Solved

Best way to confirm the payments?

  • 27 October 2021
  • 4 replies
  • 85 views

Badge +4

Hi there,

 

I have a question regarding the payment confirmation. I followed the QuickStart for flutter and I have implemented the IAP. I have 3 lifetime products to purchase coins and I have to verify with RevenueCat if my purchase was legit.

 

What would be the best method? 

 

I am following the docs and implement the following logic:

if (rcPurchaseSuccess) {

  RestAPI.addCoins();

 

I’m afraid if a malicious actor calls RestAPI.addCoins(); without any purchases or if something goes wrong with the app connection to my server. It will be problematic scenario. How do I solve that?

 

Is webhooks a good method for confirmation? Or is there a better way? I’m a bit confused since the docs are not clear.

 

Thanks

icon

Best answer by Jacob Eiting 27 October 2021, 18:43

View original

4 replies

Userlevel 2
Badge +2

Hi Gokula!

This one is tricky, because you’re right, doing the coin granting client side is usually gonna be vulnerable to an attack. If users found that REST endpoint it would be even easier. 

 

The best way to do this is to make your backend the source of truth for coin state, and to only increment via communications directly between your backend and our API.

 

Two ways to do that:

  1. Webhooks - This is nice, but it can be problematic because when a user makes a purchase the webhook isn’t guaranteed to be instantaneous
  2. REST API - Use our REST API on your backend to check our backend. So basically, client side once the purchase has succeed, hit your backend with ah /check-coins call, and have that endpoint call our REST API to verify the purchases. 

Hopefully that answers your question :)

 

Jacob

Badge +4

Thank you for the reply Jacob.

 

May I know which endpoint should I use to verify? I see only GET subscribers and offerings; or POST purchase.

Userlevel 2
Badge +2

The /subscribers endpoint will give you the purchases for a user and you can work backwards from there.

Badge +1

I have faced this problem too.

I need a referent ID or something like a unique key to verify the purchases. 

https://api.revenuecat.com/v1/subscribers → is not helpful

because it is not an easy way to accomplish.

 

We need sample codes or documents about this topic.

 

Thank you.

Reply