Append extra string to the purchaseToken can also pass the validation ?
We are validate the transation from our backend server, and found the purchaseToken can be fake by append string to it. e.g.
https://appstore-sdk.amazon.com/version/2.0/verify/developer/XXX/user/YYY/purchaseToken/ZZZ can get a valid result. And once hacker can hack our app's binary, they can upload a new token with random suffix like ZZZ123 or ZZZaaa to our bakend server, and the facked token can also pass the validation. That may cause our backend server will trust it is a new purchase, and increasing the cosumable item for that user again and again. And actually he may only pay once to get a valid token, and can generate as many valid token as he want.