Are PayPal Smart Checkout Buttons vulnerable? - paypal

I am making an e-commerce website which should allow PayPal payments, using Smart Checkout Buttons.
My worry is that everyone can curl my website, get the raw HTML+JS page and edit the purchase unit values. Once they've done that they could run the webpage, the JS code will be executed, the button gets rendered with fake values, and they could fake the payment (with less money).
Is that true? And are there any solutions still using the Smart Button (without the REST API)?
I cannot create the buttons manually since there will be many articles which are sold by different users.
paypal.Buttons({
  // Set up the transaction
  createOrder: function(data, actions) {
    var o = actions.order.create({
      purchase_units: [{
        amount: {
          value: '30.99' // Can users change this?
        },
        payee: {
          email_address: 'sb-qloys3515897@business.example.com' // email of the seller
        }
      }]
    });
    return o;
  },
  // Finalize the transaction
  onApprove: function(data, actions) {
    return actions.order.capture().then(function(details) {
      // `details` only exists inside this callback
      console.log(details);
      // Show a success message to the buyer
      //alert('Transaction completed by ' + details.payer.name.given_name + '!');
      alert(details);
    });
  }
}).render('#paypal-button-container');

If you use client-side code only then yes, anyone can edit that client side code right in their browser and pay you any amount they wish, from $0.01 to tens of thousands of dollars.
If this scenario concerns you, then a client-side only integration is obviously too simple for you, and you should instead implement one with your server that does the validation you desire.
Create two routes on your server, one for 'Set Up Transaction' and one for 'Capture Transaction', documented here.
Then have your PayPal button call those two routes; here is the best demo code: https://developer.paypal.com/demo/checkout/#/pattern/server
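The server-side pattern the answer recommends, as an added example that is not from the question, the answer or PayPal's demo code: the 'Set Up Transaction' route builds the order from a server-side listing table (price and seller payee looked up by id, never taken from the browser), and the 'Capture Transaction' route checks the capture against what the server expected before the order is marked paid. The catalogue, the `custom_id` reference and the capture-response shape used here are assumptions for illustration.

```javascript
// Added example (not from the question or PayPal's SDK): server-side order
// construction and capture verification for a multi-seller marketplace.
// Prices and payee addresses come from a server-side listing table, never
// from the browser, so editing the page's JS cannot change the amount.
// Assumed: Orders v2 shapes (purchase_units[], payments.captures[]).

// Constructed sample catalogue; a real app reads this from its database.
const LISTINGS = {
  FG_001: { price: '30.99', currency: 'EUR', seller: 'seller-one@example.com' },
  FG_008: { price: '3.50',  currency: 'EUR', seller: 'seller-two@example.com' },
};

// Body for POST /v2/checkout/orders. The client only says WHICH listing;
// value and payee are looked up here, so tampering with the page is moot.
function buildOrderBody(listingId, qty, internalOrderRef) {
  const item = LISTINGS[listingId];
  if (!item) throw new Error('unknown listing ' + listingId);
  if (!Number.isInteger(qty) || qty < 1) throw new Error('bad quantity');
  // A blank payee would silently route funds to the API credential owner.
  if (!item.seller) throw new Error('listing has no payee configured');
  const cents = Math.round(Number(item.price) * 100) * qty; // avoid float drift
  return {
    intent: 'CAPTURE',
    purchase_units: [{
      custom_id: internalOrderRef, // lets the capture be matched to this order
      amount: { currency_code: item.currency, value: (cents / 100).toFixed(2) },
      payee: { email_address: item.seller },
    }],
  };
}

// After POST /v2/checkout/orders/{id}/capture: compare the capture with what
// the server expected (the purchase unit it built) before marking it paid.
function verifyCapture(expectedUnit, captureResponse) {
  const units = captureResponse.purchase_units || [];
  const caps = units[0] && units[0].payments ? units[0].payments.captures : null;
  const cap = caps && caps[0];
  if (!cap) return { ok: false, reason: 'no capture in response' };
  if (captureResponse.status !== 'COMPLETED' || cap.status !== 'COMPLETED')
    return { ok: false, reason: 'capture not completed: ' + cap.status };
  if (cap.amount.currency_code !== expectedUnit.amount.currency_code ||
      cap.amount.value !== expectedUnit.amount.value)
    return { ok: false, reason: 'amount mismatch: ' + cap.amount.value };
  if (cap.custom_id !== expectedUnit.custom_id)
    return { ok: false, reason: 'capture belongs to a different order' };
  return { ok: true, captureId: cap.id };
}
```

The browser's `createOrder` then only posts a listing id to the first route and returns the order id PayPal issued; `onApprove` posts that id to the second route, which captures and runs `verifyCapture` before fulfilling.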

Related

PayPal Checkout Smart Payment Button use Custom Payee

Hi, I have successfully integrated PayPal Checkout Smart Payment Buttons, where I am using the custom payee reference https://developer.paypal.com/docs/checkout/integration-features/custom-payee/
My point is that if the custom payee email is invalid the payment still completes and the funds go to the account of the API credentials owner. But I don't want that. If the custom payee email is wrong the payment should not be successful; it must throw an error with a proper message so I can catch the error.
I didn't get any solution from the PayPal docs.
if the custom payee email is invalid still the payment completes and the fund goes to the account of the API credentials owner
What do you mean by 'invalid'? Please be specific about your meaning.
If the email is not associated with an existing PayPal account, the payment will be in a pending state. The owner has 30 days to create a PayPal account using that email (or add it to an already existing PayPal account) and accept the pending payment. If they do not do so within 30 days, the payment will be automatically refunded. In this scenario, it is not the case that "the fund goes to the account of the API credentials owner". That is not happening.
Now, if you are trying to pass a payee object at payment setup time with a blank / empty string email_address, then it will just be ignored, and the payment will go to the API credentials owner as per normal payment processing w/o a custom payee.
So, you need to do your own validation to ensure the payee field is non-blank. You could simply check that it is a non-empty string.
Or, do one better, and actually check that it is an email address in a valid format:
function isEmail(y) {
  var re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
  return re.test(String(y).toLowerCase());
}
If it is not valid, you should not allow the order creation to proceed using that non-valid custom payee, since it will obviously not create the transaction you wish. Instead, you should display an error that the checkout is not set up properly for this user/recipient/payee.
<script src="https://www.paypal.com/sdk/js?client-id=XXXXXXXXXX"></script>
paypal.Buttons({
  createOrder: function(data, actions) {
    return actions.order.create({
      purchase_units: [{
        amount: {
          value: '1.00'
        },
        payee: {
          email_address: 'someemail@somedomain.com'
        }
      }]
    });
  },
  onApprove: function(data, actions) {
    // This function captures the funds from the transaction.
    return actions.order.capture().then(function(details) {
      // success
    });
  },
  onCancel: function(data) {
    // cancel payment
  }
}).render('#paypal-button-container');
Here the payee email does not exist and the funds go to the API owner.

How to set category for PayPal Smart Buttons?

When I view the transaction details in Paypal sandbox as buyer, it says "Category: flights".
Is it possible to change that - or is this automatically determined by Paypal? (The documentation only knows about item category physical/digital, but setting this value doesn't change anything.)
My code:
actions.order.create({
  purchase_units: [{
    "items": [
      {"name": "ARGENTINISCHES H\u00dcFTSTEAK", "unit_amount": {"currency_code": "EUR", "value": "12.50"}, "quantity": 1, "sku": "FG_001"},
      {"name": "Beilagensalat", "unit_amount": {"currency_code": "EUR", "value": "3.50"}, "quantity": 1, "sku": "FG_008"}
    ],
    "amount": {
      "currency_code": "EUR",
      "value": "16.00",
      "breakdown": {"item_total": {"currency_code": "EUR", "value": "16.00"}}
    }
  }],
  application_context: {
    payment_method: {payee_preferred: "IMMEDIATE_PAYMENT_REQUIRED"},
    shipping_preference: "NO_SHIPPING"
  }
});
This is an account setting, not an integration issue.
You can try editing the category of the sandbox Business account you are receiving the payment with, via https://www.sandbox.paypal.com/businessmanage/account/aboutBusiness -> Update
But since it's sandbox, you can also just not worry about it. The setting in sandbox will not have any relation to any live account this integration ever processes payment with.

PayPal: How to pass customer email when creating an order?

Using https://developer.paypal.com/docs/checkout/ I create an order:
<script>
paypal.Buttons({
  createOrder: function(data, actions) {
    // Set up the transaction
    return actions.order.create({
      purchase_units: [{
        amount: {
          value: '0.01'
        }
      }]
    });
  }
}).render('#paypal-button-container');
</script>
I want to be able to pass the customer's email in such a way that, when on the server side I get notified about a successfully completed transaction through IPN or a webhook, I am able to get this same email directly or by making an additional call to the PayPal API.
It can be done by not using Express Checkout and specifying custom fields. But how to do it via the JavaScript API in Express Checkout? I didn't find appropriate fields in their API docs.

How to handle a PayPal Checkout payment when there is a confirmation API error on our server

We are integrating the PayPal client side Checkout Integration for taking payments on our website. This can be found here:
https://developer.paypal.com/docs/checkout/integrate/#6-verify-the-transaction
Once the payment has been made and approved by PayPal, we need to call our server to verify the transaction and store it within our database. This code can be found below, note the part "Call your server to save the transaction".
<script>
paypal.Buttons({
  createOrder: function(data, actions) {
    return actions.order.create({
      purchase_units: [{
        amount: {
          value: '0.01'
        }
      }]
    });
  },
  onApprove: function(data, actions) {
    return actions.order.capture().then(function(details) {
      alert('Transaction completed by ' + details.payer.name.given_name);
      // Call your server to save the transaction
      return fetch('/paypal-transaction-complete', {
        method: 'post',
        body: JSON.stringify({
          orderID: data.orderID
        })
      });
    });
  }
}).render('#paypal-button-container');
</script>
Now, in the above instance, what happens if the call to "/paypal-transaction-complete" fails, e.g. a session timeout or lost internet connection? For example, in the Stripe integration, the money is "approved" on the client side and then only confirmed/charged in our API at "/stripe-transaction-complete". If there is an error, we don't actually charge the money.
Within PayPal, the money is charged before the API call, so there is a small possibility we charge the user but they don't receive the paid order in the database. How would we best handle this? One option would be to call the PayPal API and match all the orders with payments and then either auto-refund or auto-complete the order. But I'm not sure if this is recommended.
For both PayPal and similar issues with Stripe Checkout, this can be addressed using WebHooks.
https://developer.paypal.com/docs/integration/direct/webhooks/rest-webhooks/#
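How a webhook closes the gap the question describes, as an added example that is not from the question, the answer or PayPal's docs: a PAYMENT.CAPTURE.COMPLETED event is matched to the server's own order record and processed idempotently, so an order whose browser call to "/paypal-transaction-complete" never arrived is still fulfilled, a redelivered event is not fulfilled twice, and a capture whose amount does not match is held for review. Assumptions: the event was already signature-verified upstream, and the server set `custom_id` on the purchase unit to its own order reference; the store and the event are constructed.

```javascript
// Added example (not from the question or PayPal's docs): idempotent handling
// of a PAYMENT.CAPTURE.COMPLETED webhook, so an order is fulfilled even when
// the browser's call to /paypal-transaction-complete never arrived, and is
// never fulfilled twice. Assumed: the event was signature-verified upstream
// (PayPal's verify-webhook-signature API needs the network and is not shown),
// and the server set purchase_units[0].custom_id to its own order reference.

// Constructed in-memory order store keyed by the server's order reference.
const orders = new Map([
  ['ord-42', { amount: { currency_code: 'EUR', value: '61.98' }, state: 'AWAITING_PAYMENT', captureId: null }],
  ['ord-43', { amount: { currency_code: 'EUR', value: '16.00' }, state: 'AWAITING_PAYMENT', captureId: null }],
]);
const seenEvents = new Set(); // webhook ids already processed (PayPal may redeliver)

function handleWebhook(event) {
  if (seenEvents.has(event.id)) return 'duplicate';  // same event delivered again
  if (event.event_type !== 'PAYMENT.CAPTURE.COMPLETED') return 'ignored';
  const cap = event.resource;
  const order = orders.get(cap.custom_id);
  if (!order) return 'unknown-order';                // flag for manual review
  seenEvents.add(event.id);
  if (order.state === 'PAID') return 'already-paid'; // e.g. the client call did arrive
  if (cap.status !== 'COMPLETED' ||
      cap.amount.currency_code !== order.amount.currency_code ||
      cap.amount.value !== order.amount.value) {
    order.state = 'NEEDS_REVIEW';                    // wrong amount: do not ship
    return 'mismatch';
  }
  order.state = 'PAID';
  order.captureId = cap.id;
  return 'fulfilled';
}

// Constructed sample event in the shape of a capture webhook.
const SAMPLE_EVENT = {
  id: 'WH-EVT-1', event_type: 'PAYMENT.CAPTURE.COMPLETED',
  resource: { id: 'CAP-1', status: 'COMPLETED', custom_id: 'ord-42',
              amount: { currency_code: 'EUR', value: '61.98' } },
};
```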

Include a message/note field in a PayPal API payment

I am building a really simple payment form where the user can enter an amount and a thank-you message. I have got it successfully working with just the amount, but I cannot add a message field and get it to come through!
Here is just the payment function of my JavaScript:
payment: function(data, actions) {
  return actions.payment.create({
    payment: {
      transactions: [
        {
          amount: {
            total: window.transactionAmount,
            currency: 'GBP'
          },
          note_to_payee: document.getElementById('custom-message').value,
          description: 'A gift to Martin.',
          custom: 'This is a test custom field',
          payee: {
            "email": "martin@[hidden].com"
          }
        }
      ]
    },
    experience: {
      input_fields: {
        no_shipping: 1,
        allow_note: true
      }
    }
  });
},
I have tried setting custom and note_to_payee but neither seem to be recorded on either the notification email or the data that is logged in the recipient's account.
I have also tried turning on the ability for the payer to add a note by setting allow_note: true in the experience config but that does nothing!
Please help, just any way of passing through a little message with the payment is all I need.
It took PayPal Support team 4 days to come back with the answer that No, it cannot be done.
Here's their full response:
With regard to your request, I have to inform you that "note to seller" (allow_note:true) field is only available in the older PayPal payment experience, and is not available in the newer payment experience.
Unfortunately, there's nothing the caller can do at this time to force an old or new experience and we recommend to collect this information in your website where possible.
So it looks like they've dropped one of the nicest and most simple features of the PayPal checkout which was the ability to include a friendly little note.
Now, my only option is to build a whole back-end system with API end-points and extend my JavaScript just to record my payer's note. Meanwhile, every email notification I receive will continue to contain that annoying lie: "The buyer hasn't entered any instructions".
PayPal: Please, either implement a feature in your new process or remove/hide the feature! Don't do a half-way job. You take 10% of all my transactions, I expect better.
A workaround for this would be to use an "option variable" to create a textbox in your checkout flow. An example of an option variable would be "os0" and "on0".
Here is an example on our website on how you would implement this: https://www.paypal.com/us/cgi-bin/webscr?cmd=_pdn_xclick_options_help_outside
https://developer.paypal.com/sdk/js/reference/#onapprove
paypal.Buttons({
  createOrder: function(data, actions) {
    ...
  },
  onApprove: function(data, actions) {
    // This function captures the funds from the transaction.
    return actions.order.capture().then(function(details) {
      // The capture record is in the order's first purchase unit
      var transaction = details.purchase_units[0].payments.captures[0];
      // This function shows a transaction success message to your buyer
      alert('Transaction ' + transaction.status + ' ' + transaction.id);
      window.location.href = 'https://www.yoursite.com/page.php?trnsid=' + transaction.id;
    });
  }
}).render('#paypal-button-container');
You can do a redirect onApprove.
If the transaction was completed, redirect the user to a page with a form that gets/captures the transaction ID (to associate the message with a transaction) and add a message textarea so the user can send some notes after payment.