How can a server know a payment was truly made via PayPal client side REST API?

Submitted by 情到浓时终转凉″ on 2019-12-10 19:22:15

Question


I was looking at the PayPal interactive integration demo link.

At some point after the user completes the payment flow, the client reaches this code:

// onAuthorize() is called when the buyer approves the payment
onAuthorize: function(data, actions) {

    // Make a call to the REST api to execute the payment
    return actions.payment.execute().then(function() {
        window.alert('Payment Complete!');
    });
}

In a real scenario, instead of an alert, I would probably like to send the server an instruction to ship a product or update the user's plan. And it would probably be done via an HTTP POST request.

How can the server know that a payment was indeed made and that it was not the result of a hacker sending an HTTP POST request manually?


Answer 1:


Your idea is correct, the server cannot know if the payment was really made. This client API is intended for things like donations, where no request to any servers is necessary. The client callback can then be used to display a "thank you" note or similar to the user.

For most cases (like online shops etc.) you will want to use the server API. That way, the PayPal server will send a request to your server, so you can validate that it really is a genuine payment confirmation.




Answer 2:


After actions.payment.execute() you can call your server and have it make a GET call to verify the payment has been completed: https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/advanced-payments-api/show-payment-details/




Answer 3:


1) Generate a unique reference server side in your database that includes the payment details. For example:

My paypal references table

| Amount: $1.00 | Reference: ECHI5786786 |

2) Pass the payment reference in your transaction object before executing the payment.

"transactions": [
  {
    "amount": {
      "total": "1.99",
      "currency": "USD"
    },
    "soft_descriptor": "ECHI5786786" // this is your unique reference
  }
]

3) In your PayPal app configuration, on the developer site, set a webhook to your server for "payment sale completed". PayPal will call your URL with the transaction details, including the unique reference. Record the details in your database. For example:

My paypal confirmed completed payments table

| Amount paid: $1.00 | Reference: ECHI5786786 |

4) When PayPal confirms client side that the payment is complete, send a request to your server to confirm the payment details:

// Make a call to the REST api to execute the payment
return actions.payment.execute().then(function() {
  // ajax to your server here with "soft_descriptor"
  // if ajax success, then all good
});

Server-side confirmation

Confirm that the reference is in both tables and that the amount matches.



Source: https://stackoverflow.com/questions/46025678/how-can-a-server-know-a-payment-was-truly-made-via-paypal-client-side-rest-api
