Developer payload (external data) in App Store server notifications - notifications

We are using server-to-server purchase notifications for Google Play and App Store mobile apps. User can pay for subscription in several ways: in web broswer (via third-party billing provider), in android application (via google play) and in ios/macos application (via app store). That is why we use custom user/subscription ids - it should be equal across all platforms/devices within single account.
Now, everhing went just fine with other billing providers until we came to App Store. We configured server side notification with callback at our server as we did it before. And now it turns out, that there is no user information in App Store receipt data. And it seems to be no way to pass that data from mobile application. For example, Google Play have so called "developer payload" field for this purposes, other providers also have possibility to add external data into server notification request. Is there any analog for App Store notifications?
Another question is about notifications itself. If there is no user information in the receipt - that means that there is no way to bind user id and receipt id data. Then what is the purpose of such notfications with external server scenario?

Related

How could the app send a message to the phone when certain mission fulfilled?

I can use FCM console to send messages to all users or certain users at a certain time.
Now I want the app send a message to specified users when their in-game energy is full. How to realize it with FCM? And can I know the messages' sends, opens, conversions?
Sending a message to a user can only be done from a trusted environment, such as the Firebase console, or a place where you can trust that the code running is yours (such as your development machine, a server that you control, or something like Cloud Functions/Cloud Run).
For examples of how to send a message by calling FCM's API, see the documentation on building send requests, and this sample use-case of notifying the user when something interesting happens using Cloud Functions.

How to tie an account from a backend server to a google assistant user

I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.

Best API for syncing Exchange Email/Calendar to my webapp?

Looking for additional products similar to www.nylas.com which provide an API to sync my web application with my microsoft exchange email and calendar.
Most email services are aimed at marketing and hosting, whereas I just want a simple connection between exchange and my app, without building an API from the ground up.
Any suggestions?
Why not using Exchange EWS?
Calendars and EWS in Exchange
Working with calendar items by using the EWS Managed API 2.0
I do not know your App so a simple cronjob would do it...
P.S.
By the way I personally think the best way is to access the calendar via the App directly on the device. The reason is that a user normally have ActiveSync configured so that he get all the content on his device. If he change his password he do that on the device. So your app might use a old password and will no longer work. Additional your app try to access content with the old password and might block the user account then. The user got upset and will no longer use it. Accessing the calendar now directly on the device eliminate the need to get the user password and also eleminite the need that the user need to change it in your app...

Should i backup GCM registration ID with google cloud?

Is it advised to backup GCM id using android cloud back up ? i am storing the GCM id in a sharedpreferences so i dont have to keep registering.
if i backup this GCM sharedpref and user changes devices do i need to update it to a new registration id ? Is the registration ID device specific ? What happens when user changes devices and backs up ?
I tried and read this from the docs:
You must exclude any device specific identifiers, either issued by a server or generated on the device. This includes the Google Cloud Messaging (GCM) registration token which, when restored to another device, can render your app on that device unable to receive GCM messages.
From the docs i found my answer that the reason this should not be done is that it can intrefer in the apps intialization of gcm and it will not try to get the GCM id if its already restored from a new device that restored a old registration id.
Handle Google Cloud Messaging
For apps that use Google Cloud Messaging (GCM) for push notifications,
backing up the registration token that Google Cloud Messaging
registration returned can cause unexpected behavior in notifications
for the restored app. This is because when a user installs your app on
a new device, the app must query the GCM API for a new registration
token. If the old registration is present, because the system had
backed it up and restored it, the app doesn't seek the new token. To
prevent this issue from arising, exclude the registration token from
the set of backed-up files.

HOLLER: Secure Payment over API & Titanium Studio

I am using Titanium studio to build an iphone mobile app, and I want to do the following
Send a user id using API to my server
Server processes payment for that user using the previous card on file
Server sends a success/failure response.
What is the most secure way to do this? I know if I just send the user id then anyone could hack.
Are you sure what your doing is allowed (roll-your-own Payments and credit cards in-app will generally get you rejected)
Make sure your app does not violate any of these guidelines:
11.1 Apps that unlock or enable additional features or functionality with mechanisms other than the App Store will be rejected
11.2 Apps utilizing a system other than the In App Purchase API (IAP) to purchase content, functionality, or services in an app will be
rejected
11.13 Apps that link to external mechanisms for purchases or subscriptions to be used in the app, such as a “buy” button that goes
to a web site to purchase a digital book, will be rejected
Check the latest App store review guidelines here : https://developer.apple.com/appstore/resources/approval/guidelines.html
Also refer to these SO questions for more information:
iPhone Paypal in UIWebView Appstore approval process
iOS - Integrating credit card payments
A more secure way to do this (if you pass all the above guidelines) would be to use a userid, password, and salt, encrypted either over https or SHA256. Note that you have to specify you use encryption if you go the second route, during the review process.
Here is a wikipedia article about Salt and Passwords that I used.
Here is a SHA256 library for JavaSCript that works great with Titanium and is simple to use.