Skip to content

Use hardcoded JWT token in AppleAppStoreBridge #4803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Use hardcoded JWT token in AppleAppStoreBridge #4803

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c4439d9
Use hardcoded JWT token in AppleAppStoreBridge
NohamR Nov 4, 2025
6d90e7c
Refactor AppleAppStoreBridge to simplify token handling
NohamR Nov 5, 2025
fcb8be5
Split long JWT token string for readability
NohamR Nov 5, 2025
74d2f64
Fix long JWT token string concatenation style
NohamR Nov 5, 2025
90b1fba
Disable and re-enable PHPCS rule for token assignment
NohamR Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 15 additions & 28 deletions bridges/AppleAppStoreBridge.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,44 +114,31 @@ private function getHtml()
return getSimpleHTMLDOM($url);
}

private function getJWTToken()
private function getAppData()
{
$html = $this->getHtml();
$meta = $html->find('meta[name="web-experience-app/config/environment"]', 0);

if (!$meta || !isset($meta->content)) {
throw new \Exception('JWT token not found in page content');
}

$decoded_content = urldecode($meta->content);
$this->debugLog('Found meta tag content');

try {
$decoded_json = Json::decode($decoded_content);
} catch (\Exception $e) {
throw new \Exception(sprintf('Failed to parse JSON from meta tag: %s', $e->getMessage()));
}
// Spoof a call to get the HTML first to mimic browser behavior
$url = $this->makeHtmlUrl();
$content = getContents($url);

if (!isset($decoded_json['MEDIA_API']['token'])) {
throw new \Exception('Token field not found in JSON structure');
}
// The above method stopped working, using a hardcoded token for now, "exp": 1769466135 (~Jan 26 2026)
// This token is hardcoded in Apple's own JavaScript source code: https://apps.apple.com/assets/index~BDdsLoyyey.js

$token = $decoded_json['MEDIA_API']['token'];
$this->debugLog('Successfully extracted JWT token');
return $token;
}

private function getAppData()
{
$token = $this->getJWTToken();
// phpcs:disable Generic.Strings.UnnecessaryStringConcat.Found
$token = 'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlU4UlRZVjVaRFMifQ.'
. 'eyJpc3MiOiI3TktaMlZQNDhaIiwiaWF0IjoxNzYyMjA4NTM1LCJleHAiOjE3Njk0NjYxMzUsInJvb3RfaHR0cHNfb3JpZ2luIjpbImFwcGxlLmNvbSJdfQ.'
. 'WlzTtQi3vqVVcYUfRzXBSYEfvOMAFjcEhMuBPiS2gGqDEh5nPswnPkQ_H69FeXKjFsnCHahjSHVtojhNwNVU_g';
// phpcs:enable Generic.Strings.UnnecessaryStringConcat.Found

$url = $this->makeJsonUrl();
$this->debugLog(sprintf('Fetching data from API: %s', $url));

$headers = [
'accept: */*',
'Authorization: Bearer ' . $token,
'cache-control: no-cache',
'Origin: https://apps.apple.com',
'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'Referer: https://apps.apple.com/',
'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36w',
];

$content = getContents($url, $headers);
Expand Down