coinbase / coinbase-commerce-node

Coinbase Commerce Node
MIT License

custom webhook URL/recipient ID when creating a checkout object to ensure good deliveries on payment platforms #58

Open quiquelhappy opened 2 years ago

quiquelhappy commented 2 years ago

Hello, as of right now, it is completely unsafe for payment platforms to trust merchants on payment platforms using just the API key as the authentication method with the current features.

Imagine the next situation:

This could be easily solved by being able to specify a forced webhook URL upon the creation of a checkout, such as:

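// Library setup; 'API_KEY' is a placeholder.
const coinbase = require('coinbase-commerce-node');
coinbase.Client.init('API_KEY');
const Checkout = coinbase.resources.Checkout;

Checkout.create({
    'description': 'Mastering the Transition to the Information Age',
    'local_price': {
        'amount': '1.00',
        'currency': 'USD'
    },
    'name': 'test item 15 edited',
    'pricing_type': 'fixed_price',
    'requested_info': ['email'],
    // Field proposed in this issue: webhook URL forced per checkout.
    'notification_url': 'https://webhook.api.shopify.com/coinbase',
}, function (error, response) {
    // handle the error or the created checkout here
});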

Note the notification_url field: this is the webhook URL that will receive all events regarding this checkout object. The platform can then be sure that the webhook will be delivered to their endpoint, without having to use the API key to periodically check on the checkout status, which translates into unnecessarily high API usage that could be simplified by using webhooks.


Additionally, trusting the user input for an API key can lead to unexpected results when generating objects, and doesn't make it compliant with 'know your customer' EU regulations. A way of creating an OAuth token with a login screen would allow using standard OAuth endpoints such as /me to get merchant data.

As far as I'm aware this feature isn't planned on Coinbase Commerce, but it is available on Coinbase. Therefore, a platform could use their API key and just specify the Coinbase account where the funds should be redirected, such as:

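// Library setup; 'API_KEY' is a placeholder.
const coinbase = require('coinbase-commerce-node');
coinbase.Client.init('API_KEY');
const Checkout = coinbase.resources.Checkout;

Checkout.create({
    'description': 'Mastering the Transition to the Information Age',
    'local_price': {
        'amount': '1.00',
        'currency': 'USD'
    },
    'name': 'test item 15 edited',
    'pricing_type': 'fixed_price',
    'requested_info': ['email'],
    // Field proposed in this issue: Coinbase account that receives the funds.
    'recipient': 'coinbase_account_id_of_merchant',
}, function (error, response) {
    // handle the error or the created checkout here
});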

(note the recipient field)


Either of the two mentioned feature requests (which are security critical, since this is an actual issue on all platform integrations as of 23-3-2022 that can lead to customers not receiving goods) would greatly improve the Coinbase Commerce platform. We think the second option (recipient Coinbase account) would be best, since it would make it regulation-compliant (the current OAuth implementation on Coinbase is already know-your-customer friendly) and would ensure payment notifications are delivered; the only drawback is that the API key usage threshold should be recipient-independent or considerably higher.


Since we consider this to be a critical security issue for buyers, we reported this to the team at Coinbase a month ago, but we didn't get any reply on the multiple communication channels we used, which is why we are making it public here. We are afraid we will have to drop Coinbase support and offer just BitPay if this doesn't get resolved/planned soon.
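The polling fallback that the post above says platforms are left with, sketched as an added example (not part of the original post and not code from coinbase-commerce-node): orders whose webhook never arrived are re-checked with exponential backoff, bounded by a per-merchant call budget. Every name, field and timing here is hypothetical, and the sample orders are constructed.

```javascript
// Added example. All names, fields and timings are hypothetical.
const MIN = 60 * 1000;
const BASE_DELAY_MS = 1 * MIN;   // first poll one minute after creation
const MAX_DELAY_MS = 15 * MIN;   // cap for the exponential backoff
const EXPIRY_MS = 60 * MIN;      // assumed lifetime of an unpaid order

// Delay before poll number `attempt` (0-based), doubling up to the cap.
function backoffDelay(attempt) {
  return Math.min(BASE_DELAY_MS * 2 ** attempt, MAX_DELAY_MS);
}

// orders: [{ id, merchantId, createdAt, lastPollAt, attempts, webhookSeen }]
// budget: Map of merchantId -> status calls still allowed on that merchant's key
function planPolls(orders, now, budget) {
  const plan = { poll: [], deferred: [], expire: [] };
  for (const o of orders) {
    if (o.webhookSeen) continue;                 // event arrived, no API call needed
    if (now - o.createdAt >= EXPIRY_MS) {        // stop polling, flag for review
      plan.expire.push(o.id);
      continue;
    }
    const since = o.lastPollAt ?? o.createdAt;
    if (now - since < backoffDelay(o.attempts)) continue;  // not due yet
    const left = budget.get(o.merchantId) ?? 0;
    if (left <= 0) {                             // key's quota is spent: retry later
      plan.deferred.push(o.id);
      continue;
    }
    budget.set(o.merchantId, left - 1);
    plan.poll.push(o.id);
  }
  return plan;
}

// Constructed sample: five orders across two merchants.
function demo() {
  const now = 100 * MIN;
  const orders = [
    { id: 'A', merchantId: 'm1', createdAt: now - 3 * MIN, lastPollAt: null, attempts: 0, webhookSeen: true },
    { id: 'B', merchantId: 'm1', createdAt: now - 2 * MIN, lastPollAt: null, attempts: 0, webhookSeen: false },
    { id: 'C', merchantId: 'm1', createdAt: now - 5 * MIN, lastPollAt: now - 1 * MIN, attempts: 1, webhookSeen: false },
    { id: 'D', merchantId: 'm1', createdAt: now - 10 * MIN, lastPollAt: now - 5 * MIN, attempts: 2, webhookSeen: false },
    { id: 'E', merchantId: 'm2', createdAt: now - 61 * MIN, lastPollAt: now - 9 * MIN, attempts: 5, webhookSeen: false },
  ];
  return planPolls(orders, now, new Map([['m1', 1], ['m2', 5]]));
}

console.log(demo());
```

Order D is due but deferred because merchant m1's budget was spent on B, which is the API-usage pressure the post describes when webhooks cannot be relied on.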

quiquelhappy commented 2 years ago

https://github.com/coinbase/coinbase-commerce-node/issues/37

Aeroverra commented 2 years ago

I have been researching how Shopify handles this integration and I have some input on this. Surely Shopify can't be making API calls until it's complete or cancelled, right? That seems unsustainable at their size. I'm wondering if they have access to some undocumented feature that allows a webhook to be created with a charge like you recommend here.

I have an ecommerce platform myself with merchants, and currently I have them type in the API key and set a webhook URL. I would like to eliminate that point of failure so they don't have to do that. I don't know that we need a full OAuth setup, but I'll take whatever I can get to resolve this odd way of integrating.

As for your concern with EU compliance, as far as I know this doesn't violate that because the wallet belongs to the merchant and they are simply providing an easy way to interact with the public blockchain. I'm not a lawyer but that's my understanding.

quiquelhappy commented 2 years ago

Thanks for the feedback on the initial report. I completely agree, and forcing a webhook URL is a MINIMUM for platforms. There can be many errors just because of a non-working webhook that can indeed lead to bigger, very important problems if not handled accordingly.

OAuth integration would be much better since it would make the process intuitive and I wouldn't need to store API keys in the database, which is IMO a big problem too. PayPal and Stripe do that and you only need to store the merchant ID with no credentials needed.

Please, Coinbase team, make this happen. I can't understand how this is still a thing: at least let us force the webhooks 🥺.

@Aeroverra I'll follow you so you can let me know if you find any updates about this. I'll also tell you something if I hear about it. I posted this privately by other contact means to the Coinbase team. Sadly they don't seem to be too attentive on this gh repo.

Aeroverra commented 2 years ago

Yeah, unfortunately it seems this is just a gateway to get people to use their normal service and/or data mine, which I completely understand, and I still highly appreciate this free option. Great point on the OAuth for convenience; my first thought is security, which isn't really needed here because you can't do anything but make addresses, but for onboarding it definitely simplifies things. I will write them myself and write back if I get a meaningful response.