Skip to main content

Hi Revenuecat team, I am new flutter developer and use firestore as my server, my question is for my flutter app I want to check user’s subscription status, so I can get it via

CustomerInfo customerInfo = await Purchases.getCustomerInfo();

Should I then pass this value

customerInfo.entitlements.alllentitlementID]?.isActive

directly to my cloud function to calculate different methods based on user’s subscription status, or I need to move revenuecat code part in cloud function, in case someone can hack my code and always pass TRUE value to my cloud function? Thanks! 

Hi,

Happy to help here. Yeah, I would definitely either pass that method into your backend, or use one of firestore’s authentication methods to do this. You’re right that just sending a boolean from the SDK could be insecure if someone took apart your code.


hi Ryan, many thx for the reply, sry I am new to Revenuecat world, since I just found this introduction https://www.revenuecat.com/docs/customer-info which tells me how to check subscribe status in client, but not in backend with cloud function via using typescript, not to mention is it possible to configure Revenuecat in cloud function?

If I want to check through Firestore, do you mean to check Collection(customers) → Document(userID) → Collection(subscriptions/myProduct/) and then compare to expire_date there? Or there is a better way or some tutorial that I did not find yet in Revenuecat’s document page?


I think the easiest way to do this would be just to hit our api, actually.

This endpoint will return a customerInfo object just like the method in the doc you linked.

If you do that in a Cloud function, then we return the customer status without it leaking to the app.


Hi, Ryan I got it, thanks for the help!


Maybe as simple as this? Client-side *insecure* authorization vs. server-side Cloud Firestore Security Rules:
 

service cloud.firestore {
match /databases/{database}/documents {
match /articles/{articleId} {
allow read: if true;
allow write: ....;

match /protected/{protecedId} {
allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.subscription == true;
}
}
}
}


And cloud function listening for updates from Apple/Google stores?

Any better examples?

I was expecting that RevenueCat Firebase Integration provides “out-of-the-box” server-side API which we can use to customize Cloud Firestore Security Rules


Reply