Difference between Omnipay and Payum - paypal

I was looking for a payment solution for my web-app. I saw that there are APIs like stripe (for credit cards) or PayPal plugins that can deal with certain paying methods.
Then I saw that there are libaries that can deal with all sorts of paying methods like Payum (https://github.com/Payum/Payum) or Omnipay (https://github.com/thephpleague/omnipay).
If I understood it correctly they are both the same type of library: They both process payments of various methods in a standardised way. However I did'nt find any comparison between the two, but solutions to how Payum can include OmniPay. So I got confused. Thus my question:
Does Omnipay cover the same purposes as Payum. If yes, which one has what advantages. If no, what parts of the paying process are they exactly implementing.

Payum vs Omnipay
The short answer is Payum provides same functionality as Omnipay plus some extra features.
Payum works best when you combine a payment model with a convert action. The model must not be only a Payum’s one, I encourage you to use your own or one from a ecommerce platform. The idea is simple: you send a request to Payum to capture your model. In the action you convert the payment model to a gateway specific format, most probably an array. The beauty of this approach is that your code is never changed, and looks like this:
$gateway->execute(new Capture($payment));
All gateway’s differences are hidden inside a gateway. Of course Payum supports a gateway specific format, or a Payum’s Payment model as well. In case of Omnipay you cannot simply replace a stripe gateway to a paypal one, because they behave differently and what is more important they require different data. Stripe require a credit card to be provided where Paypal does not care about it but instead wants return and cancel urls to be set. You have to reflect these differences in your code, is this abstraction? By the way Payum generate cancel and return urls for you and they are secure ones (we talk about it later).
Sometimes you have to get more details about the payment transaction, or a payer, or more info about an error. Payum provides you access to all data that takes part in a communication between your code and a payment gateway. The data format is a payment specific, so if you familiar with Paypal protocol (for example) it would be easy for you to understand what is going on there. Another good example is Klarna Checkout. It returns shipping\billing addresses, gender and date of birth. With Payum you can easily get these out of payment and use for your needs.
Payum gives you a better status handling. Omnipay provides only two statuses success and failed, but it is not enough. For example Paypal sometimes returns pending status because of multi currency issue. In this case omnipay says the payment has failed, but in fact it is not. Or user can cancel the payment at Paypal side, Omnipay will tell you it failed but it is not really true. If you need a status which is not provided by Payum by default, you can easily add it. Do you already have payment statuses, maybe your ecommerce platform provide them and you want to reuse, no problem Payum could be adjust to use them.
Sometimes users want to cheat on you or pay less for the stuff. As a developer you have to think about it and take care of your data. What do you expose to a user? Could it be used the wrong way? You can not rely on an amount given in the url, until you validate it. For example Paypal sends you a push notification to the notify url you previously sent to them. Payum generates for you such an url and when the notification comes back it validates it. You get unique, secured urls out of the box. The payment internally associated with that url, and once you remove\invalidate the url user not able to access the payment behind it. Omnipay does not provide anything to help you solve security issues. There is one good side effect with these secured urls. The secured urls invalidated\deleted once they not needed. This is good, for example user clicks “Back” button in a browser. He would not be able to do a second payment because the purchase url no longer exists, instead he will see a 404 error.
It is not a good practice to store credit cards at your side, isn’t it? There is no excuse for storing it accidentally, or just for few seconds. Payum has a sensitive value object which ensure that nothing is saved accidentally. You still able to store it, but while doing so you are on your own.
Omnipay supports only gateways, that do a redirect to gateway side or require a credit card. But there are bunch of other gateways, and they act differently. For example Klarna Checkout require a snippet (iframe) to be rendered, Stripe.Js requires their javascript to be executed on a purchase page. Stripe Checkout renders its own popup. Payum supports them all, and as we talked at the beginning you can switch from one gateway to another without changes in your code. Payum does not natively supports a gateway you need? I do not think reimplementing every gateway in house is a good idea. That’s why a bridge for Omnipay gateways exists. It allows you to use Omnipay gateways the Payum way.
Payum tries to standardise the payment flow. There are three steps prepare, capture\authorise and done. The first one is called “prepare” and at this step you have to prepare the payment, calculate total prices, taxes, get user or shipping information and so on. Once you are done you can redirect user to a capture\authorise step, From here user could be redirected to a gateway side or asked for a credit card, or something else. It depends on what gateway you chose. At “done” step you have to get the payment status and act according to it. Omnipay only partly solves this task.
With a gateway factories you can easily overwrite\replace any parts of the gateway functionally, or add a custom actions, extensions or apis.
Payum has official extensions for most modern frameworks such as Symfony. Laravel, Silex, Yii, Zend.
At the end lets compare the corner stone interfaces from Payum and Omnipay.
Payum GatewayInterface vs Omnipay GatewayInterface
Payum GatewayFactoryInterface vs Omnipay GatewayFactory ups there is not an interface.
Disclaimer: I am the author of Payum

Related

PayPal client restriction by country

Currently we use WHMCS PayPal payment gateway module but looking forward to develop our own module if we could solve our case.
The case is that we need to have a possibility to restrict clients to make payment from some specific country or countries. In standard payment way PayPal do not provide any payer details take a decision on our server side and not forward client to PayPal to complete the payment if it necessary.
Have anyone experience on solving this case? While after reviewing PayPal API do not found (or missed) the possible solution.
I'd prefer to comment on this, but the char[] is too long. strcpy is always an interesting problem.
You could scrape some site like https://ip-lookup.net/ or ARIN itself by execing curl or using a HTTP library like POCO or libcurl.
There may be some library out there that performs the lookup, you'd find that with Google. It will probably be based on IP in any event.

What is PayPal API for when accepting payments in my website thru a button? Do I need to use API?

I'm in the process of developing a feature to accept payments in my website, and I already did it using a paypal button and IPN (a PHP listener to process data to a DB once the payment is completed, this one actually https://github.com/paypal/ipn-code-samples/blob/master/paypal_ipn.php, properly customized).
I never touched PayPal API and I wonder if I am missing something... I'm kind of new to this kind of development and I want to be sure I'm doing it right and not missing any obvious thing which might compromise the security of the payment or whatever... I already tested things in Sandbox and everything works as expected, but I am concerned about the API and I see many people using it...
So, am I missing anything?
Thanks!
What you've done is accurate and will work just fine so long as it's suiting your needs.
One potential security risk would be if you are not using a hosted button. Did you choose to "Save this button at PayPal" when you created the button? If so, you should see a hosted_button_id included in the HTML for the button. In this case it's protected.
If the button code includes individual parameters for things like item_name, amount, etc. then that code could be adjusted by people in their browser and then the button could be submitted with different pricing, for example.
You could check for this sort of thing in your IPN script and setup an automatic refund if the price doesn't match your database, but I generally try to avoid that sort of thing.
I prefer using the Express Checkout API instead. If you were comfortable getting IPN working with PHP then you should be plenty comfortable using this PayPal PHP SDK to integrate Express Checkout.
The three calls you'll need to work with are SetExpressCheckout, GetExpressCheckoutDetails, and DoExpressCheckoutPayment.
This documentation will cover the general steps and where those calls come into play, and that library will make each of those calls very simple for you.
Express Checkout will eliminate any potential adjustments users could make to code (because they won't be able get to the code at all unlike HTML) and it also has more advanced features and options that PayPal Standard does not have. Most importantly, the ability to force the "guest checkout" experience so that non-PayPal account holders can easily checkout using a credit card without any confusion.
They can do it with PayPal Standard, too, but depending on cookies set in their browser it may make the guest checkout option tough to find. Express Checkout makes it very prominent at all times, and generally results in increased checkout conversion rates.

Best practice for integrating a single PayPal subscription?

I'm new to PayPal and overwhelmed by all the possible approaches for integrating with PayPal.
As a start I want to implement one single subscription with monthly recurring payment. When the user returns to the site after fulfilling the payment, he/she will instantly be upgraded to "premium" member (digital product only - no shipping involved).
The first alternative I've looked into is the Express Checkout API, which looks ok, but is there any simpler way to do it?
Can I for example create a standard button (JS button or the form based), but still be able to verify the payment details when the user returns, using either the REST API, IPN or something else?
Any hints on best practices are appreciated.
Yes, there are entirely too many ways to solve this problem by now.
You can probably satisfy your requirements via buttons (aka Standard), Express Checkout (aka Pro) style APIs, or RESTful APIs, but there are a few gotchas to know:
First, PayPal has several products to do recurring payments; these products have functional differences and are tied to different integration styles. So (for example) PayPal's product called "subscriptions" (tied to Website Standard aka buttons) has different (and generally less flexible) capabilities than "recurring payments" (tied to Express Checkout) which in turn differs from "billing agreements" (tied to REST APIs, although the term "billing agreements" is also used in the express checkout recurring payments product). Oh, and there's another similar product tied to the Adaptive Payments suite of APIs.
Confused yet? Sorry. But it is important to determine whether the specific product you want to use will satisfy your requirements first before you do any integration, or you might end up redoing that integration work later (and potentially have to migrate customers, if you have already opened your business) in order to get access to specific features of another product later on. E.g., the subscriptions product has very limited ability for sellers to modify the subscriptions after they are set up. If that is OK, then great, use it -- it's simple to integrate. If I can oversimplify a bit: the Standard subscriptions product is the oldest and most limited; the Pro recurring payments is more flexible and mature; the REST billing agreement product is the newest, very flexible, but not yet as widely used; it may lack a feature you need today, but is the most likely to be continually improved going forward. I would not personally recommend the Adaptive product, although it also has its benefits.
Now, to your integration question: fortunately all these PayPal products can use IPNs. Unfortunately, IPNs are not instant. They generally arrive quickly (1-2 seconds) but delays can happen and it is quite awkward to be unable to process the customer. I would use IPNs only when shipping physical goods, not for immediate access to digital goods or in other cases where customers are waiting for a page from you. Fortunately, each of the other methods has a way to instantly determine the success of a PayPal action without waiting for an IPN:
Website Standard Payments will include GET or POST variables when it posts the user back to your site that will tell you about the outcome. If you use the Payment Data Transfer feature, these variables will include signature information so that you can post them back to PayPal & PayPal will verify their validity (so that a would-be thief could not fool you by engineering a post that looks like a PayPal success redirect).
The two API-based methods are even easier: the APIs themselves return all the information you need in the API response. So wherever in your code you make the call to create the subscription/agreement, if you get back a success then do your work to make your user premium.
There is the odd case of a user successfully paying and then getting "lost", as it were, e.g. the redirect failing/browser closing before they return to your site, or your site choking while trying to turn on the user. For this reason many people advise using IPNs, which PayPal will attempt to redeliver until you verify them back to PayPal. Not a bad idea, depending.
And of course you can call search & get details type APIs to get information about your transactions & agreements at PayPal -- although again, you will need to integrate with the right API that matches the product you are integrated with (e.g. Standard-based subscriptions won't show up if you ask the REST interface for billing agreements).
Hope this helps.

Sending information using paypal API without creating a complete payment

Is there a way to use the paypal API to send basic details of a payment without actually creating the payment itself? What I mean is, I'm working with a non profit organization that does not currently employ SSL. They want to use paypal to accept donations, but they want their own branded form on their page, they don't want to use the simple donate button. I had thought I might be able to send basic details, such as name and address along with the amount they wish to donate and a few other details using the paypal API, and then have the actual payment information processed on paypal's secure servers. All the examples I can find on how to use their API however are creating complete payments and sending them to Paypal, something I'm not able to do for obvious reasons. Short of employing SSL, something that we should probably do anyways, and capturing a complete payment, is there a way of sending just select information over the API and handling the rest on paypal's end?
If you want to control the form itself you don't have any choice but to go SSL. Any other route would require sending the user to PayPal, where you would no longer have that control.

Is it possible to automate payments through someone else's gateway?

Suppose some online retailer uses XYZ Bank's payment gateway. Is it possible to do the job of filling in card details and proceeding through the entire process using a script? If yes, is it legal?
Update:
To make the question more clear, I'll give a scenario.
Suppose the retailer we're talking about is Amazon, and I wan to use a card/netbanking (not PayPal). I want to be able to place an order on Amazon using a script which does the job of filling my cart and making the payment. Say the cart thing has been taken care of. How do I automate the payment process now? If it's allowed that is. Card details etc will not of some user, but my own, so no security issues with that I suppose.
The payment API would usually support something like this. For example, if we look at Paypal's direct payment api, they provide secure means for you to pass credit card numbers, etc to Paypal to process the payment.
If you are thinking to do this to process recurring payments, then you are doing it the wrong way. You should never store any credit card details unless you are PCI-DSS compliant. This takes a lot of work and auditing, so it is somewhat rare for small and medium companies to do it. For recurring payments, store the credit card numbers with your payment gateway (most should provide a means to do this) and the gateway should return a token to store. Every time you want to charge the card, simply pass the token to your gateway.
Given the new information:
What you are trying to do is to automate the browser (that's the best way to do it). You could write a script that connects to Amazon, loads the page, fills in the POST variable, send it back, get results and so on, but it is not very robust. For example, if amazon changes the name of a few post variables or even the markup, then your script would fail.
The best way to do this is to use a Browser Automation framework. Selenium is prbably the most popular and most well known. It is often used to automate testing user interfaces, but it is also useful for doing something like you are suggesting. You can use Selenium IDE which is a Firefox addon to quickly reproduce and replay recorded actions. For something more advanced and highly scriptable, try Selenium WebDriver.
As for whether this is legal or not, I don't see why it shouldn't be legal if you are using your own credit cards and what not.
If you are using your own credit card details it's at your own risk so very minimal legel issues. But it's always a good idea to store & transmit(SSL) card details encrypted for some peace of mind. But if it's for wider public you will need to look into PCI guidelines and matching class requirements.