Closed 12343954 closed 6 years ago
@12343954 The receipt string will be used to validate from app store. You can read the article here. Also search for in app purchase validation. You can still use it without validating but it will be more secure to validate your purchase from app store to protect your service from hacking.
Thank you! You answered very fast!
You did not provide the "Receipt validation" API. Do you mean that the development server must do it, for safety?
@12343954 Usually, validating receipt was done in own backend server like the image you pasted. However, I also found out that it can also be done locally. It is actually your taste in which you feel more safe and reliable. Also, validating in app purchase locally isn't implemented yet in our module. We are also looking for the contributor.
It would be great if we could decode the receipt locally (to get the contents like expiry date). I couldn't find a JS code/lib to do it, only some in Ruby and Java, like this one: https://gist.github.com/lxcid/4441003
The receipt is Base64 encoded.. but the payload is not plain JSON and I couldn't find a way to parse it.
@rikur
We will look into this one. We actually didn't bother about retrieving data from receipt string. We were thinking of just validating it to prevent from hacking (All of you will know that it is dangerous when someone finds out your backend API where you will update data after the purchase has occurred). Receipt string for android is JSON but for ios it is BASE64 encoded. Actually we referred to in-app-purchase repository for using node.js server.
@dooboolab yeah I'm using a serverless architecture and in-app-purchase to verify the receipt for now. I'm granting the user premium right away if the response has a receipt and update it once more when verification is done by the BE.
@rikur Today, I've been working on in-app validation locally and felt like this one, you can just implement by yourself with network api like fetch or axios.
For android - READ For ios - READ
P.S. I think I need more time on this because each needs different params for calling apis. You can workout yourself for now with above link. Also will be happy to get PR for this one too.
Does this mean there's no way to get information on the purchase, such as the actual price the user paid for the item?
@lunchbag We were talking about the validation receipt. With this, you are able to authenticate once more from playstore or appstore that this purchase is correctly transferred. What you are concerning would be fine when using one of our method getPurchaseHistory. Also during the purchase, you can receive the localizedPrice too.
@dooboolab Thanks for the reply! The result of buyProduct only returns me: { transactionId, transactionDate, transactionReceipt, productId }. If I call getPurchaseHistory or getAvailablePurchases, it returns nothing .... however I am using Sandbox user. If it's regular user, would I see a different output maybe?
Nevertheless you are right, I can use the localizedPrice from getProducts in any case :)
I guess not. In consumable products, you get the receipt when you purchase it. You need to verify the receipt then, and apply to user's asset. That's it. You can get non-consumable products when you call getPurchaseHistory.
@12343954 I've just implemented validateReceiptIos and validateReceiptAndroid methods. However, serverless validation only works in ios which is validateReceiptIos. The reason for this is written in readme. Could you try these with react-native-iap@0.3.18? It only supports RN >= 0.54 though.
I've just changed above methods to support RN version below 54 in react-native-iap@0.3.19. You can just pass the version of react-native at the last parameter. Please refer to readme.
Thank you for your job!
I've already implemented the IAP with server backend!
But one problem is, in purchase, the app can get the receipt (the receipt stored in DB), and call the server to validate the receipt, but it failed occasionally! It's so bad for the user experience!
I always think that, using your sdk, when the app gets the receipt (and writes it in the DB), it means the purchase succeeded. I let the app post the receipt to my DB server to check whether it exists or not. Because the receipt must exist in the APPLE server! Why do I validate again in my server backend?!
The only possibility is, your sdk was hacked, changing the receipt!
@12343954 This might apply to a "premium" purchase or subscription only, but here's what I do: Immediately after receiving the receipt, I give the user a premium status for 48 hours. When the receipt has been validated by the BE, I update the premium status to either be permanent or valid until the end of the subscription.
Gives a relatively nice UX and works flawlessly most of the time. A hacker could keep on doing a MITM attack to create fake receipts every 48 hours.. but that's a risk I'm willing to take to have a smoother UX.
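The provisional-grant flow described in the comment above, written out as backend entitlement logic that also bounds the repeated-48-hour risk it mentions. This is an added example, not code from react-native-iap or from any commenter; every name is hypothetical, the store verification result is assumed to be supplied by the caller, and the one-unverified-window policy is an assumption.

```javascript
// Hypothetical backend entitlement store; all names here are assumptions.
const PROVISIONAL_MS = 48 * 60 * 60 * 1000; // the 48-hour window from the comment
const MAX_UNVERIFIED_GRANTS = 1;            // assumed policy: one unverified window per user

const users = new Map(); // userId -> entitlement record

function getUser(userId) {
  if (!users.has(userId)) {
    users.set(userId, { premiumUntil: 0, verified: false, unverifiedGrants: 0, blocked: false });
  }
  return users.get(userId);
}

// Called when the app posts a receipt, before the backend has verified it.
function grantProvisional(userId, now) {
  const u = getUser(userId);
  if (u.blocked || u.unverifiedGrants >= MAX_UNVERIFIED_GRANTS) return false;
  u.unverifiedGrants += 1;
  u.premiumUntil = Math.max(u.premiumUntil, now + PROVISIONAL_MS);
  return true;
}

// Called with the outcome of store-side verification.
// result.outcome: 'valid' | 'rejected' | 'error' (error = verifier unreachable, retry later)
function applyVerification(userId, result) {
  const u = getUser(userId);
  if (result.outcome === 'valid') {
    u.verified = true;
    u.blocked = false;
    u.unverifiedGrants = 0;            // a verified receipt re-arms the provisional window
    u.premiumUntil = result.expiresAt; // Infinity for a permanent purchase
  } else if (result.outcome === 'rejected') {
    u.verified = false;
    u.premiumUntil = 0;
    u.blocked = true; // no further provisional windows until a receipt verifies
  }
  // 'error': leave the provisional window untouched so an occasional
  // verifier failure does not take premium away from a paying user.
  return u;
}

function isPremium(userId, now) {
  return getUser(userId).premiumUntil > now;
}
```

A transient verifier failure leaves the user premium until the window runs out, while a second unverified receipt from the same account earns no new window.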
Thank you, @dooboolab @rikur , I will think about it !
Version of react-native-iap: "^0.2.14"
Following the steps, I can get the receipt. Does it mean "Purchase Successful!"? And how can I use the "receipt.data"? Send it to the Apple IAP server to check the order?
thank you very much !