How do we verify Windows 8 in-app billing receipt on the server side?

StackOverflow https://stackoverflow.com/questions/11985618

Question

I am currently implementing in-app purchases in an app that I am working for Windows 8.

After reading the documentation:

  1. Request the license Information for the app: msdn.microsoft.com/en-us/library/windows/apps/windows.applicationmodel.store.licenseinformation.aspx

This tells you if the app is trial or not, and the list of products bought using in-app.

  1. To perform a purchase you need to use the objects:

CurrentApp: In live environment. This will only work when the app is APPROVED in the store, so you need to make this change before packaging to submit to the store.

CurrentAppSimulator: Debug and testing.

2.a. If you are running an app in trial mode, you purchase the app calling: CurrentApp.RequestAppPurchaseAsync (true)

The parameter is requesting to get a string that contains XML that represents all receipts for the app and any in-app purchases. If includeReceipt is set to false, this string is empty.

2.b. Validate a purchase from your servers. Reference

We want to verify that the receipt that we got from server 2.a is genuine. To verify a receipt's authenticity, you can check the receipt's signature using the public certificate. To get this certificate, use the following URL: go.microsoft.com/fwlink/?LinkId=246509&cid= where is the CertificateId of the receipt.

This is a real Receipt from the CurrentAppSimulator:

<?xml version="1.0" encoding="utf-8"?>
    <Receipt Version="1.0" ReceiptDate="2012-08-23T14:21:40Z" CertificateId="" ReceiptDeviceId="9d6b1f28-cab8-421f-8f8d-23df2dc3abbe">
    <ProductReceipt Id="d9437a12-4f91-4ef0-b0bf-527ab9da2ec9" AppId="Zolmo.JamiesRecipes_40cj6885yhw56" ProductId="JMPK_0004" PurchaseDate="2012-08-23T14:21:40Z" ProductType="Durable" />
</Receipt>

No CertificateId, how could I implement the server side validation? how can I test all this without having an app in the Store?

Thanks, Pedro

Was it helpful?

Solution

There is no sandbox environment to do this kind of end-to-end testing for the Windows Store. This should help get you a bit further though:

The CertificateId being used by the Store currently is b809e47cd0110a4db043b3f73e83acd917fe1336 (this can change over time so your code should get this programmatically from the signed receipts)

The cert download URL becomes this: https://go.microsoft.com/fwlink/?LinkId=246509&cid=b809e47cd0110a4db043b3f73e83acd917fe1336

Here's a sample receipt you can test your code that parses the CertificateId value to use in the URL above and for the code that verifies the signature is valid using the cert returned by the URL above:

<Receipt Version="1.0" ReceiptDate="2012-08-28T22:11:33Z" CertificateId="b809e47cd0110a4db043b3f73e83acd917fe1336" ReceiptDeviceId="4e362949-acc3-fe3a-e71b-89893eb4f528">
<AppReceipt Id="8ffa256d-eca8-712a-7cf8-cbf5522df24b" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" PurchaseDate="2012-06-04T23:07:24Z" LicenseType="Full" />
<ProductReceipt Id="2559fa9a-9f86-0525-e655-536a6c96fac6" ProductId="Product1" PurchaseDate="2012-06-04T23:07:50Z" ExpirationDate="2012-06-07T23:07:49Z" ProductType="Durable" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" />
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <Reference URI="">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <DigestValue>npmBq7pdtq9FkfILSsHuVyD+QWiZg6J/klBKsyWhrw8=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>LKZSHmk6XjLaEHoJPFBB1GxVsFf2eilOXeyf2RvYtVvqjU4EIdOUfNM46sVifq3MyeE4N2s77iJmvdzgxmOM9tCimebiL7jsdpWakO0A9daImHESMPIrwZNham6jPCWaBUEOFT6PNy1v5MS+cdX25Wenk702L0wVQ6R8oGPlk5Im6Q62K69cvAFA3q/kiLHOyTZWHoIGw5lvFvAYI/aZhVoFQLv1FjK0Syg5nbMA19UrzwZ39jnJjcfuw/VX51uSv5Ze2x36HDXTpiw8wHoTzauGYzt9MXd4+qbiJ4AQys22AgO+cfAbDrTuH5duZ6DMeuFeEv8nu2p9PiVyBEOlZw==</SignatureValue>
</Signature>

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top