cancel
Showing results for 
Search instead for 
Did you mean: 

How do I know my Access Tokens are secure?

Options
awf825
Contributor
Posted on

Hello,

    I am integrating PayPal buttons into an existing ecommerce service. I have successfully implemented a PayPal integration into my app: an AngularJS SPA (1.8.2) fronting a Joomla (PHP) backend, where here I need to process orders in my database. I was originally using a PHP SDK to try and capture orders (https://github.com/paypal/Checkout-PHP-SDK/tree/1.0.1), but I realized I didn't need this entire library and opted for a simpler solution. Here is where the order is created and approved, from my angular controller:

 

 

 

$scope.opts = {
createOrder: function (data, actions) {return actions.order.create({...})},

onApprove: function (data, actions) {
  return $order.processPayPalOrder(data).then(function(res) {
      console.log('$order.processPayPalOrder(data): ', res)
   })
},

 

 

 

The angular service method that calls the PHP backend, where I'm appending sensitive PayPal information to the request:

 

 

 

this.processPayPalOrder = function(data) {
      this.order.payment.paypal = {
        facilitatorAccessToken: data.facilitatorAccessToken,
        orderID: data.orderID,
        payerID: data.payerID 
      }
      return $http.post("/xxxxxxxxx.savePayPalOrder", this.order);
}

 

 

 

 And finally, the PHP, where I make a curl request to get the order that was just made from the sandbox api:

 

 

 

    public function savePayPalOrder() {
	$app = JFactory::getApplication();
	$this->order = $app->input->json->getArray();
        $accessToken = $this->order['payment']['paypal']['facilitatorAccessToken'];
        $orderID = $this->order['payment']['paypal']['orderID'];
        $payPalRequestUri = "https://api-m.sandbox.paypal.com/v2/checkout/orders/" . $orderID;
        $curl = curl_init($payPalRequestUri);
        curl_setopt($curl, CURLOPT_URL, $payPalRequestUri);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        $headers = array(
            "Content-Type: application/json",
            "Authorization: Bearer " . $accessToken,
        );
        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
        $resp = curl_exec($curl);
        curl_close($curl);
        // THIS IS WHERE I'LL EVENTUALLY APPLY THE LOGIC TO STORE WHAT I NEED FROM THE ORDER OBJECT IN MY DATABASE
        echo $resp;
    }

 

 

 

This works like a charm in development: I'm able to get the payload back to the frontend by way of onApprove (in the first code snippet). However, I'm afraid this approach may be too naked.
Is it unsafe to be sending the faciliatatorAccessToken variable unencrypted to my own backend? Should I even be using this variable for what I'm trying to do?
Would it be a better approach to make a request for a PayPal access token in the PHP code?
Should the curl request for the order be sanitized further, or is this fine as is?

For what it may be worth, I verified that the angular $http service is making the request over https.

Any help on this would be greatly appreciated; it works, but I'm a little worried about the security of this approach.

Thank you!

Haven't Found your Answer?

It happens. Hit the "Login to Ask the community" button to create a question for the PayPal community.