Unity IAP doesn't consume consumable acknowledged purchases

Which cheater user? You have not described a valid scenario yet.

And also I really want this bug to be fixed so that promo codes work. As I wrote before, items redeemed with promo codes are created in acknowledged: true status, consumed: false. And Unity IAP doesn’t know what to do with acknowledged items. So it is most likely the same issue. Two bugs will be fixed with one fix :)

I described a valid scenario before. Server authorization doesn’t depend on the account logged in to the Google Play Store on the second or any later app launch.
Even Google sign-in will use the previous Google account on the next app launch, and will sign in silently.

Also robbgray described potential security problems.

We have no server API to consume an item. Consumption has to be done on the client. We have a server API to acknowledge an item. We can’t give an item to the user on the server without any mark. It is not safe. Acknowledgement for the server, consumption for the client. I think it is logical. Or acknowledgement + consumption on the client for non-multiplayer games, which Unity IAP does great.

1 Like

@JeffDUnity3D The article is old but the GitHub for it that I linked is kept up to date and uses Google v3 billing API.

What link are you referring to? This is your first post on this thread. Yes, I missed the original link that the OP posted. We are checking further here.

There is no security issue here. Transactions are associated with the user logged into Google Play on the device. If you change the user account on the phone, they won’t receive a ProcessPurchase from a transaction generated from another user, regardless of whether your game has its own login mechanism. The only scenario that I see is the user who continues to receive ProcessPurchase in Pending state, which goes to your server again, perhaps to award the product again. You want to return Complete on the client in this case, but understood this could be problematic. Can you not look for the duplicate receipt on the server? It should contain the same purchaseToken. Then tell the client to return Complete. Regardless, we are checking further here.

And it is a security problem that they won’t receive a ProcessPurchase. The user will get gems on the server, but the client will not acknowledge the purchase if the user changed the Google Play Store account, and Google will return the money to the user after 3 days. The user has gems, we have no money.

Yes, I did something like this.

1 Like
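
The duplicate-receipt check suggested above (look for the same purchaseToken on the server, then tell the client to return Complete), as an added example that is not code from any poster in this thread or from Unity IAP. The table layout, product catalogue and function names are assumptions, and the receipt is assumed to have been validated with Google before this code runs.

```python
import sqlite3

# Constructed catalogue: product id -> gems granted (assumption, not from the thread).
GEM_PACKS = {"gems_100": 100}

def open_ledger():
    """In-memory store; the PRIMARY KEY on purchase_token is what enforces one grant per token."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fulfilled (purchase_token TEXT PRIMARY KEY,"
                 " game_user TEXT NOT NULL, product_id TEXT NOT NULL)")
    conn.execute("CREATE TABLE gems (game_user TEXT PRIMARY KEY,"
                 " balance INTEGER NOT NULL DEFAULT 0)")
    return conn

def balance(conn, game_user):
    row = conn.execute("SELECT balance FROM gems WHERE game_user = ?",
                       (game_user,)).fetchone()
    return row[0] if row else 0

def handle_receipt(conn, game_user, product_id, purchase_token):
    """Grant once per purchaseToken; a repeat only tells the client to finish the transaction."""
    if product_id not in GEM_PACKS:
        return {"granted": False, "client_action": "Reject"}
    try:
        with conn:  # one transaction: ledger row and gem grant commit or roll back together
            conn.execute("INSERT INTO fulfilled VALUES (?, ?, ?)",
                         (purchase_token, game_user, product_id))
            conn.execute("INSERT OR IGNORE INTO gems (game_user) VALUES (?)",
                         (game_user,))
            conn.execute("UPDATE gems SET balance = balance + ? WHERE game_user = ?",
                         (GEM_PACKS[product_id], game_user))
    except sqlite3.IntegrityError:
        # Token already fulfilled: award nothing, but let the client leave Pending.
        owner = conn.execute("SELECT game_user FROM fulfilled WHERE purchase_token = ?",
                             (purchase_token,)).fetchone()[0]
        return {"granted": False, "client_action": "Complete",
                "same_user": owner == game_user}
    # The server-side acknowledge call to Google would follow here (not shown).
    return {"granted": True, "client_action": "Complete", "same_user": True}

if __name__ == "__main__":
    db = open_ledger()
    token = "constructed-token-0001"  # constructed sample value
    print(handle_receipt(db, "userA", "gems_100", token))
    print(handle_receipt(db, "userA", "gems_100", token))  # Pending retry
    print(balance(db, "userA"))
```
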

How will the new user get gems on the server? Please help me to understand. Valid security issues will indeed raise the priority of this issue, but first we would need to understand the scenario. This is my understanding, please correct me:

  • UserA owns phone, plays your game and makes a purchase but you have a server error. The transaction is left in Pending so continues to trigger ProcessPurchase on each IAP initialization. (In my view, the issue is limited to this scope)
  • UserA logs out of the Play Store, and UserB logs into it with their Google account (or any valid Play Store login)
  • UserB launches your game with their own user account as defined in your game, which is a separate login from their Play Store login. Assume they are a brand new user.
  • During app launch, no ProcessPurchase would be triggered for this user
  • How does UserB now own any content on your server?

If UserA does not log out of the game, Google Play Store UserB will be logged in to UserA’s account in the game.
Google sign-in, Facebook sign-in or other sign-ins use the previous account and sign in silently if the user didn’t log out.
So Google Play Store UserB, logged in to UserA’s account in the game, will not get ProcessPurchase and the purchase will not be acknowledged.

This was my original question on this thread, if servers have to implement their own purchase acknowledgment systems to support Unity IAP. This is not possible for us because our entitlement fulfillment system is shared with other games. And it is set up correctly as per how Google recommends, i.e. acknowledge purchases upon fulfillment.

“This acknowledgement communicates to Google Play that you have granted entitlement for the purchase.”
https://developer.android.com/google/play/billing/integrate

Yes, this is expected. The problem lies when UserA logs in, and gets caught in the Pending cycle. Your ask is for us to detect that the transaction has been acknowledged on your server, we are checking into this.

@robbgray @Olegleg We could use your help, could one of you code up the curl request or Postman script to Acknowledge the transaction? The sooner we can reproduce, the sooner we can offer an update, thanks. Since it will contain your productID and an actual token, you can send the script to me in a private message. Also, please provide your client code that is calling the server method.

@robbgray @Olegleg Was this flow working in a previous version of IAP? Engineering is asking.

Unfortunately, I can’t code up the curl request or Postman script to Acknowledge the transaction right now.

The problem exists on 2.2.7, 3.0.1, 3.1.0.

Was this flow working in a previous version of IAP? Engineering is asking.

I haven’t tested it in earlier versions. Only 2.2.7+. Should I downgrade to previous versions?

It works for us on an older version but Google is going to require billing API v3 (which is present in newer Unity IAP versions). All new games in August then all games by November.

1 Like

I have a similar issue.
After using a Google promo code,
when I try to buy the same product, purchasing fails with the message “Duplicate Transaction”

Unity version : 2019.2.17f1
Issued IAP version : over 3.0.1
Right working IAP version : 1.23.1

I have same concern about…
It works for us on an older version but Google is going to require billing API v3 (which is present in newer Unity IAP versions). All new games in August then all games by November.

Please check this issue.

Thank you!

Hello, we have the same problems with the pre-registration bonus. After receipt validation on our server, the client tries consuming the product. It looks like the product was consumed, but it generates an order on the next launch.
We didn’t send anything to Google servers.

Which version specifically? We would want to do a “diff” between versions to try to see what may have changed.