From 8bf263a871d69817854eb045d6d0f9f1d7909c3e Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Wed, 19 Mar 2025 18:01:14 +0800
Subject: [PATCH] :art: Support in-app purchase PRO Features and Subscription
 on iOS https://github.com/siyuan-note/siyuan/issues/14159

---
 kernel/mobile/kernel.go | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/kernel/mobile/kernel.go b/kernel/mobile/kernel.go
index 769a061af..62601c26e 100644
--- a/kernel/mobile/kernel.go
+++ b/kernel/mobile/kernel.go
@@ -60,6 +60,22 @@ func VerifyAppStoreTransaction(accountToken, transactionID string) (retCode int,
 	retCode = -2
 	retMsg = "unknown error"
 
+	accountToken = strings.TrimSpace(accountToken)
+	transactionID = strings.TrimSpace(transactionID)
+	if "" == accountToken || "" == transactionID {
+		retCode = -6
+		retMsg = "invalid parameters"
+		logging.LogErrorf(retMsg)
+		return
+	}
+
+	if 36 != len(accountToken) {
+		retCode = -6
+		retMsg = fmt.Sprintf("invalid accountToken [%s]", accountToken)
+		logging.LogErrorf(retMsg)
+		return
+	}
+
 	if util.ContainerIOS != util.Container {
 		retCode = -3
 		retMsg = fmt.Sprintf("invalid container [%s]", util.Container)
@@ -67,6 +83,14 @@ func VerifyAppStoreTransaction(accountToken, transactionID string) (retCode int,
 		return
 	}
 
+	user := model.Conf.GetUser()
+	if nil == user || "" == user.UserToken {
+		retCode = -4
+		retMsg = "account not logged in"
+		logging.LogErrorf(retMsg)
+		return
+	}
+
 	cloudRegionArg := accountToken[19:20]
 	if "0" != cloudRegionArg && "1" != cloudRegionArg {
 		retCode = -1
@@ -84,10 +108,17 @@ func VerifyAppStoreTransaction(accountToken, transactionID string) (retCode int,
 	}
 
 	userID := strings.ReplaceAll(accountToken[22:], "-", "")
+	if user.UserId != userID {
+		retCode = -5
+		retMsg = fmt.Sprintf("invalid user [userID=%s, accountToken=%s]", user.UserId, accountToken)
+		logging.LogErrorf(retMsg)
+		return
+	}
+
 	verifyURL := util.GetCloudServer() + "/apis/siyuan/verifyAppStoreTransaction"
 	result := gulu.Ret.NewResult()
 	request := httpclient.NewCloudRequest30s()
-	resp, reqErr := request.SetSuccessResult(result).SetCookies(&http.Cookie{Name: "symphony", Value: model.Conf.GetUser().UserToken}).
+	resp, reqErr := request.SetSuccessResult(result).SetCookies(&http.Cookie{Name: "symphony", Value: user.UserToken}).
 		SetBody(map[string]string{"transactionId": transactionID, "accountToken": accountToken, "userId": userID}).Post(verifyURL)
 	if nil != reqErr {
 		retCode = -2