cocoastorm / vue-paypal-checkout

A simple Vue.js wrapper component for paypal-checkout
MIT License

How can vue-paypal-checkout ensure the security? #39

Open moonshineBoy opened 6 years ago

moonshineBoy commented 6 years ago

I use vue-paypal-checkout for payment.

<PayPal
    :amount="amount"
    currency="USD"
    :client="credentials"
    :env="paypal_env"

    @payment-authorized="payment_authorized_cb"
    @payment-completed="payment_completed_cb"
    @payment-cancelled="payment_cancelled_cb"

    :items="pay_items"
  >

  </PayPal>

and in the payment_completed_cb I will call an API to change the order status or change the account balance.

But I have a question: if one of the customers is technically malicious, he could call payment_completed_cb directly, without going through the PayPal payment.

cocoastorm commented 6 years ago

Hey @moonshineBoy,

Sorry for the late response. I definitely agree with you. Someone with the right skills can maliciously call payment_completed_cb to change the order status or charge the account balance.

But for ensuring security I don't think it's under PayPal's or even this component's scope.

If you have access to your own API, I think a sufficient solution would be to send just the PayPal payment_id (which is available from the callback) and have your API contact PayPal's API directly to confirm and/or retrieve the payment details, before making any changes to the order status or the account balance.

Cheers!

I hope that makes sense. If you have any questions feel free to ask me :)

moonshineBoy commented 6 years ago

Thanks for your response, @khoanguyen96. Can you explain more about "have your API contact PayPal's API directly to confirm and/or retrieve the payment details"? What's the specific method?

renztoygwapo commented 5 years ago

Hi @moonshineBoy, I agree with @khoanguyen96. Since you have the callback and you get the payment ID, you can pass that to your API and use the PayPal SDK to get the payment details instead of using the data from the callback. That way we make sure that the data is correct and accurate, based on the PayPal server integration, like so in PHP syntax:

use PayPal\Auth\OAuthTokenCredential;
use PayPal\Rest\ApiContext;
use PayPal\Api\Payment;

// Look the payment up on PayPal's servers instead of trusting the browser callback.
public function getPaymentDetails ($paymentID) {
    // Client id and secret live in the server-side config, never in the Vue app.
    $apiContext = new ApiContext(new OAuthTokenCredential('client_id', 'secret_key'));
    // Fetches the Payment object for this id directly from PayPal's REST API.
    $payment = Payment::get($paymentID, $apiContext);
    return $payment;
}
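As an added example, not code from this thread or from vue-paypal-checkout, here is the comparison step that both the reply above and the PHP lookup lead to, written for a Node.js API: the endpoint receives the payment id from payment_completed_cb, fetches the payment from PayPal on the server, and checks state, amount and currency against the stored order before marking it paid. The payment object shape (state, transactions[0].amount) follows the PayPal REST v1 Payment object; lookupPayment is a hypothetical injected function standing in for the SDK call, and the order and payment values are constructed samples.

```javascript
// Added example: server-side verification of a PayPal payment before an order is
// marked paid. Assumes the PayPal REST v1 Payment shape (state, transactions[0].amount).

// Constructed sample: the order our database says the customer is paying for.
const ORDER = { id: 'order-1001', total: '25.00', currency: 'USD', status: 'pending' };

// Constructed sample: what PayPal returned when the server looked the payment id up.
// In production this comes from PayPal's API (e.g. Payment::get), never from the browser.
const PAYMENT_FROM_PAYPAL = {
  id: 'PAY-EXAMPLE',
  state: 'approved',
  transactions: [{ amount: { total: '25.00', currency: 'USD' } }],
};

// Compare the server-fetched payment against the stored order.
// Returns { ok: true } or { ok: false, reason } so the caller can log why it was refused.
function verifyPayment(order, payment) {
  if (!payment || payment.state !== 'approved') {
    return { ok: false, reason: 'payment not approved' };
  }
  const tx = Array.isArray(payment.transactions) ? payment.transactions[0] : undefined;
  if (!tx || !tx.amount) return { ok: false, reason: 'no transaction amount' };
  if (tx.amount.currency !== order.currency) return { ok: false, reason: 'currency mismatch' };
  // Compare in minor units so '25.00' and '25.0' are treated as equal.
  if (Math.round(Number(tx.amount.total) * 100) !== Math.round(Number(order.total) * 100)) {
    return { ok: false, reason: 'amount mismatch' };
  }
  // Replay guard: the same payment id must not settle an order twice.
  if (order.status !== 'pending') return { ok: false, reason: 'order already processed' };
  return { ok: true };
}

// What the API endpoint does with the id sent by payment_completed_cb.
// lookupPayment is a hypothetical function that calls PayPal; it is injected
// here so the example runs offline.
function settleOrder(order, paymentId, lookupPayment) {
  const payment = lookupPayment(paymentId);
  if (payment && payment.id !== paymentId) {
    return { ok: false, reason: 'payment id mismatch' };
  }
  const result = verifyPayment(order, payment);
  if (result.ok) order.status = 'paid';
  return result;
}
```

Only the payment id crosses the trust boundary from the browser; everything the order status depends on is read back from PayPal on the server.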

kslr commented 5 years ago

Make an order comparison in the webhook.