蘋果內購:只要你在蘋果系統購買APP中虛擬物品(虛擬貨幣,VIP充值等),必須通過內購方式進行支付,蘋果和商家進行三七開
驗證模式有兩種:
1、Validating Receipts With the App Store 通過訪問蘋果接口進行驗證。
2、Validating Receipts Locally 本地代碼解碼進行驗證
官方文檔說明:
我這里主要說一下服務端驗證模式,大致流程為
1、app進行支付,然后收到蘋果的收據(一串很長的BASE64編碼的字符串)
2、app請求服務端,將收據給到服務端,服務端拿到收據請求蘋果服務器驗證收據是否為真
3、服務端驗證收據真偽,驗證當前支付的交易是否成功,成功則處理支付成功的業務邏輯
進行代碼前,首先使用postman將收據發送給蘋果服務器,熟悉一下返回的數據結構
重點說一下我的理解:
在官方文檔和各個私人博客中都沒有明確說明要驗證的內容,百度一整天得到的驗證邏輯為:蘋果服務器只驗證了收據的真偽,而收據包含多個交易的信息。
所以,我們驗證當status字段為0(即收據為真),且當前交易ID(app傳遞到后台)在收據交易列表中,即可認為交易支付成功;同時app傳遞當前支付產品的ID(我們內部的商品ID),處理該商品的訂單。
注意:這個接口可以多次請求,所以應當將交易ID與訂單進行綁定,防止一個交易生成多個訂單
一、上驗證代碼,首先來一個百度的工具類,功能為組裝請求數據,發送http請求
import javax.net.ssl.*; import java.io.BufferedOutputStream; import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; import java.net.URL; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Locale; /** * 蘋果IAP內購驗證工具類 * Created by wangqichang on 2019/2/26. */
public class IosVerifyUtil { private static class TrustAnyTrustManager implements X509TrustManager { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; } } private static class TrustAnyHostnameVerifier implements HostnameVerifier { public boolean verify(String hostname, SSLSession session) { return true; } } private static final String url_sandbox = "https://sandbox.itunes.apple.com/verifyReceipt"; private static final String url_verify = "https://buy.itunes.apple.com/verifyReceipt"; /** * 蘋果服務器驗證 * * @param receipt * 賬單 * @url 要驗證的地址 * @return null 或返回結果 沙盒 https://sandbox.itunes.apple.com/verifyReceipt * */
public static String buyAppVerify(String receipt,int type) { //環境判斷 線上/開發環境用不同的請求鏈接
String url = ""; if(type==0){ url = url_sandbox; //沙盒測試
}else{ url = url_verify; //線上測試
} //String url = EnvUtils.isOnline() ?url_verify : url_sandbox;
try { SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, new TrustManager[] { new TrustAnyTrustManager() }, new java.security.SecureRandom()); URL console = new URL(url); HttpsURLConnection conn = (HttpsURLConnection) console.openConnection(); conn.setSSLSocketFactory(sc.getSocketFactory()); conn.setHostnameVerifier(new TrustAnyHostnameVerifier()); conn.setRequestMethod("POST"); conn.setRequestProperty("content-type", "text/json"); conn.setRequestProperty("Proxy-Connection", "Keep-Alive"); conn.setDoInput(true); conn.setDoOutput(true); BufferedOutputStream hurlBufOus = new BufferedOutputStream(conn.getOutputStream()); String str = String.format(Locale.CHINA, "{\"receipt-data\":\"" + receipt + "\"}");//拼成固定的格式傳給平台
hurlBufOus.write(str.getBytes()); hurlBufOus.flush(); InputStream is = conn.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(is)); String line = null; StringBuffer sb = new StringBuffer(); while ((line = reader.readLine()) != null) { sb.append(line); } return sb.toString(); } catch (Exception ex) { System.out.println("蘋果服務器異常"); ex.printStackTrace(); } return null; } /** * 用BASE64加密 * * @param str * @return */
public static String getBASE64(String str) { byte[] b = str.getBytes(); String s = null; if (b != null) { s = new sun.misc.BASE64Encoder().encode(b); } return s; } }
二、驗證邏輯代碼
/** * 蘋果內購校驗 * @param priceId 會員價格ID * @param transactionId 蘋果內購交易ID * @param payload 校驗體(base64字符串) * @return */ @PostMapping("/iospay") public Map<String, Object> iosPay(Long priceId,String transactionId, String payload) { log.info("蘋果內購校驗開始,交易ID:" + transactionId + " base64校驗體:" + payload); Shipper shipper = getLoginShipper(); if (shipper == null) { return failure("未登錄"); } //線上環境驗證
String verifyResult = IosVerifyUtil.buyAppVerify(payload, 1); if (verifyResult == null) { return failure("蘋果驗證失敗,返回數據為空"); } else { log.info("線上,蘋果平台返回JSON:" + verifyResult); JSONObject appleReturn = JSONObject.parseObject(verifyResult); String states = appleReturn.getString("status"); //無數據則沙箱環境驗證
if ("21007".equals(states)) { verifyResult = IosVerifyUtil.buyAppVerify(payload, 0); log.info("沙盒環境,蘋果平台返回JSON:" + verifyResult); appleReturn = JSONObject.parseObject(verifyResult); states = appleReturn.getString("status"); } log.info("蘋果平台返回值:appleReturn" + appleReturn); // 前端所提供的收據是有效的 驗證成功
if (states.equals("0")) { String receipt = appleReturn.getString("receipt"); JSONObject returnJson = JSONObject.parseObject(receipt); String inApp = returnJson.getString("in_app"); List<HashMap> inApps = JSONObject.parseArray(inApp, HashMap.class); if (!CollectionUtils.isEmpty(inApps)) { ArrayList<String> transactionIds = new ArrayList<String>(); for (HashMap app : inApps) { transactionIds.add((String) app.get("transaction_id")); } //交易列表包含當前交易,則認為交易成功
if (transactionIds.contains(transactionId)) { //處理業務邏輯
VipOrder vipOrder = vipOrderService.saveVipOrder(shipper, priceId, EnumPayType.APPLE_IN_APP_PURCHASES.getValue(),transactionId); vipOrderService.paySuccess(vipOrder.getOrderCode(),null); log.info("交易成功,新增並處理訂單:{}",vipOrder.getOrderCode()); return success("充值成功"); } return failure("當前交易不在交易列表中"); } return failure("未能獲取獲取到交易列表"); } else { return failure("支付失敗,錯誤碼:" + states); } } }
以上轉載於作者:老王——KICHUN
鏈接:https://www.jianshu.com/p/976fc6090cfa
三、驗證攻擊處理
當然還需要注意一下攻擊,畢竟是涉及到錢的問題
1、返回字段名
2、常見攻擊
3、業務代碼如下:
@Slf4j @Service public class ApplePayService { @Autowired private CurrencyService currencyService; @Autowired private EnvService envService; @Autowired private CurrencyHistoryDAO currencyHistoryDAO; private static class TrustAnyTrustManager implements X509TrustManager { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; } } private static class TrustAnyHostnameVerifier implements HostnameVerifier { public boolean verify(String hostname, SSLSession session) { return true; } } // 發送請求驗證訂單真偽
public String applePayVerify(String receiptData, Boolean isAgain){ String verifyUrl = envService.isProd() ? "https://buy.itunes.apple.com/verifyReceipt" : "https://sandbox.itunes.apple.com/verifyReceipt"; if (isAgain){ verifyUrl = "https://sandbox.itunes.apple.com/verifyReceipt"; } try{ SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, new TrustManager[] { new ApplePayService.TrustAnyTrustManager() }, new java.security.SecureRandom()); URL console = new URL(verifyUrl); HttpsURLConnection conn = (HttpsURLConnection) console.openConnection(); conn.setSSLSocketFactory(sc.getSocketFactory()); conn.setHostnameVerifier(new ApplePayService.TrustAnyHostnameVerifier()); conn.setRequestMethod("POST"); conn.setRequestProperty("content-type", "text/json"); conn.setRequestProperty("Proxy-Connection", "Keep-Alive"); conn.setDoInput(true); conn.setDoOutput(true); BufferedOutputStream hurlBufOus = new BufferedOutputStream(conn.getOutputStream()); String str = String.format(Locale.CHINA, "{\"receipt-data\":\"" + receiptData + "\"}");//拼成固定的格式傳給平台
hurlBufOus.write(str.getBytes()); hurlBufOus.flush(); InputStream is = conn.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(is)); String line = null; StringBuffer sb = new StringBuffer(); while ((line = reader.readLine()) != null) { sb.append(line); } return sb.toString(); } catch (Exception e) { log.error("蘋果服務器異常:" + LogUtil.getStack(e)); } return null; } /** * 蘋果內購校驗 * @param transactionId 蘋果內購交易ID * @param receiptData 校驗體(base64字符串) * @return */
public OperationInfo applePay(String transactionId, String receiptData){ // 驗證真偽
String verifyResult = applePayVerify(receiptData, false); if (verifyResult == null) { return OperationInfo.failure("蘋果驗證失敗,返回數據為空"); } else { JSONObject appleReturn = JSONObject.parseObject(verifyResult); String status = appleReturn.getString("status"); // 如果生產環境也是沙箱,則使用沙箱url請求
if (status.equals("21007")){ verifyResult = applePayVerify(receiptData, true); if (verifyResult == null) { return OperationInfo.failure("蘋果驗證失敗,返回數據為空"); } else { appleReturn = JSONObject.parseObject(verifyResult); status = appleReturn.getString("status"); } } if (status.equals("0")) { String receipt = appleReturn.getString("receipt"); // 防止重復驗證攻擊
String md5Receipt = DigestUtils.md5DigestAsHex(receipt.getBytes()); List<Integer> historyList = currencyHistoryDAO.findByMd5Receipt(md5Receipt); if (historyList != null && !historyList.isEmpty()){ return OperationInfo.failure("支付失敗,重復驗證"); } JSONObject returnJson = JSONObject.parseObject(receipt); // 防止跨app攻擊
if (!StringUtils.equals("com.modbapp", returnJson.getString("bid"))){ return OperationInfo.failure("支付失敗,非本app訂單"); } // 防止換價格攻擊
if (!StringUtils.equals(transactionId, returnJson.getString("product_id"))){ return OperationInfo.failure("支付失敗,支付金額有誤"); } BigDecimal price; switch (transactionId){ case "**6": price = new BigDecimal(6); break; case "**18": price = new BigDecimal(18); break; case "**68": price = new BigDecimal(68); break; case "**108": price = new BigDecimal(108); break; case "**218": price = new BigDecimal(218); break; case "**318": price = new BigDecimal(318); break; case "**418": price = new BigDecimal(418); break; case "**648": price = new BigDecimal(648); break; case "**998": price = new BigDecimal(998); break; default: return OperationInfo.failure("當前交易不在交易列表中"); } // 更改墨幣
currencyService.rechargeCurrency(CurrencyEnum.PURCHASE_CURRENCY, price, UserUtils.getCurrentUserId(), "購買墨幣", md5Receipt); return OperationInfo.success("充值成功"); } return OperationInfo.failure("支付失敗,錯誤碼:" + status); } } }