PayPal Payouts with encoded user id - paypal

I need some help with Paypal Payouts. I am currently using Java SDK and working in sandbox environment.
I am trying to implement a button in my webapp that will enable users to receive monetary awards in their PayPal accounts. My first idea was to ask for their email and then, using the SDK, create a payout item and send that. All works well, except that when someone types (unintentionally, I assume) the wrong email, the money is not going to be transferred. That is why I decided that asking the user to log in with PayPal and then using their PayPal ID will be much more error-proof.
So I followed the steps described here.
I am successfully able to exchange the authorization code and receive access and refresh tokens. Then I use those to load user info that contains only user_id (login scope is openid).
When I try to create a PayoutItem with recipient type PAYPAL_ID and value - user_id from Userinfo object - the operation is unsuccessful (no error - just the batch result is null).
We do not have and we do not expect to have any transactions from this user - so there is no way to use getTransactionDetails in order to retrieve payer id.
I suspect that user_id is not the correct property to use. However, I cannot find any information on how I can integrate payouts with recipient type PAYPAL_ID combined with paypal login.
Help, please!

Related

PayPalExpress Processor Declines my order says Security header not valid

I have got a PayPal order, with an order ID (O-123213XXXX) from PayPal. I am trying to authorize it via the Hybris Storefront. Hybris will pass the payload to a third party when the user clicks on the place order button; that third party will authorize the payment by communicating with the PayPalExpress processor.
My payment reaches the processor and I am getting a response like [cart] 10002 Security Header not valid. I searched online and came to know that it's something related to invalid API credentials. They suggest not confusing live PayPal credentials with sandbox credentials.
I have cross-checked everything,
1) I have a Paypal button at my Hybris Storefront which user click when they wish to pay using Paypal. This will create the order.
2) After which, I am logging in using my sandbox test user account of type personal to approve the order via Paypal popup window.
3) Next, I execute that order. Before that, I need the bearer access-token using my online store's "Sandbox" Client ID and Secret Key combination in another REST call. (Just to mention... this online store/app is associate with a sandbox account of type "Business")
Once I get the token, I execute the order via another REST call using that access-token.
4) Now I get the Order ID from PayPal so that once the order is placed in Hybris, it will be Authorized and then Captured at a later stage. (That's the plan...)
I have noticed in the Paypal developer account that the Business account associated with my online store/app has some credentials such as Username, Password and Signature.. But I am not using them anywhere in my flow.
(Those are for SOAP/NVP Calls that what they say in docs..)
and now I am getting 10002 Security header invalid response from processor.
As per my understanding I am not using any live credentials anywhere but the sandbox.
or am I missing something related to those mentioned credentials I am not using anywhere??

What should I do for a reliable checkout flow with Paypal?

A listener on my website 'listens' for successful purchases made via PayPal. Data retrieved by the listener includes a post variable that I can set before initiating the purchase. This is possible with PayPal's IPN (Instant Payment Notification). I am trying to get the IPN to recognize the user's account on my website upon purchase. Every account on my website has a unique user ID number.
I have tried passing the account's unique ID through PayPal's "Custom" variable so the IPN can listen for that. Though I think this is a bad idea because then people can purchase things for another account if they passed their unique ID. Though this is a guaranteed purchase handler, hackers can take advantage of this with social engineering.
I see that some people instead pass the session_id with PHP, but this isn't safe because the listener would have no way of recognizing the user's website account if the session_id were to disappear. I also see that people will pass a cookie tied to the user's unique account. I don't think this is a good idea because the cookie could be cleared.
It is my impression that I cannot send a refund or cancel a purchase if the user's account could not be identified (without doing it manually). What checkout flow should I use?
I would create a local invoice record in your system, and this invoice would get a customer ID associated with it.
Then you can use the INVOICE parameter to pass the invoice ID to PayPal, and that would come back in IPN where you can then lookup the customer ID based on that invoice ID.

Where would I find a PayPal users PayPal_id?

I am working with the PayPal Node.js SDK and I am trying to pay out a user. In order to do that I can use either their email, phone number or encrypted PayPal ID. We would prefer to work with encrypted data as much as possible. Where would we find a user's paypal_ID?
If any of our code would help us find this information, we can post it; just tell us what you need. Thanks in advance to all.
It should be displayed in the account overview page or in the profile. It typically shows your PayPal account email and merchant account ID.
It can also be obtained via the GetPalDetails API, but that's not REST. I'm not sure if REST has an equivalent API yet or not.

Paypal custom variable solution using php

I'm trying to use PayPal as the payment method for my site.
My site only sells a virtual currency, like "Diamond" in an online game.
So after reading, I started to use Express Checkout for Digital Goods. Is that right, or must I use another payment method?
Then my question is: when using Express Checkout for Digital Goods, how do I pass a custom variable?
Let's say I want to pass user_id, diamond_id, and some other variables from my database to the PayPal API. It seems like PayPal doesn't support passing custom variables on the API call. After the user completes the payment, I want PayPal to notify my server that the payment is complete, along with the user_id and the other variables that I passed, so it is easy for me to know the details.
After searching, I found some solutions.
The first solution is to store the "TOKEN" (generated by the "SetExpressCheckout" method) and the custom variables that belong to that TOKEN in the database. Then, after the payment completes, PayPal will notify my server with the same TOKEN saved before, so I will query based on the TOKEN.
The second solution is to use GET-style parameters in the RETURNURL variable, http://www.mysite.com/successpayment.php?user_id=13&diamond_id=88, so I can easily grab the GET variables.
Which solution is right? Is there any solution? And how do I secure the payment confirmation, I mean, if someone knows and hacks my returnurl?
Thanks in advance
There are two parts to be able to successfully identify your order in the whole process:
To identify your order when the user is redirected back via the success or cancel URL, just pass the order id via the query string of the URL.
To identify your order when Paypal sends notifications about the transaction and associated events (refunds, reversals, disputes etc.) via IPN: Paypal does support a pass-through variable, which allows you to associate IPNs to the order record in your DB.
For express checkout you set PAYMENTREQUEST_0_INVNUM in the SetExpressCheckout call
In case you are creating a recurring profile, the parameter is named PROFILEREFERENCE in the CreateRecurringPaymentsProfile call
When you receive an IPN the invoice is passed as 'invoice' or 'rp_invoice_id' respectively
(My general advice, though: use Paypal only if you really have to)
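The invoice pass-through described in this answer and in the earlier IPN answer, as an added Node.js sketch (not code from either post): the account to credit is bound to a server-generated invoice ID, so user IDs supplied in a return URL or in `custom` are never trusted. Assumptions: the in-memory maps stand in for database tables, the function names are hypothetical, the IPN has already been verified as coming from PayPal, and `invoice`, `txn_id`, `payment_status`, `mc_gross`, `mc_currency` and `receiver_email` are the standard IPN variables.

```javascript
const crypto = require('crypto');

// In-memory stand-ins for database tables (constructed for this example).
const invoices = new Map();   // invoiceId -> { userId, itemId, amount, currency, status }
const seenTxnIds = new Set(); // PayPal txn_id values already credited

// Called from an authenticated session before redirecting to PayPal.
// userId comes from the server-side session, never from a browser-supplied field.
function createInvoice(userId, itemId, amount, currency) {
  const invoiceId = 'INV-' + crypto.randomBytes(12).toString('hex'); // unguessable
  invoices.set(invoiceId, { userId, itemId, amount, currency, status: 'pending' });
  return invoiceId; // passed to PayPal as PAYMENTREQUEST_0_INVNUM
}

// ipn: fields of an IPN that has already been verified as coming from PayPal.
function handleIpn(ipn, merchantEmail) {
  const inv = invoices.get(ipn.invoice);
  if (!inv) return { ok: false, reason: 'unknown invoice' };
  if (ipn.receiver_email !== merchantEmail) return { ok: false, reason: 'wrong receiver' };
  if (ipn.payment_status !== 'Completed') return { ok: false, reason: 'not completed' };
  // Compare amounts as strings to avoid floating-point rounding.
  if (ipn.mc_gross !== inv.amount || ipn.mc_currency !== inv.currency) {
    return { ok: false, reason: 'amount mismatch' };
  }
  if (seenTxnIds.has(ipn.txn_id) || inv.status !== 'pending') {
    return { ok: false, reason: 'already processed' };
  }
  seenTxnIds.add(ipn.txn_id);
  inv.status = 'paid';
  // The account to credit is the one bound to the invoice; ipn.custom is ignored.
  return { ok: true, userId: inv.userId, itemId: inv.itemId };
}
```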

Identity Token is NOT required for PayPal's Payment Data Transfer (PDT)?

I've setup a PayPal site which uses IPN and I was having trouble getting PayPal to send the GET variables to the return URL that I had specified. It was sending the user's browser to the return URL, but nothing was being passed via GET or POST.
I changed one setting in the PayPal business account: "Payment Data Transfer (optional)" to On which generated an "Identity Token" on the PayPal website.
I also got an automated email from PayPal saying:
---------- Forwarded message ----------
From: service@paypal.com <service@paypal.com>
Subject: Payment Data Transfer (PDT) Has Been Enabled
This email is to inform you that you have successfully enabled Payment Data Transfer.
PDT's primary function is to display payment transaction details to buyers when they are redirected back to your site upon payment completion. However, there are cases, such as with pending transactions, where you won't receive notification of all transactions. For this reason, PayPal strongly recommends that you also enable Instant Payment Notification (IPN).
To learn more about enabling and setting up IPN:
https://www.paypal.com/us/cgi-bin/?cmd=p/xcl/rec/ipn-intro-outside
To learn more about Payment Data Transfer, including setup instructions and a complete list of variables:
https://www.paypal.com/us/cgi-bin/?cmd=p/xcl/rec/pdt-intro-outside
Sincerely,
PayPal
Clicking on the second link and clicking on "Technical Overview" (https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/pdt-techview-outside) shows:
Your POST should be sent to https://www.paypal.com/cgi-bin/webscr. You must post the transaction token using the variable "tx" and the value of the transaction token previously received (e.g. "tx=transaction_token"), and the special identity token using the variable "at" and the value of your PDT identity token (e.g. "at=identity_token"). You will also need to append a variable named "cmd" with the value "_notify-synch", for example "cmd=_notify-synch", to the POST string.
However, I am NOT passing the Identity Token at all, yet everything is working fine!
(a) Is this a problem?
(b) Why is it working if the documentation implies that it shouldn't?
(c) Is this a consequence of specifying an outdated API version (58.0)? What is the value I should be using?
In my opinion the identity token should be a required param since it is the only way Paypal can verify that the request you're making is valid. Otherwise, other people can simply guess a transaction id (even though it is not intended for their accounts) and get details for that transaction from Paypal.
I'm guessing this is a bug you're experiencing. Are you testing in the Paypal sandbox or in a live environment?
Realizing that the OP probably no longer needs an answer after 9 years, but others still might:
The POST of the transaction ID and identity token is purely for the purpose of verifying that the original transaction notification (relayed via the GET method to the merchant's Return URL) actually came from PayPal.
It is as if to say to PayPal, "My website just got this supposed confirmation that a customer paid. Here is the transaction ID and my seller ID again. Is this a legitimate match?"
In fact, at https://developer.paypal.com/docs/api-basics/notifications/payment-data-transfer/, when talking about setting up for testing, it only talks about getting your script ready to receive, parse and display the GET data. It doesn't mention the POSTing back to PayPal (though that is mentioned elsewhere). So, yes, the PDT function should work without doing the POST back to PayPal afterward and waiting for that response of SUCCESS or FAIL, but...
Anyone who knew what they were doing could go to a seller's URL and append a query string with the right combination of variables to fake the same kind of GET request that the PayPal PDT system would initially send, whether or not the transaction ID were a real one.
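The post-back described in the answers above, as an added Node.js sketch (not code from the thread or from PayPal): it builds the `cmd=_notify-synch` body with `tx` and `at`, parses the reply, and trusts payment details only from a verified reply for the same transaction. Assumptions: the function names are hypothetical, the HTTPS POST itself is done by the caller, and the reply is taken to be a first line of SUCCESS or FAIL followed by URL-encoded `key=value` lines that include `txn_id`.

```javascript
// Body of the post-back sent to https://www.paypal.com/cgi-bin/webscr.
function buildPdtRequest(tx, identityToken) {
  return new URLSearchParams({ cmd: '_notify-synch', tx, at: identityToken }).toString();
}

// Form-decode one value; keep the raw text if it is not valid UTF-8 percent-encoding.
function decodeValue(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw;
  }
}

// PayPal's reply: first line SUCCESS or FAIL, then one URL-encoded key=value per line.
function parsePdtResponse(body) {
  const lines = String(body).split(/\r?\n/);
  if (lines[0].trim() !== 'SUCCESS') return { verified: false, fields: {} };
  const fields = {};
  for (const line of lines.slice(1)) {
    const eq = line.indexOf('=');
    if (eq > 0) fields[line.slice(0, eq)] = decodeValue(line.slice(eq + 1));
  }
  return { verified: true, fields };
}

// Decide what the return page may trust. Only `tx` is taken from the GET request;
// everything else must come from the verified reply for that same transaction.
function trustedPayment(query, pdtReplyBody) {
  const { verified, fields } = parsePdtResponse(pdtReplyBody);
  if (!verified || fields.txn_id !== query.tx) return null;
  return fields;
}
```

A forged return-URL request yields `null` here because PayPal answers FAIL for a transaction token it does not recognise for that identity token.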