When using express checkout in both paypal/stripe/others, data is passed to the payment gateway (paypal/stripe) using javascript in the browser.
Since this happens in the browser using javascript, I am assuming it can be easily tampered with so the end user can change the price before sending data to the payment gateway.
Any solutions on how to fix this?
I'm attempting to conduct financial transactions with the paypal api using what their documentation describes as 'in context, express checkout'. I have everything working properly when I use USD as the checkout currency but I'm having trouble using HKD and I will outline my situation below.
Given a normal in context express checkout flow of
get express checkout token
give user a link that paypal checkout.js detects the click of
user authorizes the in context transaction
paypal post the token/payer_id back to my server
USD FLOW - everything ok
get express checkout token,
POST TO PAY PAL
"USER=hidden-facilitator_api1.gmail.com&PWD=NWhidden3TK&SIGNATURE=Arhidden3tCjMfqZyNAlfdDvZ6YAyktOYxObIAzKBgV0N2&METHOD=SetExpressCheckout&VERSION=109.0&PAYMENTREQUEST_0_PAYMENTACTION=SALE&PAYMENTREQUEST_0_AMT=2000.00&PAYMENTREQUEST_0_CURRENCYCODE=USD&RETURNURL=http://localhost:3000/checkout/complete?cartId=126&CANCELURL=http://localhost:3000/checkout/cancel&LANDING=Billing&ADDROVERRIDE=0&NOSHIPPING=1"
Returns Express checkout token
EC-8GN42843W29871826
Which I then embed in the browser as
https://www.sandbox.paypal.com/checkoutnow?useraction=commit&token=EC-8GN42843W29871826&ul=0
Which works fine, initiating the in context checkout flow as referenced here,
https://www.dropbox.com/s/nbigq78achl0xsy/Screenshot%202015-08-05%2011.43.12.png?dl=0
HKD FLOW - everything BROKEN
GET express checkout token
POST TO PAY PAL
"USER=hidden-facilitator_api1.gmail.com&PWD=NWXhiddenTK&SIGNATURE=ArOphiddenzfdDvZ6YAyktOYxObIAzKBgV0N2&METHOD=SetExpressCheckout&VERSION=109.0&PAYMENTREQUEST_0_PAYMENTACTION=SALE&PAYMENTREQUEST_0_AMT=2000.00&PAYMENTREQUEST_0_CURRENCYCODE=HKD&RETURNURL=http://localhost:3000/checkout/complete?cartId=126&CANCELURL=http://localhost:3000/checkout/cancel&LANDING=Billing&ADDROVERRIDE=0&NOSHIPPING=1"
Returns Express Checkout Token
EC-4JK68416ST774680H
Which is embedded as get in the browser as
https://www.sandbox.paypal.com/checkoutnow?useraction=commit&token=EC-4JK68416ST774680H&ul=0
Which, when clicked, actually totally hijacks and pretty much breaks the checkout process: the in context browser 'modal' opens but then something bad happens, the browser modal window closes itself and the parent browser context appears to be in some kind of redirect loop.
https://www.dropbox.com/s/y2snlujy8mtljwv/Screenshot%202015-08-05%2011.47.18.png?dl=0
I've contacted PayPal merchant/technical support crew and their answers were so bad it was almost like they either weren't reading my email, didn't care about my problem or just generally were incompetent and I hesitate to criticize someone professionally, but if paypal is taking a cut of transactions, I expect the supporting api and documentation to not be terrible.
What can I do in this situation to gain further insight into the problem that I'm having?
Cheers and thanks,
JD
UPDATES:
The process is failing specifically related to HKD when I attempt to launch the in context browser window with paypal.checkout, and I can successfully complete this process with other foreign currencies including (but not limited to) 'PLN' (polish zloty), 'DKK' (danish krone), but it fails for 'HKD' (hong kong dollar) and 'THB' (thai baht), so maybe paypal checkout.js doesn't like certain regions?
It would appear that the devil was in the details, but PayPal express checkout and PayPal checkout support HKD, while in context checkout using checkout.js does not support this, and my troubles were tied to erroneously believing the false parts.
https://www.dropbox.com/s/g7s0i5g0y718c8r/Screenshot%202015-08-05%2013.44.27.png?dl=0
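As an added example (not code from JD's post or from PayPal), here is how the SetExpressCheckout request shown above can be built and its NVP response checked server-side, with the in-context modal used only for currencies the poster observed working and a full-page Express Checkout redirect otherwise. The IN_CONTEXT_OK set is taken from the poster's own observations (USD, PLN, DKK work; HKD, THB break), not from an official list; the environment variable names, the cart id and the sample responses are constructed placeholders.

```python
import os
from urllib.parse import urlencode, parse_qsl

NVP_ENDPOINT = "https://api-3t.sandbox.paypal.com/nvp"  # sandbox NVP endpoint, for reference
# Currencies observed in the post to work with the in-context (checkout.js) modal.
# HKD and THB were observed to break it, so they get the full-page redirect instead.
IN_CONTEXT_OK = {"USD", "PLN", "DKK"}


def build_set_express_checkout(amount: str, currency: str, cart_id: int) -> str:
    """NVP body for SetExpressCheckout. API credentials come from the server
    environment (assumed variable names) and are never sent to the browser."""
    fields = {
        "USER": os.environ.get("PAYPAL_API_USER", "placeholder-user"),
        "PWD": os.environ.get("PAYPAL_API_PWD", "placeholder-pwd"),
        "SIGNATURE": os.environ.get("PAYPAL_API_SIGNATURE", "placeholder-sig"),
        "METHOD": "SetExpressCheckout", "VERSION": "109.0",
        "PAYMENTREQUEST_0_PAYMENTACTION": "SALE",
        "PAYMENTREQUEST_0_AMT": amount,
        "PAYMENTREQUEST_0_CURRENCYCODE": currency,
        "RETURNURL": f"http://localhost:3000/checkout/complete?cartId={cart_id}",
        "CANCELURL": "http://localhost:3000/checkout/cancel",
        "LANDING": "Billing", "ADDROVERRIDE": "0", "NOSHIPPING": "1",
    }
    # urlencode also escapes the '?' and '=' inside RETURNURL, which the raw
    # string in the post leaves unescaped
    return urlencode(fields)


def parse_nvp_response(body: str) -> dict:
    """NVP responses are url-encoded key=value pairs joined with '&'."""
    return dict(parse_qsl(body, keep_blank_values=True))


def checkout_url(response_body: str, currency: str) -> str:
    """Return the URL to send the buyer to, or raise with PayPal's error text."""
    r = parse_nvp_response(response_body)
    # ACK is Success or SuccessWithWarning on success; errors are in L_*0 fields
    if not r.get("ACK", "").startswith("Success"):
        raise RuntimeError(f"{r.get('L_ERRORCODE0')}: {r.get('L_LONGMESSAGE0')}")
    token = r["TOKEN"]
    if currency in IN_CONTEXT_OK:
        return f"https://www.sandbox.paypal.com/checkoutnow?useraction=commit&token={token}&ul=0"
    # full-page Express Checkout redirect for currencies the in-context modal rejects
    return f"https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token={token}"
```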
I've been asking myself if there is a possibility to use the standard payment page of paypal to redirect user to "Authorize" a payment using their Credit card (using "paymentaction" : "authorization" in the redirect form).
Having IPN set up I could receive the auth_id.
Then later on "Capture" an amount (equals or less) using the Paypal REST API but using the "auth_id" received through IPN ?
It seems the "authorization_id" received through the Paypal REST API "Authorize" is the same length. Somehow I suppose it is the same value.
Before implementing such I wonder if anyone tried this before?
Thank you
You can do this using the standard (Website Payments Standard) page to create the authorization paired with the "classic" authorization API, but you cannot mix the classic and REST APIs as you described.
The REST APIs store different/additional information on PayPal's server side, so in general you cannot manipulate transactions created through classic APIs via REST APIs (and vice versa is also complicated and generally not advised).
I have attached a screenshot of an example Paypal Express Checkout payment page which include some currency conversion information (indicated with a blue arrow). I am trying to replicate this implementation of Paypal Express Checkout on my own app. What parameters or settings are used to set whether to show this information or not? It is not clear in the documentation. Note: I am using Classic APIs
Only PayPal Adaptive Payments has a Currency Conversion API.
Express Checkout does not.
If you really want to use PayPal Currency Conversion, you can still use this API. But, additionally, you need to send "APP-ID" in your request. For Sandbox the APP-ID is constant, which is APP-80W284485P519543T. For live, you need to create an APP from apps.paypal.com to get the APP-ID and then send the request.
Is there a way to use the paypal API to send basic details of a payment without actually creating the payment itself? What I mean is, I'm working with a non profit organization that does not currently employ SSL. They want to use paypal to accept donations, but they want their own branded form on their page, they don't want to use the simple donate button. I had thought I might be able to send basic details, such as name and address along with the amount they wish to donate and a few other details using the paypal API, and then have the actual payment information processed on paypal's secure servers. All the examples I can find on how to use their API however are creating complete payments and sending them to Paypal, something I'm not able to do for obvious reasons. Short of employing SSL, something that we should probably do anyways, and capturing a complete payment, is there a way of sending just select information over the API and handling the rest on paypal's end?
If you want to control the form itself you don't have any choice but to go SSL. Any other route would require sending the user to PayPal, where you would no longer have that control.
I have finished designing a program, and am ready to create a commerce system. Ideally, I would like to use Paypal to handle all the transactions for me; however, I want this to be done on my own website, and have the information securely sent over to Paypal. I understand how to do this entire process; however, I do not understand where I would add code to have my server generate a serial code and store it alongside customer information in a database.
The Paypal API isn't very helpful, so I am wondering if there is a variable passed back to the merchant website by PayPal, via a POST or similar, that can be checked to verify that a payment was accepted, and then react depending upon that status.
I understand that I can have it send the user back to the merchant website, but I would like it to generate a page along the lines of...
Thank you for your purchase (NAME)! A copy of your serial for (LICENSE_COUNT) licenses has been sent to your e-mail at (EMAIL).
And then have a script run to automatically generate the serial, send it to the user, and save it in a database.
Any language is acceptable.
Are you working with Payments Standard or Express Checkout?
If you're using Payments Standard you would need to use PDT + Auto-Return to get data back to your page for display. That said, I wouldn't rely on it to deliver the necessary details to your user because they're not always guaranteed to make it back there even with Auto-Return enabled.
Instant Payment Notification (IPN) is recommended for this sort of thing. It will POST transaction data to a listener script you have on your server. This happens separately from the checkout system itself. You can automate tasks like updating your database, hitting 3rd party web services, sending email notifications, etc. from within this script. It also allows you to handle e-checks correctly (only deliver the e-goods when the payment clears).
If you're using Express Checkout you can handle this within the checkout flow rather than using IPN if you want to because the user is always guaranteed to make it back to your site. That said, if you're accepting e-checks you'd still want to use IPN instead. If you've disabled e-checks then this would work just fine.
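An IPN listener along the lines of the answer above, added here as an example (not code from any post on this page or from PayPal). It verifies the notification with PayPal, then checks receiver, status, the server-side price and a seen txn_id before fulfilling; the price comparison is also the answer to the first question on this page, since an amount changed in browser JavaScript will not match what the server stored. MERCHANT_EMAIL, the ORDERS table and the sample IPN body in the test are constructed placeholders; the verify step takes a callable so it can be tested offline.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl
import urllib.request

MERCHANT_EMAIL = "seller@example.com"  # constructed placeholder for the merchant account
IPN_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"  # sandbox IPN validation

# Constructed server-side order store: the price lives here, never in the browser.
# The key is the value the checkout sent PayPal as "invoice".
ORDERS = {"126": {"amount": Decimal("2000.00"), "currency": "USD", "fulfilled": False}}
SEEN_TXN = set()  # txn_ids already fulfilled (IPN may be re-delivered)


def paypal_verify(raw_body: bytes) -> bool:
    """Echo the raw IPN body back to PayPal with cmd=_notify-validate prepended."""
    req = urllib.request.Request(
        IPN_VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded", "User-Agent": "ipn-listener"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read() == b"VERIFIED"


def handle_ipn(raw_body: bytes, verify=paypal_verify):
    """Return (accepted, reason). Only 'ok' means the serial may be generated and sent."""
    if not verify(raw_body):
        return False, "not verified by PayPal"
    # IPN bodies are form-encoded; charset follows the account setting (utf-8 assumed here)
    f = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))
    if f.get("receiver_email") != MERCHANT_EMAIL:
        return False, "wrong receiver"
    if f.get("payment_status") != "Completed":  # e-checks arrive as Pending until they clear
        return False, "payment not completed"
    order = ORDERS.get(f.get("invoice", ""))
    if order is None:
        return False, "unknown order"
    try:
        gross = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "bad amount"
    # Compare against the server-side price, so a tampered browser amount is refused.
    if f.get("mc_currency") != order["currency"] or gross != order["amount"]:
        return False, "amount/currency mismatch"
    txn = f.get("txn_id", "")
    if not txn or txn in SEEN_TXN:
        return False, "duplicate txn_id"
    SEEN_TXN.add(txn)
    order["fulfilled"] = True  # here: generate the serial, e-mail it, save it in the database
    return True, "ok"
```

In production handle_ipn is called from the HTTP endpoint registered as the IPN URL with the exact request body as received, and the endpoint should respond 200 regardless of the result so PayPal stops retrying.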