Server side verification of Google Play in-app billing version 3 purchase (part 2)


Problem description

So I thought I understood how in-app billing and server-side verification work thanks to an answer to a previous question of mine, but now that I think of it I'm still lost...

This is what I have and what I want to do:

I have an app where the users can purchase several "items". Each item is stored on a server and an item should be made available for download within the app upon purchase. The items are managed items that can be purchased only once (i.e. non-consumable). I have no problem defining items in the Google Play Developer console and I can perform a successful purchase.

What I don't understand is how I can get my server to not only validate the purchase (using the purchaseToken and signature) but also know that it is item X and not item Y that is purchased? Is there some Google API where the server can talk to Google and ask what item id a certain purchaseToken belongs to? Is there some other way to do this?

Recommended answer

I hate to answer my own question, but hey, nobody else did! My colleagues and I took another look at the problem this morning. The solution to my problem finally occurred to me after taking another look at how the client side verification works in the TrivialDrive example. Man, did I feel like putting on my "stupid-hat" when I understood what was wrong.

I thought that it was the purchaseToken and the signature that were used to verify the purchase, but that way there was no means of verifying if it was item A or item B that was purchased.

If you want to do server-side verification (or any kind of verification for that matter) before making content available to the buyer, it's actually the original JSON data (if you use the IabHelper classes, you get the original JSON from the Purchase class) that you're supposed to use together with the signature and the public key. And since it's the original JSON data you're passing along to your server, it also contains all the information about the purchase (such as SKU id etc.).

It's also important to set the developer payload to something that uniquely identifies your user (not the device!). In our case each user has an account on the server and I use the unique user id as developer payload.

/Mr.Stupid signing off!
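
Added example, not part of the original answer or of TrivialDrive: a Go sketch of the server-side check the answer describes, verifying the signature over the original purchase JSON and only then reading the SKU and developer payload from it. The names `VerifiedSKU` and `demoSign` are hypothetical, the sample JSON is constructed, and a throwaway key stands in for the app's Google Play public key; it assumes the base64 X.509 key and SHA1withRSA signature format used by TrivialDrive's client-side check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// VerifiedSKU returns productId only after the signature over the exact raw JSON verifies.
func VerifiedSKU(pubB64, rawJSON, sigB64, userID string) (string, error) {
	der, err1 := base64.StdEncoding.DecodeString(pubB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	key, err3 := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if err1 != nil || err2 != nil || err3 != nil || !isRSA {
		return "", fmt.Errorf("malformed public key or signature")
	}
	digest := sha1.Sum([]byte(rawJSON)) // assumption: SHA1withRSA, as in TrivialDrive
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not match purchase data")
	}
	var p struct {
		ProductID        string `json:"productId"`
		DeveloperPayload string `json:"developerPayload"`
	}
	if err := json.Unmarshal([]byte(rawJSON), &p); err != nil || p.DeveloperPayload != userID {
		return "", fmt.Errorf("purchase data is malformed or belongs to another user")
	}
	return p.ProductID, nil // the server now knows which item was bought
}

// demoSign makes a throwaway key and signs rawJSON (constructed data, not Google's key).
func demoSign(rawJSON string) (pubB64, sigB64 string) {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	d := sha1.Sum([]byte(rawJSON))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA1, d[:])
	return base64.StdEncoding.EncodeToString(der), base64.StdEncoding.EncodeToString(sig)
}

func main() {
	raw := `{"productId":"item_x","purchaseState":0,"developerPayload":"user-42"}` // constructed
	pub, sig := demoSign(raw)
	fmt.Println(VerifiedSKU(pub, raw, sig, "user-42"))
}
```

The server must verify the byte-for-byte JSON string it received; re-serializing the JSON before verification changes the bytes and the signature will no longer match.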
