Jon asked

Receipt Validation and Cloudscript / PlayerData

What's the recommended way to do IAP receipt validation and also execute some cloudscript player data in regards to that IAP purchase?

I have some IAP items that need to update some title player data along with granting catalog item / currency.

So I think it would look something like

[client gets receipt] -> validates receipt via backend -> triggers cloudscript(using receipt validation event to trigger)

Let's say the cloudscript function is called "ProcessIAP"

But how would I confirm that the receipt payload is valid? (because client can call that cloudscript ProcessIAP). It seems the client could spoof the payload and just call cloudscript function with a bad receipt.

Thanks


1 Answer

Sarah Zhang answered

This documentation -- Getting started with PlayFab, Unity IAP, and Android -- and the blog -- Receipt Validation for iOS and Android -- provide tutorials on IAP purchases. As the documentation says, you can use the client API ValidateGooglePlayPurchase to validate a Google Play purchase. Besides, the API methods ValidateAmazonIAPReceipt, ValidateIOSReceipt, and ValidateWindowsStoreReceipt can be used for other platforms' receipt validation. Clients pass the receipt to PlayFab with the above API calls.

Then, as you said, PlayFab will validate the receipt on the backend. In this step, PlayFab will validate the receipt via the corresponding provider’s server (Google, Apple) and will behave according to the response from the provider’s server. Spoofing usually won’t work.

After PlayFab has done the receipt validation, the event player_receipt_validation is generated. When the receipt is validated as valid, the player_receipt_validation's "Valid" property returns true; if the receipt is invalid, the "Valid" property returns false.

>> What's the recommended way to do IAP receipt validation and also execute some cloudscript player data in regards to that IAP purchase?

The workflow you mentioned is the recommended way.

  1. The client gets receipts.
  2. The client passes the receipt JSON to PlayFab using API methods, such as ValidateGooglePlayPurchase. PlayFab validates the receipt on the backend. The result of the validation is shown in the event player_receipt_validation.
  3. The event player_receipt_validation triggers the CloudScript function “ProcessIAP”. The CloudScript function verifies the context of player_receipt_validation.
  4. If the "Valid" property is true, execute the main logic to update the data.

>> But how would I confirm that the receipt payload is valid? (because client can call that cloudscript ProcessIAP).

In the CloudScript function, you can get the PlayStream event's context. You can confirm this function is triggered by player_receipt_validation through this context's name, and confirm the receipt is valid through this context's properties. For more information about using context in CloudScript, please check this documentation -- Writing custom CloudScript, especially this section -- Intermediate Overview: Globals and advanced arguments. For more details about the properties of player_receipt_validation, please check this documentation -- player_receipt_validation.

You can refer to the following CloudScript function to confirm the function is triggered by the player_receipt_validation event and the receipt is valid.

handlers.ProcessIAP = function (args, context) {
    // context.playStreamEvent is the PlayStream event that triggered this function.
    var psEvent = context.playStreamEvent;
    log.info(psEvent);
    if (psEvent != null && psEvent.EventName == "player_receipt_validation") {
        if (psEvent.Valid == true) {
            // Update the read-only player data here.
            return { result: "Executed the function." };
        } else {
            return { result: "Error: The receipt is invalid." };
        }
    } else {
        return { result: "Error: This function isn't triggered by player_receipt_validation." };
    }
};
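
The following is an added example, not part of the original answer or PlayFab's own code: a local Node simulation of the check above, showing that event-like fields placed in the client-controlled args never influence the decision. The `onlyFromEvent` helper, the stubbed `handlers` object, the result shape, and the sample contexts are hypothetical and constructed; it assumes a direct client call arrives with no playStreamEvent in context, as the answer's null check implies.

```javascript
// Stand-in for the CloudScript `handlers` global so this file runs under Node.
const handlers = {};

// Hypothetical helper: wrap a handler so it runs only for one PlayStream event.
// The decision reads `context` only; `args` comes from the caller and is
// never consulted when deciding whether to run.
function onlyFromEvent(eventName, fn) {
    return function (args, context) {
        const ev = context && context.playStreamEvent;
        if (!ev || ev.EventName !== eventName) {
            return { ok: false, reason: "not-triggered-by-event" };
        }
        return fn(args, context, ev);
    };
}

handlers.ProcessIAP = onlyFromEvent("player_receipt_validation", function (args, context, ev) {
    // Strict comparison: only the boolean true counts as a valid receipt.
    if (ev.Valid !== true) {
        return { ok: false, reason: "invalid-receipt" };
    }
    // Update the read-only player data here.
    return { ok: true, reason: "processed" };
});

// Constructed invocations covering both ways the function can be reached.
function simulate() {
    const name = "player_receipt_validation";
    // A caller imitating the event inside args; context carries no event.
    const spoofedArgs = { EventName: name, Valid: true };
    return {
        directCall: handlers.ProcessIAP(spoofedArgs, { playStreamEvent: null }),
        missingContext: handlers.ProcessIAP(spoofedArgs, undefined),
        otherEvent: handlers.ProcessIAP(null, { playStreamEvent: { EventName: "some_other_event", Valid: true } }),
        invalidReceipt: handlers.ProcessIAP(null, { playStreamEvent: { EventName: name, Valid: false } }),
        stringValid: handlers.ProcessIAP(null, { playStreamEvent: { EventName: name, Valid: "true" } }),
        validReceipt: handlers.ProcessIAP(spoofedArgs, { playStreamEvent: { EventName: name, Valid: true } })
    };
}

console.log(simulate());
```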

1 comment

Jon commented

Thank you for this very detailed answer! Using event context to verify the event name is what I was missing.
