In App Purchase: Verifying Store Receipts [6]

Verifying Store Receipts

Your application should perform the additional step of verifying that the receipt you received from Store Kit came from Apple. This is particularly important when your application relies on a separate server to provide subscriptions, services, or downloadable content. Verifying receipts on your server ensures that requests from your application are valid.

Important: On iOS, the contents and format of the store receipt are private and subject to change. Your application should not attempt to parse the receipt data directly. Use the mechanism described here to validate the receipt and retrieve the information stored inside it.

On Mac OS X, the contents and format of the store receipt are described in Validating Mac App Store Receipts. Mac OS X supports both the server validation method described in this chapter and the local validation method described in Validating Mac App Store Receipts.

 

Verifying a Receipt with the App Store

When Store Kit returns a completed purchase to your payment queue observer, the transaction’s transactionReceipt property contains a signed receipt that records all the critical information for the transaction. Your server can post this receipt to the App Store to verify that the receipt is valid and has not been tampered with. Queries transmitted directly to the App Store are sent and received as JSON dictionaries, as defined in RFC 4627.

To verify the receipt, perform the following steps:

 

    1. Retrieve the receipt data from the transaction’s transactionReceipt property (on iOS) or from the receipt file inside the application bundle (on Mac OS X) and encode it using base64 encoding.
    2. Create a JSON object with a single key named receipt-data and the string you created in step 1. Your JSON code should look like this:

        {
            "receipt-data" : "(receipt bytes here)"
        }

    3. Post the JSON object to the App Store using an HTTP POST request. The URL for the store is https://buy.itunes.apple.com/verifyReceipt.
    4. The response received from the App Store is a JSON object with two keys, status and receipt. It should look something like this:

        {
            "status" : 0,
            "receipt" : { (receipt here) }
        }

    5. If the value of the status key is 0, this is a valid receipt. If the value is anything other than 0, this receipt is invalid.

The Store Receipt

The receipt data you send to the App Store encodes information about the transaction. When the App Store validates a receipt, the data stored in the receipt data are decoded and returned in the receipt key of the response. The receipt response is a JSON dictionary that includes all of the information returned to your application in the SKPaymentTransaction object. Your server can query these fields to retrieve the details of the purchase. Apple recommends that you send only the receipt data to your server and use receipt validation to retrieve the purchase details. Because the App Store verifies that the receipt data has not been tampered with, retrieving this information from the response is more secure than transmitting both receipt data and the transaction data to your server.

Table 5-1 provides a list of keys that you may use to retrieve information about the purchase. Many of these keys match properties on the SKPaymentTransaction class. All keys not specified in Table 5-1 are reserved for Apple.

Note: Some keys vary depending on whether your application is connected to the App Store or the sandbox testing environment. For more information on the sandbox, see “Testing a Store.”

 

Table 5-1  Purchase info keys

| Key | Description |
|-----|-------------|
| quantity | The number of items purchased. This value corresponds to the quantity property of the SKPayment object stored in the transaction’s payment property. |
| product_id | The product identifier of the item that was purchased. This value corresponds to the productIdentifier property of the SKPayment object stored in the transaction’s payment property. |
| transaction_id | The transaction identifier of the item that was purchased. This value corresponds to the transaction’s transactionIdentifier property. |
| purchase_date | The date and time this transaction occurred. This value corresponds to the transaction’s transactionDate property. |
| original_transaction_id | For a transaction that restores a previous transaction, this holds the original transaction identifier. |
| original_purchase_date | For a transaction that restores a previous transaction, this holds the original purchase date. |
| app_item_id | A string that the App Store uses to uniquely identify the application that created the payment transaction. If your server supports multiple applications, you can use this value to differentiate between them. Applications that are executing in the sandbox do not yet have an app-item-id assigned to them, so this key is missing from receipts created by the sandbox. |
| version_external_identifier | An arbitrary number that uniquely identifies a revision of your application. This key is missing in receipts created by the sandbox. |
| bid | The bundle identifier for the application. |
| bvrs | A version number for the application. |
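
The five verification steps and the Table 5-1 keys, put together as a server-side Python example added here (it is not code from the original page or from Apple). The `expected_bid`, `catalogue` and `fulfilled` parameters, the `transport` hook and the `com.example.game` sample values are assumptions of this example; the bundle-identifier, product and repeated-transaction checks are added server-side checks built on the `bid`, `product_id` and `transaction_id` keys.

```python
import base64
import json
import urllib.request

VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # store URL from step 3

class ReceiptRejected(Exception):
    """The App Store did not vouch for the receipt, or it fails a server-side check."""

def post_json(url, body):
    # Default transport: HTTP POST of the JSON body, returning the decoded JSON reply.
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))

def verify_receipt(raw_receipt, expected_bid, catalogue, fulfilled, transport=post_json):
    # Steps 1-2: base64-encode the opaque receipt bytes and wrap them in "receipt-data".
    encoded = base64.b64encode(raw_receipt).decode("ascii")
    body = json.dumps({"receipt-data": encoded}).encode("utf-8")
    # Steps 3-4: POST to the store and read the "status" and "receipt" keys.
    reply = transport(VERIFY_URL, body)
    if not isinstance(reply, dict):
        raise ReceiptRejected("malformed response")
    # Step 5: only the integer 0 means valid (JSON false or a missing key must not pass).
    status = reply.get("status")
    if type(status) is not int or status != 0:
        raise ReceiptRejected("status %r" % (status,))
    receipt = reply.get("receipt")
    if not isinstance(receipt, dict):
        raise ReceiptRejected("no receipt in response")
    # Purchase details come from the store's response, never from the client request.
    if receipt.get("bid") != expected_bid:  # assumed check: our own bundle identifier
        raise ReceiptRejected("receipt belongs to another application")
    if receipt.get("product_id") not in catalogue:  # assumed check: products we sell
        raise ReceiptRejected("unknown product")
    tid = receipt.get("transaction_id")
    if not isinstance(tid, str) or not tid or tid in fulfilled:  # assumed replay check
        raise ReceiptRejected("transaction missing or already fulfilled")
    fulfilled.add(tid)
    return receipt

def constructed_store(url, body):
    # Constructed stand-in for the App Store reply so the example runs offline.
    return {"status": 0, "receipt": {"bid": "com.example.game",
            "product_id": "com.example.game.coins", "transaction_id": "1000000000000001"}}

if __name__ == "__main__":
    seen = set()
    print(verify_receipt(b"opaque-bytes", "com.example.game", {"com.example.game.coins"},
                         seen, transport=constructed_store)["product_id"])
```

In production `fulfilled` would be a persistent store shared by all server instances rather than an in-memory set.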

 


 

Original article: https://www.cnblogs.com/xingchen/p/2415059.html