So I was verifying auto-renewable subscription receipts when I ran into this problem:
Somebody wanted to subscribe to my app with the famous
"product_id":"com.zeptolab.ctrbonus.superpower1"
hack. Of course, I do not allow this ;) but I would like to know which HTTP status (REST Web Service) I should return to my client app to let it know what happened here.
Should I return a 403 Forbidden? Is there a specific status for this situation?
I have been tempted to return a "418 I'm a teapot" but I decided to ask you guys first.