LiveOps - Server-Side Receipt Verification
Overview
In addition to the client-side receipt validation that you can do in the SDKBOX IAP plugin, you can also optionally enable server-side validation provided by SDKBOX LiveOps.
If enabled, every purchase is automatically (and transparently) checked against Google or Apple servers for authenticity. The purchase receipts are authenticated without any code change on the developer's side. As with local validation, there are two public plugin interface methods: onSuccess() and onFailure(). They are notified with the verification result.
If the remote verification request fails, for example because of a timeout or a networking error when communicating with SDKBOX LiveOps, the system automatically falls back to local receipt verification.
Note
It is important to note that this feature requires:
1. The app uses Remote Configuration with the IAP plugin.
2. A call to sdkbox::IAP::enableUserSideVerification(false); after sdkbox::IAP::init();
Remote verification flow
iOS
- Player makes a purchase (pays for an item).
- CompleteTransaction is called, and cyphered receipt info is obtained.
- If the developer requested to do receipt validation [whether the app has remote config or not]:
  - onPayResult is called with PaymentTransactionNeedsVerification set as code. The Product notified on the plugin's listener has the cyphered payload info, so the developer can launch their own purchase verification process.
  - The purchase transaction is finished.
- If the developer did not request to do receipt validation:
  - If the application does not have remote configuration enabled:
    - onPayResult is called with code: PaymentTransactionStatePurchased.
    - The transaction is finished.
  - If the application has remote configuration enabled: remote IAP validation is started by calling the checkAuthenticity method. This method does the remote verification of the purchase's cyphered payload.
    - A request to the sdkbox.com server is sent for purchase payload verification.
    - If the request times out or errors: onPayResult is called with code: kPaySuccessAndValidationError. These are error situations with the validation server.
    - If the request is aborted by the user: onPayResult is called with code: kPaySuccessAndValidationError. (Same as before.)
    - If the verification request is processed normally, a JSON response is returned as the result:
      - Verification is not successful: onPayResult is called with code: kPaySuccessAndValidationNotAuthenticated.
      - Verification is successful: onPayResult is called with code: kPaySuccessAndValidationAuthenticated.
    - The transaction is always finished.
Android IAP flow
- Player makes a purchase request, and pays for it.
- If the purchase is canceled, onPayResult is called with code PAYRESULT_CANCEL.
- If the purchase is errored, onPayResult is called with code PAYRESULT_FAIL.
- If the purchase is successful:
  - Receipt and cyphered payload info is obtained.
  - If the developer requested to do receipt validation, onPayResult is called with PAYRESULT_NEEDS_VERIFICATION. The Product passed to the plugin listener has the receipt and cyphered payload information, which is sufficient info to verify purchase authenticity.
  - Else:
    - If the application does not have remote configuration set, the local validation process is executed:
      - The application's private key must be present in the sdkbox_config.json file.
      - If verification succeeds: onPayResult is called with code PAYRESULT_SUCCESS.
      - If verification fails: onPayResult is called with code PAYRESULT_FAIL.
    - If the application has remote configuration set, a remote validation request is started:
      - If the validation request errors or times out (both situations refer to our server or network status), the verification process falls back to local verification (step 4.3.1, the local validation process above).
      - If the validation request is aborted, onPayResult is called with code PAYRESULT_FAIL.
      - If the validation request executes normally:
        - If validation is not successful, the verification process falls back to local verification (step 4.3.1, the local validation process above).
        - If validation is successful, onPayResult is called with code PAYRESULT_SUCCESS.
  - If the purchase is a Consumable item, the purchase will always be consumed.
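The Android flow above, written as a decision function so every branch can be checked. This is an added model, not SDKBOX code: the type and function names are constructed for illustration, and only the PAYRESULT_* strings come from this page.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Constructed names; "Rejected" stands for "validation is not successful".
enum class Purchase { Canceled, Errored, Successful };
enum class Remote { Error, Timeout, Aborted, Rejected, Accepted };

struct Inputs {
    Purchase purchase;
    bool developerValidates;  // developer requested to do receipt validation
    bool remoteConfig;        // application has remote configuration set
    Remote remote;            // remote request outcome (unused without remoteConfig)
    bool localOk;             // result of local verification with the configured key
};

// Local validation process (step 4.3.1 in the flow).
static std::string localVerify(bool ok) {
    return ok ? "PAYRESULT_SUCCESS" : "PAYRESULT_FAIL";
}

std::string androidPayResult(const Inputs& in) {
    if (in.purchase == Purchase::Canceled) return "PAYRESULT_CANCEL";
    if (in.purchase == Purchase::Errored) return "PAYRESULT_FAIL";
    if (in.developerValidates) return "PAYRESULT_NEEDS_VERIFICATION";
    if (!in.remoteConfig) return localVerify(in.localOk);
    switch (in.remote) {
        case Remote::Accepted: return "PAYRESULT_SUCCESS";
        case Remote::Aborted:  return "PAYRESULT_FAIL";
        default:               return localVerify(in.localOk);  // error, timeout, rejected
    }
}

// Counts the remote outcomes that end in PAYRESULT_SUCCESS although the
// remote check did not accept the receipt (local verification passing).
int successWithoutRemoteAccept() {
    int n = 0;
    for (Remote r : {Remote::Error, Remote::Timeout, Remote::Aborted, Remote::Rejected})
        if (androidPayResult({Purchase::Successful, false, true, r, true}) == "PAYRESULT_SUCCESS") ++n;
    return n;
}

int main() {
    std::cout << successWithoutRemoteAccept()
              << " non-accepted remote outcomes reach PAYRESULT_SUCCESS\n";
    return 0;
}
```

When local verification passes, the result is PAYRESULT_SUCCESS for every remote outcome except an aborted request, including a remote "not successful" response. That is the case to weigh when deciding whether to request PAYRESULT_NEEDS_VERIFICATION and run your own check.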
Setup
For Android Play
- Make sure to enable Remote Configuration in your app.
- Create or select the configuration for Android, and add the Google Play IAP plugin in Essentials. You need to fill in the Google Play developer console's application private key. If the private key is not supplied, the local verification will always notify onFail().
For Apple App Store
- TBD