voltrue2 / in-app-purchase

A Node.js module for in-App-Purchase for iOS, Android, Amazon and Windows.
http://iap.gracenode.org

[Bug] Check parsed JSON receipt if it contains the purchaseToken field for Google Play #319

Open emersonhsieh opened 4 years ago

emersonhsieh commented 4 years ago

Currently, to determine if the platform type of the receipt is Google Play, there are two cases:

However, for the second condition the code never checks parsed.purchaseToken, instead checking whether receipt.purchaseToken exists twice.

As a result, when a Google Play receipt string that uses a service account for validation is passed into `iap.validate`, the package interprets it as an Amazon receipt, since the receipt will not contain `parsed.signature`. It only contains `parsed.purchaseToken`, which is never checked.
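The routing behaviour described above, as an added example that is not part of the original post and is not the module's source. `detectPlatform`, `compareRouting`, the `fixed` flag and the sample receipt are hypothetical names and constructed values; only the Google-or-Amazon decision is modelled.

```javascript
// Simplified model of the receipt-type check described in this issue.
// All names and the sample receipt are constructed; other platforms are left out.
const GOOGLE = 'google';
const AMAZON = 'amazon';

// fixed=false reproduces the reported condition, fixed=true the proposed check.
function detectPlatform(receipt, fixed) {
  // Case 1: the caller passed the receipt as an object.
  if (receipt !== null && typeof receipt === 'object') {
    return (receipt.signature || receipt.purchaseToken) ? GOOGLE : AMAZON;
  }
  // Case 2: the caller passed a JSON string, so the fields live on `parsed`.
  let parsed;
  try {
    parsed = JSON.parse(receipt);
  } catch (err) {
    throw new TypeError('receipt is neither an object nor a JSON string');
  }
  if (parsed === null || typeof parsed !== 'object') {
    throw new TypeError('receipt JSON must be an object');
  }
  // Reported bug: `receipt` is still the raw string here, so
  // receipt.purchaseToken is always undefined and only `signature` can match.
  const token = fixed ? parsed.purchaseToken : receipt.purchaseToken;
  return (parsed.signature || token) ? GOOGLE : AMAZON;
}

// Constructed service-account style receipt: purchaseToken, no signature.
const sampleReceipt = {
  purchaseToken: 'constructed-token',
  packageName: 'com.example.app',
  productId: 'example.sku',
  subscription: false,
};

// Routes one receipt through both variants, as an object and as a JSON string.
function compareRouting(receipt) {
  const asString = JSON.stringify(receipt);
  return {
    objectReported: detectPlatform(receipt, false),
    stringReported: detectPlatform(asString, false),
    stringFixed: detectPlatform(asString, true),
  };
}

console.log(compareRouting(sampleReceipt));
```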

nwparker commented 3 years ago

Also ran into this, please consider merging

dylangolow commented 3 years ago

I also ran into this, please merge!

timeisgolden commented 3 years ago

Hello, I used the Google Play service to validate the receipt, but I got the following error.

```
https://appstore-sdk.amazon.com/version/2.0/verify/developer/%7BdeveloperSecret%7D/user/ undefined /purchaseToken/ undefined

{\"error\":{},\"status\":498,\"message\":\"Invalid Purchase Token\"}
```

The code I used is below.

```ts
const receipt = {
  "purchaseToken": "...",
  "packageName": "...",
  "subscription": false,
  "productId": "..."
};
const item: any = await iap.validate(JSON.stringify(receipt));
```

I got the receipt from Google. It's weird; why did I get an invalid purchase token? Please help me. Thanks and best regards

dylangolow commented 3 years ago

Just so anyone following this sees, I was able to get around this by using the client email and private key option for google instead without any errors. Of course, it would still be nice to use a public key instead of this option, and the docs don't necessarily guide anyone to do this, but it works!

timeisgolden commented 3 years ago

> Just so anyone following this sees, I was able to get around this by using the client email and private key option for google instead without any errors. Of course, it would still be nice to use a public key instead of this option, and the docs don't necessarily guide anyone to do this, but it works!

Thanks for your reply. I solved the problem by removing `JSON.stringify()`. It was my fault for adding `JSON.stringify()` in `iap.validate()`. That worked for now. Best regards