Matthew Draper asked

Best way to retrofit IAP synchronization

Hi, we have an existing game on Steam and mobile, with many users with in-app purchases. We would like to use PlayFab to help users synch their IAPs between platforms, so they don't have to buy content twice.

When the game starts, we aim to gather their existing IAPs on that platform, and send them to PlayFab, then *retrieve* the list of IAPs from PlayFab (which may include IAPs synched from other platforms).

So we need to tell PlayFab that someone has already purchased an item. Would the best way be to use a Player Data entry to represent each IAP, or to call PurchaseItem to register them as purchased inventory items?

Thanks for any advice,

-Mat

Citrus Yan answered

Hi @Matthew Draper,

From my understanding, if you reflect purchases to the player’s inventory every time he/she successfully makes an in-app purchase regardless of the platform (Steam or mobile), then the content he/she bought will be auto-synced; you’ll just need to call GetUserInventory to retrieve it from PlayFab when the game starts.

Using a Player Data entry to represent each IAP may not be the best way; the concept of Inventory suits your use case more. And, I am assuming that you want to utilize PurchaseItem from the client side to add those items to the player’s inventory after he/she has completed the IAPs. This does not seem secure enough to me because it’ll expose a way for some potential cheaters to purchase items using Virtual Currency while other players paid real money. Therefore, a recommended way to do that would be using the server API GrantItemsToUser in a CloudScript function to add specific content to the player’s inventory after the IAP purchase completes, which will enable you to add some checking logic to enhance security.

Matthew Draper answered

Hi, many thanks for the quick reply.

We need this to work retrospectively for players who have already made purchases, so CloudScript seems to be the way to go. (I suppose if we just simulate previous purchases with PurchaseItem, this can be trivially hacked).

If we go with the CloudScript solution, what methods do you suggest to enhance security? I guess we need a custom event with a payload that the CloudScript can verify before granting the IAP - maybe some kind of on-the-fly auth token creation or hash?

I don't expect to make this 100% secure, just not trivial to cheat.

Thanks,

-Mat

Matthew Draper commented ·

I think we could use ValidateIOSReceipt and ValidateGooglePlayPurchase to synch IAPs retroactively on our mobile platforms, but I'm not sure there's an equivalent way to do this on Steam?

Citrus Yan (replying to Matthew Draper) commented ·

Yes, you can use ValidateIOSReceipt and ValidateGooglePlayPurchase to sync IAPs on mobile platforms. However, PlayFab does not support validating Steam purchases right now; please feel free to make a feature request.

About enhancing security, I think the key here is to send something that only the Cloud Script can interpret, either by itself or from an auth server. So, yes, an auth token or hash should do the trick.

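
Added example (not part of the original thread and not PlayFab's own code): one way to implement the "auth token or hash" check discussed above, written as Node.js. It assumes the token is minted by an auth server that has itself confirmed the purchase with the platform and that the shared secret never ships in the game client; `GRANT_SECRET`, `ALLOWED_ITEMS`, `mintToken`, `verifyAndGrant` and the item ids are hypothetical, and `grantFn` stands in for the server API GrantItemsToUser.

```javascript
const crypto = require('crypto');

// Assumption: known only to the auth server and the granting code, never to the client.
const GRANT_SECRET = 'constructed-demo-secret';
// Constructed catalog item ids that may be granted through this path.
const ALLOWED_ITEMS = new Set(['dlc_pack_1', 'dlc_pack_2']);
// Assumption: a real deployment keeps seen nonces in persistent storage.
const usedNonces = new Set();

// HMAC over an unambiguous encoding of every field the grant depends on.
function sign(f) {
  const msg = JSON.stringify([f.playFabId, f.itemId, f.nonce, f.expires]);
  return crypto.createHmac('sha256', GRANT_SECRET).update(msg).digest('hex');
}

// Auth-server side: call only after the purchase was confirmed with the platform.
function mintToken(playFabId, itemId, nowMs, ttlMs = 60000) {
  const fields = {
    playFabId,
    itemId,
    nonce: crypto.randomBytes(16).toString('hex'),
    expires: nowMs + ttlMs,
  };
  return { ...fields, mac: sign(fields) };
}

// Granting side: callerPlayFabId is the authenticated caller, not a client-supplied value.
function verifyAndGrant(callerPlayFabId, token, nowMs, grantFn) {
  const expected = Buffer.from(sign(token), 'hex');
  const got = Buffer.from(String(token.mac || ''), 'hex');
  // Constant-time comparison; the length check guards timingSafeEqual.
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return 'bad_mac';
  if (token.playFabId !== callerPlayFabId) return 'wrong_player'; // token bound to one account
  if (nowMs > token.expires) return 'expired';                    // short lifetime
  if (!ALLOWED_ITEMS.has(token.itemId)) return 'unknown_item';    // allow-list of grantable items
  if (usedNonces.has(token.nonce)) return 'replayed';             // single use
  usedNonces.add(token.nonce);
  grantFn({ PlayFabId: callerPlayFabId, ItemIds: [token.itemId] });
  return 'granted';
}
```
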
