如何验证服务器端的Android应用程序购买（谷歌播放应用程序开发v3） [英] How to verify purchase for android app in server side (google play in app billing v3)

问题描述

我有一个简单的应用程序（需要用户登录帐户）。我为付费用户提供了一些高级功能，比如更多新闻内容。

I have a simple app (needs user login with account). I provide some premium features for paid users, like more news content.

如果用户在我的服务器数据库中购买了这个项目，我需要记录。当我向用户的设备提供数据内容时，我可以检查用户的状态，并为付费用户提供不同的内容。

I need to record if the user has bought this item in my server database. When I provide data content to user's device, I can then check the user's status, and provide different content for paid user.

我检查了Google提供的官方Trivialdrive示例，它没有为服务器端验证提供任何示例代码，这是我的问题。

I checked the official Trivialdrive sample provided by Google, it does not provide any sample code for server-side verification, here are my questions.

1. 我发现样本使用我的应用程序的公钥内部为了验证购买，它看起来不太好，我想我可以将验证过程移到我的服务器上并结合用户登录凭据来查看用户购买是否完成，然后更新数据库。


2. 还有购买API 我可以用来查询，什么我需要的是将用户的purchaseToken传递到服务器。

1. I found the sample use my app's public key inside to verify purchase, it looks not good, I think I can just move the verification process to my server combined with user login credentials to see whether the user purchase completed, and then update the database.
2. Also there is purchase API I can use to query, what I need is to pass the user's purchaseToken into server.

我不确定我应采取什么方法来验证用户的购买，以及在我的数据库中标记用户的状态，可能两者都是？

I am not sure what method I should take to verify the user's purchase, and mark the user's status in my database, maybe both?

我担心有一种情况，如果用户从谷歌播放购买此项目，但出于某种原因，就在那个时候，当我的应用程序启动验证到我的服务器，网络连接中断或我自己的服务器已关闭，用户只是在谷歌播放中支付了钱，但我没有在我的服务器上记录购买？我该怎么办，我该如何应对这种情况。

And I am afraid there is a situation, if a user bought this item from google play, but for some reason, just in that time, when my app launched verification to my server, the network connection is down or my own server is down, user just paid the money in google play but I did not record the purchase in my server? What should I do, How can I deal with this situation.

推荐答案

听起来你正在寻找的是一种方式检查用户是否在其帐户中启用了高级功能，因此这是我要开始的地方;

It sounds what you're looking for is a way to check if the user has premium features enabled on their account, so this is where I would start;

确保数据库上有某种标志，指示用户是否具有高级功能，并在请求帐户信息时包含在API响应有效负载中。此标志将是您高级功能的主要权限。

Ensure there is a flag of some sort on your database indicating if the user has premium features and include that in the API response payload when requesting account info. This flag will be your primary authority for "premium features".

当用户进行应用内购买时，请缓存详细信息（令牌，订单ID和产品ID） ）在客户端本地（即应用程序）然后将其发送到您的API。

When a user makes an in-app purchase, cache the details (token, order id, and product id) locally on the client (i.e the app) then send it to your API.

您的API应该发送 purchaseToken 到 Google Play Developer API 进行验证。

Your API should then send the purchaseToken to the Google Play Developer API for validation.

从这里可能会发生一些事情：

A few things might happen from here:

1. 收据有效，您的API响应具有200状态代码的客户


2. 收据无效，您的API使用400错误请求状态代码响应客户


3. Google Play API关闭，您的API以502 Bad Gateway状态代码响应

在1.或2的情况下（2xx或4xx状态）代码）您的客户清除购买详细信息的缓存，因为它不再需要它，因为API表示已收到。

In the case of 1. or 2. (2xx or 4xx status codes) your client clears the cache of purchase details because it doesn't need it anymore because the API has indicated that it has been received.

验证成功后（案例1），您应该为用户将 premium 标志设置为true。

Upon a successful validation (case 1.), you should set the premium flag to true for the user.

对于3.（5xx状态代码）或网络超时，客户端应继续尝试，直到它从您的API收到2xx或4xx状态代码。

In the case of 3. (5xx status code) or a network timeout the client should keep trying until it receives a 2xx or 4xx status code from your API.

根据您的要求，您可以在再次发送之前等待几秒钟，或者只在应用程序再次启动时将详细信息发送到您的API，购买详细信息存在于应用缓存中。

Depending on your requirements, you could make it wait a few seconds before sending again or just send the details to your API when ever the app is launched again or comes out of background if the purchase details are present on the app cache.

此方法应该处理网络超时，服务器不可用等等。

This approach should take care of network timeouts, servers being unavailable, etc.

现在需要考虑几个问题：

There are now a few questions you need to consider:

购买后会立即发生什么？如果应用程序在提供优质内容之前等待验证成功，或者应该暂时授予访问权限并在验证失败时将其删除吗？

What should happen immediately after a purchase? Should the app wait until validation is successful before providing premium content or should it tentatively grant access and take it away if the validation fails?

授予对高级功能的暂时访问权限可以平滑适用于大多数用户的流程，但当您的API验证 purchaseToken 时，您也会授予对多个欺诈用户的访问权限。

Granting tentative access to premium features smooths the process for a majority of your users, but you will be granting access to a number of fraudulent users too while your API validates the purchaseToken.

以另一种方式说明：购买有效，直至证明有欺诈行为或;欺诈，直到证明有效？

To put this in another way: Purchase is valid until proven fraudulent or; fraudulent until proven valid?

为了确定用户在续订的订阅期限内是否仍然有有效订阅，您需要安排重新验证在 purchaseToken 上运行 expiryTimeMillis 。 google.com/android-publisher/api-ref/purchases/subscriptions\">结果。

In order to identify if the user still has a valid subscription when their subscription period comes up for renewal, you will need to schedule a re-validation on the purchaseToken to run at the expiryTimeMillis that was returned in the result.

如果 expiryTimeMillis 过去，您可以将 premium 标记设置为false。如果是将来，请再次为新的 expiryTimeMillis 重新安排。

If the expiryTimeMillis is in the past, you can set the premium flag to false. If it's in the future, re-schedule it again for the new expiryTimeMillis.

最后，为了确保用户有权访问（或不访问），您的应用应该在API上查询应用启动时的用户详细信息或背景时的详细信息。

Lastly, to ensure the user has premium access (or not), your app should query your API for the users details on app launch or when it comes out of background.

这篇关于如何验证服务器端的Android应用程序购买（谷歌播放应用程序开发v3）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！