Retrieving payment data google-play in-app and PayPal mobile checkout from a server

Question

I'm calling a server to deliver a digital product, and I want to let the server check if the payment is completed. I'm using in-app billing and the mobile checkout from PayPal from an Android app.

They get a RESULT_OK, then I'm calling a server, but I want the server to verify if the payment is completed.

I've found some documentation, but it's not really clear what I should use.

For google play in-app I should be able to check this POST:

www.googleapis.com/androidpublisher/v1.1/applications/{packageName}/inapp/{productId}/purchases/{token}

I couldn't find what the productId is, but I'm guessing it's the SKU I'm sending, and where to I get the token?

For PayPal, I found:

GET https://api.paypal.com/v1/payments/sale/{id}

This makes it a little more clear, but I don't know how to convert this into PHP: https://quar.me/paypal/rest/_sales_look-up-a-sale.html

But the id in the documentation looks a lot different than the one I have in the app and is not working. It returns nothing, my ID looks like this AP-8BH89990X7137743X:

{
  "name": "INVALID_RESOURCE_ID",
  "message": "The requested resource ID was not found",
  "information_link": "https://developer.paypal.com/webapps/developer/docs/api/#INVALID_RESOURCE_ID",
  "debug_id": "fec9d138aa55d"
}

Getting closer on PayPal, I'm still not sure how to translate this to PHP and how to deal with the certificate when using this form my server. It also seems like depending on the use of a PayPal account or a credit card you should use different verifications, how do I know which method the user used?:

curl -s --insecure
-H "X-PAYPAL-SECURITY-USERID: api_username"
-H "X-PAYPAL-SECURITY-PASSWORD: api_password"
-H "X-PAYPAL-SECURITY-SIGNATURE: api_signature"
-H "X-PAYPAL-REQUEST-DATA-FORMAT: NV"
-H "X-PAYPAL-RESPONSE-DATA-FORMAT: NV"
-H "X-PAYPAL-APPLICATION-ID: app_id"
https://svcs.sandbox.paypal.com/AdaptivePayments/PaymentDetails  -d
"payKey=AP-3TY011106S4428730
&requestEnvelope.errorLanguage=en_US"

Some example code would help me a lot, I'm using PHP.

Answer 1

You can use the following functions:

function verify_play($signed_data, $signature) 
{
  global $public_key_base64;
  $pkey =  "-----BEGIN PUBLIC KEY-----\n".
    chunk_split($public_key_base64, 64,"\n").
    '-----END PUBLIC KEY-----';   
  //using PHP to create an RSA key
  $pkey = openssl_get_publickey($pkey);
  //$signature should be in binary format, but it comes as BASE64. 
  //So, I'll convert it.
  $signature = base64_decode($signature);   
  //using PHP's native support to verify the signature
  $result = openssl_verify(
      $signed_data,
      $signature,
      $pkey,
      OPENSSL_ALGO_SHA1);

  if (0 === $result) 
  {
    return false;
  }
  else if (1 !== $result)
  {
    return false;
  }
  else 
  {
    return true;
  }
} ;

function verify_paypal($payKey, $appID)
{
  global $payPalUser_Id, $payPalPassword, $payPalSig;
$headerArray = array(
'X-PAYPAL-SECURITY-USERID:'.$payPalUser_Id,
'X-PAYPAL-SECURITY-PASSWORD:'.$payPalPassword,
'X-PAYPAL-SECURITY-SIGNATURE:'.$payPalSig,
'X-PAYPAL-REQUEST-DATA-FORMAT:JSON',
'X-PAYPAL-RESPONSE-DATA-FORMAT:XML',
'X-PAYPAL-APPLICATION-ID:'.$appID
);


$url="https://svcs.paypal.com/AdaptivePayments/PaymentDetails?payKey={$payKey}&requestEnvelope.errorLanguage=en_US";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headerArray);
$adaptiveResponse = curl_exec($ch);
curl_close($ch);

echo $adaptiveResponse;

//check following and return true or false:
//Is completed ("status": "COMPLETED").
//Is the expected currency ("currencyCode": "USD").
//Has a paymentInfo within paymentInfoList that:
//Has a receiver with amount and email as expected.
//Is complete ("senderTransactionStatus": "COMPLETED").
};