications using Cloudflare Workers. It follows the guidelines outlined in the Apple documentation and implements additional security measures to ensure the integrity of the authentication process.
+
+## References
+
+[^1]: [GameKit LocalPlayer Fetch Items Documentation with Server Side Development Instructions](https://developer.apple.com/documentation/gamekit/gklocalplayer/3516283-fetchitems)
+[^2]: [Cloudflare Workers Documentation](https://developers.cloudflare.com/workers/)
+[^3]: [Apple Developer News Article - Get ready for a new Game Center authentication certificate - July 30, 2021](https://developer.apple.com/news/?id=stttq465)
+[^4]: [Getting Started with Cloudflare Workers using Wrangler CLI](https://developers.cloudflare.com/workers/get-started/guide/#2-develop-with-wrangler-cli)
+
+## Todo
+
+[] Write tests

package.json

@@ -0,0 +1,30 @@
+{
+  "name": "gamekit-signature-validator-worker",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "deploy": "wrangler deploy",
+    "dev": "wrangler dev",
+    "start": "wrangler dev",
+    "test": "vitest",
+    "cf-typegen": "wrangler types"
+  },
+  "devDependencies": {
+    "@cloudflare/vitest-pool-workers": "^0.1.0",
+    "@cloudflare/workers-types": "^4.20240502.0",
+    "typescript": "^5.0.4",
+    "vitest": "1.3.0",
+    "wrangler": "^3.55.0"
+  },
+  "dependencies": {
+    "asn1js": "^3.0.5",
+    "jose": "^5.2.4",
+    "pkijs": "^3.0.16"
+  },
+  "overrides": {
+    "@types/node": "20.8.3"
+  },
+  "resolutions": {
+    "@types/node": "20.8.3"
+  }
+}