How do I know my Access Tokens are secure?
Hello,
I am integrating PayPal buttons into an existing ecommerce service. I have successfully implemented a PayPal integration into my app: an AngularJS SPA (1.8.2) fronting a Joomla (PHP) backend, where I need to process orders in my database. I was originally using a PHP SDK to try and capture orders (https://github.com/paypal/Checkout-PHP-SDK/tree/1.0.1), but I realized I didn't need this entire library and opted for a simpler solution. Here is where the order is created and approved, from my Angular controller:
    $scope.opts = {
        createOrder: function (data, actions) {return actions.order.create({...})},
        onApprove: function (data, actions) {
            return $order.processPayPalOrder(data).then(function(res) {
                console.log('$order.processPayPalOrder(data): ', res)
            })
        },
    };
The angular service method that calls the PHP backend, where I'm appending sensitive PayPal information to the request:
    this.processPayPalOrder = function(data) {
        this.order.payment.paypal = {
            facilitatorAccessToken: data.facilitatorAccessToken,
            orderID: data.orderID,
            payerID: data.payerID
        }
        return $http.post("/xxxxxxxxx.savePayPalOrder", this.order);
    }
And finally, the PHP, where I make a curl request to get the order that was just made from the sandbox api:
    public function savePayPalOrder() {
        $app = JFactory::getApplication();
        $this->order = $app->input->json->getArray();
        $accessToken = $this->order['payment']['paypal']['facilitatorAccessToken'];
        $orderID = $this->order['payment']['paypal']['orderID'];
        $payPalRequestUri = "https://api-m.sandbox.paypal.com/v2/checkout/orders/" . $orderID;
        $curl = curl_init($payPalRequestUri);
        curl_setopt($curl, CURLOPT_URL, $payPalRequestUri);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        $headers = array(
            "Content-Type: application/json",
            "Authorization: Bearer " . $accessToken,
        );
        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
        $resp = curl_exec($curl);
        curl_close($curl);
        // THIS IS WHERE I'LL EVENTUALLY APPLY THE LOGIC TO STORE WHAT I NEED FROM THE ORDER OBJECT IN MY DATABASE
        echo $resp;
    }
This works like a charm in development: I'm able to get the payload back to the frontend by way of onApprove (in the first code snippet). However, I'm afraid this approach may be too naked.
Is it unsafe to be sending the facilitatorAccessToken variable unencrypted to my own backend? Should I even be using this variable for what I'm trying to do?
Would it be a better approach to make a request for a PayPal access token in the PHP code?
Should the curl request for the order be sanitized further, or is this fine as is?
For what it may be worth, I verified that the angular $http service is making the request over https.
Any help on this would be greatly appreciated; it works, but I'm a little worried about the security of this approach.
Thank you!
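
Added example, not part of the original post and not PayPal's own code: one way the backend can look up the order with a token it requests itself, treating the browser-supplied order ID as untrusted input. The function names, the environment variable names, and the order-ID pattern are assumptions; the expected amount and currency are assumed to come from the shop's own database, not from the request.

```php
<?php
// Added example (hypothetical names). Credentials live in server-side environment
// variables; TLS certificate verification is left at curl's secure default.
const PAYPAL_API = 'https://api-m.sandbox.paypal.com';

function paypalRequest(string $url, array $headers, ?string $userpwd = null, ?string $body = null): array
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($userpwd !== null) { curl_setopt($curl, CURLOPT_USERPWD, $userpwd); }   // HTTP Basic auth
    if ($body !== null)    { curl_setopt($curl, CURLOPT_POSTFIELDS, $body); }   // turns the call into a POST
    $resp = curl_exec($curl);
    $code = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);
    if ($resp === false || $code < 200 || $code >= 300) {
        throw new RuntimeException("PayPal request failed with HTTP $code");
    }
    return json_decode($resp, true, 512, JSON_THROW_ON_ERROR);
}

function fetchVerifiedOrder(string $orderID, string $expectedValue, string $expectedCurrency, array $acceptedStatuses = ['COMPLETED']): array
{
    // Assumption: a conservative allow-list, so the ID cannot alter the request path.
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $orderID)) {
        throw new InvalidArgumentException('Malformed order ID');
    }
    // The server requests its own token; no token from the browser is used.
    $token = paypalRequest(PAYPAL_API . '/v1/oauth2/token', ['Accept: application/json'],
        getenv('PAYPAL_CLIENT_ID') . ':' . getenv('PAYPAL_CLIENT_SECRET'),
        'grant_type=client_credentials')['access_token'];

    $order = paypalRequest(PAYPAL_API . '/v2/checkout/orders/' . rawurlencode($orderID),
        ['Content-Type: application/json', 'Authorization: Bearer ' . $token]);

    // Compare PayPal's view of the order with what the shop expected to charge.
    $amount = $order['purchase_units'][0]['amount'] ?? [];
    if (!in_array($order['status'] ?? '', $acceptedStatuses, true)
        || ($amount['value'] ?? '') !== $expectedValue
        || ($amount['currency_code'] ?? '') !== $expectedCurrency) {
        throw new RuntimeException('Order does not match what the shop expects');
    }
    return $order;
}
```

Pass `['APPROVED']` as the last argument when the order has only been approved by the buyer and not yet captured, and store only the fields needed from the returned array instead of echoing the raw response to the client.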
