从Firebase Functions调用Google Play开发人员API [英] Call Google Play Developer API from Firebase Functions

问题描述

我正在尝试以

I am trying to develop a server-side validation of my users' in-app purchases and subscriptions as recommended, and I want to use Firebase Functions for that. Basically it has to be an HTTP trigger function that receives a purchase token, calls the Play Developer API to verify the purchase, and then does something with the result.

但是，调用许多Google API(包括 Play开发人员API )需要非平凡的授权.这是我对所需设置的了解:

However, calling many of the Google APIs (including Play Developer API) requires non-trivial authorization. Here's how I understand the required setup:

1. 必须有一个启用了Google Play开发者API v2的GCP项目.
2. 这应该是一个单独的项目，因为在Google Play控制台中只有一个链接到Play商店.
3. 我的Firebase Functions项目必须以某种方式向该其他项目进行身份验证.我认为在这种服务器到服务器方案中，最适合使用服务帐户.
4. 最后，我的Firebase Functions代码必须以某种方式获取身份验证令牌(希望是JWT?)，并最终进行API调用以获取订阅状态.

问题在于，绝对没有人类可读的文档或指南.鉴于Firebase的入口流量已包含在免费计划中(因此，我认为他们鼓励使用Firebase Functions中的Google API)，这一事实令人非常失望.我设法在这里和那里找到了一些信息，但是对Google API的使用经验太少(其中大多数都只需要使用api键就可以了)，我需要将其组合在一起的帮助.

The problem is that absolutely no human-readable documentation or guidance on that is existent. Given that ingress traffic in Firebase is included in the free plan (so I assume they encourage using Google APIs from Firebase Functions), that fact is pretty disappointing. I've managed to find some bits of info here and there, but having too little experience with Google APIs (most of which required simply using an api key), I need help with putting it together.

这是我到目前为止所发现的:

Here's what I figured out so far:

1. 我有一个关联到Play商店并启用了API的GCP项目.但是由于某些原因，尝试在API Explorer中对其进行测试会导致错误用于调用Google Play开发者API的项目ID尚未在Google Play开发者控制台中链接".
2. 我创建了一个服务帐户，并导出了一个JSON密钥，其中包含用于生成JWT的密钥.
3. 我还在Play控制台中为该服务帐户设置了读取权限.
4. 我找到了用于Google API的 Node.JS客户端库.在Alpha中，并且文档非常稀疏(例如，没有关于如何通过JWT进行身份验证的明显文档，也没有关于如何调用android Publisher API的示例).目前，我正在为此而苦苦挣扎.不幸的是，我对阅读JS库代码并不感到特别不舒服，尤其是当编辑器无法提供跳转到突出显示的函数源的可能性时.

1. I got a GCP project linked to the Play Store and with the API enabled. For some reason though, trying to test it in APIs Explorer results in an error "The project id used to call the Google Play Developer API has not been linked in the Google Play Developer Console".
2. I made a Service Account and exported a JSON key, which contains the key to produce a JWT.
3. I also set up read permissions for that Service Account in Play Console.
4. I found a Node.JS client library for Google APIs, which is in alpha and has very sparse documentation (e.g. there's no obvious documentation on how to authenticate with JWT, and no samples on how to call the android publisher API). At the moment I'm struggling with that. Unfortunately I'm not super-comfortable with reading JS library code, especially when the editor doesn't provide the possibility to jump to highlighted functions' sources.

我很惊讶没有被问到或记录下来，因为从Firebase Functions验证应用内购买似乎是一项常见的任务.以前有人成功完成过此任务，还是Firebase团队会介入其中?

I'm pretty surprised this hasn't been asked or documented, because verifying in-app purchases from Firebase Functions seems like a common task. Has anyone successfully done it before, or maybe the Firebase team will step in to answer?

推荐答案

我自己弄清楚了.我还放弃了重量级的客户端库，只是手动编写了一些请求.

I figured it out myself. I also ditched the heavyweight client library and just coded those few requests manually.

注意:

• 这同样适用于任何Node.js服务器环境.您仍然需要一个单独的服务帐户的密钥文件来创建JWT，并需要两个步骤来调用API，Firebase也不例外.
• 这同样适用于其他需要身份验证的API-仅在JWT的scope字段中有所不同.
• 有一些API 不需要您交换用于访问令牌的JWT-您可以铸造JWT并直接在Authentication: Bearer中提供它，而无需往返于OAuth后端.

• The same applies to any Node.js server environment. You still need the key file of a separate service account to mint a JWT and the two steps to call the API, and Firebase is no different.
• The same applies to other APIs that require authentication as well — differing only in scope field of the JWT.
• There are a few APIs that don't need you to exchange the JWT for an access token — you can mint a JWT and provide it directly in Authentication: Bearer, without a round trip to OAuth backend.

获取具有链接到Play商店的服务帐户的私钥的JSON文件后，调用API的代码如下(根据您的需要).注意:我使用request-promise做为http.request的更好方法.

After you've got the JSON file with the private key for a Service Account that's linked to Play Store, the code to call the API is like this (adjust to your needs). Note: I used request-promise as a nicer way to do http.request.

const functions = require('firebase-functions');
const jwt = require('jsonwebtoken');
const keyData = require('./key.json');         // Path to your JSON key file
const request = require('request-promise');

/** 
 * Exchanges the private key file for a temporary access token,
 * which is valid for 1 hour and can be reused for multiple requests
 */
function getAccessToken(keyData) {
  // Create a JSON Web Token for the Service Account linked to Play Store
  const token = jwt.sign(
    { scope: 'https://www.googleapis.com/auth/androidpublisher' },
    keyData.private_key,
    {
      algorithm: 'RS256',
      expiresIn: '1h',
      issuer: keyData.client_email,
      subject: keyData.client_email,
      audience: 'https://www.googleapis.com/oauth2/v4/token'
    }
  );

  // Make a request to Google APIs OAuth backend to exchange it for an access token
  // Returns a promise
  return request.post({
    uri: 'https://www.googleapis.com/oauth2/v4/token',
    form: {
      'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      'assertion': token
    },
    transform: body => JSON.parse(body).access_token
  });
}

/**
 * Makes a GET request to given URL with the access token
 */
function makeApiRequest(url, accessToken) {
  return request.get({
    url: url,
    auth: {
      bearer: accessToken
    },
    transform: body => JSON.parse(body)
  });
}

// Our test function
exports.testApi = functions.https.onRequest((req, res) => {
  // TODO: process the request, extract parameters, authenticate the user etc

  // The API url to call - edit this
  const url = `https://www.googleapis.com/androidpublisher/v2/applications/${packageName}/purchases/subscriptions/${subscriptionId}/tokens/${token}`;

  getAccessToken(keyData)
    .then(token => {
      return makeApiRequest(url, token);
    })
    .then(response => {
      // TODO: process the response, e.g. validate the purchase, set access claims to the user etc.
      res.send(response);
      return;
    })
    .catch(err => {
      res.status(500).send(err);
    });
});

这些是我关注的文档.

这篇关于从Firebase Functions调用Google Play开发人员API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！