Overview
- Why do you need to validate on a server?
- iOS implementation
- Android implementation
Why do you need to validate on a server?
When I first searched for a Flutter implementation of in-app purchase, I found this post in Korean, which basically said that some users had hacked the app and used the paid service without actually paying. So I decided to add extra validation on my server to make sure the payment system is safe.
iOS implementation
First, you need to know how to implement in-app purchase on the frontend side. When a purchase is completed, the frontend is able to provide a base64-encoded string called the 'receipt'. The server never trusts the app's own "purchase succeeded" flag; it sends this receipt to Apple and lets Apple say whether it is genuine.
In iOS there are two kinds of purchase, sandbox (development test) and production (real purchase), and they are validated against different endpoints: https://sandbox.itunes.apple.com/verifyReceipt for sandbox and https://buy.itunes.apple.com/verifyReceipt for production. Apple has since deprecated verifyReceipt in favor of the App Store Server API; it still responds, but new server code should plan to migrate. You make a POST request to one of these endpoints with a JSON body like the one below.
{
  "password": SHARED_SECRET,
  "receipt-data": RECEIPT_FROM_FRONT,
  "exclude-old-transactions": true
}
When 'exclude-old-transactions' is true, Apple's response contains only the latest transaction in latest_receipt_info instead of the whole renewal history, which is useful when the purchase is an auto-renewable subscription.
'receipt-data' is the base64 receipt string that the frontend handed over to the server.
'password' is the app-specific shared secret that you generate in App Store Connect, in the in-app purchase section of your app's page. It is required for auto-renewable subscriptions and must stay on the server; never ship it inside the app. This post has a screenshot of it in English.
If response.data.status is equal to 0, Apple accepted the receipt as genuine. That alone does not mean the user is entitled to anything: also check that receipt.bundle_id is your app's bundle ID, that the product_id you are unlocking actually appears in the returned transactions, and, for subscriptions, that expires_date_ms is still in the future. A status of 21007 means a sandbox receipt was sent to the production endpoint; Apple's recommended flow is to verify against production first and retry against sandbox on 21007, so that App Review (which tests your production build with sandbox receipts) works without special-casing. Any other non-zero status, for example 21004 (shared secret mismatch), should be treated as an invalid purchase.
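The whole iOS check in one place, as an added example in Python (it is not code from the original post, which does not show its server code). The endpoint URLs and the 21007 status code are Apple's documented values; the expected bundle ID, product IDs and the receipt strings are assumed placeholders, and the transport is injectable so the decision logic can be exercised offline with constructed responses.

```python
import json
import urllib.request

# Apple's verifyReceipt endpoints: production first, sandbox as fallback.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Status Apple returns when a sandbox receipt is sent to the production endpoint.
STATUS_SANDBOX_RECEIPT = 21007


def post_json(url, body):
    """Default transport: POST a JSON body to Apple and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_receipt(receipt_b64, shared_secret, expected_bundle_id,
                   expected_product_id, now_ms, post=post_json):
    """Validate one receipt server-side and return an entitlement decision.

    receipt_b64: the base64 receipt string handed over by the app.
    shared_secret: the app-specific shared secret from App Store Connect;
                   it is read from server config and never leaves the server.
    now_ms: current time in milliseconds (injected so the check is testable).
    post: transport; replaced with a fake in offline tests.
    """
    body = {
        "receipt-data": receipt_b64,
        "password": shared_secret,
        "exclude-old-transactions": True,
    }
    # Try production first and fall back to sandbox on 21007, so the same
    # server code serves real users, testers and App Review.
    resp = post(PRODUCTION_URL, body)
    if resp.get("status") == STATUS_SANDBOX_RECEIPT:
        resp = post(SANDBOX_URL, body)

    status = resp.get("status")
    if status != 0:
        return {"valid": False, "reason": f"Apple status {status}"}

    # status 0 only says the receipt is genuine; it could be a genuine
    # receipt for somebody else's app, so pin the bundle ID.
    receipt = resp.get("receipt", {})
    if receipt.get("bundle_id") != expected_bundle_id:
        return {"valid": False, "reason": "bundle_id mismatch"}

    # Auto-renewable subscriptions come back in latest_receipt_info (only the
    # newest one, because of exclude-old-transactions); one-time purchases
    # live in receipt.in_app and carry no expires_date_ms.
    transactions = resp.get("latest_receipt_info") or receipt.get("in_app") or []
    for tx in transactions:
        if tx.get("product_id") != expected_product_id:
            continue
        result = {
            "valid": True,
            "environment": resp.get("environment"),
            "original_transaction_id": tx.get("original_transaction_id"),
        }
        if "expires_date_ms" in tx:
            expires_ms = int(tx["expires_date_ms"])
            if expires_ms <= now_ms:
                return {"valid": False, "reason": "subscription expired"}
            result["expires_ms"] = expires_ms
        return result
    return {"valid": False, "reason": "product not in receipt"}
```

Store the returned original_transaction_id against the user account that submitted the receipt; if the same one later arrives from a different account, the receipt is being shared, which a status-0 check alone will never notice.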
Android implementation
For the Android implementation, I found a really good answer on Stack Overflow. The explanation is very detailed and works properly, so I won't go into details; please read that answer.
If I could add a little more information on this, I needed to use 'https://www.googleapis.com/auth/androidpublisher' in order to get the right access token with proper permissions.
As the Stack Overflow answer mentions, the response of this API call (purchases.subscriptions.get in the Google Play Developer API) contains an 'expiryTimeMillis' field. As long as this timestamp is greater than the current time, the subscription is active. expiryTimeMillis only exists for subscriptions; for one-time products you call purchases.products.get and check purchaseState (0 means purchased) instead. Also look at paymentState (0 means the payment is still pending even though expiryTimeMillis is in the future), and store the orderId or purchase token per user so that one purchase cannot be replayed into several accounts.
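The Android side as an added Python example (not code from the original post or from the Stack Overflow answer it refers to). The scope string and the androidpublisher v3 URL shape are Google's documented values; the token is minted with the google-auth library, which is an assumed dependency and is imported lazily so the decision logic below runs offline. The package name, subscription ID and purchase tokens are assumed placeholders, and the HTTP fetch is injectable for testing with constructed responses.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# The OAuth scope the access token must carry; without it the API answers 401/403.
ANDROID_PUBLISHER_SCOPE = "https://www.googleapis.com/auth/androidpublisher"
API_BASE = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"


def get_access_token(service_account_file):
    """Mint a bearer token for the androidpublisher scope from a service-account key.

    Assumes the google-auth library (pip install google-auth requests); it is
    imported here rather than at module level so the offline checks still run.
    """
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(
        service_account_file, scopes=[ANDROID_PUBLISHER_SCOPE])
    creds.refresh(Request())
    return creds.token


def subscription_url(package_name, subscription_id, purchase_token):
    """purchases.subscriptions.get URL; every segment is percent-encoded."""
    return (f"{API_BASE}/{quote(package_name, safe='')}/purchases/subscriptions/"
            f"{quote(subscription_id, safe='')}/tokens/{quote(purchase_token, safe='')}")


def fetch_json(url, access_token):
    """Default transport: authenticated GET returning the decoded JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate_subscription(purchase, now_ms):
    """Decide entitlement from a SubscriptionPurchase resource.

    expiryTimeMillis alone is not enough: a purchase whose payment is still
    pending also carries a future expiry.
    """
    expiry_ms = int(purchase.get("expiryTimeMillis", "0"))
    if expiry_ms <= now_ms:
        return {"valid": False, "reason": "subscription expired"}
    # paymentState: 0 pending, 1 received, 2 free trial, 3 pending deferred change
    if purchase.get("paymentState") == 0:
        return {"valid": False, "reason": "payment pending"}
    return {
        "valid": True,
        "expiry_ms": expiry_ms,
        "auto_renewing": purchase.get("autoRenewing", False),
        "order_id": purchase.get("orderId"),
        # purchaseType is only present for test (0) and promo (1) purchases;
        # the caller decides whether license-tester purchases unlock production.
        "is_test": purchase.get("purchaseType") == 0,
    }


def check_subscription(package_name, subscription_id, purchase_token,
                       access_token, now_ms, fetch=fetch_json):
    """End-to-end check: ask Google Play about the token, then evaluate the answer."""
    url = subscription_url(package_name, subscription_id, purchase_token)
    try:
        purchase = fetch(url, access_token)
    except urllib.error.HTTPError as e:
        # A token Google has never issued gets a 4xx; treat it as forged.
        return {"valid": False, "reason": f"Google Play API error {e.code}"}
    return evaluate_subscription(purchase, now_ms)
```

In production the call is check_subscription(package, sku, token_from_app, get_access_token("service-account.json"), int(time.time() * 1000)); the purchase token must be the one the app received from Google Play, never a value the client could have typed.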