Question regarding store validation client APIs (for AppStore and GooglePlay store)
Hello,
First of all I'd like to show my appreciation for what you guys did with playfab, it's been great implementing it in my game. On to the problem now : Currently, the iOS and googleplay validation API calls are only handled on the client side. My problem is that once the user has his/her purchase validated on the client I should give them some hard currency and update their inventory on playfab with the new amount of currency, but this is open to exploitation since i'd call a "GiveHardCurrency" script in the client's validation callback. So the current flow would be:
client.purchase ->client.OnSpecificStoreCallbackSuccess -> client.playfabValidate -> client.OnValidationSuccess -> client.callServerScriptThatGivesMeMoney -> server.giveMoney.
The exploitable part is client.callServerScriptThatGivesMeMoney because the validation callback happens in the client. Is there anyway that i could have this validation happen on the server somehow?
Thanks
Best Answer
Thanks! It sounds like what you really want to do is use our receipt validation API calls, since they're entirely server authoritative. The way it works is that you set up items in the PlayFab Catalog (including bundles that hold Virtual Currency, for example), set their prices there or in Stores, and then use the appropriate receipt validation call. What we do is take the receipt you send to us, check that it's valid, that it's actually for your title, that it's for an item in your catalog, and that it has never been used before, and then (and only then) add the item purchased to the player inventory. This write-up is a little out of date (we're about to produce an update), but it does provide all the details for iOS and Android (we'll be adding Amazon's as part of the update): https://playfab.com/show-me-money-receipt-validation-ios-and-android/.
You would then use PurchaseItem for any VC purchases. It checks that the player actually has the amount of currency it takes to purchase the item from your Catalog/Store (which again, is where you define the prices), adds the item(s) and removes the VC.
