从周日开始,我已经通过六种方式在谷歌上搜索了这个概念,但我觉得我找不到一个直接的答案。谷歌官方文档说这不是为了安全,但是我发现的一堆答案似乎暗示了其他方面,等等。
从文档:
第五个参数包含一个“开发人员有效负载”字符串,您可以使用它来发送有关订单的补充信息(它可以是一个空字符串)。如果您指定字符串值,Google Play 会将此字符串与购买响应一起返回。随后,当您查询此次购买时,Google Play 会返回此字符串以及购买详情。
注意:请勿将 developerPayload 字段用于安全验证目的。完成与应用内结算相关的任务时,此字段并不总是可用。有关安全最佳实践的更多信息,请参阅应用内计费安全和设计指南。
来自谷歌官方测试项目:
/** Verifies the developer payload of a purchase. */
boolean verifyDeveloperPayload(Purchase p) {
String payload = p.getDeveloperPayload();
/*
* TODO: verify that the developer payload of the purchase is correct. It will be
* the same one that you sent when initiating the purchase.
*
* WARNING: Locally generating a random string when starting a purchase and
* verifying it here might seem like a good approach, but this will fail in the
* case where the user purchases an item on one device and then uses your app on
* a different device, because on the other device you will not have access to the
* random string you originally generated.
*
* So a good developer payload has these characteristics:
*
* 1. If two different users purchase an item, the payload is different between them,
* so that one user's purchase can't be replayed to another user.
*
* 2. The payload must be such that you can verify it even when the app wasn't the
* one who initiated the purchase flow (so that items purchased by the user on
* one device work on other devices owned by the user).
*
* Using your own server to store and verify developer payloads across app
* installations is recommended.
*/
return true;
}
我完全不知道这意味着什么。如果我没有自己的服务器,我应该只使用空白字符串吗?我应该如何区分用户、购买和设备?
这些对我来说都不是很清楚,这段代码/官方文档也没有提供真正的澄清,大多数在线答案也同样稀疏。
谁能简单地说一下:我应该发送什么作为我的开发人员有效负载参数?