Client-side patching of server-created order
Hi,
I'm starting to integrate PayPal checkouts with a server workflow.
To understand the security implications I'm making some manual tests by calling the API from the server and the client.
My basic need is to create an order on the server and ensure that the client cannot modify it in any way.
However, I have found that the client can just abuse the actions.order.patch() method to modify almost every aspect of the order, including the amount and the custom_id that I'm attaching to the purchase_item.
This is really surprising. The PayPal docs state that one reason for doing server-side calls is if "You have parameters that you want to pass securely to PayPal", but what's the point if the client can modify everything?
Basically, I have absolutely no guarantee on the order contents, even if I created it on the server. Is this correct?
In that case, it means I have to check each order's contents against the orders database of my application. It IS possible, but I was hoping to not have to do that.
Any clues?
Thanks in advance for your help.
--
Lorenzo
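A server-side check of the kind described in the post, written here as an added example (not PayPal's code and not the poster's): after the buyer approves, the server fetches the order from PayPal and compares it with what the application stored when it created the order, refusing to capture on any mismatch. The field names are those of the PayPal v2 Orders API order object; the stored-order dictionary, the sample tampered order and the `can_capture` call site are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed sample: what the application recorded when it created the
# order server-side (in practice this lives in the application's database).
EXPECTED_ORDERS: Dict[str, dict] = {
    "ORDER-123": {"currency": "EUR", "amount": Decimal("49.90"), "custom_id": "inv-1001"},
}

# Constructed sample: the same order as returned by GET /v2/checkout/orders/{id}
# after a client changed the amount and custom_id through actions.order.patch().
TAMPERED_ORDER = {
    "id": "ORDER-123",
    "status": "APPROVED",
    "purchase_units": [
        {"custom_id": "inv-9999", "amount": {"currency_code": "EUR", "value": "0.01"}},
    ],
}


def verify_order(order: dict, expected: dict) -> List[str]:
    """Return every mismatch between the PayPal order and the stored record.

    An empty list means the order is safe to capture. Only the server's copy
    of the order is trusted; nothing the browser sends is used."""
    problems: List[str] = []
    if order.get("status") != "APPROVED":
        problems.append(f"status is {order.get('status')!r}, not APPROVED")
    units = order.get("purchase_units") or []
    if len(units) != 1:
        return problems + [f"expected one purchase unit, found {len(units)}"]
    unit = units[0]
    amount = unit.get("amount") or {}
    if amount.get("currency_code") != expected["currency"]:
        problems.append(f"currency {amount.get('currency_code')!r} != {expected['currency']!r}")
    try:
        value = Decimal(str(amount.get("value")))  # compare as Decimal, never float
    except InvalidOperation:
        problems.append(f"amount value {amount.get('value')!r} is not a valid decimal")
    else:
        if value != expected["amount"]:
            problems.append(f"amount {value} != {expected['amount']}")
    if unit.get("custom_id") != expected["custom_id"]:
        problems.append(f"custom_id {unit.get('custom_id')!r} != {expected['custom_id']!r}")
    return problems


def can_capture(order: dict, store: Dict[str, dict] = EXPECTED_ORDERS) -> bool:
    """Gate the capture call: unknown order ids and any mismatch are rejected."""
    expected = store.get(order.get("id", ""))
    return expected is not None and not verify_order(order, expected)
```

Run the check on the order fetched from PayPal immediately before calling capture; the stored record, not the client-supplied order, is the source of truth.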
Labels: PayPal Buttons