Apple apparently requires .txt extension

Created on 21 October 2024, 2 months ago

Problem/Motivation

Apple has provided a file with a .txt extension, and they apparently expect to read the file as provided - with the .txt extension. Consequently, we are not able to verify our domain using the apple_pay_verification module.

Steps to reproduce

The file loads correctly at /.well-known/apple-developer-merchantid-domain-association. It does not load at /.well-known/apple-developer-merchantid-domain-association.txt.

Proposed resolution

Perhaps the module could accept any extension, or make the .txt extension optional?

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States bmelvin1

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @bmelvin1
  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    Hi @bmelvin1!

    This does not match my experience with Apple's APIs, did they recently change? The way I am used to setting this up is via Stripe, and the path has never required an extension in the past, and the file I have downloaded from apple has never had an extension. Can you do the following for me:

    1. Provide more information about what you are actually seeing. Do you have an explicit error message?
    2. Can you find a reference to the requirement for the txt extension anywhere in Apple's documentation that you can link me?
    3. Provide details about the process you are taking. For instance does the file download with a .txt, or did it get a .txt after opening it on your computer? Where are you downloading it from? Are you using Stripe, Apple directly, something else?

    There is an existing open issue on the repo about file extensions that is sort of the opposite problem of what you are reporting here. It would seem adding verification around properties/details on the file upload would be good in general, but I am seeing incosistent reports of what issues folks are having, and none of them match what I am seeing on a regular old PHP VPS run through Forge.

    Let me know what else you can find out, I'd love to be able to reproduce this issue so I can work through fixing if needed.

  • πŸ‡ΊπŸ‡ΈUnited States bmelvin1

    Hi & thanks for the quick response! I am the monkey in the middle on this issue. My role is to maintain the berklee.edu domain. One of the Berklee departments uses a service called iDonate to accept charitable contributions for Berklee. iDonate is interfacing with Apple. They say:

    "The file location is provided by Apple when we generate the domain verification file, and it does include the .txt extension. Can your IT rep host the file at the following location? https://www.berklee.edu/.well-known/apple-developer-merchantid-domain-as..."

    The verification step is failing. As you can see from the enclosed screenshot, Apple is expecting it to have the .txt extension. So, naturally, it isn't finding it at https://www.berklee.edu/.well-known/apple-developer-merchantid-domain-as...

    Granted, Apple's documentation never mentions .txt. The documentation suggests that there should be no extension. I've been assuming that iDonate is doing something wrong, but there's information out there to suggest that the .txt extension is common and might even be a new standard!?

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    I'd definitely want to see those references out in the wild, I just checked on my personal site that is wired up via Stripe and it is still validated with Apple Pay using the module as is. I'd double check some other things like:

    I imagine that swapping iDonate to testing with something like Stripe is probably not an available option for you. I just tried to look up iDonate and I don't see their documentation anywhere.

    A possible non-destructive change might be to change the controller route to accept both the bare route and the route with a .txt file, and if we can conclusively document that the .txt file is a real Apple thing now, I'd be inclined to go that way, and move forward with stripping out the extension check alltogether in favor of some other file validation techniques.

  • πŸ‡ΊπŸ‡ΈUnited States bmelvin1

    Google this: "apple merchant domain verification file extension" -- you will find many folks out there who believe that the verification file has a .txt extension. In some cases, they provide a file with a txt extension. In other cases, there is no extension. People naturally assume Apple would be consistent (why wouldn't they be!!?), but the evidence suggests they are not.

  • πŸ‡ΊπŸ‡ΈUnited States bmelvin1

    Here's a good one: https://forums.developer.apple.com/forums/thread/744311
    Reasonable people would expect Apple's tech to work as described in their documentation. Reasonable people could be wrong. :-/

  • πŸ‡ΊπŸ‡ΈUnited States bmelvin1

    Whoa - the smoking gun! I found official Apple documentation that contradicts their other official documentation. Check it out: https://developer.apple.com/documentation/technotes/tn3103-apple-pay-on-...

    Domain verification
    Once your domain is configured in the Merchant ID Configuration page for example.com, you will be asked to verify your domain with a apple-developer-merchantid-domain-association.txt file. On your server, download the file and place it in the .well-known location:

    https://example.com/.well-known/apple-developer-merchantid-domain-associ...

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    Okay those references are enough to convince me that we need to support .txt extensions both in the upload and in the display. When I have the space to work on this, I certainly can, or I would accept a merge-request/patch that provides that functionality while still supporting the extensionless version.

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    We could also perhaps just have a text box and store the value in the state system....hmmm

  • πŸ‡ΊπŸ‡ΈUnited States bmelvin1

    You mentioned "change the controller route to accept both the bare route and the route with a .txt file." I read the documentation for Drupal routes β†’ as well as the page on parameters in the url β†’ , but don't see how to make the ".txt" optional. Although path: '/.well-known/{file_name}' should direct all requests to the module, it might cause a problem with other files that are expected to be in the .well-known folder.

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    We'd have to hardcode the routes, not parameterize them, and just ensure both routes load the same controller method. I don't know if route paths can be kind if "regex-d" so they respond to a pattern, but we'd be very specific to these two cases and not answer any other requests. If we can't sort of regex it, we could probably just do two route entries that both point the same controller method. Then the only other side of this is to make sure the upload form works for both extensionless and txt extension files.

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    Okay looking into this and it looks like we can make the route vary so it accepts both the bare and .txt versions, working on that now

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY

    @bmelvin1 I've created a fix for this, you can pull the dev version to check it out, I'll be releasing it soon.

  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY
  • πŸ‡ΊπŸ‡ΈUnited States dustinleblanc Ithaca, NY
Production build 0.71.5 2024