#1070 is very tricky. When the device boots, StoreKit operations seem to
be severely affected by on-demand VPN profiles. Slowdowns are huge and
unpredictable, as per my [report on the Apple
forums](https://developer.apple.com/forums/thread/773723). I found no
easy way to work around the chicken-and-egg situation where the VPN
requires StoreKit validation to start, but StoreKit requires network
access.
On the other hand, without StoreKit validations, the on-demand tunnel
starts on boot just fine, and so does the app. No eternal activity
indicators. StoreKit is clearly the culprit here.
Therefore, below is the strategy that this PR implements for a decent
trade-off:
- Configure a graceful period for the VPN to start without limitations.
This is initially set to 2 minutes in production, and 10 minutes in
TestFlight. Postpone StoreKit validation until then.
- After the graceful period, StoreKit validation is more likely to
complete fast
- At this point, paying users have their receipts validated and the
connection will silently keep going
- Non-paying users, instead, will see their connection hit the "Purchase
required" message
On the UI side, adjust the app accordingly:
- Drop the "Purchase required" icon from the list/grid of profiles
- The paywall informs that the connection will start, but it will
disconnect after the graceful period if the receipt is not valid
- Add a note that receipt validation may take a while if the device has
just started
This PR also introduces changes in TestFlight behavior:
- Profiles can be saved without limitations
- Profiles using free features work as usual
- Profiles using paid features work for 10 minutes
- Eligibility based on local receipt is ignored (deprecated in iOS 18)
Beta users may therefore test all paid features on iOS/macOS/tvOS for 10
minutes. Until now, paid features were only available to paying iOS
users and unavailable on macOS/tvOS. The tvOS beta was, in fact,
completely useless.
The downside is that paying iOS users will see beta builds restricted
like anybody else. I'll see if I can find a better solution later.
Assume OpenVPN to be interactive if credentials are empty but required
(--auth-user-pass).
For this change, change paywall restriction to OTP only. Allow
interactive login similar to OpenVPN Connect "Save username/password".
- Move availableLogs() / purgeLogs() to library
- Append and rotate logs by size (500k)
- Add marker between app/tunnel launches
- Purge logs on each save (3 days)
- Unify debug log content view across platforms
- macOS: Table + inspect full line
- iOS/tvOS: Use List
- Scroll to bottom onLoad()
Eligibility is ensured on iOS/macOS "remote" apps and profiles are not editable on TV. The day they can be edited, this will need a rework, but today it should be fine.
Regression due to BuildProducts not being credited on Apple TV.
Simplify development and maintenance immensely by making this a
monorepository:
- Convert PassepartoutKit and VPN bindings to local packages
- OpenVPN/OpenSSL
- WireGuard/Go
- Make PassepartoutKit available via
- Source submodule for production (private)
- [Binary XCFramework for
development](https://github.com/passepartoutvpn/passepartoutkit)
- Add PassepartoutKit Demo in root
- Deploy package later
