The site has implemented payment through applePay. The problem is that the payment amount is set in javascript, i.e. can the user open the code and change the amount? How to implement verification on the server?
Apple Pay doesn't actually process the payment. It provides your site with a payment credential that you use to send to a payment processor.
Yes, a user can change the amount in the browser, but it only impacts what that user sees, not what is ultimately charged. The amount in the sheet is for user feedback where you can display a breakdown of the price, etc.
The best way to verify the amount is by doing this on the server side. If your site processes orders, use the items in the order to calculate the total, shipping etc. You should be able to ignore the amount coming from the client altogether.
Related
I am making PayPal payment via redirection to PayPal. This means that payment will take place in the user's browser and get me the details of the payment on the front-side. After the payment happened, I need to store details so for later use, I will know that the user has paid already. As soon as the payment happens on the front-end, I make an API call to my server to store the details of the payment.
Question: What if payment takes place on the front-side and when making an api call to my server after that, it goes to error. I'm left with the scenario that the user hasn't paid for the product, even though he did. What can I do in this situation?
Implement IPN (Instant Payment Notification).
From the documentation:
PDT has a major weakness: it sends order confirmations once and only once. As a result, when PDT sends a confirmation, your site must be running; otherwise, it will never receive the message.
With IPN, in contrast, delivery of order confirmations is virtually
guaranteed since IPN resends a confirmation until your site
acknowledges receipt. For this reason, PayPal recommends that you
implement IPN rather than PDT.
[...]
Note: If your site must be notified of payments immediately, you can implement both IPN and PDT. However, if you do, your site will
receive two order confirmations for each sale. As a result, you must
be careful to take action (say, ship a product) on just one copy of a
given confirmation message.
Instead of IPN, you can also implement Web Hooks which are basically a reworked variant of IPN that uses more modern technologies and a more streamlined interface. See also When to use IPN and when WebHooks in PayPal as a notification mechanism?
I'm developing a simple JavaScript application for an insurance company, where users can calculate their monthly fee on one website and then will be redirected to another website where they can fill their insurance application. The calculator app will run on the websites of multiple resellers, eg www.reseller.com. If a user presses "calculate", an ajax request to www.insurance.com calculates the results and generates a hash as a unique identifier for the calculation and sends it back to www.reseller.com. If the user agrees to the result, he can go to www.insurance.com/order, where he can place the application.
What's the best way to share the calculation hash with both domains without using get parameters?
I've already tried to set the hash value as a cookie in the ajax result on reseller.com, but since the cookie is placed on the same domain, the final order form on insurance.com can't read it.
Is there any way?
I'm doing an Apple Pay WEB integration (using JS) and Braintree as a payment provider.
I need to calculate some taxes (US sales tax) for the order.
Current flow: The user clicks Pay with Apple Pay button, the Apple Pay payment sheet is displayed (we require shipping address containing the postal address,zipcode,name and email).
After that the payment sheet is displayed -> I call the session.onshippingcontactselected function, but at this point I can only get the locality,administrativeArea,postalCode,country and countryCode values from the shippingContact, so I'm not getting the addressLines containing the street name and its number. I need these values as well to accurately calculate my tax.
I know that Apple says in docs that they only provide the full address after the user authorizes the payment, meaning after the payment was done (this is too late for me, cause I need to know the tax amount before the order is being placed/before the user authorizes/pays the order).
Is there a workaround through this?
Full disclosure: I work at Braintree. If you have any further questions, feel free to contact support.
As this information is delivered by Apple directly, there isn't a means by which you could circumvent the redacted shippingContact information provided in the pre-authorized session using Braintree's integration. If you need the full address to calculate tax you'd need to collect that from your customer earlier in the payment process or use a different means to calculate tax using the information provided in the shippingContact object. I'd recommend sending our support team an email to discuss this further.
When a user logs in using PayPal on my website, how can I verify he has paid using the PayPal APIs alone? I don't want to store customer data on my side, as I only need to check with PayPal whether the user has paid in order to grant him access.
Can I use just a JavaScript script client-side to:
authenticate the user with PayPal
check whether his account matches my payment records on PayPal
authorize those who have paid and block those who haven't?
Looking at #2 in your question, I think that you'll have to store some customer data on your website (Username / Password) at the very least.
So, since you already have a database, I would recommend that you at least store a few things regarding payment, such as:
1) Exact date and time of payment
2) If payment was completed successfully
3) (optional) if payment was refunded / cancelled
Paypal is just a way of transferring money, but not a subscription manager. If you don't keep some of the information stored on your end, it could lead to problems like this: Paypal subscriptions IPN - problem with users subscribing multiple times
Thankfully, you don't have to store any sensitive information.
I'm creating a very simple store with literally one product where the user can choose different options and, dependant on the options selected, this will generate the total cost for the item. So for example, if the user selects the red variant, the price will increase by 5%, if the user selects the blue variant then the price will increase by 10%.
Currently I'm making the calculations with jQuery and then passing them to an empty field which is then posted to a payment gateway. Is this method safe? Theoretically, a user could open up Firebug or Chrome Developer Tools and edit the value (to zero) before posting it to the gateway but couldn't this apply to similar methods of product variation calculations? I'm trying to figure out whether or not this is an issue, but is there a better way?
This is definitely an issue, as you said yourself a user can modify the values.
So, you would show a price to the user on the client side, it doesn't matter how the value is generated because it will never be trusted by the server and will never be passed to the payment gateway.
User presses "buy now", is redirected to the payment gateway, but via your own server first. The server should validate the product and calculate the price.
The final price (calculated by your own server) will be shown to the user at point of payment.
On the client side you could either continue to generate the values with JQuery, or have the server return them via an AJAX request. But this would only be for user experience, the values could not be trusted.
If you choose this method, you sholud probably store product configuration (like string represenetaion od JSON or comma delimited field, etc.) in a hidden field, calculate the price (client or server side) and show price only as an information to a customer.
When he submits the configuration, validate it and calcuclate pice again on server.
That way customer could change the configuration (trough Firebug or so), but could not change the price since it is calculated based on a configuration.
Well, that is how i would do it.
After a PayPal payment been proceed, PayPal sends IPN(Instant Payment Notification) message to the url you specify.You have to resend it to verify if the message is original from paypal. After that, to be sure the user payed the right amount of money you get the values from IPN (it may come with user Id. transaction ID and so on...) and check them with your DataBase.
Some useful links:
More about IPN
Paypal Developers Guide
Pyapal IPN
Rule number one in e-commerce website: Never trust Users
So, this is the right process:
After calculations with jQuery and then passing them to an empty field which is then posted to a payment gateway, store the user name/id, transaction, and amount in database. Create method that verify, the stored values with the IPN response from paypal.
If values match, payment succeed. Else, mark it for later hand verification(you should store the id so it is easier to find on paypal).