should I call finishTransaction when serverside receipt verification fails?

Question

I use server side receipt verification.

When client's

- (void)paymentQueue:(SKPaymentQueue *)queue updatedTransactions:(NSArray *)transactions

is called, and transactionState is SKPaymentTransactionStatePurchased, client sends the receipt to our server, and our server verifies it.

When the server side receipt verification succeeds, client obviously calls finishTransaction, no problem.

When the server side receipt verification failed, because apple temporary returned non json, or client sent invalid receipt, or something, server returns that information to client.

Next, what should our client do? Should we call finishTransaction?

This leads to invalid transactions living forever in the queue? like said in this question: iPhone in-app purchase: receipt verification

But if you find out that a receipt is invalid, you should finish the associated transaction. If not, you may have extra-transactions living forever in the transaction queue. That means that each time your app runs, paymentQueue:updatedTransaction: will be called once per transaction...

But if we do finishTransaction, our precious user is charged by this receipt (which we failed to verify), right?

Or does the verify-failed-transaction expires in some period?

Is this documented somewhere in apple's document? I couldn't find any in http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/Introduction/Introduction.html

Answer 1

Yes, you have to finishTransaction.

It's up to you if you give the user what they want then. In some cases it's better to give the user what they want, even if the receipt is invalid or fake (using jailbreak). Especially when it costs you nothing.

Answer 2

I finish the transaction to clear it from the queue, but don't provide the extra content if the validation fails. If it is an invalid receipt then they were not charged by Apple. If it turns out to be something else, such as Apple's verification server being temporarily down, then they will have been charged and when they attempt to restore purchases (or add it again) they won't get charged again, and your app will get another shot at verifying the receipt.

If the verification fails for a technical reason such as Apple's server being down it will be awkward, but there is no other way that I can see to prevent someone from stealing your content. The good news is that you can let the user know in a popup if Apple's server is down and that they should try again later and most importantly that they won't be charged again.