Client-side patching of server-created order

LorenzoDV
New Community Member

Hi,

I'm starting to integrate PayPal checkouts with a server workflow.

To understand the security implications I'm making some manual tests by calling the API from the server and the client.

My basic need is to create an order on the server and ensure that the client cannot modify it in any way.

However, I have found that the client can just abuse the actions.order.patch() method to modify almost every aspect of the order, including the amount and the custom_id that I'm attaching to the purchase_item.

This is really surprising. The PayPal docs state that one reason for doing server-side calls is if "You have parameters that you want to pass securely to PayPal", but what's the point if the client can modify everything?

 

Basically, I have absolutely no guarantee on the order contents, even if I created it on the server, is this correct?
In that case, it means I have to check each order's contents against the orders database of my application. It IS possible, but I was hoping to not have to do that.

Any clues?

Thanks in advance for your help.

--

Lorenzo

0 REPLIES
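The check Lorenzo describes as his fallback (comparing each order against the application's own orders database before capturing) is the standard mitigation for client-side patching, and it is worth seeing what that comparison looks like in practice. The following is an added example, not code from the original post or from PayPal. It assumes the server re-fetches the order with GET /v2/checkout/orders/{id} after the buyer approves it and hands the parsed JSON to `verify_order()`; the HTTP call itself is left out so the block runs offline. The order id, the local orders table and both order responses are constructed samples, with field names following the Orders v2 response shape (`purchase_units[].amount.value`, `purchase_units[].custom_id`, `status`). The example goes slightly beyond the post by also refusing orders whose status is not APPROVED and whose currency or purchase-unit count differs from the server's record.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample of the application's own orders table: what the server
# recorded when it created the order. The order id is a made-up placeholder.
LOCAL_ORDERS = {
    "ORDER-ID-EXAMPLE-1": {
        "currency_code": "EUR",
        "value": "49.90",
        "custom_id": "invoice-1001",
    },
}

# Constructed sample of a GET /v2/checkout/orders/{id} response for that order
# in which nothing was patched. Field names follow the Orders v2 response shape.
UNTOUCHED_ORDER = {
    "id": "ORDER-ID-EXAMPLE-1",
    "status": "APPROVED",
    "purchase_units": [
        {
            "custom_id": "invoice-1001",
            "amount": {"currency_code": "EUR", "value": "49.90"},
        }
    ],
}

# Constructed sample of the same order after the browser used
# actions.order.patch() to lower the amount and swap the custom_id.
TAMPERED_ORDER = {
    "id": "ORDER-ID-EXAMPLE-1",
    "status": "APPROVED",
    "purchase_units": [
        {
            "custom_id": "invoice-9999",
            "amount": {"currency_code": "EUR", "value": "0.01"},
        }
    ],
}


def verify_order(order, local_orders=LOCAL_ORDERS):
    """Compare a fetched order against the server's own record.

    Returns a list of mismatch descriptions; an empty list means the order
    still matches what the server created and may be captured.
    """
    reasons = []
    expected = local_orders.get(order.get("id"))
    if expected is None:
        return ["order id is not known to this application"]

    # Only an approved order is ready for capture; anything else is refused.
    if order.get("status") != "APPROVED":
        reasons.append(f"status is {order.get('status')!r}, expected 'APPROVED'")

    units = order.get("purchase_units") or []
    if len(units) != 1:
        reasons.append(f"expected exactly one purchase unit, found {len(units)}")
        return reasons
    unit = units[0]
    amount = unit.get("amount") or {}

    if amount.get("currency_code") != expected["currency_code"]:
        reasons.append(
            f"currency {amount.get('currency_code')!r} != expected {expected['currency_code']!r}"
        )

    # Compare money as Decimal, never as float, so "49.90" and "49.9" agree
    # and a non-numeric value is reported instead of silently coerced.
    try:
        if Decimal(str(amount.get("value"))) != Decimal(expected["value"]):
            reasons.append(f"amount {amount.get('value')!r} != expected {expected['value']!r}")
    except InvalidOperation:
        reasons.append(f"amount value {amount.get('value')!r} is not a valid decimal")

    if unit.get("custom_id") != expected["custom_id"]:
        reasons.append(f"custom_id {unit.get('custom_id')!r} != expected {expected['custom_id']!r}")

    return reasons


def should_capture(order, local_orders=LOCAL_ORDERS):
    """Gate for the server's capture call: True only when nothing was altered."""
    return verify_order(order, local_orders) == []


if __name__ == "__main__":
    for label, order in (("untouched", UNTOUCHED_ORDER), ("tampered", TAMPERED_ORDER)):
        problems = verify_order(order)
        print(f"{label}: {'capture' if not problems else 'refuse'} {problems}")
```

The point of the design is that the server trusts only two things: the order id it stored when it created the order, and the order as PayPal reports it at capture time. Nothing sent back by the browser (amount, custom_id, even the "approved" signal) is used for the decision; if the fetched order differs from the stored record in any field that matters, the capture is simply not issued.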