Send google play public key during /purchase/can-do-purchase

docs/api/purchase.md

@@ -21,7 +21,7 @@ On a invalid request body: HTTP status code 400 Bad request
 
 On a invalid auth token: HTTP status code 401 Unauthorized
 
-On success: a JSON object with the property ``canDoPurchase`` of the type string
+On success: a JSON object with the property ``canDoPurchase`` (string) and ``googlePlayPublicKey`` (string, base64)
 
 possible values of ``canDoPurchase``:
 
@@ -29,6 +29,8 @@ possible values of ``canDoPurchase``:
 - ``no due to old purchase``
 - ``no because not supported by the server``
 
+The ``googlePlayPublicKey`` is the key by which purchases using google play should be signed.
+
 ## POST /purchase/finish-purchase-by-google-play
 
 Use this to report a purchase to the server/ unlock all features after a purchase

src/api/purchase.ts

@@ -23,6 +23,7 @@ import {
   addPurchase,
   areGooglePlayPaymentsPossible,
   canDoNextPurchase,
+  googlePlayPublicKey,
   isGooglePlayPurchaseSignatureValid,
   requireFamilyEntry
 } from '../function/purchase'
@@ -54,7 +55,8 @@ export const createPurchaseRouter = ({ database, websocket }: {
       const result = canDoNextPurchase({ fullVersionUntil: parseInt(familyEntry.fullVersionUntil, 10) })
 
       res.json({
-        canDoPurchase: result ? 'yes' : 'no due to old purchase'
+        canDoPurchase: result ? 'yes' : 'no due to old purchase',
+        googlePlayPublicKey
       })
     } catch (ex) {
       next(ex)

src/function/purchase/index.ts

@@ -1,6 +1,6 @@
 /*
  * server component for the TimeLimit App
- * Copyright (C) 2019 Jonas Lochmann
+ * Copyright (C) 2019 - 2020 Jonas Lochmann
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -17,5 +17,7 @@
 
 export { canDoNextPurchase } from './can-do-next-purchase'
 export { requireFamilyEntry } from './require-family-entry'
-export { isGooglePlayPurchaseSignatureValid, areGooglePlayPaymentsPossible } from './verification'
+export {
+  isGooglePlayPurchaseSignatureValid, areGooglePlayPaymentsPossible, googlePlayPublicKey
+} from './verification'
 export { addPurchase } from './add-purchase'

src/function/purchase/verification.ts

@@ -19,7 +19,7 @@ const IABVerifier: new (publicKey: string) => {
   verifyReceipt: (data: string, signature: string) => boolean
 } = require('iab_verifier')
 
-const googlePlayPublicKey = process.env.GOOGLE_PLAY_PUBLIC_KEY || ''
+export const googlePlayPublicKey = process.env.GOOGLE_PLAY_PUBLIC_KEY || ''
 
 const verifier = new IABVerifier(googlePlayPublicKey)