苹果内购:只要你在苹果系统购买APP中虚拟物品(虚拟货币,VIP充值等),必须通过内购方式进行支付,苹果和商家进行三七开
验证模式有两种:
1、Validating Receipts With the App Store 通过访问苹果接口进行验证。
2、Validating Receipts Locally 本地代码解码进行验证
官方文档说明:
我这里主要说一下服务端验证模式,大致流程为
1、app进行支付,然后收到苹果的收据(一串很长的BASE64编码的字符串)
2、app请求服务端,将收据给到服务端,服务端拿到收据请求苹果服务器验证收据是否为真
3、服务端验证收据真伪,验证当前支付的交易是否成功,成功则处理支付成功的业务逻辑
进行代码前,首先使用postman将收据发送给苹果服务器,熟悉一下返回的数据结构
重点说一下我的理解:
在官方文档和各个私人博客中都没有明确说明要验证的内容,百度一整天得到的验证逻辑为:苹果服务器只验证了收据的真伪,而收据包含多个交易的信息。
所以,我们验证当status字段为0(即收据为真),且当前交易ID(app传递到后台)在收据交易列表中,即可认为交易支付成功;同时app传递当前支付产品的ID(我们内部的商品ID),处理该商品的订单。
注意:这个接口可以多次请求,所以应当将交易ID与订单进行绑定,防止一个交易生成多个订单
一、上验证代码,首先来一个百度的工具类,功能为组装请求数据,发送http请求
import javax.net.ssl.*;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
/**
* 苹果IAP内购验证工具类
* Created by wangqichang on 2019/2/26.
*/
public class IosVerifyUtil {
private static class TrustAnyTrustManager implements X509TrustManager {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[] {};
}
}
private static class TrustAnyHostnameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession session) {
return true;
}
}
private static final String url_sandbox = "https://sandbox.itunes.apple.com/verifyReceipt";
private static final String url_verify = "https://buy.itunes.apple.com/verifyReceipt";
/**
* 苹果服务器验证
*
* @param receipt
* 账单
* @url 要验证的地址
* @return null 或返回结果 沙盒 https://sandbox.itunes.apple.com/verifyReceipt
*
*/
public static String buyAppVerify(String receipt,int type) {
//环境判断 线上/开发环境用不同的请求链接
String url = "";
if(type==0){
url = url_sandbox; //沙盒测试
}else{
url = url_verify; //线上测试
}
//String url = EnvUtils.isOnline() ?url_verify : url_sandbox;
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { new TrustAnyTrustManager() }, new java.security.SecureRandom());
URL console = new URL(url);
HttpsURLConnection conn = (HttpsURLConnection) console.openConnection();
conn.setSSLSocketFactory(sc.getSocketFactory());
conn.setHostnameVerifier(new TrustAnyHostnameVerifier());
conn.setRequestMethod("POST");
conn.setRequestProperty("content-type", "text/json");
conn.setRequestProperty("Proxy-Connection", "Keep-Alive");
conn.setDoInput(true);
conn.setDoOutput(true);
BufferedOutputStream hurlBufOus = new BufferedOutputStream(conn.getOutputStream());
String str = String.format(Locale.CHINA, "{"receipt-data":"" + receipt + ""}");//拼成固定的格式传给平台
hurlBufOus.write(str.getBytes());
hurlBufOus.flush();
InputStream is = conn.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line = null;
StringBuffer sb = new StringBuffer();
while ((line = reader.readLine()) != null) {
sb.append(line);
}
return sb.toString();
} catch (Exception ex) {
System.out.println("苹果服务器异常");
ex.printStackTrace();
}
return null;
}
/**
* 用BASE64加密
*
* @param str
* @return
*/
public static String getBASE64(String str) {
byte[] b = str.getBytes();
String s = null;
if (b != null) {
s = new sun.misc.BASE64Encoder().encode(b);
}
return s;
}
}
二、验证逻辑代码
/**
* 苹果内购校验
* @param priceId 会员价格ID
* @param transactionId 苹果内购交易ID
* @param payload 校验体(base64字符串)
* @return
*/
@PostMapping("/iospay")
public Map<String, Object> iosPay(Long priceId,String transactionId, String payload) {
log.info("苹果内购校验开始,交易ID:" + transactionId + " base64校验体:" + payload);
Shipper shipper = getLoginShipper();
if (shipper == null) {
return failure("未登录");
}
//线上环境验证
String verifyResult = IosVerifyUtil.buyAppVerify(payload, 1);
if (verifyResult == null) {
return failure("苹果验证失败,返回数据为空");
} else {
log.info("线上,苹果平台返回JSON:" + verifyResult);
JSONObject appleReturn = JSONObject.parseObject(verifyResult);
String states = appleReturn.getString("status");
//无数据则沙箱环境验证
if ("21007".equals(states)) {
verifyResult = IosVerifyUtil.buyAppVerify(payload, 0);
log.info("沙盒环境,苹果平台返回JSON:" + verifyResult);
appleReturn = JSONObject.parseObject(verifyResult);
states = appleReturn.getString("status");
}
log.info("苹果平台返回值:appleReturn" + appleReturn);
// 前端所提供的收据是有效的 验证成功
if (states.equals("0")) {
String receipt = appleReturn.getString("receipt");
JSONObject returnJson = JSONObject.parseObject(receipt);
String inApp = returnJson.getString("in_app");
List<HashMap> inApps = JSONObject.parseArray(inApp, HashMap.class);
if (!CollectionUtils.isEmpty(inApps)) {
ArrayList<String> transactionIds = new ArrayList<String>();
for (HashMap app : inApps) {
transactionIds.add((String) app.get("transaction_id"));
}
//交易列表包含当前交易,则认为交易成功
if (transactionIds.contains(transactionId)) {
//处理业务逻辑
VipOrder vipOrder = vipOrderService.saveVipOrder(shipper, priceId, EnumPayType.APPLE_IN_APP_PURCHASES.getValue(),transactionId);
vipOrderService.paySuccess(vipOrder.getOrderCode(),null);
log.info("交易成功,新增并处理订单:{}",vipOrder.getOrderCode());
return success("充值成功");
}
return failure("当前交易不在交易列表中");
}
return failure("未能获取获取到交易列表");
} else {
return failure("支付失败,错误码:" + states);
}
}
}
以上转载于作者:老王——KICHUN
链接:https://www.jianshu.com/p/976fc6090cfa
三、验证攻击处理
当然还需要注意一下攻击,毕竟是涉及到钱的问题
1、返回字段名
2、常见攻击
3、业务代码如下:
@Slf4j
@Service
public class ApplePayService {
@Autowired
private CurrencyService currencyService;
@Autowired
private EnvService envService;
@Autowired
private CurrencyHistoryDAO currencyHistoryDAO;
private static class TrustAnyTrustManager implements X509TrustManager {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[] {};
}
}
private static class TrustAnyHostnameVerifier implements HostnameVerifier {
public boolean verify(String hostname, SSLSession session) {
return true;
}
}
// 发送请求验证订单真伪
public String applePayVerify(String receiptData, Boolean isAgain){
String verifyUrl = envService.isProd() ? "https://buy.itunes.apple.com/verifyReceipt" : "https://sandbox.itunes.apple.com/verifyReceipt";
if (isAgain){
verifyUrl = "https://sandbox.itunes.apple.com/verifyReceipt";
}
try{
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { new ApplePayService.TrustAnyTrustManager() }, new java.security.SecureRandom());
URL console = new URL(verifyUrl);
HttpsURLConnection conn = (HttpsURLConnection) console.openConnection();
conn.setSSLSocketFactory(sc.getSocketFactory());
conn.setHostnameVerifier(new ApplePayService.TrustAnyHostnameVerifier());
conn.setRequestMethod("POST");
conn.setRequestProperty("content-type", "text/json");
conn.setRequestProperty("Proxy-Connection", "Keep-Alive");
conn.setDoInput(true);
conn.setDoOutput(true);
BufferedOutputStream hurlBufOus = new BufferedOutputStream(conn.getOutputStream());
String str = String.format(Locale.CHINA, "{"receipt-data":"" + receiptData + ""}");//拼成固定的格式传给平台
hurlBufOus.write(str.getBytes());
hurlBufOus.flush();
InputStream is = conn.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line = null;
StringBuffer sb = new StringBuffer();
while ((line = reader.readLine()) != null) {
sb.append(line);
}
return sb.toString();
} catch (Exception e) {
log.error("苹果服务器异常:" + LogUtil.getStack(e));
}
return null;
}
/**
* 苹果内购校验
* @param transactionId 苹果内购交易ID
* @param receiptData 校验体(base64字符串)
* @return
*/
public OperationInfo applePay(String transactionId, String receiptData){
// 验证真伪
String verifyResult = applePayVerify(receiptData, false);
if (verifyResult == null) {
return OperationInfo.failure("苹果验证失败,返回数据为空");
} else {
JSONObject appleReturn = JSONObject.parseObject(verifyResult);
String status = appleReturn.getString("status");
// 如果生产环境也是沙箱,则使用沙箱url请求
if (status.equals("21007")){
verifyResult = applePayVerify(receiptData, true);
if (verifyResult == null) {
return OperationInfo.failure("苹果验证失败,返回数据为空");
} else {
appleReturn = JSONObject.parseObject(verifyResult);
status = appleReturn.getString("status");
}
}
if (status.equals("0")) {
String receipt = appleReturn.getString("receipt");
// 防止重复验证攻击
String md5Receipt = DigestUtils.md5DigestAsHex(receipt.getBytes());
List<Integer> historyList = currencyHistoryDAO.findByMd5Receipt(md5Receipt);
if (historyList != null && !historyList.isEmpty()){
return OperationInfo.failure("支付失败,重复验证");
}
JSONObject returnJson = JSONObject.parseObject(receipt);
// 防止跨app攻击
if (!StringUtils.equals("com.modbapp", returnJson.getString("bid"))){
return OperationInfo.failure("支付失败,非本app订单");
}
// 防止换价格攻击
if (!StringUtils.equals(transactionId, returnJson.getString("product_id"))){
return OperationInfo.failure("支付失败,支付金额有误");
}
BigDecimal price;
switch (transactionId){
case "**6": price = new BigDecimal(6); break;
case "**18": price = new BigDecimal(18); break;
case "**68": price = new BigDecimal(68); break;
case "**108": price = new BigDecimal(108); break;
case "**218": price = new BigDecimal(218); break;
case "**318": price = new BigDecimal(318); break;
case "**418": price = new BigDecimal(418); break;
case "**648": price = new BigDecimal(648); break;
case "**998": price = new BigDecimal(998); break;
default: return OperationInfo.failure("当前交易不在交易列表中");
}
// 更改墨币
currencyService.rechargeCurrency(CurrencyEnum.PURCHASE_CURRENCY, price, UserUtils.getCurrentUserId(), "购买墨币", md5Receipt);
return OperationInfo.success("充值成功");
}
return OperationInfo.failure("支付失败,错误码:" + status);
}
}
}