
Inspired by the iap_verifier CoffeeScript module
written by Paul Crawford, I wanted a pure JavaScript implementation of in-app purchase verification.
I also wanted to add support for other app stores, and not just limit this to Apple. The iap
module is exactly that. Pull requests to add support for other platforms are very welcome!
    npm install iap

Only a single method is exposed to verify purchase receipts:

    var iap = require('iap');
    var platform = 'apple';
    var payment = {
      receipt: 'receipt data', // always required
      productId: 'abc',
      packageName: 'my.app'
    };
    iap.verifyPayment(platform, payment, function (error, response) {
      /* your code */
    });
The receipt you pass must conform to the requirements of the backend you are verifying with. Read the next chapter for more information on the format.
The payment object
The receipt string passed may be either the base64 string that Apple really wants, or the decoded receipt as returned by the iOS SDK (in which case it will be automatically base64 serialized).
Both productId and packageName (bundle ID) are optional, but when provided will be tested against. If the receipt does not match the provided values, an error will be returned.
The response
The response passed back to your callback will also be Apple specific. The entire parsed receipt will be in the result object:
    {
      "receipt": {
        "original_purchase_date_pst": "2014-02-24 23:19:49 America/Los_Angeles",
        "purchase_date_ms": "1393312789954",
        "unique_identifier": "78abf2209323434771637ee22f0ee8b8341f14b4",
        "original_transaction_id": "1000000102526370",
        "bvrs": "0.0.1",
        "transaction_id": "1000000102526671",
        "quantity": "1",
        "unique_vendor_identifier": "206FED24-2EAB-4FC6-B946-4AF61086DF21",
        "item_id": "820817285",
        "product_id": "abc",
        "purchase_date": "2014-02-25 07:19:49 Etc/GMT",
        "original_purchase_date": "2014-02-25 07:19:49 Etc/GMT",
        "purchase_date_pst": "2014-02-24 23:19:49 America/Los_Angeles",
        "bid": "test.myapp",
        "original_purchase_date_ms": "1393312789954"
      },
      "transactionId": "1000000102526671",
      "productId": "abc",
      "platform": "apple"
    }
The payment object
The receipt string is the purchase token that Google Play returns to the mobile application when a purchase is made.
Both packageName and productId are compulsory.
Lastly you must provide keyObject which is the Google API Service Account JSON key file linked to your Google Play
account for authentication. This property can be either a string, file buffer or an object. If provided a string or file
buffer, the call will automatically parse it into an object for use.
The response
The response passed back to your callback will also be Google Play specific. The entire parsed response will be in the receipt sub-object.
    {
      "receipt": {
        "kind": "androidpublisher#productPurchase",
        "purchaseTimeMillis": "1410835105408",
        "purchaseState": 0,
        "consumptionState": 1,
        "developerPayload": ""
      },
      "transactionId": "ghbbkjheodjokkipdmlkjajn.AO-J1OwfrtpJd2fkzzZqv7i107yPmaUD9Vauf9g5evoqbIVzdOGYyJTSEMhSTGFkCOzGtWccxe17dtbS1c16M2OryJZPJ3z-eYhEJYiSLHxEZLnUJ8yfBmI",
      "productId": "abc",
      "platform": "google"
    }
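Because productId and packageName are optional on the Apple path, and every response carries a transactionId, a server should pin both identifiers itself and refuse a transaction it has already redeemed. The following is an added example, not code from the iap module: makeGrantHandler, catalog, seen and fakeVerifyPayment are hypothetical names, and the stub stands in for iap.verifyPayment so the block runs offline.

```javascript
// Added example; makeGrantHandler, catalog and seen are hypothetical names.
// verifyPayment must have the signature of iap.verifyPayment shown on this page.
function makeGrantHandler(verifyPayment, catalog, seen) {
  // catalog: server-side Map of SKU -> { productId, packageName }
  // seen: Set of redeemed "platform:transactionId" keys; in production use a
  //       database column with a unique constraint so the check is atomic.
  return function grant(platform, sku, receipt, callback) {
    var expected = catalog.get(sku);
    if (!expected) return callback(new Error('unknown sku'));
    if (typeof receipt !== 'string' || receipt.length === 0) {
      return callback(new Error('missing receipt'));
    }
    // Always pin both identifiers from server-side data, never from the request.
    var payment = {
      receipt: receipt,
      productId: expected.productId,
      packageName: expected.packageName
    };
    verifyPayment(platform, payment, function (error, response) {
      if (error) return callback(error);
      // Defence in depth: re-check the normalized fields of the response.
      if (response.platform !== platform ||
          response.productId !== expected.productId) {
        return callback(new Error('receipt does not match expected purchase'));
      }
      var key = response.platform + ':' + response.transactionId;
      if (seen.has(key)) return callback(new Error('receipt already redeemed'));
      seen.add(key);
      callback(null, { sku: sku, transactionId: response.transactionId });
    });
  };
}

// Constructed stand-in for iap.verifyPayment so the example runs offline.
// As described above for Apple, it only checks productId when one is given.
function fakeVerifyPayment(platform, payment, callback) {
  var receipts = new Map([ // constructed sample data
    ['tok-1', { productId: 'abc', transactionId: '1000000102526671' }],
    ['tok-2', { productId: 'xyz', transactionId: '1000000102526999' }]
  ]);
  var hit = receipts.get(payment.receipt);
  if (!hit) return callback(new Error('invalid receipt'));
  if (payment.productId && payment.productId !== hit.productId) {
    return callback(new Error('productId mismatch'));
  }
  callback(null, { receipt: {}, transactionId: hit.transactionId,
    productId: hit.productId, platform: platform });
}
```

To use it with the real module, pass iap.verifyPayment as the first argument and back seen with persistent storage.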
Regardless of the platform used, besides the platform-specific receipt, the following properties will be included:
MIT
In-app purchases for Node.js (Apple, Google)
The npm package node-iap receives a total of 549 weekly downloads. As such, node-iap popularity was classified as not popular.
We found that node-iap demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.