I am updating my Paypal Integration from good old NVP to the new Script.
With the old ExpressCheckout, returnURL's where handed over from my backend server through paypal for success or failure. These URL's could carry a random parameter and thus protect against someone faking the paypal responses (as I could verify that these responses carry the same parameter as given to paypal at order creation time from my server).
The current Javascript from Paypal just calls a onApprove() method and its up to me to tell this approval to my server.
As there are no returnURL's handed over anymore, there is also no way to protect the callback from being faked. Someone inspecting my (clientside javascript) code or observing the traffic from the browser can just handcraft that call and tell my server that paypal successfully authorized.
Is my reasoning wrong?
Is there any other way to prevent this scenario?
Related
I am integrating PayPal Payments blind, this means I have no means to test, I've researched this more than a lot of times, and I can't seem to find any information about this.
When my client successfully pays me (integrated using REST API), and they are returned to the specified return URL, what are the exact parameters returned, primarily, what are the parameter keys for the Payment ID and the Payer ID.
Thank you for your assistance.
I am integrating PayPal Payments blind, this means I have no means to test
This doesn't make any sense; you should fully test your integration as you develop it, using the PayPal sandbox environment.
Redirecting away from your site is an old way to integrate PayPal, used by old websites. Current integrations do not use any redirects. At all.
Follow the Set up standard payments guide and make 2 routes on your server, one for 'Create Order' and one for 'Capture Order', documented here. Both routes should return only JSON data (no HTML or text). Inside the 2nd route, when the capture API is successful you should store its resulting payment details in your database (particularly purchase_units[0].payments.captures[0].id, which is the PayPal transaction ID) and perform any necessary business logic (such as sending confirmation emails or reserving product) immediately before forwarding your return JSON to the frontend caller.
Pair those 2 routes with the frontend approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server
I have an e-commerce platform where customers are paying for the product. What we did for tracking customers details is auto-returning to our site with PDT (Payment Data Transfer). But recently we saw that some customers are closing the browser after completing their payment. So they are not auto redirected back to us. And we can't do further procedures. So what should we do in this scenario? How can we solve it?
An automatic return from an API-less Payments Standard integration is not guaranteed. Sometimes, notably in the case of a guest checkout, PayPal must show a receipt, and so the customer must manually click to return. Or the network connection could be interrupted, or their browser could crash. So relying on PDT to trigger business logic is a very bad idea.
Alternatives:
Wait for an asynchronous webhook: https://developer.paypal.com/docs/integration/direct/webhooks/ -- or similarly (older solution), an asynchronous IPN: https://developer.paypal.com/docs/classic/products/instant-payment-notification/
Change from Payments Standard to a synchronous API-based server side integration, such as the one shown in this skeleton demo: https://developer.paypal.com/demo/checkout/#/pattern/server . With this, the capture occurs from your server (after the browser executes the fetch command or redirect back to your server), so you get an immediate API response when your server does that API call to PayPal to capture the payment.
We are using SpiceLogic's BuyNowButton control with dedicated IPN_Notified event handler. Our payment processing logic requires buyer's redirection back to shopper site and we are interested to do it from IPN_Notified event handler after all verification there pass. We have noticed that Server.Transfer doesn't work there (gets suppressed) if you try to run it from inside event handler. Response.Redirect works as expected but raises non-braking exception "Thread was being aborted". Our question is: "Is there any known bad in redirecting buyer from IPN_Notified that way? Will it work in real PayPal environment as it works in our dev environment now?"
IPN happens completely separate from the checkout experience. A redirect will not work there because it's an entirely separate server session / communication. It's not anything happening in the browser.
It sounds like you must be working with PayPal Standard, so if you want the user to be returned to a specific page on your site after checking out with PayPal you can look into setting up Auto-Return in the PayPal account. Even with that enabled, though, there is no guarantee the user will make it back to your site because they could simply close the browser before it redirects.
If you want to guarantee the user always gets back to your site you should move to using the Express Checkout APIs instead of PayPal Standard. It will require more coding skill and working with web services, but it will give you much more freedom to do exactly what you want to do with your user experience.
In the SpiceLogic PayPal Control, the IPN_Notified event is completely a service type event, which is triggered by the PayPal IPN Notification service. The consumer of this event is a backend service from PayPal, not your customer. Your customer will never be redirected anywhere whatever you perform in your IPN_Notified event.
When PayPal IPN service calls your IPN URL, the IPN_Notified event is fired from your SpiceLogic PayPal control. But, PayPal does not care about that. PayPal simply calls that IPN Url and Post transaction data and then returns. So, if you issue a Response. Redirect, it will do nothing to PayPal IPN service. Response. Redirect is an instruction for the Browser, but PayPal IPN service is not a browser which will redirect.
If you want your user to redirect or convey a message, you need to use the PayPal_Returned event from the SpiceLogic PayPal Control.
In order to understand better the IPN and event workflow, please check these images.
PayPal has explicitly stated that their IPN service should not be relied on during the user checkout process. I believe the idea here is that IPN should be a tracking mechanism to keep our back end data in sync with PayPal's data. What I want to do is to use express checkout but enforce an "IPN" to hit my server, and for my server to appropriately respond, before anything is finalized.
I can then ensure that I only give out content to users once they've paid, and that if a user does pay for a piece of content they do not have to refresh or wait for the IPN to come in. One of the problems with doing this using a return url and query string, is that i have a single page website on the firefox phone. The phone gets data from our API web service. So i need this endpoint to be hit regardless of the return url.
I know there are some more features with PayPal advanced developer, at a fee. I'm fine with that if that's the case, but i just want to know my options first.
As the name implies, IPN is instant. There are rare occasions where it may be slightly delayed, but that doesn't happen often, especially on the live servers.
You can build your IPN listener to do whatever you need as far as updating a database, generating custom email notifications, hitting 3rd party web services, etc. and those actions will be triggered in real-time.
You just need to get your listener created and configured in the PayPal IPN settings, or you can also pass the IPN URL in the NotifyURL parameter of your Express Checkout API calls.
If you happen to be using WordPress you may be interested in my PayPal IPN for WordPress plugin. It gets you up-and-running with IPN very quickly, and then you can hook into the plugin to trigger your own functions based on different IPN types or payment statuses.
Extra Info from Comments
As mentioned, IPN is a post-transaction thing. What you could do, though, is setup Auth and Capture on your checkout system. When the order comes through you would run it as an Authorization, and when you're ready to "finalize" you would run the capture.
You would get an IPN for both the authorization and the capture. So, one thing you could do, if it suits you, would be to run the order as an Authorization, and then within your IPN script, go ahead and run the capture. That way you could do whatever checks you want to do and only capture if they pass.
In passing cases, the capture would take place "almost" instantly when the order takes place. Cases where it doesn't pass, you could either void the Auth or let it sit there in a pending state.
I'm implementing a simple Buy Now button and I'm using IPN (not PDT) to verify the transaction.
A thing that bugs me is that I don't understand how come only after I set the notify_url field to the button I also get the transaction variables to the success URL, as GET params. It would seem normal to be the other way around.
Since the user could or could not choose to "return to the merchant's website" there's not way I should rely on that data. It does however seem to be identical to the one sent to the notify URL.
Some clarification would help. Thanks!
I know what you mean, after the user has finished paying and chooses to return to the sellers website (button in paypal page) they are redirected to your thankyou page.
I don't think it used to do this back in 2009 but now paypal will issue the redirect with all sorts of parameters in the url query string.
I'm just ignoring this information and relying on the backend IPN post which is verifiable by paypal
In my previous experience with IPN, I defined the location of the notify URL in the control panel. Once the payment is processed, PayPal sends a POST notification to this URL independent of any user behavior.
In any case, even if you define the notify_url parameter in the button, I believe PayPal will still send the payment notification seperate from the user behavior - they spawn a new process to send the data. As to why they are using a GET rather than a POST, that is odd behavior. However, in your IPN script you should still have logic that verifies the call with PayPal before you continue processing.