Flatpak is currently experimenting with support for purchases of apps. To make it easier to test this during development we set up a server that you can use for easy testing.

Note: This is early work, and may break or change over time.

All commands in this page require at least flatpak 1.5.1.

The server is running flat-manager master, and my simple rest api implementation. In addition you need a local dbus service flatpak-sample-authenticator that works with this.

Normally the authenticator would be installed and dbus activated, but to avoid installation complexities when testing it's easiest to just build it and manually run it from the tree like this:

$ ./flatpak-sample-authenticator --replace --no-idle-exit

Then you can configure flatpak to use it and install a protected app like this:

$ flatpak remote-add --user --no-gpg-verify --authenticator-name=org.flatpak.Authenticator.Sample --authenticator-option=url="http:https://flatauth.mooo.com:6043" test-auth http:https://flatauth.mooo.com:6042/repo/testauth
$ flatpak install --user test-auth org.gnome.eog

This will twice ask you to interact via the browser, once (only the first time) to log in using google (no data saved, just your google id) and the second to "buy" the app (just click the link to buy it).

To get a feeling for how the server is set up, you can use the existing API server, but with a local repo. To do this you need flat-manager from git master. Then you configure it as per README.md, but add this line to the example repo config here:

"require-auth-for-token-types": [2],

This will make flat-manager require a token matching the ref for all commits with token-type 2.

Now, build something we want to test, I'm using eye of gnome as an example here:

$ flatpak-builder --repo build-repo builddir org.gnome.eog.yml

Then import and publish the build into flat-manager with a token type of 2:

$ export REPO_TOKEN=$(echo -n "secret" | base64 | cargo run --bin gentoken -- --base64 --secret-file - --name test)
$ flat-manager-client push --publish --wait-update --token-type=2 $(flat-manager-client create http:https://127.0.0.1:8080 stable) build-repo

We can verify that this commit gets a 403 error: (replace with your commit ids)

$ cat repo/refs/heads/app/org.gnome.eog/x86_64/master
32820032f58cb1229edffdc66dc829b29a8cce9f8b6d9f36342d76a004b61d01
$ curl http:https://127.0.0.1:8080/repo/stable/objects/32/820032f58cb1229edffdc66dc829b29a8cce9f8b6d9f36342d76a004b61d01.commit
{"error-type":"token-insufficient","message":"Not enough permissions: No token specified","status":403}

At this point we can add a remote to this repo so we can test with flatpak:

$ flatpak remote-add --user --no-gpg-verify --authenticator-name=org.flatpak.Authenticator.Sample --authenticator-option=url="http:https://flatauth.mooo.com:6043"  local-test-auth http:https://127.0.0.1:8080/repo/stable
$ flatpak install --user local-test-auth org.gnome.eog

This is a bit more complex, because you need to create google OAuth app and point it at your server. However, the actual server setup is pretty simple.

First check out https://github.com/alexlarsson/flat-auth/, then create a file called authconfig.py containing something like:

api_secret="this is top sekrit"
repo_secret="secret"
googleClientID = ... here goes the google app id
googleClientSecret = ... here goes the google app secret

And then run it with:

$ FLASK_APP=auth.py flask-3 run --host=0.0.0.0 --port=6043

Obviously you need to change the base url to wherever you server runs. You also need to tweak the flatpak remote setup to use this uri instead of the old one.