View Issue Details

ID: 0018063
Project: Runner
Category: IAPs
View Status: Public
Last Update: 2019-09-02 11:20
Reporter: zachrm614
Assigned To: Dan
Priority: High
Severity: C - General
Reproducibility: 100%
Status: Closed
Resolution: Fixed
Platform: Android
OS:
OS Version:
Product Version: Pre-2.1.3
Target Version: 2.2.4
Fixed in Version: 2.2.4
Summary: 0018063: IAPs: Checking if an IAP product has been refunded using iap_refunded always returns false

Description: Checking to see if an IAP has been refunded by using something like "if (ds_map_find_value(map, "status") == iap_refunded)" will always return false. To verify 100% I have tested using a live IAP that was refunded using a personal tester account for Google Play.

Allows a player to essentially keep their IAP(s) while getting their money back, thus "cheating the system". If iap_refunded returned true I could react appropriately by "taking away" the IAP from the customer who got their refund, which would end in a fair outcome.
Additional Information: Original helpdesk ticket:
Tags: No tags attached.
1.4 Found In: 1.4.1567
2.x Runtime Found In:
2.x Runtime Verified In:



2019-08-12 17:27

Administrator   ~0064543

Last edited: 2019-09-02 11:20


The current Google Play "Billing" system doesn't appear to have any concept of refunding a standard durable/consumable product - only one call to get the list of revoked subscriptions. However, this subscription revoke call is an HTTP request you would have to do via your custom payment web server and isn't part of the SDK for us to implement in the updated IAP library offered alongside 2.2.4 (the functionality to support payment servers will be there, but you will have to write the server yourself). Under the current Google Play model, you should basically be querying every startup which IAPs have been purchased, at which point refunded ones won't be returned, and then you only unlock restricted content for that one game session. That way, if a purchase is refunded it's only "exploitable" until the game is restarted (or, if using a custom server and opted in to Google's notification service, you could send a message to the game to turn it off immediately).

Suspect we now actually need to just make iap_...() functions write to the console that they have no effect on Google Play/Apple platforms/Amazon.


2019-08-16 11:46

Administrator   ~0064553

As suggested above, the function is now gone. Closing as "Fixed".

You will need to handle receipt validation and only unlock the items you successfully validate / don't unlock things which don't pass validation. This is the same on all Apple platforms, Google Play, and Amazon.
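
The startup flow described in the notes above (query purchases every launch, validate each one, unlock for that session only), as an added sketch that is not part of the original ticket or of the IAP library it discusses. It is written in Python to show the logic only; `Purchase`, `session_entitlements`, the `validate` callback, the state labels and the sample data are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Purchase:
    product_id: str
    token: str    # purchase token / receipt handed back by the store
    state: str    # "purchased" or "pending" (labels chosen for this sketch)

def session_entitlements(store_purchases, validate, saved_unlocks):
    """Rebuild unlocks for this session only; returns (unlocked, revoked).

    store_purchases: result of the purchase query made at every startup.
    validate: hypothetical callable(Purchase) -> bool, e.g. a request to
              your own payment server that checks the receipt.
    saved_unlocks: product ids remembered from earlier sessions; used only
              to report what must be taken away, never to unlock anything.
    """
    unlocked = set()
    for purchase in store_purchases:
        if purchase.state != "purchased":
            continue                      # pending payments unlock nothing
        try:
            valid = validate(purchase)
        except Exception:
            valid = False                 # validation unreachable: fail closed
        if valid:
            unlocked.add(purchase.product_id)
    # Refunded items are simply absent from the query result, so anything
    # saved earlier that did not validate now is revoked.
    revoked = set(saved_unlocks) - unlocked
    return unlocked, revoked

def demo():
    # Constructed sample data: "skin_pack" was refunded (not returned by the
    # store), "level_pack" has a token the validator rejects.
    store = [
        Purchase("remove_ads", "tok-1", "purchased"),
        Purchase("gold_pack", "tok-2", "pending"),
        Purchase("level_pack", "tok-3", "purchased"),
    ]
    accepted_tokens = {"tok-1"}
    saved = {"remove_ads", "skin_pack", "level_pack"}
    return session_entitlements(store, lambda p: p.token in accepted_tokens, saved)

if __name__ == "__main__":
    print(demo())
```

Because nothing is unlocked from saved state, a refunded product stops working at the next launch without the client ever needing a "refunded" status value.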