Reading the documentation at developer.paypal.com/docs/classic/ipn/gs_IPN, I see the following picture about the
PayPal IPN authentication flow that I can't attach.
However, the IPN payment notification system of Paypal has recently changed a bit for security reasons: look here. And I suspect that the documentation above is not updated accordingly (but maybe I'm just wrong)
With respect to that picture and that PayPal change, I'd like to understand the following:
1) Is the connection in Step 2 now done via HTTP or HTTPS?
2) Is the connection in Step 3 now done via HTTP or HTTPS?
Thanks in advance.
It would actually be Step 4. When your URL POSTs data back to PayPal for verification of the data you will need to make sure you're using https:// on that URL and not just http:// or PayPal won't accept the request at all.
Related
I'm working on creating a REST API and one feature is to allow users to register. The general flow is the following:
The user specifies his email and password using the client application (SPA application) and presses the submit button.
A request to the API is made. The API adds the user to the database, generates a verification token and sends an email to the user.
The user verifies his email and clicks a confirmation link.
The API marks the user account as verified.
My question is regarding the confirmation link.
Should the link point to the client SPA application? In this case, the client application will make a POST request to the API with the verification token and the user email.
Also, how should the API know the link to the client application (the link needs to be added in the email and this is done by the API). Should the API store this link, or should the SPA client send the verification link to the API when sending the request to register the user?
Another approach would be for the link to go to an endpoint defined by the API. In this case a GET request will be made with the user email and verification token and the API will set the account as verified and inform the user that his account is now active.
I have read that this approach doesn't conform to the REST principles because a GET request should never change the state of a resource. In this case, the user resource will be modified.
I'm not sure which of the 2 solutions is better or if there is a better solution, so my question is what is the best approach?
Thanks!
Should the link point to the client SPA application?
If your 'Client SPA application' is the sole frontend for end-users, then yes: it should point there. Some people deploy a separate oauth2 / authentication server but that doesn't sound like it's the case here.
The client application will make a POST request to the API with the verification token and the user email.
The token should be enough. I'd avoid sending email addresses through urls.
Also, how should the API know the link to the client application (the link needs to be added in the email and this is done by the API). Should the API store this link, or should the SPA client send the verification link to the API when sending the request to register the user?
Both seem like really valid designs. If you want the API to be completely unaware of the front-end and support a multitude of frontends, it would make sense to me that the client sends their own endpoints. There is a security concern though, you don't want arbitrary clients to register arbitrary urls.
If you're just building a single frontend, I don't see a problem with the API knowing the activation url. It also sounds like it would be easy to change if your requirements change later.
I'm not sure which of the 2 solutions is better or if there is a better solution, so my question is what is the best approach?
Ultimately it doesn't really matter that much. Neither approach sounds like you're really painting yourself into a corner. Either you have a standard endpoint that uses a javascript HTTP request to activate a user, or you have a separate endpoint that redirects a user after activation. Both will work.
Sigh. The header says it all, really. I'm trying to go to paypal.com through a proxy of mine. And the result is a 502 error. There's a long waiting time before that happens. And it's the same on some other secure sites. Yes, of course, paypal uses https. So does stackoverflow, but I have no trouble going to SO through my proxy. What's going on here? I suspect paypal uses a firewall and tries to detect bots accessing from web servers. But is it somehow against the rules to access through a proxy? How does paypal see the difference between a person surfing from a browser and a script running on a server? I mean I can't even get at the home page; this has nothing to do with logging in.
I haven't investigated much so far because I'm hoping that some hacker out there already knows all about this and can guide me along. I'm only speculating. Are the request headers sent to paypal somehow incompatible? I impersonate a user agent that possibly contradicts some header that the server adds without my knowledge? Does paypal check the ip address and decide that it's a web server? Can you see that even from the headers? The proxy uses https - it doesn't tunnel. Does that lead to paypal seeing the certificate of the web server?
I'm sure paypal has lots of protective software sniffing at the requests coming in. To prevent DDOS attacks? To defeat hackers? To exclude bots? A proxy is not exactly a bot, it just relays requests from a human user. Anyway, what's the difference, as seen by paypal, between a request from a browser and from a proxy?
I'm trying to integrate PayPal PayflowPro / PayflowLink within our system, and in testing everything is working as expected. When we switched over to live credentials, we are able to create a secure token, using the live merchant details; but when attempted to redirect to a hosted checkout page, we are receiving a new error, which we haven't seen before.
Error invalid Required Domain
We have searched for hours, with no reference in PayPal's official documentation or the internet. Can someone who has worked with PayPal, explain what this error means?
Willing to give up some rep to figure this out.
Please check your referrer URL, see if it is valid domain.
They generally check if incoming host url is valid or not.
Trying to get login with PayPal into prestashop, all seem to be done corectly accorting to installation guide but getting this error:
Relying Party Validation error: redirect_uri provided in the request
does not match with the registered redirect_uri. Please check the
request.
What is the problem?
There are two modes for any application on Paypal developers website (i.e. Live and Sandbox mode), please confirm that you are using the same API data that you have configured.
Yes, taking all data from live mode of the app.
I am trying to add the paypal gateway to spree, but am a bit confused what the different fields mean: server, login, password, signature. are login/password supposed to be those that i use to login to paypal? what about server and signature?
Found some info here:
http://guides.spreecommerce.com/payment_gateways.html
server can either be "test" or "live". Not sure why they have this here (as well as a tickbox) but thats the rule anyway!
The signature you get from paypal, as an API signature. If your using developer.paypal.com its pretty easy to get one. After logging in just click "API Credentials" on the left.