How do I allow only Paypal to request my notify_url? - paypal

I am using Paypal for payments on my site and when someone successfully completes a purchase Paypal calls the notify_url that I specified and passes it some POST data. From POST I only use item_number and txn_id.
The URL that I am using for the notify_url is a public URL and anyone can visit it. How do I ensure that only Paypal can request this URL and everyone else is blocked?

Allow only POST, and implement the callback validation described in the IPN documentation.

As #EJP mentioned, sending the verification back to PayPal will allow you to validate that the data came from PayPal so that you know it's legitimate, but others could still hit the URL.
If you want to completely block them you could do that through your .htaccess file on your server (assuming you're running Apache) or using your firewall. You'll just need to block all traffic except for PayPal's IPN IP addresses.
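The callback validation both answers refer to, as an added example (not code from the original posts or from PayPal): the listener accepts only POST, sends the received body back to PayPal prefixed with `cmd=_notify-validate`, and acts only on a `VERIFIED` reply carrying a `txn_id` it has not seen before. `handle_ipn`, `fake_paypal` and the sample message are names and data constructed for illustration.

```python
import urllib.parse
import urllib.request

# Live IPN postback endpoint; the sandbox equivalent is ipnpb.sandbox.paypal.com.
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def paypal_postback(raw_body: bytes) -> str:
    """Send the message back to PayPal unchanged, prefixed with cmd=_notify-validate."""
    req = urllib.request.Request(
        PAYPAL_VERIFY_URL,
        data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()


def handle_ipn(method, raw_body, seen_txn_ids, postback=paypal_postback):
    """Return (http_status, item_number or None); fulfil only when an item is returned."""
    if method != "POST":
        return 405, None                      # allow only POST
    if postback(raw_body) != "VERIFIED":      # PayPal answers VERIFIED or INVALID
        return 200, None                      # forged or altered message: ignore it
    fields = urllib.parse.parse_qs(raw_body.decode("utf-8", "replace"))
    txn_id = fields.get("txn_id", [""])[0]
    item_number = fields.get("item_number", [""])[0]
    if not txn_id or not item_number or txn_id in seen_txn_ids:
        return 200, None                      # incomplete, or a replay of an old message
    seen_txn_ids.add(txn_id)                  # use durable storage in a real listener
    return 200, item_number


# Constructed sample message and a stand-in for PayPal so the example runs offline.
SAMPLE = b"txn_id=EXAMPLE123&item_number=42&payment_status=Completed"


def fake_paypal(raw_body: bytes) -> str:
    return "VERIFIED" if raw_body == SAMPLE else "INVALID"
```

The body is posted back as raw bytes because any re-encoding or reordering of the fields makes PayPal answer `INVALID`.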

Related

How to use the paypal payout api return url?

I want to use the payout interface of PayPal. Using curl in sandbox mode has been called. However, I don't know how to use returnUrl, because I need to know whether the payment of PayPal is successful. This should be an asynchronous operation. I filled in the callback address in the location shown in the figure, but I checked the access log and found that no callback was received. Who can help me and how to solve this problem?

The URL you speak of in REST App settings really only applies to things like Connect with PayPal or OpenID integrations, and has nothing to do with Payouts.
To be notified of Payouts status, see the API response of your Payouts request, or register for Webhook events that have to do with Payouts.

Can one fake a paypal payment?

I am updating my PayPal integration from good old NVP to the new Script.
With the old ExpressCheckout, returnURLs were handed over from my backend server through PayPal for success or failure. These URLs could carry a random parameter and thus protect against someone faking the PayPal responses (as I could verify that these responses carry the same parameter as given to PayPal at order creation time from my server).
The current JavaScript from PayPal just calls an onApprove() method and it's up to me to tell this approval to my server.
As there are no returnURLs handed over anymore, there is also no way to protect the callback from being faked. Someone inspecting my (client-side JavaScript) code or observing the traffic from the browser can just handcraft that call and tell my server that PayPal successfully authorized.
Is my reasoning wrong?
Is there any other way to prevent this scenario?

Paypal IPN firing failed even if URL is accessible from internet?

I have set an IPN notification URL in the PayPal website. When I checked the IPN history in my merchant account, it shows the attempt failed. Also, I logged the first line of my notification method. But there is no log for the method trigger.
What might be the possible reason for this?
I also tried checking the URL with the IPN simulator, but it says
"We're sorry, we could not connect to this URL. Please make sure it was entered correctly."
And most annoyingly, PayPal customer support is responding to my ticket very slowly. Please help.

Even if you get through to PayPal technical services, they would tell you the same thing: PayPal can't connect to your listener. I'd recommend checking the listener from outside of your own network environment and making sure it responds with an HTTP 200.

How do you verify that the notification to the Silent Post URL is indeed from PayPal Payflow and not a hacker?

Payflow supports a Silent Post URL, which is a page that will be notified upon completion of a successful transaction (payment, refund, etc...). The Silent Post URL can be configured via the PayPal manager.
Most similar payment systems implement the notion of a "post back" where the receiving software can post back the results to make sure that the transaction information is legitimate and not originating from a hacker. Payflow doesn't appear to support a post back and the Payflow Pro documentation doesn't mention any other way of verifying the transaction data received at the Silent Post URL.

All valid PayPal notifications originate from 173.0.81.65. Simply ignore any notifications that don't come from this IP.
The answer is hidden away in the depths of the PayPal knowledge base: https://ppmts.custhelp.com/app/answers/detail/a_id/445. More information can also be found at https://ppmts.custhelp.com/app/answers/detail/a_id/883/kw/payflow%20ip%20address

I have chosen a different approach, by passing an authentication token within my request to PayPal, which I validate after receiving the POST request.
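The two checks from the answers above combined, as an added example (not code from the original posts or from PayPal): the notification must arrive from the address quoted in the first answer and must echo back a token the merchant generated for that order. Using an HMAC as the token, the form field names `order_id`, `amount` and `token`, and the assumption that Payflow echoes the token back in the Silent Post are all choices made for this illustration.

```python
import hashlib
import hmac
import ipaddress

PAYFLOW_SOURCE = ipaddress.ip_address("173.0.81.65")   # address quoted in the answer above
SECRET = b"constructed-demo-secret"                    # placeholder; load from secure config


def make_token(order_id: str, amount: str) -> str:
    """Token sent along with the payment request; binds the order id to the amount."""
    msg = f"{order_id}|{amount}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def accept_silent_post(remote_addr: str, form: dict) -> bool:
    """Accept only if the source address and the echoed token both match.

    remote_addr must be the TCP peer address seen by the server, not a
    client-supplied header such as X-Forwarded-For.
    """
    try:
        if ipaddress.ip_address(remote_addr) != PAYFLOW_SOURCE:
            return False
    except ValueError:
        return False                                   # malformed address
    expected = make_token(form.get("order_id", ""), form.get("amount", ""))
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(expected.encode(), form.get("token", "").encode())


# Constructed sample notification (hypothetical field names).
SAMPLE_FORM = {"order_id": "1001", "amount": "19.99"}
SAMPLE_FORM["token"] = make_token("1001", "19.99")
```

Because the token covers the amount, a notification replayed with a different amount fails the check even when it arrives from the expected address.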

PayPal: How do you get notifications of payment through the permissions API?

Using the PayPal permissions API can you receive notifications from payments made after a customer clicks on a payment button, proceeds to PayPal, and then pays?
I notice they have IPN, but will this work with the permissions API?
Thanks!

You can include NotifyURL in your API requests to set a URL for IPN to POST data to. It's not something that technically "works with the permissions API" but any transaction that is made would indeed trigger the IPN.
If you're building an app for 3rd parties to use, though, and you're passing NotifyURL in your API requests, that will override any IPN configuration each individual merchant using your tool might have set up on their own. This can cause frustration for such users because then their own IPN solution doesn't get hit when they take payments through your app.
If you're going to do that I recommend setting up a way for your users to enter their own IPN URL in your app settings, and then if they have a value, forward the POSTed data to their URL when PayPal sends it to yours. That way both IPN scripts will get hit and process the data accordingly.