in_app_purchase plugin _verifyPurchase
398 views
Skip to first unread message
Jeff Jorczak
Apr 27, 2020, 2:02:03 PM4/27/20
to Flutter Development (flutter-dev)
The official Flutter in app purchase plugin example has this method:
Future<bool> _verifyPurchase(PurchaseDetails purchaseDetails) {
// IMPORTANT!! Always verify a purchase before delivering the product.
// For the purpose of an example, we directly return true.
return Future<bool>.value(true);
}Can anyone explain what we are supposed to do to "verify?" The store is already telling us by this point that the purchase happened, or we can query it to see that the product is owned. What else would we do for validation?
Example is here: https://pub.dev/packages/in_app_purchase#-example-tab-
Ralph Bergmann
Apr 27, 2020, 2:25:00 PM4/27/20
to Flutter Development (flutter-dev), Jeff Jorczak
In a perfect world you use your own backend to verify the purchase.
--
You received this message because you are subscribed to the Google Groups "Flutter Development (flutter-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to flutter-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/flutter-dev/7db40345-0074-494f-9e1d-69d7c76675c7%40googlegroups.com.
Jeff Jorczak
Apr 27, 2020, 2:38:53 PM4/27/20
to Flutter Development (flutter-dev)
Is this a nomenclature thing where "verify" means "persist that the user owns the product?"
Otherwise, if the Store is telling me a purchase was made, it's the source of authority. I have no data at that point to verify against, taking the word "verify" literally.
Ralph Bergmann
Apr 27, 2020, 2:45:25 PM4/27/20
to Flutter Development (flutter-dev), Jeff Jorczak
This verification on your own backend is the recommended way.
On the user's phone, you should get some purchase receipt, send this receipt to your backend. Your backend sends it to Google/Apple for verification.
Depending on the verification result, you send a free or a purchased data set.
Is this a nomenclature thing where "verify" means "persist that the user owns the product?"Otherwise, if the Store is telling me a purchase was made, it's the source of authority. I have no data at that point to verify against, taking the word "verify" literally.
--
You received this message because you are subscribed to the Google Groups "Flutter Development (flutter-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to flutter-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/flutter-dev/40dd9945-f136-47b3-b517-6c9f2b171b00%40googlegroups.com.
Jeff Jorczak
Apr 27, 2020, 2:51:04 PM4/27/20
to Flutter Development (flutter-dev)
Got it. Similar to an authentication token we don't explicitly trust the store response to the actual device. I'm assuming this is a value vs. risk decision since the normal user isn't going to know how to intercept the store message and spoof a purchase. But a certain small number of hackers could get your product for free. I can see for a consumable that affects the balance of game, this extra step is important.
Thank you for the clarification.
Reply all
Reply to author
Forward
0 new messages