I was looking for a way to contact Bazaar developers, so that's why I've opened this issue. These are things that seem good in your IAP REST API implementation:
- OAuth2 is overkill; a simple API key would be enough
- OAuth2 is not very suitable in this case: a created Client would have one user at most (the Developer who created the Client)
- protecting the refresh token takes the same effort as protecting a simple API key; if the refresh token gets exposed, the Developer has to remove the Client, create a new one, change the credentials on the server, and re-login via OAuth2
- for automation, OAuth2 is not good; you're just making it hard for developers
- the REST API should return `orderId`
  - in your documentation you've stated that we should check whether `orderId` is unique and hasn't been processed already, but this is DANGEROUS.
  - an attacker can change `orderId` to a random value and send it back to the server; as the server does not know it has been changed, it will consider it a new order and process it as a valid order
  - if you return `orderId` via the REST API we can use that instead; otherwise `orderId` is redundant and we have to save and check `purchaseToken` instead, which is up to 1000 characters
- checking the RSA hash
  - this can fix the above issue, but it isn't documented
  - only a link to this repo, which is 5 years old!