Added purchaseData to PurchaseResponse to enable validation of purchases #9

Merged
merged 1 commit into from
Mar 20, 2017

Conversation

virusman
Contributor

It doesn't validate anything yet, but now gives access to the raw purchase data that can be used to validate the signature.
#5

@GameDevLlama

Is this repository still active? Seems like there are several issues and missing features that would really help make this library a great one.

@virusman
Contributor Author

No, looks like it's been abandoned.

@GameDevLlama

That's sad since currently it seems to be the best rx-solution for billing. I haven't found any other lib for that purpose that is thought through very well.

... well I've forked it and will see if I'll contribute some parts

@lukaspili
Owner

Hi @virusman, @TheWhiteLlama,
Sorry for taking so much time to respond.

Why do you need raw purchase data, rather than com.github.lukaspili.reactivebilling.model.Purchase object?

From my understanding, the developer "free to use" field for custom validation is developer payload, which Purchase already exposes. See: https://developer.android.com/google/play/billing/billing_best_practices.html#payload

Did I miss something?

@virusman
Contributor Author

Developer payload is useless for validation unless the entire receipt can be validated with a signature.
Here is the relevant info:
https://developer.android.com/google/play/billing/billing_integrate.html#billing-security

To help ensure the integrity of the transaction information that is sent to your application, Google Play signs the JSON string that contains the response data for a purchase order. Google Play uses the private key that is associated with your application in the Developer Console to create this signature. The Developer Console generates an RSA key pair for each application.

For client-server apps, validation is essential, and one has to send the raw JSON to the server to be able to validate it.
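Added example, not part of the original thread or of the library's code: a server-side check of the Google Play signature over the raw `purchaseData` string, showing why the exact JSON bytes are needed rather than a parsed `Purchase` object. The class name, the test key pair (standing in for the Developer Console key) and the sample purchase JSON are constructed for illustration; `SHA1withRSA` is the algorithm Google's billing sample code uses for this signature.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class PurchaseVerifier {
    /** Returns true only if signature is a valid RSA signature over the exact bytes of purchaseData. */
    static boolean verify(String base64PublicKey, String purchaseData, String base64Signature) {
        try {
            byte[] keyBytes = Base64.getDecoder().decode(base64PublicKey);
            PublicKey key = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(keyBytes));
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initVerify(key);
            sig.update(purchaseData.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(base64Signature));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed key or signature: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; in production the server holds only the public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String publicKey = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());

        // Constructed purchase JSON, signed here to play the role of Google Play.
        String purchaseData = "{\"orderId\":\"TEST-ORDER-1\",\"productId\":\"demo.sku\","
                + "\"purchaseState\":0,\"developerPayload\":\"user-42\"}";
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(purchaseData.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(signer.sign());

        // Same fields re-serialised in a different order, as a parsed object might produce.
        String reserialised = "{\"productId\":\"demo.sku\",\"orderId\":\"TEST-ORDER-1\","
                + "\"purchaseState\":0,\"developerPayload\":\"user-42\"}";
        // Payload swapped by a modified client.
        String tampered = purchaseData.replace("user-42", "user-43");

        System.out.println("raw purchaseData: " + verify(publicKey, purchaseData, signature));
        System.out.println("re-serialised:    " + verify(publicKey, reserialised, signature));
        System.out.println("tampered payload: " + verify(publicKey, tampered, signature));
        System.out.println("garbage signature: " + verify(publicKey, purchaseData, "not-base64!"));
    }
}
```

Only the untouched raw string verifies; fields should be parsed from `purchaseData` after the signature check succeeds, never before.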

@lukaspili
Owner

Makes sense, thanks for the explanation and contribution.
I will merge and release a new version tomorrow.

@virusman
Contributor Author

I've also made a similar change to getPurchases:
virusman@bf1b535
Do you want me to update this PR?

@lukaspili
Owner

That would be great.
What do you think about having an extra field in Purchase named rawJson, rather than having an additional method param String purchaseData?

@ycuicui

ycuicui commented Feb 27, 2017

I think you should keep the name purchaseData as this is how Google refers to it.
As all fields are final I see no objection to leave it public without a getter.
The best place is in PurchaseResponse as this is where we found the signature.

@lukaspili lukaspili merged commit 823def5 into lukaspili:master Mar 20, 2017
@lukaspili
Owner

Merged, thanks!
