7 Replies Latest reply on Dec 22, 2012 1:35 PM by areohbee

    License mechanism

    dhmc05 Level 1

      I developed a simple but hopefully effective plug-in and have people get it as donationware.

      How can I check if people made a valid donation via PayPal and give them a key that is somehow checked?

        • 1. Re: License mechanism
          DawMatt Level 3

          Most people I know of use server components on their web sites as part of the verification mechanism. Some issue a registration code after the donation has been received by the website/PayPal, and I think some allow the PayPal receipt number to be used as the registration code and probably use a callback to the website to verify the receipt matches a known donation.

           

          Building this type of mechanism is not an easy task.

           

          Matt

          • 2. Re: License mechanism
            jarnoh Level 1

            Actually, using PayPal is quite straightforward. I'm using a similar system at http://capturemonkey.com

            PayPal sends me an IPN (Instant Payment Notification) whenever a payment is made, and my server stores the payment data (seller transaction ID) in a database. When the user inputs the client transaction ID as the registration number, the code is verified by my server, which asks PayPal to convert it to the seller transaction ID, and if it is then found in the database, the plugin gets activated with a signed token.

            There are maybe 150 lines of server code in my implementation.

             

            Jarno

            • 3. Re: License mechanism
              areohbee Level 5

              Thanks Jarno,

               

              I understand all of that except:

               

              > "plugin gets activated with a signed token".

               

              Would you mind elaborating?

               

              Thanks in advance,

              Rob

              • 4. Re: License mechanism
                jarnoh Level 1

                The response is validated by the plugin to make sure it is actually talking to a real server.  If the server sent just "ok", it would be trivial to create a fake server.

                 

                Jarno

                • 5. Re: License mechanism
                  areohbee Level 5

                  Hi Jarno,

                   

                  Gotcha, but then how does the plugin store the info that the copy is registered - text file on disk? - no: that wouldn't be good, hmm... - how then??? Prefs? - doesn't seem like a good idea. Custom plugin metadata? - not sure about that either......... I'm assuming the plugin can function even if machine not connected to internet, right?

                   

                  UPDATE:

                  ------------

                  I suppose the encrypted password store would be the logical place to store registration status - I guess the code would have to be compiled too or it would be trivial for user to circumvent. Is there any way to secure uncompiled code? And what format to store registration, a boolean go/no-go? - seems too easy to foil...

                   

                  Thanks, Rob.

                  • 6. Re: License mechanism
                    jarnoh Level 1

                    Well, the easiest way is probably storing the registration key and the encrypted token in the preferences; then you can verify the token every time the plugin is started.

                    Of course, using e.g. encrypted Lua code would be more secure, but so far I don't think it is worth the effort for me.

                     

                    Jarno

                    • 7. Re: License mechanism
                      areohbee Level 5

                      jarnoh wrote:

                       

                      Of course, using e.g. encrypted Lua code would be more secure, but so far I don't think it is worth the effort for me.

                      Yeah, I'm also thinking mostly of keeping fairly honest people fairly honest. But it does seem like the whole plugin, or most of it anyway, would need to be compiled, even for minimal security - not necessarily a big deal, just sayin'...

                       

                       

                      jarnoh wrote:

                       

                      Well, the easiest way is probably storing the registration key and the encrypted token in the preferences; then you can verify the token every time the plugin is started.

                      Registration key is, for example, paypal transaction ID - got it.

                       

                      But what is this encrypted token you are referring to, and how does one verify it - this is the missing piece in my mind.

                       

                      Sorry for being dense,

                      Rob
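
The signed-token scheme discussed in this thread, sketched as an added example (not part of the thread and not jarnoh's code): the server signs the registration key with a private key, and the plugin, which ships only the matching public key, checks that signature at activation and at every start. It is written in JavaScript for Node.js rather than the plugin's Lua; the Ed25519 key type, the token layout and every name and sample value are assumptions.

```javascript
// Added example: key type, token layout and all names are assumptions.
const crypto = require('crypto');

// --- Server side: holds the private key and the donation records ---
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const knownDonations = new Set(['TXN-CONSTRUCTED-0001']); // constructed sample

// Token = base64(payload) + "." + base64(signature over payload).
function signPayload(registrationKey, signingKey) {
  const payload = Buffer.from(JSON.stringify({ key: registrationKey }));
  const signature = crypto.sign(null, payload, signingKey); // null: Ed25519 has no separate digest
  return payload.toString('base64') + '.' + signature.toString('base64');
}

// Only sign for registration keys that match a recorded donation.
function issueToken(registrationKey) {
  if (!knownDonations.has(registrationKey)) return null;
  return signPayload(registrationKey, privateKey);
}

// --- Plugin side: ships with the public key only ---
// Run at activation and again at every start, using the values saved in preferences.
function verifyToken(registrationKey, token, verifyKey = publicKey) {
  try {
    const parts = String(token).split('.');
    if (parts.length !== 2) return false;
    const payload = Buffer.from(parts[0], 'base64');
    const signature = Buffer.from(parts[1], 'base64');
    if (!crypto.verify(null, payload, verifyKey, signature)) return false;
    // The signature must cover *this* registration key, not just any key.
    return JSON.parse(payload.toString('utf8')).key === registrationKey;
  } catch (err) {
    return false; // malformed token
  }
}

// A look-alike server with its own key pair cannot produce an accepted token.
function tokenFromUntrustedKey(registrationKey) {
  const other = crypto.generateKeyPairSync('ed25519');
  return signPayload(registrationKey, other.privateKey);
}
```

Because verification needs only the public key, the stored token can be rechecked offline. The check still lives in the plugin's own code, so it gives no protection against someone who edits uncompiled plugin source to skip it, as the thread notes.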