通过促销代码进行的应用内购买会返回空的开发人员负载字符串 [英] In-app purchases made via promo codes return empty developer payload string
问题描述
我有一个应用程序已发布到Alpha渠道,并有一个应用程序内(未)管理的物品,价格为1美元。
当我正常购买时,即使用信用卡/借记卡Google会返回正确的开发人员有效负载字符串,但如果我选择赎回促销代码并输入所述代码,Google会返回一个空的开发人员负载字符串,从而在'onIabPurchaseFinished()'中验证失败。 p>
我应该提到,只有当我选择从应用的购买流程中兑换代码时,才会发生这种情况,并且如果我先打开Play商店,兑换代码,然后再运行回来并打开应用程序。
这是Google的一个漏洞吗?
编辑:Play商店事情是可以预料的,因为它无法知道你的有效载荷,而购买是在没有检查的情况下完成的。 问题在google的android-play-billing示例中打开 repo 。
看起来好像很长一段时间被忽略了,最终以此评论。总之,他们有以下建议。
我们回顾了我们的指南和内部API,并且由于developerPayload是不支持应用内结算API的所有功能(包括promocodes),我们将删除建议以将其用作安全检查。 >正如您在我们的文档中看到的,在页面实现应用内结算( https://developer.android.com/google/play/billing/billing_integrate.html )我们添加了一项建议:
注意:请勿将developerPayload字段用于安全验证目的。此字段在完成与应用内结算相关的任务时并不总是可用。有关安全最佳做法的更多信息,请参阅应用内结算安全和设计指南。
我们的建议是在您自己的后端进行验证,使用Play Developer API。I have an app published to the alpha channel, with an in-app (un)managed item that costs $1.
When I purchase normally, i.e, use a credit/debit card Google returns the correct developer payload string, but if I choose to "redeem" a promo code and enter said code, Google returns an empty developer payload string, and thus authentication fails in 'onIabPurchaseFinished()'.
I should mention that this only occurs if I choose to redeem a code from the app's purchase flow, and everything works flawlessly if I open Play Store first, redeem the code, and then come back and open the app.
Is this a bug on Google's part?
EDIT: The Play Store thing is expected, since it can't know your payload and the purchase is done without having to check for it.
This issue was opened on the google's android-play-billing samples repo. Looks like it was ignored for a long time and was eventually closed with this comment. In short, they have following suggestions.
We reviewed our guidelines and internal APIs, and since the developerPayload is not supported across all features on In-App Billing API (including promocodes), we are removing the recommendation to use it as a security check.
As you can see in our documentation, on the page Implementing In-app Billing (https://developer.android.com/google/play/billing/billing_integrate.html) we've added a recommendation:
Caution: Don't use the developerPayload field for security validation purposes. This field isn't always available when completing tasks related to In-app Billing. For more information about security best practices, see the In-app Billing Security and Design guide.
Our recommendation is to validate on your own backend, using the Play Developer API.
这篇关于通过促销代码进行的应用内购买会返回空的开发人员负载字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
