When I try and do a sandbox test with iOS, I receive the following error:

error { Error: getaddrinfo ENOTFOUND buy.itunes.apple.com buy.itunes.apple.com:443
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:76:26)
  code: 'ENOTFOUND',
  errno: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: 'buy.itunes.apple.com',
  host: 'buy.itunes.apple.com',
  port: 443 }

@superandrew213 Your commit 458c892 added purchaseDate and expirationDate to all responses, which is great. I noticed however that sometimes it seems to return a property purchaseData instead of purchaseDate.

I think it's limited to Apple. Could you double check?

Currently it seems that an access token for Google APIs is requested with each payment verification. This is unnecessary extra load to verify a single receipt and could cause significant delays when verifying a large amount of payments.

Since the function verifyPayment only works with callback, when I try to check the payment with the Apple store, when it responds and I can't return the result from the controller to the router, in order to send a response with it to the client.

Router code:

router.get('/subscriptionCheck', verifyToken, async function(req, res) {
    try {
        const subscription = await subscriptionController.getSubscription(req.userId);

        if (!subscription) return res.status(404).send('Failed to get subscription.');

        const response = await subscriptionController.checkSubscription(subscription.receipt);

        if(response.active){
            return res.status(200).json(response.data);
        } else {
            return res.status(400).json(response.data);
        }
    } catch (error) {
        return res.status(500).json({error: error.message});
    }
 });

Controller code:

 async function checkSubscriptionIOS(receipt, productId) {
    const payment = {
        receipt: receipt,
        productId: productId,
        packageName: 'bundleId',
        secret: 'secret',
    };

    return iap.verifyPayment('apple', payment, function(error, response) {
        if(error) {
            console.log("verify Apple subscriptions error:\n", error);

            return {active: false, data: error};
        } else {
            if (response.receipt.in_app.expires_date_ms < new Date().getTime()) {
                return {active: false, data: response};
            }

            return {active: true, data: response};
        }
    });
 }

iap has a dependency of jwt-simple, and jwt-simple has a high severity vulnerability that is fixed in>=0.5.3

https://www.npmjs.com/advisories/831

Could you bump jwt-simple?

If the subscription has expired (21006), the response indeed contains a valid decoded receipt.
I think it would make sense to return the decoded receipt rather than throwing an error.
What do you guys think?

Hey can you guys release a new version with the excludeOldTransactions option that was merged recently?

Thanks!

Hey, I am trying to verify a payment that has done in Unity, but I keep getting Error 400 - Invalid Value. I am quite sure I've followed your instructions on how to use it but it seems like I've missed something. Here's my code snippet:

And this is the result of this request:

Could you please help me see what's wrong here? Thanks in advance.

for (i=0.....){
var payment.receipt = receipt(i);
iap.verifyPayment('google', payment, function (error, response) {
if(!error && response){
callback(response);
}
});
}
i m passing diffrant receipt each time but it return same responce for every recipt.
note: all responce consist copy of first itration.

Is there support for verification of google play subscriptions?
seems like it is not supported? how trivial is it to add?
the url for subscription verification is
https://www.googleapis.com/androidpublisher/v2/applications/packageName/purchases/subscriptions/subscriptionId/tokens/token

I am trying out google verification.

if the purchase is not yet consumed, i get an error that it is not yet consumed.
if the purchase is consumed, then i get the proper response.
if the purchase does not exist, i get an error but blank.

Is this the expected behavior? I just find it weird

npm audit currently fails due to minimist not being up-to-date:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ iap                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ iap > minimist                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 2492 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Hi,

I am trying to make this work with the itunes shared secret. How to do ?

Thanks !

I understand that I need to create some kind of service account on google cloud platform.

Is there a step-by-step on which exact project/service/role I should be creating the service account against?

Whatsup!

What do you think about us adopting a coding standard for this package?

We've been using the following:

https://github.com/standard/standard

Seems to be pretty popular among maintainers. I think it may help us with our formatting.

This node package looks great and I think I will use it, however the documenation doesn't specify how we know whether the receipt is valid or not (i.e there is no isValid or the likes of it in the response). Should I just check whether error is null to know if the receipt is valid?

Hi!

While using your library I couldn't validate purchases, so I dug in the code and noticed that the receipt contained in the response from apple verification url isn't the one expected by the library.

-the bundle id is in receipt.bundle_id property instead of receipt.bid
-transaction_id and product_id are contained in receipt.in_app[0] instead of directly in the receipt.

I don't know why these values where located at different places for me, so I changed the code to test and made it work now.

I'll make a pull request to show you what I did and you can include it in the project if you want.

before i do a pull request, can you guys check if you think this can be added into this project?

https://github.com/kelchy/node-iap

it is not directly related to verifying payments so i am not sure. however, this is something important
to developers offering inapp purchases. recently we got a lot of cheaters who made a lot of refunds.
this would help everyone in the long run.

i am not sure how you guys want to format the readme for this so asking for help.

Noticed that a iOS user who was having receipt validation issues had two items in the latest receipt info array:

  "latest_receipt_info": [
    {
      "quantity": "1",
      "product_id": "yearly",
      "transaction_id": "501136461303889853",
      "original_transaction_id": "501136461303889853",
      "purchase_date": "2022-02-10 17:59:20 Etc/GMT",
      "purchase_date_ms": "1644515960000",
      "purchase_date_pst": "2022-02-10 09:59:20 America/Los_Angeles",
      "original_purchase_date": "2022-02-10 17:59:21 Etc/GMT",
      "original_purchase_date_ms": "1644515961000",
      "original_purchase_date_pst": "2022-02-10 09:59:21 America/Los_Angeles",
      "expires_date": "2022-02-17 17:59:20 Etc/GMT",
      "expires_date_ms": "1645120760000",
      "expires_date_pst": "2022-02-17 09:59:20 America/Los_Angeles",
      "cancellation_date": "2022-03-10 20:57:06 Etc/GMT",
      "cancellation_date_ms": "1646945826586",
      "cancellation_date_pst": "2022-03-10 12:57:06 America/Los_Angeles",
      "is_trial_period": "true",
      "is_in_intro_offer_period": "false",
      "cancellation_reason": "0",
      "in_app_ownership_type": "FAMILY_SHARED"
    },
    {
      "quantity": "1",
      "product_id": "monthly",
      "transaction_id": "150001161180179",
      "original_transaction_id": "150001161180179",
      "purchase_date": "2022-08-12 19:06:35 Etc/GMT",
      "purchase_date_ms": "1660331195000",
      "purchase_date_pst": "2022-08-12 12:06:35 America/Los_Angeles",
      "original_purchase_date": "2022-08-12 19:06:35 Etc/GMT",
      "original_purchase_date_ms": "1660331195000",
      "original_purchase_date_pst": "2022-08-12 12:06:35 America/Los_Angeles",
      "expires_date": "2022-09-12 19:06:35 Etc/GMT",
      "expires_date_ms": "1663009595000",
      "expires_date_pst": "2022-09-12 12:06:35 America/Los_Angeles",
      "is_trial_period": "false",
      "is_in_intro_offer_period": "false",
      "in_app_ownership_type": "PURCHASED"
    }
  ]

Our tactic of grabbing the last item in the array failed, because iap sorts the items before returning them:

However the sorting is via transaction_id and in this case the first transaction has a much larger id than the second. Not sure if related to family sharing, or a red herring.

Perhaps don't sort the array when parsing?

While I'm using this library for Google validation with no problems, I can't find a way to make it work with Apple.

I'm getting the receipt as Apple's documentation says:
To retrieve the receipt data, use the appStoreReceiptURL method of NSBundle to locate the app’s receipt, and then read the entire file. If the appStoreReceiptURL method is not available, you can fall back to the value of a transaction's transactionReceipt property for backward compatibility.

The result is a VERY LOOONG string:
MIIT3AYJKoZIhvcNAQcCoIITzTCCE8kCAQExCzAJBgUrDgMCGgUAMIIDjQYJKoZIhvcNAQcBoIIDfgSCA3oxggN2MAoCAQgCAQEEAhYAMAoCARQCAQEEAgwAMAsCAQECAQEEAwIBADALAgELAgEBBAMCAQAwCwIBDgIBAQQDA... //truncated for obvious reasons

That I'm passing AS IS as the receipt string:
The receipt string passed may be either the base64 string that Apple really wants, or the decoded receipt as returned by the iOS SDK (in which case it will be automatically base64 serialized).

I'm also passing productId and package name:
Both productId and packageName (bundle ID) are optional, but when provided will be tested against. If the receipt does not match the provided values, an error will be returned.

The call fails with this message:
The data in the receipt-data property was malformed or missing.

Is it something that I'm doing wrong?

Thanks,
Walt

Hi, I have this set up and working but would also like to use it to know whether a purchase was a test transaction or not. Capable of doing this with the response.environment on iOS, but no way to do it in Android. Would it be possible to update the code that hits the server to also fetch the "orderId" from Google, or anything else that can note whether it was a sandbox/test transaction?

by merging this: https://github.com/Wizcorp/node-iap/pulls

The README states that you can use the promise version of the method, but the NPM package isn't updated to have this functionality.

Thanks a lot for this library.
I use it for verify google play subscribe.
But I don't know how to get the keyObject.

var payment = {
       //xxxxx
	keyObject: {}, // required, if google
};

Someone can help me? Thanks.

This should help clients find this package with the available platforms listed. For example:

In-app purchases for Node.js (Apple, Google, Amazon, Roku)

https://android-developers.googleblog.com/2019/03/changes-to-google-play-developer-api.html

When a receipt is sent from an app to the server, I need to perform some actions, and then respond to the app that it's ok to consume the purchase.

The problem is that this module is asserting that the purchase is already consumed. That's not safe, because if the app buys then consumes the purchase before notifying the server, and then something goes wrong, the purchase has been (more or less) lost in the ether, since it will no longer appear in the list of purchases from Google after being consumed but will not have registered with the node server.

Any chance that line (along with the purchaseState line, in case we actually need to check on that info) could simply be removed? Or if you have some external code depending on that check being there, add an alternative method for just checking the state of a purchase rather than verifying those exact conditions?

Thanks!

For apple order it's it's working fine but for google order, the response is undefined also it's not giving any error. i m using below configuration.Can you please help me out.

var platform = 'google';
var payment = {
receipt: '', // always required
productId: 'monthly_subscription',
packageName: 'com..io',
keyObject:'../.json'
};

Thanks

Hello,

The Roku payment verification is not yet released on npm. When do you intend to push a new version of iap which contains this?

Thanks.

orderId not the token should be the property used as transactionId

the Google token is more like the Apples base64 encoded receipt: both enable the developer to fetch updated information about users purchase/subscription. Googles orderId is the property which corresponds to Apples transaction_id.

its the orderId that uniquely identifies each transaction made by the user. What you are currently using as transactionId is the token which is used to fetch information from the api about given purchase/subscription. In case of renewing subscriptions, there will by more then one transaction associated with give token, each transaction having a unique orderId which corresponds to subsequent subscription periods. If you ever want to match data fetched from googles purchases api with play store sales & payout reports you will need to use the orderId not the token.

Thank you for this library, but i would like to ask something since it's my first time implementing auto renewable subscription..

So now after the user purchase the subscription i should send the receipt to my backend and validate it, and then if it's valid i should store the receipt and the expiration date in my db, and since i have a corn job that runs daily i can check if the subscription is expired, and if it's i can send the receipt again to check if it's renewed or not, is that right? and if it returns an error meaning that it's not valid anymore?

app.post('/receipt-validation' , (request , response) => {

  const platform = request.body.platform;
  const userId = request.body.userId;
  const receipt = request.body.platform;

  const payment = {
    receipt: receipt, // always required
    productId: 'com.shamhandev.snaplearn',
    packageName: 'com.shamhandev.snaplearn',
    excludeOldTransactions: true, // ios
    secret: 'password',      
    subscription: true,	// optional, if google play subscription
    keyObject: {}, // required, if google
  };


  iap.verifyPayment(platform, payment)
  .then(
    res => {	
       //Updating subscription status in db
    },
    err => {
        /* your code */ 
    }
)



});

The minimist package had some serious security problems. Can you please update the dependencies.

# npm audit report

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m

I get

{ [AssertionError: Google API key object must be provided]
name: 'AssertionError',
actual: undefined,
expected: true,
operator: '==',
message: 'Google API key object must be provided',
generatedMessage: false }

Where do i specify Google API key object?? you said in the document that we need keyObject but since I'm a node first time user, not sure what that means..

also for receipt ... can this be the order number (=transaction id) ?