Open moonshineBoy opened 6 years ago
Hey @moonshineBoy,
Sorry for the late response. I definitely agree with you. Someone with the right skills can maliciously call payment_completed_cb
to change the order status or charge the account balance.
But I don't think ensuring security is within PayPal's or even this component's scope.
If you have access to your own API, I think a sufficient solution would be to send just the PayPal payment_id (which is available from the callback) and have your API contact PayPal's API directly to confirm and/or retrieve the payment details, before making any changes to the order status or the account balance.
I hope that makes sense. If you have any questions feel free to ask me :)
Cheers!
Thanks for your response, @khoanguyen96. Can you explain more about "have your API contact PayPal's API directly to confirm and/or retrieve the payment details"? What's the specific method?
Hi @moonshineBoy, I agree with @khoanguyen96, and since you have the callback and get the payment ID from it, you can pass that to your API and use the PayPal SDKs to get the payment details instead of taking them from the callback. That way we make sure the data is correct and accurate based on the PayPal server integration, like so in PHP syntax:
// PayPal REST PHP SDK classes used below (put the use statements at the top of the file).
use PayPal\Auth\OAuthTokenCredential;
use PayPal\Rest\ApiContext;
use PayPal\Api\Payment;

// Inside your API controller class: fetch the payment from PayPal by ID,
// so the details come from PayPal's server rather than from the browser callback.
public function getPaymentDetails($paymentID) {
    $apiContext = new ApiContext(new OAuthTokenCredential('client_id', 'secret_key'));
    $payment = Payment::get($paymentID, $apiContext);
    return $payment;
}
Make an order comparison in webhook
I use the vue-paypal-checkout component for payment, and in the payment_completed_cb I will request an API to change the order status or change the account balance. But I have a question: if some customer is evil with technology, he could call the payment_completed_cb directly, without going through the PayPal payment.