3D S Payment callback issue - javascript

I'm working on a payment system with React-Native. I want to do research on how to apply 3D payment methods. I want to listen to an event happening on my server on the client side. actually i only need this for the following reason. I feel there is something I got wrong here.
3D Secure Steps
I send the product to be purchased to a service named iyzico with
credit card information.
If the information entered is correct, it gives me an answer as below.
There is a special field here and I need to decrypto it and show it to the user.
In fact, this crypoto information contains an html page.
By decoding this code, I show the user an html page.
The password sent to the user's phone via SMS is entered on that
screen and presses the confirmation button.
The part I don't understand starts here. The person is in a true asynchronous. I want to callback. Because he can enter or cancel the password sent by SMS whenever he wants.
I'm not wondering how the process turned out. How will we inform the client application only in this case?
Should we use push notifications or other push services for this?
The client has to get information about this process. According to the information he receives, I would like to suggest that your payment is successful or your balance is insufficient.
I know that I should avoid making circular calls.
In short, how should I listen to the client for an event that will take place on my server? Which would be the best method?
I am working on React-native and I do not want to include push services in the application just for this. It is costly for me to this. I believe it is a more beautiful solution.
What do you think about this subject?
Thanks.

You either need push notifications or long polling. https://ably.com/blog/websockets-vs-long-polling

Related

Firebase Authentication via "Magic-Link"

I want to send notification mails to users of my community platform coded with react and firebase. I was wondering is there is a way to authenticate the user via a magic link which is contained in his or her personal notification mails.
E.g. You've got 5 new comments on your post click HERE to read them
Clicking "here" should redirect the user to the page and automatically authenticate him without having to enter their individual passwords or usernames.
Due to the cancelation of the privacy shield framework and Schrems II, you might no longer be able to store customer details in the GCP.
A solution for it can be pseudonymization.
I am running an open-source project that can help you with that.
Check out the following article for more information:
https://databunker.org/use-case/schrems-ii-compliance/
I think your question can be divided into 2 different questions.
1. How do I send notification mails to my community platform?
I have never used notification mails in Firebase, I usually use google's SMTP server directly and send a request to the server to send an email on behalf of me. So, in your case, I would search up the library on your tech stack (for me it was Go's gomail), then you can use Google's SMTP server (host:smtp.gmail.com, port:587).
2. How do I make a link that automatically authenticate your users whenever they click the link?
I feel like this is the harder question. I think you need to consider a few things:
Your links need to be short lived. Why? to prevent unauthorized brute force login attempt (this also depends on the structure of your link). However, best practices suggests that links should be short lived (less than 24 hours).
Given that links are short lived, this depends on whether the user checked their email frequently for notification from you! There's a pretty good chance that they will miss that email in the 24 hour window.
I'm pretty much against sending time sensitive notification like that through emails. But if it is something that you still want to do, it is pretty easy to create the link, the simplest way I did it was:
Generate a random uuid for a link.
Associate it to the user who will login with the link. You should save this association in a persistent data storage.
Create an endpoint for magic link, for example /magic/:link_id that takes link_id then checks what user should be logged in.
Voila! You got yourself a magic link!
Finally, you can send the link through email like the first part of the problem!

How can I equip my site with a "vetting" form?

I want to set up a page within my site that contains a form for a prospective client to fill.
I would then manually inspect the form's results to ensure the prospect is qualified, and then send them a temporary link to another page that expires in a few hours, or perhaps after one click.
Any advice that can help me towards this goal would result in me thinking you were very cool.
Thanks!!
ms
This would be done server side. The general flow would be that you would submit the html form to the server. Place the data from the form into a server side database. Send an email to the site admin, notifying them that an entry has been made. Then build a control panel where they can view entries and approve them. This would then send an email to the form submitter, grant them access etc.
It may be an easier better approach to use a form service that does most of this for you.
Take a look at:
https://www.formstack.com
If you want to code it your self. You could use a framework such as:
https://firebase.google.com/ (Js)
or
https://github.com/expressjs/express (Node js)

How avoid multiple POST as complete request information comes in network tab of browsers

We have a form, if a person fills that form, we are hitting POST API.
When user submits the form, complete INFO of API (request url, headers) is visible, I was thinking if someone starts hitting this POST API through server side code, our tables would be filled with junk values?
How can we avoid this bulk data entering the system through API being directly hit by C# client, POSTMAN or any other server side clients?
That's a really open ended question, but I don't think there's a way to do exactly what you ask (detect with certainty if a request originates from a browser or not), nor should you if it were possible - users may have a legitimate reason to use something other than a browser, or someone might want to integrate your API into a larger process, etc.
You should handle this via authentication - require the user to be authenticated with your API, then if they misbehave you can disable their user accounts (either manually or automatically with some sort of abuse detection).
There are times when authentication is not possible or desirable for a web form. At those times a I have used a key generated on the server that I embed in the form.
The form sends back the key along with the rest of the data and you can then make any decisions you need to make based on the key. Like limiting the rate of submissions, allowing only one submission and then expiring the key, etc...
Use a captcha: a challenge is presented to the user to prove being a human, usually an image that contains some garbled text is shown to the person filling the form and (s)he is required to transcribe the text content of the image in the form. If the captcha solution is wrong or missing that POST request to the API will be discarded.
Many types of challenges are commonly used such as audio/visual/logic/mini-puzzles. You can also customize your challenge in a way that fits best with your form. For example Google provides ReCaptcha, a captcha service with js and server api.
This helps you prevent or mitigate bots, as the captcha is a challenge that is very hard for computers but easy for humans.
Using one-time captcha tokens also prevents the replay attacks you are worried about. Also, checking that the ip that received the challenge and the ip resolving it are same helps mitigate other tricks.
This still leaves room for a determined human to spam your form. So you should also keep track of the number of submissions and throttle them by ip.

stripe checkout form and server validation

I´m a Stripe beginner and I integrated the (really nice) Stripe checkout form into my Ionic App. Everything is working, the fields get validated and the I get the token and data in the callback.
I have more of an general question:
When everything is validated and the credit card token is generated, the button changes to green and the form closes.
But that does not mean that the payment was successful.
Depending on a one-time or recurring payment, I need to send the data to my server, create a customer/charge/plan/subscription and there something can go wrong.
But in the end the user thinks everything is fine.
I saw that other people are sending mails if something goes wrong.
What`s the best way to handle such an error?
I got this answer from the Stripe support:
tl;dr
We have to add our own server validation or send an email to the user. I will implement a spinner after the checkout and if the server says OK then redirect the user. Also sending a mail is an option.
Hey there,
Thanks for reaching out to us, I'm happy to help you with this!
When you create a one-time charge or a subscription with Stripe in
your backend, the payment is attempted synchronously, so you could
simply create code to handle exceptions in your backend and inform the
user that their charge failed. You could use this code to send an
email or simply display an error message on the resulting page.
There's an outline of this in our API docs here.
https://stripe.com/docs/api#errors
You can also use webhooks to inform your application of certain events
(such as failed or successful payments) and trigger actions such as
sending emails. More on this here:
https://stripe.com/docs/webhooks
https://stripe.com/docs/api#event_types
https://github.com/boucher/stripe-webhook-mailer
Stripe does not receive any information from you if the token is
created but not processed on your backend, so in this case I'd offer a
customer support email and if a customer writes in, ask them to enter
their card details again through your app and make any adjustments to
your integration to ensure you are charging the token after creation.
I hope this helps and please let me know if you have any other
questions!
All the best

Collecting data from how visitors interact (client-side) with a javascripted form

I'm doing educational research about how students use a web quiz as a study tool. I've set up a web quiz that shows photos of plants and asks students to type in the correct scientific name.
http://www.plantsciences.ucdavis.edu/courses/enh6/quiz/quiz_sn.html
Using something like Google Analytics I can see the number of photos students look at (because each new photo involves a request from the server). But I'd also like to know how many times students type in a correct answer and how many times they type in a wrong answer. The form is all checked client-side using javascript, so giving a right or wrong answer doesn't start any communication with the server.
Is there a way to collect this data using cookies or something? Or can I have the form request a certain single-pixel gif with each right or wrong answer, so the server can record what's happening? Or do I need to reprogram everything and have the form get processed on the server to collect this data?
If you only want to record correct/incorrect answers, the simplest thing to do from what you've already got would be to expose an API on your server where you can send the information you want to store. Then, you can make an AJAX request to it after receiving an answer and your client side application will be nicely decoupled from the server side storage.
At this stage though, your application won't know if an error occurs on the server side of things. This may be what you want to happen if such errors shouldn't affect your application's primary behavior, but you may wish to respond with a success/error (most likely using JSON) to allow your application to react accordingly.

Categories