I have the "happy path" of signing up a user implemented using Flutter & AWS Amplify. I have made the user to verify their account using their phone numbers so that the verification code is sent to the phone and the signup process is completed.
I realised that, during testing, one could easily make a mistake. So I want the user to be able to go back and change the phone number so that the verification code is sent to the correct one. However, using Amplify, you cannot change the details if the user is not signed in, and the user cannot be signed in unless their account is "confirmed". Of course, their account cannot be "confirmed" if they don't receive the verification code and with the wrong phone number due to their mistake, they will never receive the verification code...
Has anyone faced the same problem and could help me how to solve this please?
I read that you could use Lambda functions to "auto-confirm" the account without any verification which means they can sign in, which would allow me to change their phone number if they have entered a wrong phone number. But I am not sure if this is the easiest way to do it
How to implement phone number verification in Flutter. In my app user is signed in via email, after the sign in process i need to add the phone number and verify it via OTP. I tried in Firebase the phone number verification is added with the authentication flow.
I don’t want to include the authentication flow, i just need to verify the number. How to implement this?
Please someone help me on this.
It is not possible to implement phone number verification without using Firebase Authentication as phone number verification is a feature within the Firebase Authentication system.
Hello I am new to flutter and Stripe and I have this issue about creating cards. To start, the user must have a stored CreditCard so I used StripePayment.createTokenWithCard and send the output tokenID to the server-side API to create the Credit Card, and it was successfully done. Then next is another feature where the user has to pay via Stripe. I have to use StripePayment.setStripeAccount(stripe_connect_account_id) so that processing the paymentIntents and all to be successful, it was also successful. Here comes the issue, after a successful transaction whenever the user wants to create new card and go back to the screen where I used StripePayment.createTokenWithCard and send the output to the server-side API, the API would give me an http status 400-{"error":"No such token: 'tok_1INxXpBd3AiaZE5efApj6I2D'"}, but if I restart the app manually it will be successful.
What will I do with this? Is there a way for me not to restart the app as it is not user friendly. How to unset Stripe Account and get back to normal before transaction begins?
I seem to have everything setup correctly, however my transactions are not being placed and I get an error saying “There was an error processing your order, please contact us or try again later", when I hit the “PLACE ORDER” button.
I had double checked that the merchant email. partner id, user, vendor and the password are provided correctly and the test mode is enabled.
My payflow pro account is not activated, so its a test account. Is that the reason for my problem ? Any help would be greatly appreciated.
This is a normal process then, I would contact PayPal as they are declining the payment, due to a rule on their side, over max limit, etc.
Other option would be is that you could change the request sent to increase the verbosity of the error but it would only shed further light and would help in troubleshooting.
The request string needs to appended with Verbosity=Medium to increase the output. I believe this can be done via class Mage_Paypal_Model_Payflowpro:_buildBasicRequest() and modify the setVerbosity()
Refer to PayPal Documentation for information.
Look at Apple's diagram for the server purchase model.
In step #9, how can the server know that it is really talking with an iPhone that is entitled to the purchase, and that Eve is not performing a replay with a dishonestly obtained receipt?
The receipt may be valid, but that doesn't prove that the sender is the entitled party.
Is there any notion of a device certificate on the iPhone that can be used to sign the receipt?
Is there any way to bind the receipt to the device, or bind the receipt to both the iTunes account and to the device, so the server can validate?
Apple-Provided Vulnerable Approach
The server can authenticate a purchase by doing the following:
The iPhone application receives a transactionReceipt after the purchase. Have the iPhone base64 encode it (You can use this open-source addition to NSData) and send it to your server. (You could even send it as-is and have the server base64 encode it before validation.)
Have your server send a JSON request with the single key receipt-data with the base64 encoded transactionReceipt to https://buy.itunes.apple.com/verifyReceipt using an HTTP POST. (For directions on how to do this in various server-side languages see this site)
The server will respond with a JSON object with two keys: status which is an integer and receipt which is the receipt repeated.
If status is zero, the receipt is valid should be accepted, a non-zero value means the receipt isn't valid.
Secure Additions to Apple's Approach
However, there are a few security implications. A user could use another user's receipt since devices aren't tied to receipts, or a user could use another product's receipt since the server doesn't verify the product id of the receipt. To ensure this doesn't happen you should also do the following:
When you first get the receipt in the application, immediately send it to your server along with the device's UUID over a secure channel such as HTTPS or an SSL socket. Do not store it anywhere, leave it in memory.
On your server, store the UUID and receipt pair in a database.
When a device sends a UUID and receipt pair, verify with your database that the receipt has not already been used, and make sure the receipt is actually for your product by checking the receipt's product id. The receipt is just a JSON object, so your server can read the contents by decoding the receipt from base64.
Return a response to the device over the secure channel telling it whether the purchase is:
Authenticated as new (wasn't in DB and was valid)
Authenticated in the past (Same UUID and receipt pair was already in DB)
Denied due to wrong product id
Denied due to having already used the receipt with another UUID.
Since the receipt is only ever in memory on the device, and your application uses the device's UUID (can be spoofed by jailbroken devices, see comments), and all purchases of your product are logged with the device's UUID on your server in a secure manner; a user could not use another user's receipt to verify the purchase, nor could they use a receipt from another product, since you check for that.
You can also validate other fields from the receipt if you want to verify other details of the transaction. For example, if your product is a subscription, you'll like want to look at the transaction date as well.
Also, users cannot pretend to be your server by having the device on a private network with a host of the same name as yours, since they won't have your SSL certificate.
Failure Considerations
Since failure might occur between when the user's device gets the receipt and verifying it with your server (for example if the user looses connectivity, or your server is down for maintenance), you should also let the user "re-authorize". Re-authorizing should get the receipt from the store (using a Restored Transaction) and re-send it to the server just as though this was a new purchase. This should rarely need to be used, but should be available to save the user having to re-buy the product in the case of network failure.
Multiple Devices Consideration
This means that if a user wants to use an application on more than one device, they will have to purchase the product multiple times. This might be the desired effect, but you should likely inform your users before they purchase since they might expect to be able to use the content across devices they have associated with their account.
If the receipt also contains the iTunes account information, authentication could use that to allow users to share content between all their devices (but not their friends').
I do not think that can bind the receipt to the device.
My understanding is that you are allowed to install an application on multiple devices without extra cost. Binding it to the device would mean that if you for example upgrade/change your phone you would need to purchase all the apps again.
I believe if you can't read the user's apple ID, your only protection against piracy would be keeping track(server-side of course) of the number of download requests per transaction_id and limit those if they go over a certain value.
So if you limit it to say 50, that gives a reasonable margin for the user to deploy the app and it's contents on multiple devices and restore several times, but makes it hard for whoever wants to distribute a pirated version with a valid receipt for unlimited restores. Of course they can just distribute a version with all your content, but that's nothing you can do about that and at least they're not taxing your servers.
UDID Does Not Work Anymore
Beniot answer is great, however, these days, as mentioned by Joe D'Andrea, UDID is deprecated and the last time I tried, an App that used the call to get the UDID failed to pass validation during upload to iTunes.
Time-limited Receipts as Alternative to Receipt Counters
To add on to hloupyhonza's answer, besides having a "download request" counter for a particular receipt, you can just limit the receipt validity by time. I found anything between 12 to 24 hours reasonable.
This method also allows the purchaser to use the purchase on any other device he owns as long as he logs into the App Store with the same Apple ID. Note: Each time Restore Purchases is done, Apple returns a completely new receipt (with details of the original receipt contained) - this allows purchases to be restored past the time limit we set for a particular receipt.
Preventing "Off-The-Shelf" Hacks
To prevent typical "Googled" hacking solutions (my data shows this constitutes almost all of IAP hacking attempts), I use a checksum (pick your favorite algorithm, doesn't matter unless you want to make it watertight) of the following concatenation:
receipt-data json string
A shared secret key
Validation success status code.
The App will verify the checksum returned by our validation server. This is not watertight though, as the hacker may retrieve the shared key from your App's binary. But it has prevented all "off-the-shelf" hacks thus far and that's good enough for my use.