Payments Lite(无服务器):第一次购买有效,但第二次总是失败

Payments Lite (serverless): first purchase works, but the second always fails

在 Facebook 作为 Canvas 应用程序托管的文字游戏中,我想出售消耗品“1 年 VIP 状态”,让玩家可以临时访问游戏中的某些区域 - 通过使用 Facebook Payments Lite (serverless).

我的 JavaScript 代码显示 支付对话框 然后将 signed_request 传递到我的 PHP-脚本 -

JavaScript 我的 Canvas 应用程序中的代码:

function buyVip() { 
        var obj = {
                method: "pay",
                action: "purchaseiap",
                product_id: "test1"
        };

        FB.ui(obj, function(data) {
                $.post("/payment-lite.php", 
                { signed_request: data.signed_request })
                .done(function(data) {
                        location.reload();
                });
        });
}

我的PHP脚本/payment-lite.php:

const APP_SECRET = 'XXXXXXX';

$request = parse_signed_request($_POST['signed_request'], APP_SECRET);
error_log(print_r($request, TRUE));
// TODO validate $request and set the user VIP status in the game database

function parse_signed_request($signed_request, $secret) {
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);
        $sig = base64_url_decode($encoded_sig);
        $data = json_decode(base64_url_decode($payload), TRUE);

        if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
                error_log('Unknown algorithm. Expected HMAC-SHA256');
                return NULL;
        }

        $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = TRUE);
        if ($sig !== $expected_sig) {
                error_log('Bad Signed JSON signature!');
                return NULL;
        }
        return $data;
}

function base64_url_decode($input) {
        return base64_decode(strtr($input, '-_', '+/'));
}

在应用程序 仪表板 -> 网络支付 我添加了一个测试用户和一个测试产品 "Product ID" test1 和 0.01 欧元的价格:

最后我以测试用户身份登录并按下应用程序中调用 buyVip 方法的按钮 - 导致 支付对话框 出现:

然后在服务器日志中我看到 payment.php 脚本被成功调用:

[30-Jul-2017 14:34:20 Europe/Berlin] Array
(
    [algorithm] => HMAC-SHA256
    [amount] => 0.01
    [app_id] => 376218039240910
    [currency] => EUR
    [issued_at] => 1501418059
    [payment_id] => 1084810821649513
    [product_id] => test1
    [purchase_time] => 1501418057
    [purchase_token] => 498440660497153
    [quantity] => 1
    [status] => completed
)

然而,当我稍后尝试相同的过程时,会出现支付对话框,但在按下购买按钮后失败并出现错误

There Was a Problem Processing Your Payment: Sorry, but we're having trouble processing your payment. You have not been charged for this transaction. Please try again.

并且在浏览器控制台中我看到 1383001 Unknown 错误代码:

{error_code: 1383001, error_message: "There Was a Problem Processing Your Payment: Sorry…n charged for this transaction. Please try again."}

请问这是什么意思,为什么第一次购买请求成功,但随后失败?

在我的应用程序中,我当然会在购买成功后隐藏 "buy VIP status" 按钮一年,但我仍然想知道这里发生了什么。

以后我还想在我的游戏中出售像"coins"这样的消耗性虚拟商品,然后多次购买应该会成功。

更新:

我已尝试 consume the purchase by adding the following code to my payment.php (using APP_ID|APP_SECRET 而不是所需的用户访问令牌):

$post = [
    'access_token' => APP_ID . '|' . APP_SECRET,
];

$ch = curl_init('https://graph.facebook.com/498440660497153/consume');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
$response = curl_exec($ch);
curl_close($ch);
error_log(print_r($response, TRUE));

但不幸得到错误:

{"error":{"message":"Unsupported post request. Object with ID '498440660497153' does not exist, cannot be loaded due to missing permissions, or does not support this operation. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api","type":"GraphMethodException","code":100,"fbtrace_id":"HDusTBubydJ"}}

在使用相同的 product_id 创建新的之前,您应该消耗该用户之前的购买。这样做是为了防止用户多次购买同一商品作为非消耗品。

FB.api(
  '/' + PURCHASE_TOKEN + '/consume',    // Replace the PURCHASE_TOKEN
  'post',
  {access_token: access_token},         // Replace with a user access token
  result => {
    console.log('consuming product', productId, 'with purchase token', purchaseToken);
    console.log('Result:');
    console.log(result);
  }
);

https://developers.facebook.com/docs/games_payments/payments_lite#consuming

更新:

如果您想通过服务器消费购买,您可以将 access_token 传递给您的 php 脚本。

$.post("/words/facebook/payment.php", { access_token: access_token })        

要获得 access_token 你可以使用这个。

var access_token = '';
FB.getLoginStatus(function(response) {
  if (response.status === 'connected') {
    access_token = response.authResponse.accessToken;
  }
});

我正在回答我自己的问题,以分享通过 Facebook Payments Lite 销售 消耗品 虚拟商品所需的完整源代码,基于 Alexey Mukhin 的有用回复 -

JavaScript Facebook Canvas 应用程序中的代码(分配给按钮-ONCLICK):

function buyItemLite() { 
        var payDialog = {
                method: "pay",
                action: "purchaseiap",
                product_id: "test1"
        };

        FB.ui(payDialog, function(payResponse) {
                FB.getLoginStatus(function(loginResponse) {
                        if (loginResponse.status === "connected") {
                                $.post("/payment-lite.php", {
                                        signed_request: payResponse.signed_request,
                                        access_token: loginResponse.authResponse.accessToken 
                                })
                                .done(function(consumeResponse) {
                                        location.reload();
                                });
                        }
                });
        });
}

PHP 付款中的代码-lite.php 托管在您的网络服务器上的脚本:

const APP_ID              = 'replace by your app id';
const APP_SECRET          = 'replace by your app secret';
const SIGNED_REQUEST      = 'signed_request';
const STATUS              = 'status';
const COMPLETED           = 'completed';
const PRODUCT_ID          = 'product_id';
const PURCHASE_TOKEN      = 'purchase_token';
const ACCESS_TOKEN        = 'access_token';
const CONSUME_URL         = 'https://graph.facebook.com/%d/consume';

$request = parse_signed_request($_REQUEST[SIGNED_REQUEST], APP_SECRET);
error_log('pay dialog request: ' . print_r($request, TRUE));

if ($request[STATUS] === COMPLETED && $request[PRODUCT_ID] === 'test1') {
        # perform POST request to consume the purchase_token
        $url = sprintf(CONSUME_URL, $request[PURCHASE_TOKEN]);
        $fields = array(ACCESS_TOKEN => $_REQUEST[ACCESS_TOKEN]);
        $client = curl_init($url);
        curl_setopt($client, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($client, CURLOPT_POSTFIELDS, $fields);
        $response = curl_exec($client);
        curl_close($client);
        error_log('consume response: ' . print_r($response, TRUE));
        # TODO give the player the newly purchased consumable "test1" product
}

function parse_signed_request($signed_request, $secret) {
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);
        $sig = base64_url_decode($encoded_sig);
        $data = json_decode(base64_url_decode($payload), TRUE);
        if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
                error_log('Unknown algorithm. Expected HMAC-SHA256');
                return NULL;
        }

        $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = TRUE);
        if ($sig !== $expected_sig) { // or better use hash_equals
                error_log('Bad Signed JSON signature!');
                return NULL;
        }
        return $data;
}

function base64_url_decode($input) {
        return base64_decode(strtr($input, '-_', '+/'));
}

注意:如果你碰巧有最新的PHP版本,那么最好在上面的代码中使用hash_equals,以减轻定时攻击.

不要忘记在您应用的 Facebook Dashboard 中启用 Payments Lite 并在其中添加 "test1" 产品:

如果您按照上述说明进行操作,您将能够多次购买 "test1" 商品,并且您在 PHP 日志中获得的输出将如下所示:

pay dialog request: Array
(
    [algorithm] => HMAC-SHA256
    [amount] => 0.01
    [app_id] => 376218039240910
    [currency] => EUR
    [issued_at] => 1501674845
    [payment_id] => 1041009052696057
    [product_id] => test1
    [purchase_time] => 1501674843
    [purchase_token] => 499658830375336
    [quantity] => 1
    [status] => completed
)

consume response: {"success":true}

最后,我将在下面分享我的非精简版 webhook 代码 Facebook Payments,因为这是我实际最终使用的代码(它处理退款并确实购买后不需要标记物品消耗品)-

JavaScript Facebook Canvas 应用程序中的代码(分配给按钮-ONCLICK):

function buyItemFull() { 
        var payDialog = {
                method:  "pay",
                action:  "purchaseitem",
                product: "https://myserver/test1.html"
        };

        FB.ui(payDialog, function(data) {
                location.reload();
        });
}

PHP 付款中的代码-full.php 托管在您的网络服务器上的脚本:

const APP_ID              = 'replace by your app id';
const APP_SECRET          = 'replace by your app secret';

const HUB_MODE            = 'hub_mode';
const HUB_CHALLENGE       = 'hub_challenge';
const HUB_VERIFY_TOKEN    = 'hub_verify_token';
const SUBSCRIBE           = 'subscribe';

const ENTRY               = 'entry';
const CHANGED_FIELDS      = 'changed_fields';
const ID                  = 'id';
const USER                = 'user';
const ACTIONS             = 'actions';
const ITEMS               = 'items';
const PRODUCT             = 'product';
const AMOUNT              = 'amount';

# payment status can be initiated, failed, completed
const STATUS              = 'status';
const COMPLETED           = 'completed';

# possible payment event types are listed below
const TYPE                = 'type';
const CHARGE              = 'charge';
const CHARGEBACK_REVERSAL = 'chargeback_reversal';
const REFUND              = 'refund';
const CHARGEBACK          = 'chargeback';
const DECLINE             = 'decline';

const GRAPH               = 'https://graph.facebook.com/v2.10/%d?access_token=%s|%s&fields=user,actions,items';
const TEST1               = 'https://myserver/test1.html';

# called by Facebook Dashboard when "Test Callback URL" button is pressed
if (isset($_GET[HUB_MODE]) && $_GET[HUB_MODE] === SUBSCRIBE) {
        print($_GET[HUB_CHALLENGE]);
        exit(0);
}

# called when there is an update on a payment (NOTE: better use hash_equals)
$body = file_get_contents('php://input');
if ('sha1=' . hash_hmac('sha1', $body, APP_SECRET) != $_SERVER['HTTP_X_HUB_SIGNATURE']) {
        error_log('payment sig=' . $_SERVER['HTTP_X_HUB_SIGNATURE'] . ' does not match body=' . $body);
        exit(1);
}

# find the updated payment id and what has changed: actions or disputes
$update         = json_decode($body, TRUE);
error_log('payment update=' . print_r($update, TRUE));
$entry          = array_shift($update[ENTRY]);
$payment_id     = $entry[ID];
$changed_fields = $entry[CHANGED_FIELDS];

if (!in_array(ACTIONS, $changed_fields)) {
        error_log('payment actions has not changed');
        exit(0);
}

# fetch the updated payment details: user, actions, items
$graph   = sprintf(GRAPH, $payment_id, APP_ID, APP_SECRET);
$payment = json_decode(file_get_contents($graph), TRUE);
error_log('payment details=' . print_r($payment, TRUE));

# find the user id who has paid
$uid     = $payment[USER][ID];

# find the last action and its status and type
$actions = $payment[ACTIONS];
$action  = array_pop($actions);
$status  = $action[STATUS];
$type    = $action[TYPE];
$price   = $action[AMOUNT];

# find which product was purchased
$items   = $payment[ITEMS];
$item    = array_pop($items);
$product = $item[PRODUCT];
error_log("payment uid=$uid status=$status type=$type product=$product price=$price");

if ($status != COMPLETED) {
        error_log('payment status is not completed');
        exit(0);
}

# money has been received, update the player record in the database
if ($type === CHARGE || $type === CHARGEBACK_REVERSAL) {
        if ($product === TEST1) {
                # TODO give the player the purchased "test1" product
        }
} else if ($type === REFUND || $type === CHARGEBACK || $type === DECLINE) {
        # TODO take away from the player the "test1" product
}

不要忘记在您的应用 Facebook Dashboard 中禁用 Payments Lite 并在其中添加 "payment-full.php" webhook:

最后在您的网络服务器上添加 "test1.html" 产品文件:

<!DOCTYPE html><html>
 <head prefix=
    "og: http://ogp.me/ns# 
     fb: http://ogp.me/ns/fb# 
     product: http://ogp.me/ns/product#">
    <meta property="og:type"                content="og:product" />
    <meta property="og:title"               content="Test1" />
    <meta property="og:image"               content="https://myserver/icon-50x50.png" />
    <meta property="og:description"         content="Test1" />
    <meta property="og:url"                 content="https://myserver/test1.html" />
    <meta property="product:price:amount"   content="0.01"/>
    <meta property="product:price:currency" content="EUR"/>
  </head>
</html>

目前在网络上发现的 Facebook 支付示例并不多。

如果您发现我的源代码(public 域许可)有用,请为问题和答案点赞,以帮助其他开发人员发现它。