If you're an iOS developer and sell virtual goods in your app, you've no doubt heard about the recent hack that gives users unlimited access to your in-app purchases by simulating the Apple services with a rogue server. Of course, this hack only affects apps that don't follow Apple's recommended practice of doing server-side receipt validation.

Fortunately, server-side receipt validation is trivially easy to do using Moai Cloud. Sample code after the fold.

The sample below relies on the HTTP boilerplate from my last post. Just paste the boilerplate into a file called http.lua and upload it with your service.

To use the sample, POST a JSON body to it in the form of { paymentType:"apple", receipt:"<encoded itunes receipt here>" }. The sample just echoes whatever Apple's server returns. In production you will want to fetch the item description from your service database and return it along with the receipt.

And here's the code:


--============================================================--
-- main
--============================================================--

----------------------------------------------------------------
-- Moai Cloud entry point: 'web' is the response helper, 'req' the request.
function main ( web, req )

    -- load the HTTP boilerplate (http.lua) from the previous post
    dofile = moai.loadsource
    dofile ( 'http.lua' )

    local method = web:method ()
    -- pcall so a missing or malformed JSON body gives ok == false instead of raising
    local ok, body = pcall ( json.decode, req.body )

    -- POST is the method constant provided by the Moai Cloud runtime / http.lua;
    -- the type check keeps a JSON scalar (e.g. a bare number) from erroring on body.paymentType
    if method == POST and ok and type ( body ) == 'table' then
        if body.paymentType == 'apple' and type ( body.receipt ) == 'string' then
            -- forward the receipt to Apple and echo the reply; in production
            -- point this at https://buy.itunes.apple.com/verifyReceipt instead of the sandbox
            return web:ok ( http.post ( 'https://sandbox.itunes.apple.com/verifyReceipt', nil, {[ 'receipt-data' ] = body.receipt }))
        end
    end

    -- anything else (wrong method, bad JSON, missing fields) is rejected
    return web:page ( '{}', 400, 'Bad Request', {['content-type'] = 'application/json' })
end
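Echoing Apple's reply back to the client is only the first half of the job: the rogue-server hack is defeated because the request now goes from your server to Apple, but the client must still not be the one deciding what the reply means. The following is an added example, not code from the original post or from Moai; it assumes the same environment as the sample (`json.decode` plus a `json.encode`, and the `http.post` from http.lua returning Apple's response body as a string), Apple's legacy receipt layout where the purchase fields sit directly under `receipt` with `bid` as the bundle id, and a constructed bundle id and product catalogue. It checks the `status` code, that the receipt belongs to this app and to a product the service knows, and that the same transaction is not credited twice.

```lua
-- Added example: decide server-side what an Apple verifyReceipt reply means.
-- Assumes json.decode / json.encode and http.post (from http.lua) as in the post.

-- Values the service owns; the client is never asked for them.
local EXPECTED_BUNDLE_ID = 'com.example.mygame'          -- constructed placeholder
local KNOWN_PRODUCTS = {                                  -- constructed catalogue
    [ 'com.example.mygame.coins100' ] = { coins = 100 },
    [ 'com.example.mygame.coins500' ] = { coins = 500 },
}

-- Replay cache kept in memory for the example only; a real service records
-- redeemed transaction ids in its database so they survive across requests.
local seen_transactions = {}

-- Constructed sample of a successful legacy-format reply, for trying the check offline.
SAMPLE_RESPONSE = '{"status":0,"receipt":{"bid":"com.example.mygame","product_id":"com.example.mygame.coins100","transaction_id":"1000000012345678","quantity":"1"}}'

-- Inspect the JSON string Apple returned. Returns (item, nil) when the purchase
-- should be granted, or (nil, reason) when it should not.
function check_receipt_response ( responseBody )
    local ok, resp = pcall ( json.decode, responseBody )
    if not ok or type ( resp ) ~= 'table' then
        return nil, 'unparseable response'
    end

    -- status 0 is the only success code; anything else (e.g. 21002 malformed
    -- receipt, 21007 sandbox receipt sent to production) grants nothing.
    if resp.status ~= 0 then
        return nil, 'apple status ' .. tostring ( resp.status )
    end

    local receipt = resp.receipt
    if type ( receipt ) ~= 'table' then
        return nil, 'missing receipt'
    end

    -- A genuine receipt for some other app is still not a purchase of ours.
    if receipt.bid ~= EXPECTED_BUNDLE_ID then
        return nil, 'bundle id mismatch'
    end

    -- Look the product up in our own catalogue instead of trusting the client.
    local item = KNOWN_PRODUCTS [ receipt.product_id ]
    if not item then
        return nil, 'unknown product ' .. tostring ( receipt.product_id )
    end

    -- Consumables: a valid receipt submitted twice must not be credited twice.
    local txn = receipt.transaction_id
    if type ( txn ) ~= 'string' or txn == '' then
        return nil, 'missing transaction id'
    end
    if seen_transactions [ txn ] then
        return nil, 'transaction already redeemed'
    end
    seen_transactions [ txn ] = true

    return item, nil
end

-- Handler in the same shape as the post's main, returning only what the
-- service has decided to grant rather than Apple's raw reply.
function main ( web, req )

    dofile = moai.loadsource
    dofile ( 'http.lua' )

    local ok, body = pcall ( json.decode, req.body )

    if web:method () == POST and ok and type ( body ) == 'table'
        and body.paymentType == 'apple' and type ( body.receipt ) == 'string' then

        -- sandbox host as in the post; production uses buy.itunes.apple.com
        local response = http.post ( 'https://sandbox.itunes.apple.com/verifyReceipt', nil, {[ 'receipt-data' ] = body.receipt })
        local item, reason = check_receipt_response ( response )

        if item then
            return web:ok ( json.encode ( { granted = true, coins = item.coins } ))
        end
        return web:page ( json.encode ( { granted = false, reason = reason } ), 403, 'Forbidden', {['content-type'] = 'application/json' })
    end

    return web:page ( '{}', 400, 'Bad Request', {['content-type'] = 'application/json' })
end
```

Calling `check_receipt_response ( SAMPLE_RESPONSE )` once returns the 100-coin item; calling it again with the same string returns `nil, 'transaction already redeemed'`, which is the replay case the echo-only sample cannot catch. The bundle-id and catalogue checks are what stop a receipt that Apple genuinely signed for a different app or product from unlocking goods in yours.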