question

Ozan Yilmaz avatar image
Ozan Yilmaz asked

PlayFab accepting pending purchases

Hello everyone,

I post this issue on this forum before but I got the same issue again and I realized some new things. (Old post: https://community.playfab.com/questions/54964/playfab-accepting-pending-payments.html).

First of all, this issue happened to me again with the IDR currency (Indonesia). I'm not sure what the client did to get stuck on the charging step.

While confirming receipts, I log the receipts in Cloudscript. This is one of the pending purchases that passed PlayFab check, but not being charged.

As it can be seen from the image, the purchase state of the receipt is 4, however, the receipt's valid value is true. I guess, PlayFab only checks the valid value. So, this receipt passes the PlayFab check. I searched the purchase state 4 on the Internet, but couldn't find any information about it. When a client is charged successfully and send receipt to PlayFab, the purchase state is always 1, which means "Charged". (The receipts with purchase state 4 becomes "canceled" 3 days after the purchase date).

I'm using Unity IAP to handle purchases. A temporary solution can be checking the purchase state of the receipts. If the state is 4, don't execute the validate API. However, a hacked client can still bypass the if statement and can send pending receipts to PlayFab to buy items in the game without being charged. PlayFab should also check the purchase state in my opinion.

00.jpg (30.4 KiB)
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

3 Answers

·
Brendan Vanous avatar image
Brendan Vanous answered

Discussion of this is now in this thread: https://community.playfab.com/questions/62485/playfab-is-accepting-pending-payments.html. Please be sure to post any follow-up quesitons there.

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

JayZuo avatar image
JayZuo answered

This is a known issue that our engineering team is working on. Google Play supports deferred purchases now — also called pending trasacations or pending purchases — where users can create a purchase and complete it later using cash in stores. For more details, see Use the Google Play Billing Library with Unity (android.com).

Our engineering team is reviewing the receipt validation process and going to re- factorize of the purchase workflow. This will take some time. Before the new purchase workflow is ready, as Seth said, please check the PurchaseState in Client as a workaround. If it is not “PURCHASED”, please do not call ValidateGooglePlayPurchase API.

This can't prevent hacked client, but you can use Data Explorer (advanced) to query all "player_receipt_validation" events like 

['events.all'] | where FullName_Name =="player_receipt_validation" and EventData.ReceiptContent contains "purchaseState\":4"

If you can still find an event contains "purchaseState\":4" after you've implemented the above workaround, then this is a malicious player, you can ban this player to prevent cheating.

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

robert avatar image
robert answered

Same issue here, has there been any update for these pending transactions?

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.