Matt asked

Validate Receipt from CloudScript

Hey folks,

When I make a purchase (within Unity), I'd like to send the receipt for validation. I'd like to perform this action from my cloud script (not just for security, but also to help support some of my purchases that aren't a VC or catalog item).

I don't see any calls in the server API, just the client. Is there another means of doing this from a cloud script or is there a different way I should be pursuing this altogether?

Thanks!

-Matt


1 Answer

brendan answered

No, receipt validation is a client-side operation, since the client is the one that would receive the receipt from the provider service. Given that our receipt validation already checks that the receipt is actually for the title in question, hasn't been used previously, and is for an item in the game's catalog, what additional things are you trying to do? Why would you have an item defined in the iTunes/Google Play catalog which isn't defined in your in-game catalog in PlayFab, specifically?

10 comments

Matt commented

Well, I have the typical currency IAPs, but I also have 1-time sales with items like treasure chests (where the data is tracked in my UserData KVPs). I don't mind validating on the client and then telling my cloud script of the successful purchase; I just want to make sure nobody can sneak in there and change what they bought (spend $1 but change the call going out after validation, claiming they spent $100).

0 Likes

brendan commented, replying to Matt

Substitution attacks aren't really possible in our model. If the receipt is modified, or if someone else's receipt is substituted, the call is going to fail. What you're trying to protect against is specifically what we designed the receipt validation service to protect against. :)

0 Likes

Matt commented, replying to brendan

Well, I mean, if I validate from the client, I still need to get to the cloud script to give the player their updated KVP. The validation is secure, but that call to the cloud isn't. At some point I need to tell the server a purchase was made since my game is server authoritative.

0 Likes
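
The concern raised in the comments above (pay $1, then alter the follow-up call to claim $100), as an added example that is not part of the original thread and is not PlayFab code: the handler treats everything the client sends as untrusted and derives the grant from server-side state only. It assumes the server can look up which purchases validation accepted; the store, function names, product ids and order ids are all hypothetical.

```javascript
// Added example: hypothetical names throughout, not PlayFab's API.
// Server-owned table of what each product grants (constructed sample values).
const GRANTS = { chest_small: { chests: 1 }, chest_mega: { chests: 100 } };

// Assumption: the server can read which purchases receipt validation accepted
// for a player. Modelled here as an in-memory store written only by validation.
function makeStore() {
  return { validated: new Map(), userData: new Map() };
}

// Called by the trusted validation step, never by the client.
function recordValidated(store, playerId, purchaseId, productId) {
  store.validated.set(`${playerId}:${purchaseId}`, { productId, consumed: false });
}

// Handler the client calls after validating. clientArgs is untrusted input.
function grantPurchase(store, playerId, clientArgs) {
  const rec = store.validated.get(`${playerId}:${clientArgs.purchaseId}`);
  if (!rec) return { ok: false, reason: "no validated purchase" };
  if (rec.consumed) return { ok: false, reason: "already granted" };
  const grant = GRANTS[rec.productId];
  if (!grant) return { ok: false, reason: "unknown product" };
  rec.consumed = true; // one grant per validated purchase
  const data = store.userData.get(playerId) || { chests: 0 };
  // clientArgs.productId and clientArgs.chests are deliberately ignored:
  // the amount comes from the server's record and the server's table.
  data.chests += grant.chests;
  store.userData.set(playerId, data);
  return { ok: true, chests: data.chests };
}

// Constructed scenario: the player paid for chest_small, then tampers with the call.
function demo() {
  const store = makeStore();
  recordValidated(store, "player1", "order-001", "chest_small");
  const tampered = grantPurchase(store, "player1",
    { purchaseId: "order-001", productId: "chest_mega", chests: 100 });
  const replay = grantPurchase(store, "player1", { purchaseId: "order-001" });
  const forged = grantPurchase(store, "player1", { purchaseId: "order-999" });
  return { tampered, replay, forged };
}
```

In `demo()`, the tampered call still yields one chest, the replay is refused, and an order id that validation never recorded grants nothing.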