server/src/Hokm.Server/Payments/IabService.cs

using System.Net.Http.Json;
using System.Text.Json;

namespace Hokm.Server.Payments;

/// <summary>
/// Config for store in-app billing verification. Fill these from the Cafe Bazaar
/// (pardakht) and Myket developer panels. Bound from the "Iab" config section /
/// <c>Iab__*</c> env vars.
/// </summary>
public sealed class IabOptions
{
    /// <summary>Android package name registered in the store panels.</summary>
    public string PackageName { get; set; } = "com.bargevasat.app";

    // ── Cafe Bazaar (pardakht dev API, OAuth refresh-token flow) ──
    public string BazaarClientId { get; set; } = "";
    public string BazaarClientSecret { get; set; } = "";
    public string BazaarRefreshToken { get; set; } = "";

    /// <summary>
    /// Cafe Bazaar in-app billing RSA public key (panel: «دریافت کلید RSA برای
    /// قراردادن در برنامه»). Used to verify a purchase payload's signature locally
    /// (Poolakey in-app library flow). NOT used by the current deep-link flow,
    /// which verifies server-to-server via the pardakht API above — kept here so
    /// the key has a home if/when the native Poolakey plugin is added.
    /// </summary>
    public string BazaarRsaPublicKey { get; set; } = "";

    // ── Myket (developer validation API) ──
    public string MyketAccessToken { get; set; } = "";

    /// <summary>
    /// DEV ONLY. When true, purchases are credited WITHOUT remote verification
    /// (use for local testing before you have store credentials). NEVER enable in
    /// production — it lets a forged token mint coins.
    /// </summary>
    public bool AllowUnverified { get; set; } = false;
}

/// <summary>
/// Verifies a store purchase token (Cafe Bazaar / Myket) server-to-server before
/// coins are credited. Endpoints are config-driven; confirm the exact URLs against
/// your store panel — the request/response shapes mirror Google Play's IAB API.
/// </summary>
public sealed class IabService
{
    private static readonly HttpClient Http = new();
    private readonly IabOptions _opts;
    private readonly ILogger<IabService> _log;

    public IabService(IabOptions opts, ILogger<IabService> log)
    {
        _opts = opts;
        _log = log;
    }

    public async Task<bool> Verify(string store, string productId, string token)
    {
        if (string.IsNullOrWhiteSpace(token)) return _opts.AllowUnverified;
        store = (store ?? "").Trim().ToLowerInvariant();
        try
        {
            return store switch
            {
                "bazaar" or "cafebazaar" => await VerifyBazaar(productId, token),
                "myket" => await VerifyMyket(productId, token),
                _ => _opts.AllowUnverified,
            };
        }
        catch (Exception ex)
        {
            _log.LogWarning(ex, "IAB verify failed for store {Store} product {Product}", store, productId);
            return _opts.AllowUnverified;
        }
    }

    /// <summary>
    /// Cafe Bazaar: exchange the refresh token for an access token, then validate
    /// the in-app purchase. See https://pardakht.cafebazaar.ir/devapi/v2/.
    /// </summary>
    private async Task<bool> VerifyBazaar(string productId, string token)
    {
        if (string.IsNullOrWhiteSpace(_opts.BazaarRefreshToken)) return _opts.AllowUnverified;

        // 1) refresh_token → access_token
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["client_id"] = _opts.BazaarClientId,
            ["client_secret"] = _opts.BazaarClientSecret,
            ["refresh_token"] = _opts.BazaarRefreshToken,
        });
        var tokenResp = await Http.PostAsync("https://pardakht.cafebazaar.ir/devapi/v2/auth/token/", form);
        if (!tokenResp.IsSuccessStatusCode) return false;
        using var tokenDoc = JsonDocument.Parse(await tokenResp.Content.ReadAsStringAsync());
        if (!tokenDoc.RootElement.TryGetProperty("access_token", out var at)) return false;
        var access = at.GetString();

        // 2) validate the purchase
        var url = $"https://pardakht.cafebazaar.ir/devapi/v2/api/validate/{_opts.PackageName}/inapp/{Uri.EscapeDataString(productId)}/purchases/{Uri.EscapeDataString(token)}/?access_token={access}";
        var vResp = await Http.GetAsync(url);
        if (!vResp.IsSuccessStatusCode) return false;
        using var vDoc = JsonDocument.Parse(await vResp.Content.ReadAsStringAsync());
        // purchaseState: 0 = purchased (1 = refunded/cancelled). Absent ⇒ a 200 body
        // is itself proof of a valid purchase.
        if (vDoc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)
            return ps.GetInt32() == 0;
        return true;
    }

    /// <summary>
    /// Myket: validate via the developer API (mirrors Google Play). The access
    /// token comes from the Myket developer panel.
    /// </summary>
    private async Task<bool> VerifyMyket(string productId, string token)
    {
        if (string.IsNullOrWhiteSpace(_opts.MyketAccessToken)) return _opts.AllowUnverified;

        var url = $"https://developer.myket.ir/api/applications/{_opts.PackageName}/purchases/products/{Uri.EscapeDataString(productId)}/tokens/{Uri.EscapeDataString(token)}";
        using var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Add("X-Access-Token", _opts.MyketAccessToken);
        var resp = await Http.SendAsync(req);
        if (!resp.IsSuccessStatusCode) return false;
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        if (doc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)
            return ps.GetInt32() == 0;
        return true;
    }
}
feat: UNO-style table, social hub, cosmetics, speed mode, store IAB 2026-06-06 18:39:24 +03:30			`using System.Net.Http.Json;`
			`using System.Text.Json;`

			`namespace Hokm.Server.Payments;`

			`/// <summary>`
			`/// Config for store in-app billing verification. Fill these from the Cafe Bazaar`
			`/// (pardakht) and Myket developer panels. Bound from the "Iab" config section /`
			`/// <c>Iab__*</c> env vars.`
			`/// </summary>`
			`public sealed class IabOptions`
			`{`
			`/// <summary>Android package name registered in the store panels.</summary>`
fix(iab): correct package name to com.bargevasat.app + slot for Bazaar RSA key 2026-06-12 08:55:17 +03:30			`public string PackageName { get; set; } = "com.bargevasat.app";`
feat: UNO-style table, social hub, cosmetics, speed mode, store IAB 2026-06-06 18:39:24 +03:30
			`// ── Cafe Bazaar (pardakht dev API, OAuth refresh-token flow) ──`
			`public string BazaarClientId { get; set; } = "";`
			`public string BazaarClientSecret { get; set; } = "";`
			`public string BazaarRefreshToken { get; set; } = "";`

fix(iab): correct package name to com.bargevasat.app + slot for Bazaar RSA key 2026-06-12 08:55:17 +03:30			`/// <summary>`
			`/// Cafe Bazaar in-app billing RSA public key (panel: «دریافت کلید RSA برای`
			`/// قراردادن در برنامه»). Used to verify a purchase payload's signature locally`
			`/// (Poolakey in-app library flow). NOT used by the current deep-link flow,`
			`/// which verifies server-to-server via the pardakht API above — kept here so`
			`/// the key has a home if/when the native Poolakey plugin is added.`
			`/// </summary>`
			`public string BazaarRsaPublicKey { get; set; } = "";`

feat: UNO-style table, social hub, cosmetics, speed mode, store IAB 2026-06-06 18:39:24 +03:30			`// ── Myket (developer validation API) ──`
			`public string MyketAccessToken { get; set; } = "";`

			`/// <summary>`
			`/// DEV ONLY. When true, purchases are credited WITHOUT remote verification`
			`/// (use for local testing before you have store credentials). NEVER enable in`
			`/// production — it lets a forged token mint coins.`
			`/// </summary>`
			`public bool AllowUnverified { get; set; } = false;`
			`}`

			`/// <summary>`
			`/// Verifies a store purchase token (Cafe Bazaar / Myket) server-to-server before`
			`/// coins are credited. Endpoints are config-driven; confirm the exact URLs against`
			`/// your store panel — the request/response shapes mirror Google Play's IAB API.`
			`/// </summary>`
			`public sealed class IabService`
			`{`
			`private static readonly HttpClient Http = new();`
			`private readonly IabOptions _opts;`
			`private readonly ILogger<IabService> _log;`

			`public IabService(IabOptions opts, ILogger<IabService> log)`
			`{`
			`_opts = opts;`
			`_log = log;`
			`}`

			`public async Task<bool> Verify(string store, string productId, string token)`
			`{`
			`if (string.IsNullOrWhiteSpace(token)) return _opts.AllowUnverified;`
			`store = (store ?? "").Trim().ToLowerInvariant();`
			`try`
			`{`
			`return store switch`
			`{`
			`"bazaar" or "cafebazaar" => await VerifyBazaar(productId, token),`
			`"myket" => await VerifyMyket(productId, token),`
			`_ => _opts.AllowUnverified,`
			`};`
			`}`
			`catch (Exception ex)`
			`{`
			`_log.LogWarning(ex, "IAB verify failed for store {Store} product {Product}", store, productId);`
			`return _opts.AllowUnverified;`
			`}`
			`}`

			`/// <summary>`
			`/// Cafe Bazaar: exchange the refresh token for an access token, then validate`
			`/// the in-app purchase. See https://pardakht.cafebazaar.ir/devapi/v2/.`
			`/// </summary>`
			`private async Task<bool> VerifyBazaar(string productId, string token)`
			`{`
			`if (string.IsNullOrWhiteSpace(_opts.BazaarRefreshToken)) return _opts.AllowUnverified;`

			`// 1) refresh_token → access_token`
			`var form = new FormUrlEncodedContent(new Dictionary<string, string>`
			`{`
			`["grant_type"] = "refresh_token",`
			`["client_id"] = _opts.BazaarClientId,`
			`["client_secret"] = _opts.BazaarClientSecret,`
			`["refresh_token"] = _opts.BazaarRefreshToken,`
			`});`
			`var tokenResp = await Http.PostAsync("https://pardakht.cafebazaar.ir/devapi/v2/auth/token/", form);`
			`if (!tokenResp.IsSuccessStatusCode) return false;`
			`using var tokenDoc = JsonDocument.Parse(await tokenResp.Content.ReadAsStringAsync());`
			`if (!tokenDoc.RootElement.TryGetProperty("access_token", out var at)) return false;`
			`var access = at.GetString();`

			`// 2) validate the purchase`
			`var url = $"https://pardakht.cafebazaar.ir/devapi/v2/api/validate/{_opts.PackageName}/inapp/{Uri.EscapeDataString(productId)}/purchases/{Uri.EscapeDataString(token)}/?access_token={access}";`
			`var vResp = await Http.GetAsync(url);`
			`if (!vResp.IsSuccessStatusCode) return false;`
			`using var vDoc = JsonDocument.Parse(await vResp.Content.ReadAsStringAsync());`
			`// purchaseState: 0 = purchased (1 = refunded/cancelled). Absent ⇒ a 200 body`
			`// is itself proof of a valid purchase.`
			`if (vDoc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)`
			`return ps.GetInt32() == 0;`
			`return true;`
			`}`

			`/// <summary>`
			`/// Myket: validate via the developer API (mirrors Google Play). The access`
			`/// token comes from the Myket developer panel.`
			`/// </summary>`
			`private async Task<bool> VerifyMyket(string productId, string token)`
			`{`
			`if (string.IsNullOrWhiteSpace(_opts.MyketAccessToken)) return _opts.AllowUnverified;`

			`var url = $"https://developer.myket.ir/api/applications/{_opts.PackageName}/purchases/products/{Uri.EscapeDataString(productId)}/tokens/{Uri.EscapeDataString(token)}";`
			`using var req = new HttpRequestMessage(HttpMethod.Get, url);`
			`req.Headers.Add("X-Access-Token", _opts.MyketAccessToken);`
			`var resp = await Http.SendAsync(req);`
			`if (!resp.IsSuccessStatusCode) return false;`
			`using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());`
			`if (doc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)`
			`return ps.GetInt32() == 0;`
			`return true;`
			`}`
			`}`