soroushdes/HokmPlay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
83d9c1c7d0119872e0ea7a76725806ad2bf988eb
HokmPlay/server/src/Hokm.Server/Payments/IabService.cs
T
soroush.asadi 83d9c1c7d0
CI/CD / CI - API (dotnet build + engine sim) (push) Successful in 29s
Details
CI/CD / CI - Web (tsc + next build) (push) Successful in 1m6s
Details
CI/CD / Deploy - local stack (db + server + web) (push) Successful in 41s
Details
fix(iab): correct Myket purchase verification to the documented POST /verify API 
Myket's server-to-server validation is POST
/api/partners/applications/{pkg}/purchases/products/{sku}/verify with the
purchase token in the JSON body ({"tokenId": ...}) + X-Access-Token header —
not a GET with the token in the path. purchaseState 0 = valid.
Ref: https://myket.ir/kb/pages/server-to-server-payment-validation-api/

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 22:12:57 +03:30

138 lines
6.1 KiB
C#
Raw Blame History

using System.Net.Http.Json;
using System.Text.Json;
namespace Hokm.Server.Payments;
/// <summary>
/// Config for store in-app billing verification. Fill these from the Cafe Bazaar
/// (pardakht) and Myket developer panels. Bound from the "Iab" config section /
/// <c>Iab__*</c> env vars.
/// </summary>
public sealed class IabOptions
{
/// <summary>Android package name registered in the store panels.</summary>
public string PackageName { get; set; } = "com.bargevasat.app";
// ── Cafe Bazaar (pardakht dev API, OAuth refresh-token flow) ──
public string BazaarClientId { get; set; } = "";
public string BazaarClientSecret { get; set; } = "";
public string BazaarRefreshToken { get; set; } = "";
/// <summary>
/// Cafe Bazaar in-app billing RSA public key (panel: «دریافت کلید RSA برای
/// قراردادن در برنامه»). Used to verify a purchase payload's signature locally
/// (Poolakey in-app library flow). NOT used by the current deep-link flow,
/// which verifies server-to-server via the pardakht API above — kept here so
/// the key has a home if/when the native Poolakey plugin is added.
/// </summary>
public string BazaarRsaPublicKey { get; set; } = "";
// ── Myket (developer validation API) ──
public string MyketAccessToken { get; set; } = "";
/// <summary>
/// DEV ONLY. When true, purchases are credited WITHOUT remote verification
/// (use for local testing before you have store credentials). NEVER enable in
/// production — it lets a forged token mint coins.
/// </summary>
public bool AllowUnverified { get; set; } = false;
}
/// <summary>
/// Verifies a store purchase token (Cafe Bazaar / Myket) server-to-server before
/// coins are credited. Endpoints are config-driven; confirm the exact URLs against
/// your store panel — the request/response shapes mirror Google Play's IAB API.
/// </summary>
public sealed class IabService
{
private static readonly HttpClient Http = new();
private readonly IabOptions _opts;
private readonly ILogger<IabService> _log;
public IabService(IabOptions opts, ILogger<IabService> log)
{
_opts = opts;
_log = log;
}
public async Task<bool> Verify(string store, string productId, string token)
{
if (string.IsNullOrWhiteSpace(token)) return _opts.AllowUnverified;
store = (store ?? "").Trim().ToLowerInvariant();
try
{
return store switch
{
"bazaar" or "cafebazaar" => await VerifyBazaar(productId, token),
"myket" => await VerifyMyket(productId, token),
_ => _opts.AllowUnverified,
};
}
catch (Exception ex)
{
_log.LogWarning(ex, "IAB verify failed for store {Store} product {Product}", store, productId);
return _opts.AllowUnverified;
}
}
/// <summary>
/// Cafe Bazaar: exchange the refresh token for an access token, then validate
/// the in-app purchase. See https://pardakht.cafebazaar.ir/devapi/v2/.
/// </summary>
private async Task<bool> VerifyBazaar(string productId, string token)
{
if (string.IsNullOrWhiteSpace(_opts.BazaarRefreshToken)) return _opts.AllowUnverified;
// 1) refresh_token → access_token
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
["grant_type"] = "refresh_token",
["client_id"] = _opts.BazaarClientId,
["client_secret"] = _opts.BazaarClientSecret,
["refresh_token"] = _opts.BazaarRefreshToken,
});
var tokenResp = await Http.PostAsync("https://pardakht.cafebazaar.ir/devapi/v2/auth/token/", form);
if (!tokenResp.IsSuccessStatusCode) return false;
using var tokenDoc = JsonDocument.Parse(await tokenResp.Content.ReadAsStringAsync());
if (!tokenDoc.RootElement.TryGetProperty("access_token", out var at)) return false;
var access = at.GetString();
// 2) validate the purchase
var url = $"https://pardakht.cafebazaar.ir/devapi/v2/api/validate/{_opts.PackageName}/inapp/{Uri.EscapeDataString(productId)}/purchases/{Uri.EscapeDataString(token)}/?access_token={access}";
var vResp = await Http.GetAsync(url);
if (!vResp.IsSuccessStatusCode) return false;
using var vDoc = JsonDocument.Parse(await vResp.Content.ReadAsStringAsync());
// purchaseState: 0 = purchased (1 = refunded/cancelled). Absent ⇒ a 200 body
// is itself proof of a valid purchase.
if (vDoc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)
return ps.GetInt32() == 0;
return true;
}
/// <summary>
/// Myket: validate via the developer API. POST the purchase token in the body
/// (`{ "tokenId": ... }`) to the partners/verify endpoint with an X-Access-Token
/// header. The access token comes from the Myket developer panel → in-app
/// products. See https://myket.ir/kb/pages/server-to-server-payment-validation-api/
/// </summary>
private async Task<bool> VerifyMyket(string productId, string token)
{
if (string.IsNullOrWhiteSpace(_opts.MyketAccessToken)) return _opts.AllowUnverified;
var url = $"https://developer.myket.ir/api/partners/applications/{_opts.PackageName}/purchases/products/{Uri.EscapeDataString(productId)}/verify";
using var req = new HttpRequestMessage(HttpMethod.Post, url);
req.Headers.Add("X-Access-Token", _opts.MyketAccessToken);
req.Content = new StringContent(
JsonSerializer.Serialize(new { tokenId = token }),
System.Text.Encoding.UTF8,
"application/json");
var resp = await Http.SendAsync(req);
if (!resp.IsSuccessStatusCode) return false;
using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
// purchaseState: 0 = successful purchase, 1 = failed.
if (doc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)
return ps.GetInt32() == 0;
return true;
}
}
Reference in New Issue View Git Blame Copy Permalink