I have a question regarding the payment confirmation. I followed the QuickStart for Flutter and I have implemented the IAP. I have 3 lifetime products to purchase coins and I have to verify with RevenueCat if my purchase was legit.
What would be the best method?
I am following the docs and implemented the following logic:
if (rcPurchaseSuccess) {
RestAPI.addCoins();
}
I'm afraid that if a malicious actor calls RestAPI.addCoins(); without any purchases, or if something goes wrong with the app's connection to my server, it would be a problematic scenario. How do I solve that?
Are webhooks a good method for confirmation? Or is there a better way? I'm a bit confused since the docs are not clear.
Thanks
Best answer by Jacob Eiting
Hi Gokula!
This one is tricky, because you're right, doing the coin granting client side is usually gonna be vulnerable to an attack. If users found that REST endpoint it would be even easier.
The best way to do this is to make your backend the source of truth for coin state, and to only increment via communications directly between your backend and our API.
Two ways to do that:
Webhooks - This is nice, but it can be problematic because when a user makes a purchase the webhook isn't guaranteed to be instantaneous.
REST API - Use our REST API on your backend to check our backend. So basically, client side once the purchase has succeeded, hit your backend with a /check-coins call, and have that endpoint call our REST API to verify the purchases.
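The second option in the answer above, as an added example that is not part of the original thread and not RevenueCat's own code: a backend /check-coins handler that treats the server ledger as the source of truth, asks RevenueCat's REST API (GET /v1/subscribers/{app_user_id} with the secret key) which coin packs the user actually bought, and credits each transaction exactly once. The product identifiers, the coin amounts, the CoinLedger class and the sample subscriber response are all assumptions for illustration; the shape of the non_subscriptions object is based on the v1 subscriber object and should be checked against the current API docs. The live fetcher is included but the demo injects a constructed response so it runs offline.

```python
"""Server-side coin granting driven by RevenueCat's REST API (illustrative example)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

# Hypothetical catalogue: RevenueCat product identifier -> coins to credit.
COIN_PRODUCTS = {"coins_100": 100, "coins_500": 500, "coins_1200": 1200}

REVENUECAT_API = "https://api.revenuecat.com/v1"


def fetch_subscriber(app_user_id: str, secret_api_key: str) -> dict:
    """Live fetcher: GET /v1/subscribers/{app_user_id}. The secret key lives only on the server."""
    url = f"{REVENUECAT_API}/subscribers/{urllib.parse.quote(app_user_id, safe='')}"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {secret_api_key}", "Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class CoinLedger:
    """Backend state: coin balance per user plus the transaction ids already credited."""
    balance: dict = field(default_factory=dict)
    credited: dict = field(default_factory=dict)  # app_user_id -> set of transaction ids

    def check_coins(self, app_user_id: str, subscriber: dict, allow_sandbox: bool = False) -> int:
        """Credit every verified, not-yet-credited coin purchase; return coins granted by this call."""
        granted = 0
        seen = self.credited.setdefault(app_user_id, set())
        non_subs = subscriber.get("subscriber", {}).get("non_subscriptions", {})
        for product_id, purchases in non_subs.items():
            coins = COIN_PRODUCTS.get(product_id)
            if coins is None:
                continue  # not a coin pack we sell, ignore it
            for purchase in purchases:
                tx_id = purchase.get("id")
                if not tx_id or tx_id in seen:
                    continue  # already credited: replaying /check-coins grants nothing
                if purchase.get("is_sandbox") and not allow_sandbox:
                    continue  # sandbox receipts never pay out in production
                seen.add(tx_id)
                self.balance[app_user_id] = self.balance.get(app_user_id, 0) + coins
                granted += coins
        return granted


def handle_check_coins(ledger: CoinLedger, session_user_id: str, fetch=fetch_subscriber,
                       secret_api_key: str = "", allow_sandbox: bool = False) -> int:
    """Body of the /check-coins endpoint. The app user id comes from the authenticated server
    session, never from the request body, so a caller cannot claim another user's purchases."""
    subscriber = fetch(session_user_id, secret_api_key)
    return ledger.check_coins(session_user_id, subscriber, allow_sandbox=allow_sandbox)


# Constructed sample response (assumed shape of the v1 subscriber object, not captured live).
SAMPLE_SUBSCRIBER = {
    "subscriber": {
        "non_subscriptions": {
            "coins_100": [
                {"id": "txn_1001", "is_sandbox": False, "purchase_date": "2023-05-01T10:00:00Z", "store": "app_store"},
                {"id": "txn_1002", "is_sandbox": True, "purchase_date": "2023-05-02T10:00:00Z", "store": "app_store"},
            ],
            "coins_500": [
                {"id": "txn_2001", "is_sandbox": False, "purchase_date": "2023-05-03T10:00:00Z", "store": "play_store"},
            ],
            "unrelated_pack": [
                {"id": "txn_9001", "is_sandbox": False, "purchase_date": "2023-05-04T10:00:00Z", "store": "play_store"},
            ],
        }
    }
}


def demo():
    """Run the endpoint against the constructed data with an offline fetcher."""
    ledger = CoinLedger()

    def fake_fetch(app_user_id, _key):
        if app_user_id == "user_42":
            return SAMPLE_SUBSCRIBER
        return {"subscriber": {"non_subscriptions": {}}}  # RevenueCat knows no purchases

    first = handle_check_coins(ledger, "user_42", fetch=fake_fetch)     # 600: txn_1001 + txn_2001
    second = handle_check_coins(ledger, "user_42", fetch=fake_fetch)    # 0: replay credits nothing
    attacker = handle_check_coins(ledger, "user_99", fetch=fake_fetch)  # 0: no purchase, no coins
    return first, second, attacker, ledger.balance["user_42"]


if __name__ == "__main__":
    print(demo())
```

Because the grant is keyed on the transaction id RevenueCat reports, the client can hammer /check-coins or call it without ever buying anything and the balance does not move; the same idempotency check lets you later run the grant from a webhook handler as well without double-crediting.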