[Android] Support Real-time Developer Notifications

[superandrew213]

We can use in-app-purchase to validate Apple's subscription event notifications because Apple provides the receipt data. Google doesn't 😊

https://developer.android.com/google/play/billing/realtime_developer_notifications.html

Google sends us this:

{
  "version":"1.0",
  "packageName":"com.some.thing",
  "eventTimeMillis":"1503349566168",
  "subscriptionNotification":
  {
    "version":"1.0",
    "notificationType":4,
    "purchaseToken":"PURCHASE_TOKEN",
    "subscriptionId":"my.sku"
  }
}

We can use this to recreate Google's receipt data and pass it to in-app-purchase. You only need packageName, productId and purchaseToken for validating using Google API:

{
  data: {
    packageName: "com.some.thing",
    productId: "my.sku",
    purchaseToken: "PURCHASE_TOKEN",
  }
}

However using this receipt data won't work because of the checks in-app-purchase does.

Using this will pass checks and will validate:

{
  data: {
    packageName: "com.some.thing",
    productId: "my.sku",
    purchaseToken: "PURCHASE_TOKEN",
    autoRenewing: true,    // Needed for isSubscription method
  },
  signature: 'signature',    // Needed to detect platform as Google and pass checks
}

However it's probably not a good idea to do that in production.

Changes required:

• Update getService() method. Need better way to differentiate between Google and Amazon
  https://github.com/voltrue2/in-app-purchase/blob/develop/index.js#L75-L79
  https://github.com/voltrue2/in-app-purchase/blob/develop/index.js#L95-L99
• Make signature not required because it is not needed if user has provided Google API credentials
  https://github.com/voltrue2/in-app-purchase/blob/develop/lib/google.js#L147
• isSubscription() method. Not sure about this one because there is no way to determine if it is a subscription or not given only packageName, productId and purchaseToken. An option would be to allow isSubscription field in receipt object that we could also check for.
  https://github.com/voltrue2/in-app-purchase/blob/develop/lib/google.js#L265-L283

Not sure if I am missing anything else.

@voltrue2 what do you think?

[voltrue2]

Hi @superandrew213

Thank you for the detailed suggestion.
It is interesting. I certainly have not thought it!

Let me sit on this a little bit to consider if considering this further makes sense for the package!

Cheers!

[superandrew213]

Thanks @voltrue2.

To simplify things we can leave getService() alone. It looks pretty complicated. We would just need to provide iap.GOOGLE to validate() manually for this use case.

1. Remove requirement for signature for the receipt data:
   https://github.com/voltrue2/in-app-purchase/blob/develop/lib/google.js#L147

Change it to something like this to ensure that signature or api credentials are supplied:

if (!receipt.data || !(receipt.signature || (tokenMap.clientId && tokenMap.clientSecret && tokenMap.refreshToken))) {

2. When checking for isSubscription() also check the receipt object for a isSubscription field:
   https://github.com/voltrue2/in-app-purchase/blob/develop/lib/google.js#L265-L283

return receipt.isSubscription || (receipt.data && receipt.data.autoRenewing !== undefined);

That would be quite an easy change and wouldn't break anything.

[superandrew213]

@voltrue2 any news on this?

[voltrue2]

Hello,

My apologizes for taking this long. I have been side tracked by other projects. I will get back on this issue as soon as I can.

Cheers!

[superandrew213]

@voltrue2 no problem at all!

[voltrue2]

Closing as the latest version resolves this issue by using googoleServiceAccount in configuration.