MoyaPay API integration for community moderation

cbunicef commented 1 year ago

Documentation: https://docs.moyapay.app/#http-request

This looks like simple API structure to "pay customers":

Example Request

  curl --location --request POST 'https://gateway.payments.moyapayd.app/customers/pay' \
  --header 'Authorization: Bearer YourSecretToken' \
  --header 'Content-Type: application/json' \
  --data-raw '[
  {
    "username": "27123456789",
    "reference": "Price Money",
    "amount": 50,
    "beneficiaryName": "Example Name"
  }
]'

We would need to get the Moya username from each user, and also get an authentication token which would be set in the Admin Panel.

Ideally an Admin could add multiple authentication tokens in the Admin Panel, and they can select one of the tokens for use in community moderation. Each token has a nickname which does not include the authentication string.

These settings should have a separate permission to access in the Admin Panel.

The integration with community moderation should trigger a payment to the IoGT user's Moya username when they moderate a comment for the first time.

How do we prevent abuse?

An Admin should optionally be able to limit the number of payments a single user receives in a day. Should this be by IoGT user or Moya username?
How do we prevent a user from making comments with account A, and then being paid to moderate those comments with account B?

cbunicef commented 1 year ago

Transformation for the phone number for South Africa: "Remove the plus, and if it starts with 0 replace that 0 with 27. Then remove any non-number characters."

Also consider validating the user's phone number input via a separate endpoint: https://docs.moyapay.app/#checking-customers

cbunicef commented 1 year ago

When we make the payment through the endpoint we will receive a response with a definitive answer on whether the payment was successful. There's no need to make additional calls to validate the payment, eg as there would be if the payment response was "pending".

Users are sent a notification instantly on their smart phone via the Moya app. The Moya app on a single phone can only access a single Moya account, you need to clear data or delete/download the app

cbunicef commented 1 year ago

Recommendation from Moya on best practice for abuse prevention:

Ndeshi has looked into the 'abuse prevention' point raised by IoGT and has the following advice to be implemented by IoGT / Yoma when rewarding customers (point 6): • Store the request bodies made for paying users and keep a consistent form of referencing for paying customers. Additionally store the returned results for this so you can have a cross reference for successful payments and the username's associated with it. This way you can then use this referencing style and the username to ensure that certain customers are only paid once. For this I'd imagine having a check before the pay is run to make sure that the username and reference combination are not ones that have been used before • Create an interval of sorts between payments for usernames. So once a payment is made, have some sort of block from allowing calls to be made to the same username within a certain period of time. Related is to create a timestamp for when a payment is made this way you can have a way to keep track of when certain users were paid and for what.

cbunicef commented 1 year ago

Moya have sent a sandbox token to use in our development: https://dev.azure.com/unicef/ICTD-IOGT/_boards/board/t/ICTD-IOGT%20Team/Stories/?workitem=153637

Alihassanc5 commented 1 year ago

Need the following to make a payment

MoyaPay username
MoyaPay phone number (It will be used for validation, if the user is exist and registered on MoyaPay or not)
Authentication token

Workflow:

Community comment moderator can edit profile and add/edit moyapay username & phone number
Admin will add MoyaPay settings (It can be added on site settings as well as new settings):
1. Number of payments a user can receive per day
2. Time duration to make next payment
3. Authentication token (It could be in env. var. as well)
Approval for payments (if and when)
Can’t detect same person with different accounts as of now
After the moderation of comment, it will trigger the payment process.
The payment validation before calling to the endpoint.
1. The payment will be canceled if a moderator tries to moderate their own comments (status = unsuccessful).
2. The payment will be scheduled if the MoyaPay username or phone number of a moderator is empty (status = pending).
3. The payment will be scheduled if the moderator is not registered and verified on MoyaPay (status = pending).
4. The payment will be scheduled if the moderator exceeds the number of payments a single user receives in a day (status = pending).
5. The payment will be scheduled if a user moderates a comment before the designated time period (status = pending).
Think of generic activities that are tied to payments instead of comments directly.
After the successful validation, we will make the payment through the endpoint, we will receive a response with a definitive answer (successful or not). The response will be stored in a new model MoyaPayPayment.
In case the status is unsuccessful for any reason, such as insufficient funds or system errors it will be treated as a pending payment.

Here is an example model table named MoyapayPayment with its fields and description:

Activity model table to keep the track of the activity related to the payment:

For example: Ali Hassan (Actor) approved (verb) a comment (object) on IoGT site and received payment (target) for his work.

Note: All the pending payments will be processed in the background to ensure their success.

Questions:

Is payment static or dynamic, what happens in batch processing ?
What is the need of adding multiple authentication tokens? If it is necessary then how we can keep track of which token to use?
Could you explain what is meant by "Each token has a nickname which does not include the authentication string"?

unicef / iogt