Hi,
I have successfully set up real money iAPs for virtual currency on Android and iOS. The implementation uses UnityIAP, receipt validation and PlayFab bundles to award the currency on the server. This is all great!
I would now like to be able to test the client code surrounding my real money iAPs without having to build to device. I need the code paths to be as similar as possible between the Unity Editor and a device build.
When making a purchase in the Unity Editor, UnityIAP will accept a valid item purchase request without requiring any payment; it just fires ProcessPurchase (just like on device when the iAP has actually been purchased). On device I then call PlayFabClientAPI.ValidateGooglePlayPurchase() or similar, which verifies the receipt and awards the currency automatically.
What I think I need is a way of awarding the player with the currency based off of this fake Unity Editor purchase, essentially something like PlayFabClientAPI.ValidateUnityEditorPurchase() that is somehow secure from being called from real devices...
I have created my own pretend receipt validation function intended to only be used by the Unity Editor (that doesn't actually validate anything!) using CloudScript and GrantItemsToUser; it takes the bundle item ID as the args parameter. This seems very insecure to me though, as a hacked device client could potentially route all receipt validation calls to this piece of CloudScript!
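```javascript
// Editor-only "validation": grants the requested bundle with no receipt check.
handlers.EditorGrantItem = function(args) {
    var itemID = null;
    if (args && args.itemID) {
        // Read the argument before logging it, so the log shows the real ID.
        itemID = args.itemID;
        log.info("Attempting to grant item: " + itemID);
        var grantItemResult = server.GrantItemsToUser({
            PlayFabId: currentPlayerId,
            CatalogVersion: "iAP",
            ItemIds: [itemID]
        });
        return grantItemResult;
    }
    return [];
}
```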
Is there a way to make this more secure? Perhaps I'm just going about this the wrong way?
Thank you,
Niall
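
Added example, not part of the original post and not PlayFab's own code: one way to gate the `EditorGrantItem` handler above on a server-side allow-list of tester accounts and grantable items. The internal-data keys `EditorTesters` and `EditorGrantableItems`, the player IDs, the item ID `coins_small` and the stubbed CloudScript globals are all assumptions made so the block runs offline under Node.

```javascript
// Constructed stand-ins for the CloudScript globals (handlers, server, log,
// currentPlayerId) so the example runs offline under Node.
var handlers = {};
var log = { info: function () {} };
var currentPlayerId = "TESTER0000000001"; // constructed PlayFab ID
var grantCalls = [];
var server = {
  // Title internal data is only reachable through the Server/Admin APIs.
  GetTitleInternalData: function () {
    return { Data: {
      EditorTesters: '["TESTER0000000001"]',   // hypothetical key
      EditorGrantableItems: '["coins_small"]'  // hypothetical key
    } };
  },
  GrantItemsToUser: function (req) { grantCalls.push(req); return { ItemGrantResults: [] }; }
};

// Parse a JSON array stored as a string; anything malformed yields an empty
// list, so a missing or broken key refuses every request (fail closed).
function parseList(raw) {
  try {
    var v = JSON.parse(raw || "[]");
    return Array.isArray(v) ? v : [];
  } catch (e) {
    return [];
  }
}

handlers.EditorGrantItem = function (args) {
  var itemID = args && args.itemID;
  if (typeof itemID !== "string") {
    return { granted: false, reason: "missing itemID" };
  }
  var data = server.GetTitleInternalData({
    Keys: ["EditorTesters", "EditorGrantableItems"]
  }).Data || {};
  // Gate on the server-side identity of the caller, never on anything in args.
  if (parseList(data.EditorTesters).indexOf(currentPlayerId) === -1) {
    log.info("EditorGrantItem refused for player " + currentPlayerId);
    return { granted: false, reason: "player not on tester list" };
  }
  if (parseList(data.EditorGrantableItems).indexOf(itemID) === -1) {
    return { granted: false, reason: "item not grantable from editor" };
  }
  var result = server.GrantItemsToUser({
    PlayFabId: currentPlayerId, CatalogVersion: "iAP", ItemIds: [itemID]
  });
  return { granted: true, result: result };
};
```

Because both lists live in title internal data, a client cannot read or change them, and a call from any account that is not on the tester list is refused before `GrantItemsToUser` is reached.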