PayPal express checkout security with silent ajax call

Submitted by ε祈祈猫儿з on 2020-01-01 02:56:27

Question


The new checkout of PayPal makes me feel insecure; can't a user trigger a fake payment on the client side?

The code provided looks like this

paypal.Button.render({  
    env: 'sandbox',
    client: {
        sandbox: 'AapGZeCaaDK_q_KPeG19DHnD_kd18vr6BxNe4P6uuhfTKPjIedtNEI9plyDgmzfyI-xGhbxjpv0k-Ha9',
        production: 'xxxxxxxxx' // you expose the key to the client side? Is this OK?
    },
    payment: function() {
        var env    = this.props.env;
        var client = this.props.client;

        return paypal.rest.payment.create(env, client, {
            transactions: [{
                amount: { total: ($scope.number_of_uses * 9) + '.00' , currency: 'USD' },
                item_list: {
                    items: [{
                        "name": "example",
                        "quantity": $scope.number_of_uses,
                        "price": "9.00",
                        "currency": "USD"
                    }]
                }
            }],
            redirect_urls: {
                "return_url": $location.absUrl(),
                "cancel_url": $location.absUrl()
            }
        });
    },

    onAuthorize: function(data, actions) {
        return actions.payment.execute().then(function() {
            actions.payment.get().then(function(data){
                // here I will save data detail to db to record sales
                // $http something something 
            });
        });
    }

}, '#paypal-button');

In Stripe, I have to pass a token to the back end, then verify that token on my server side; if everything is OK, proceed to record the sale. But in PayPal it seems like this is the only thing I need to implement to have express checkout. Is this even secure?


Answer 1:


You are correct that this isn't a secure way to update your database. This is a secure method of payment; however, you cannot verify with the client that the payment was successful and then update your database from the onAuthorize method.

To verify the payment was successful for your database, you must use the server-side REST API. Sadly, the PayPal docs for this are very lacking; however, there are SDKs which are much better documented and easier to implement. (Shortcut to Node SDK).

I would recommend that you use these to implement an update to your database. PayPal returns a parameter that tells you the payment was successful.
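As an added illustration of the server-side check the answer recommends (this is not code from the question, the answer, or PayPal's SDK): the server fetches the payment by its id through the REST API (for example `paypal.payment.get()` in the Node SDK) and then validates the returned object against its own price data before writing a sale to the database. The `verifyPayment` function below works on a payment object in the shape returned by `GET /v1/payments/payment/{id}`; the sample object, ids and the `alreadyRecorded` callback are constructed for the example.

```javascript
// Server-side price table: the client-supplied amount is never trusted.
const PRICE_PER_USE_USD = 9;

function expectedTotal(numberOfUses) {
  // Recompute what the buyer should have paid from server-side data only,
  // in the same "N.00" string form the REST API uses for amount.total.
  return (numberOfUses * PRICE_PER_USE_USD).toFixed(2);
}

// payment: object as returned by GET /v1/payments/payment/{id} (fetched server-side).
// numberOfUses: the quantity the server associates with this order.
// alreadyRecorded: callback returning true if this payment id was already stored.
function verifyPayment(payment, numberOfUses, alreadyRecorded) {
  // 1. The payment as a whole must be approved, not merely created.
  if (payment.state !== 'approved') return { ok: false, reason: 'payment not approved' };

  // 2. Exactly one transaction, and its amount must equal the server-computed price.
  const txs = payment.transactions || [];
  if (txs.length !== 1) return { ok: false, reason: 'unexpected transaction list' };
  const amount = txs[0].amount || {};
  if (amount.currency !== 'USD' || amount.total !== expectedTotal(numberOfUses)) {
    return { ok: false, reason: 'amount mismatch' };
  }

  // 3. The underlying sale must actually be completed (not pending or denied).
  const sale = (txs[0].related_resources || []).map(r => r.sale).find(Boolean);
  if (!sale || sale.state !== 'completed') return { ok: false, reason: 'sale not completed' };

  // 4. Idempotency: one payment id may only ever record one sale.
  if (alreadyRecorded(payment.id)) return { ok: false, reason: 'duplicate payment id' };

  return { ok: true, paymentId: payment.id, saleId: sale.id };
}

// Constructed sample of a fetched payment (ids are placeholders, not real PayPal ids).
const samplePayment = {
  id: 'PAY-PLACEHOLDER-1',
  state: 'approved',
  transactions: [{
    amount: { total: '18.00', currency: 'USD' },
    related_resources: [{ sale: { id: 'SALE-PLACEHOLDER-1', state: 'completed' } }]
  }]
};

const recordedIds = new Set();           // stands in for the sales table
const seen = id => recordedIds.has(id);
console.log(verifyPayment(samplePayment, 2, seen)); // ok: true
```

Only after `verifyPayment` returns `ok: true` should the sale be inserted (and the payment id added to the recorded set) so a replayed or tampered client request cannot create a second record.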



Source: https://stackoverflow.com/questions/41144330/paypal-express-checkout-security-with-silent-ajax-call
