PromptProductPurchaseFinished Vulnerability Fix

As the documentation states, the UserOwnsGamePassAsync API caches and doesn’t update the result if a player purchases the gamepass while in-experience.


Is this vulnerability fixed for PromptGamePassPurchaseFinished?

I believe it (kinda) is, though if you don’t have proper checks, exploiters can still call it multiple times and get in-game rewards multiple times (if you reward them via PromptGamePassPurchaseFinished).

How would you perform proper checks?
You can’t really use UserOwnsGamePassAsync because of its caching behavior.

Why would you use PromptProductPurchaseFinished though? Handling dev products is meant to be in a callback function with ProcessReceipt.

Is there any way to safely listen to asset and bundle purchases? ProcessReceipt only works for developer products. :man_facepalming:

EDIT:
Probably forced to use PlayerOwnsAsset and PlayerOwnsBundle a few seconds later… kinda sucks ngl.

EDIT 2:
Also have to check if the user already bought it, or once purchased they can spam and cheat it.
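
One way to do the checks discussed in this thread, as an added example that is not code from any poster or from Roblox: the server treats PromptGamePassPurchaseFinished only as a hint, asks the ownership API itself, and records the grant once per user so repeated signals cannot pay out twice. The pass id, the data store name `GamePassGrants` and the `giveReward` function are assumptions made for illustration.

```lua
-- Added example (server Script). Not code from the thread.
local MarketplaceService = game:GetService("MarketplaceService")
local DataStoreService = game:GetService("DataStoreService")
local Players = game:GetService("Players")

local GAME_PASS_ID = 0 -- placeholder: replace with your game pass id
local grantStore = DataStoreService:GetDataStore("GamePassGrants") -- assumed store name
local busy = {} -- [userId] = true while a grant attempt is running

local function giveReward(player) -- hypothetical one-time reward
	print("granting purchase reward to", player.Name)
end

-- Record the grant atomically; returns true only for the first successful claim.
local function claimGrant(userId)
	local claimed = false
	local ok = pcall(function()
		grantStore:UpdateAsync(userId .. "_" .. GAME_PASS_ID, function(old)
			claimed = (old == nil)
			if claimed then
				return true
			end
			return nil -- already recorded: cancel the write
		end)
	end)
	return ok and claimed
end

local function tryGrant(player)
	local userId = player.UserId
	if busy[userId] then return end -- drop repeated signals while one is in progress
	busy[userId] = true
	-- Ownership is asked of the server API, never taken from the event arguments.
	-- A stale cached "false" means no grant now; the PlayerAdded pass retries on a later join.
	local ok, owns = pcall(function()
		return MarketplaceService:UserOwnsGamePassAsync(userId, GAME_PASS_ID)
	end)
	if ok and owns and claimGrant(userId) then
		giveReward(player)
	end
	busy[userId] = nil
end

MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, passId, wasPurchased)
	if wasPurchased and passId == GAME_PASS_ID then
		tryGrant(player)
	end
end)
Players.PlayerAdded:Connect(tryGrant)
```

The handler fails closed: if the ownership call errors or returns a cached negative result, nothing is granted in that session and the check runs again when the player next joins.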