Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mobile IAP on purchase success always trigger when canceling payment #8084

Open
riocascade opened this issue Jun 24, 2024 · 9 comments
Open

Mobile IAP on purchase success always trigger when canceling payment #8084

riocascade opened this issue Jun 24, 2024 · 9 comments
Assignees
@AshleyScirra
Labels
external

Comments

@riocascade
Copy link

riocascade commented Jun 24, 2024
edited
Loading

Problem description

The mobileIAP on purchase success triggered when canceling the process payment for the first time, not happen on next attempt.

Attach a .c3p

IAPBug.c3p

Steps to reproduce

  1. Prepare your google play console as usual, Create application, setup the play service, setup the tester, setup the product id (consumable), etc.
  2. Upload aab file from exported IAPBug.c3p
  3. After installing the game on phone, open the game.
  4. Buy the product by pressing green button, the payment info appear, hold on this screen, and minimize the game/go back to home phone.
  5. Wait for 10seconds, and get back to game.
  6. Close the payment screen.
  7. Any actions in on purchase success event will be triggered.
  8. You can use your existing C3 android project that already on playstore and follow step 3 to 7.
  9. This issue only happen once and on fresh install.

Observed result

When user canceling the payment, any actions in on purchase success event will be triggered.
Video here

Expected result

When user canceling the payment, any actions in on purchase success event should not be triggered.

More details

Affected browsers/platforms:
Android 9.0++

First affected release:
R396b

System details

View details Platform information Product: Construct 3 r396 (beta) Browser: Chrome 126.0.6478.63 Browser engine: Chromium Context: webapp Operating system: Windows 10 Device type: desktop Device pixel ratio: 1 Logical CPU cores: 12 Approx. device memory: 8 GB User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Language setting: en-US

Local storage
Storage quota (approx): 572 gb
Storage usage (approx): 456 mb (0.1%)
Persistant storage: No

Browser support notes
This list contains missing features that are not required, but could improve performance or user experience if supported.

Nothing is missing. Everything is OK!
WebGL information
Version string: WebGL 2.0 (OpenGL ES 3.0 Chromium)
Numeric version: 2
Supports NPOT textures: yes
Supports GPU profiling: no
Supports highp precision: yes
Vendor: Google Inc. (NVIDIA)
Renderer: ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 6GB (0x00001C03) Direct3D11 vs_5_0 ps_5_0, D3D11)
Major performance caveat: no
Maximum texture size: 16384
Point size range: 1 to 1024
Extensions:

EXT_clip_control
EXT_color_buffer_float
EXT_color_buffer_half_float
EXT_conservative_depth
EXT_depth_clamp
EXT_disjoint_timer_query_webgl2
EXT_float_blend
EXT_polygon_offset_clamp
EXT_render_snorm
EXT_texture_compression_bptc
EXT_texture_compression_rgtc
EXT_texture_filter_anisotropic
EXT_texture_mirror_clamp_to_edge
EXT_texture_norm16
KHR_parallel_shader_compile
NV_shader_noperspective_interpolation
OES_draw_buffers_indexed
OES_sample_variables
OES_shader_multisample_interpolation
OES_texture_float_linear
OVR_multiview2
WEBGL_blend_func_extended
WEBGL_clip_cull_distance
WEBGL_compressed_texture_s3tc
WEBGL_compressed_texture_s3tc_srgb
WEBGL_debug_renderer_info
WEBGL_debug_shaders
WEBGL_lose_context
WEBGL_multi_draw
WEBGL_polygon_mode
WEBGL_provoking_vertex
WEBGL_stencil_texturing
Audio information
System sample rate: 48000 Hz
Output channels: 2
Output interpretation: speakers
Supported decode formats:

WebM Opus (audio/webm;codecs=opus)
WebM Vorbis (audio/webm;codecs=vorbis)
MPEG-4 Opus (audio/mp4;codecs=opus)
MPEG-4 AAC (audio/mp4;codecs=mp4a.40.2)
MP3 (audio/mpeg)
FLAC (audio/flac)
PCM WAV (audio/wav;codecs=1)
Supported encode formats:

WebM Opus (audio/webm;codecs=opus)
MPEG-4 Opus (audio/mp4;codecs=opus)
MPEG-4 AAC (audio/mp4;codecs=mp4a.40.2)
Video information
Supported decode formats:

WebM AV1 (video/webm;codecs=av01.0.00M.08)
WebM VP9 (video/webm;codecs=vp9)
WebM VP8 (video/webm;codecs=vp8)
MPEG-4 AV1 (video/mp4;codecs=av01.0.00M.08)
MPEG-4 H.265 (video/mp4;codecs=hev1.1.2.L93.B0)
MPEG-4 H.264 (video/mp4;codecs=avc1.420034)
Supported encode formats:

WebM AV1 (video/webm;codecs=av01.0.00M.08)
WebM VP9 (video/webm;codecs=vp9)
WebM VP8 (video/webm;codecs=vp8)
WebM H.264 (video/webm;codecs=avc1.420034)
MPEG-4 VP9 (video/mp4;codecs=vp9)
MPEG-4 H.264 (video/mp4;codecs=avc1.420034)
@AshleyScirra AshleyScirra self-assigned this Jun 24, 2024
@AshleyScirra
Copy link
Member

Did this issue occur in earlier releases? The only change we have made to MobileIAP is in r394 we updated the underlying cordova-plugin-purchase Cordova plugin to v13.11.1. So if that update caused this problem, then it is likely an issue with cordova-plugin-purchase rather than Construct.

@riocascade
Copy link
Author

I don't have android app released before, but someone on forum said his app that already on store is affected.

So I just wait Cordova to fix the issue?
Do i need report bug to them?

@riocascade
Copy link
Author

currently i tried putting all mobileIAP method, and only return purchase success when close the payment modal for first time

@riocascade
Copy link
Author

i'm recording the bug, check owned x0 become owned x3

Video here

@igortyhon
Copy link

igortyhon commented Jun 25, 2024
edited
Loading

Did this issue occur in earlier releases? The only change we have made to MobileIAP is in r394 we updated the underlying cordova-plugin-purchase Cordova plugin to v13.11.1. So if that update caused this problem, then it is likely an issue with cordova-plugin-purchase rather than Construct.

Hi. I have a version built on r368.2 in the store right now and it also has this problem.
Getting it is very simple, tap on any purchase and after the native purchase window appears minimize the app. Wait a bit and expand the application and cancel the purchase, but the goods in the game we will get all the same.

@riocascade
Copy link
Author

Solved or Temporary Work Around

So apparently using on product owned event will return null using this exploit, so i will using this event instead on purchase success event.

have no problem with purchasing normally also.

@RobinBloood
Copy link

Did this issue occur in earlier releases? The only change we have made to MobileIAP is in r394 we updated the underlying cordova-plugin-purchase Cordova plugin to v13.11.1. So if that update caused this problem, then it is likely an issue with cordova-plugin-purchase rather than Construct.

Hello Ashley! I have the same issue with r397 and with r358 (the oldest I have in GP). Do you have any news/updates?

@AshleyScirra
Copy link
Member

I've looked in to this and I believe it is a bug in cordova-plugin-purchase - it looks likely to be the same cause as this issue: j3k0/cordova-plugin-purchase#1548

In short, when you switch away from the app and come back, then cordova-plugin-purchase reports to Construct the same result as if you had pressed 'buy', so Construct reports that as 'on purchase success'. Unfortunately there does not appear to be any good way to work around this as there is no way to distinguish this situation from a genuinely successful purchase.

However providing your events are correct, this should not cause any unauthorized use of IAPs. 'On purchase success' merely means the user has pressed 'buy' and a transaction is going to start. The transaction could fail for other reasons. You already must use 'On product owned' to know that the user pressed 'buy' and that the transaction then completed successfully and they legitimately acquired the product. So using 'On product owned' is not just a temporary workaround - it's actually the correct way you should already be handling this, and with that approach the user will not get any products they did not really purchase.

I guess the biggest risk with this issue is your app gets stuck thinking a transaction is going to happen after 'on purchase success' but then nothing actually happens. I suppose the best way to avoid that is to make sure there is a "cancel" button somewhere so the user can get back to the rest of the app.

I've contacted the developer of cordova-plugin-purchase about a fix and hopefully a future update can resolve the underlying issue too.

@AshleyScirra
Copy link
Member

The developer of cordova-plugin-purchase has advised that this likely only affects development builds of apps. The problem apparently comes from background updates happening while the purchase is in progress. These updates happen frequently in development but rarely (days apart) in production, so the chance of the issue affecting production ought to be very low. Further, given that purchases are still correctly identified if you use the correct 'On product owned' check, then this seems to be overall a relatively minor issue. We've still asked the developer for a fix and they have said they will be looking in to it in the coming weeks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AshleyScirra AshleyScirra

Labels
external
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@AshleyScirra @riocascade @RobinBloood @igortyhon