in-app-purchase

[Bug] Check parsed JSON receipt if it contains the purchaseToken field for Google Play

Open emersonhsieh opened this issue 4 years ago • 5 comments

Currently, to determine if the platform type of the receipt is Google Play, there are two cases:

  • If the receipt passed into iap.validate is an object, then the code checks if receipt.signature or receipt.purchaseToken exists.
  • If the receipt passed into iap.validate is a string, then the code first parses the receipt into an object (called parsed), then it is supposed to check if parsed.signature or parsed.purchaseToken exists.

However, for the second condition the code never checks parsed.purchaseToken, instead checking whether receipt.purchaseToken exists twice.

As a result, when a Google Play receipt string that uses a service account for validation is passed into iap.validate, the package interprets it as an Amazon receipt since the receipt will not contain parsed.signature. It only contains parsed.purchaseToken, which is never checked.

emersonhsieh, Jun 15 '20 22:06
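
A minimal model of the platform check described in the issue above, added here as an example and not the package's own code. The function names, the 'google'/'amazon' labels and the sample receipt are constructed for illustration.

```javascript
// Simplified model of the Google Play detection described in the issue.
// All names here are hypothetical; this is not the in-app-purchase source.

function tryParse(receipt) {
  try {
    const parsed = JSON.parse(receipt);
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch (e) {
    return null; // not JSON, so it cannot carry Google Play fields
  }
}

function hasGoogleFields(obj) {
  return Boolean(obj && (obj.signature || obj.purchaseToken));
}

// Behaviour reported in the issue: in the string branch the check reads
// receipt.purchaseToken (always undefined on a string), never parsed.purchaseToken.
function detectPlatformBuggy(receipt) {
  if (receipt !== null && typeof receipt === 'object') {
    return hasGoogleFields(receipt) ? 'google' : 'amazon';
  }
  const parsed = tryParse(receipt);
  if (parsed && (parsed.signature || receipt.purchaseToken)) return 'google';
  return 'amazon'; // fall-through that the issue describes
}

// Corrected check: normalise to an object first, then test the same fields once.
function detectPlatformFixed(receipt) {
  const obj = typeof receipt === 'string' ? tryParse(receipt) : receipt;
  return hasGoogleFields(obj) ? 'google' : 'amazon';
}

// Constructed sample: service-account style receipt with no signature field.
const sample = {
  packageName: 'com.example.app',
  productId: 'sku_1',
  purchaseToken: 'constructed-token',
  subscription: false,
};

function compare(receipt) {
  return { buggy: detectPlatformBuggy(receipt), fixed: detectPlatformFixed(receipt) };
}

console.log('object:', compare(sample));
console.log('string:', compare(JSON.stringify(sample)));
```

Only the stringified receipt is misrouted, which is why the same receipt validates as an object and fails as a string.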

Also ran into this, please consider merging

nwparker, Oct 16 '20 06:10

I also ran into this, please merge!

dylangolow, Nov 27 '20 00:11

Hello, I used the Google Play service to validate a receipt, but I got the following error.

https://appstore-sdk.amazon.com/version/2.0/verify/developer/%7BdeveloperSecret%7D/user/ undefined /purchaseToken/ undefined

{"error":{},"status":498,"message":"Invalid Purchase Token"}

The code I used is below.

    const receipt = {
      "purchaseToken": "...",
      "packageName": "...",
      "subscription": false,
      "productId": "..."
    };
    const item: any = await iap.validate(JSON.stringify(receipt));

I got the receipt from Google. It's weird, why did I get an invalid purchase token? Please help me. Thanks and best regards

timeisgolden, Dec 11 '20 03:12

Just so anyone following this sees, I was able to get around this by using the client email and private key option for google instead without any errors. Of course, it would still be nice to use a public key instead of this option, and the docs don't necessarily guide anyone to do this, but it works!

dylangolow, Dec 11 '20 04:12

> Just so anyone following this sees, I was able to get around this by using the client email and private key option for google instead without any errors. Of course, it would still be nice to use a public key instead of this option, and the docs don't necessarily guide anyone to do this, but it works!

Thanks for your reply. I solved the problem by removing JSON.stringify(). It was my fault for adding JSON.stringify() in iap.validate(). That worked for now. Best Regards

timeisgolden, Dec 11 '20 04:12