From cb4ffa34bed5180051cb2c182f1b2e4cc7192484 Mon Sep 17 00:00:00 2001
From: Peter Dulacka <dulacka@gmail.com>
Date: Tue, 29 Sep 2020 09:46:15 +0200
Subject: [PATCH] Fix issue with only one access token per inapp purchase

Check looking at existing user's access token didn't include
device token condition. In case device 2 wanted to claim
the purchase (via restore purchase), access token of device 1
was overwritten and device 1 lost the access to inapp purchase.
---
 src/api/VerifyPurchaseApiHandler.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/api/VerifyPurchaseApiHandler.php b/src/api/VerifyPurchaseApiHandler.php
index 6bfe044..ad88e9b 100644
--- a/src/api/VerifyPurchaseApiHandler.php
+++ b/src/api/VerifyPurchaseApiHandler.php
@@ -487,6 +487,7 @@ private function pairUserWithAuthorizedToken(UserTokenAuthorization $authorizati
         if ($deviceToken) {
             $accessToken = $this->accessTokensRepository
                 ->allUserTokensBySource($user->id, GooglePlayBillingModule::USER_SOURCE_APP)
+                ->where('device_token_id = ?', $deviceToken->id)
                 ->limit(1)
                 ->fetch();
             if (!$accessToken) {