alexanderjordanbaker
commented
10 months ago Generally we recommend the device to send the signed JWS from StoreKit 2 (https://developer.apple.com/documentation/storekit/verificationresult/3868429-jwsrepresentation), which can be directly validated using this library as part of the SignedDataVerifier. If there are devices that have not yet been upgraded to StoreKit 2, this library allows extracting the transaction id and then calling the history endpoint to support those installs.
CallumAtCarter
The App Store developer documentation describes validating receipts with the App Store as deprecated, and recommends performing the validation on the server locally:
- https://developer.apple.com/documentation/storekit/in-app_purchase/original_api_for_in-app_purchase/validating_receipts_with_the_app_store
- https://developer.apple.com/documentation/appstorereceipts/validating_receipts_on_the_device
The README describes using
ReceiptUtility.extract_transaction_id_from_app_receipt, but this only gets the transaction ID, and does not perform any validation:The example goes on to use
AppStoreServerAPIClient.get_transaction_history, which seems to contradict the advice of performing the validation locally, and makes the receipt signing entirely redundant.Does this library provide any way of performing this validation and extracting the fields of the receipt locally?
Also, given a receipt from a customer device, can I safely call
AppStoreServerAPIClient.get_transaction_historywhen no validation of the receipt has taken place? Could the transaction ID in this case not have been spoofed?Perhaps there's a different library I need. Any help on this is greatly appreciated.