Security of paypal smart buttons, reverting hacked payments

Yirmi
Contributor

I am using PayPal Smart buttons, with JS code like:

    paypal.Buttons({
        // Set up the transaction. `amount` is a page-side JavaScript variable,
        // so whoever controls the browser controls the value sent to PayPal.
        createOrder: function(data, actions) {
            return actions.order.create({
                purchase_units: [{
                    amount: {
                        value: amount
                    }
                }]
            });
        },

        // Finalize the transaction: capture on approval, then put the order ID
        // into the form so the server can look the order up before fulfilling.
        onApprove: function(data, actions) {
            return actions.order.capture().then(function(details) {
                // details.id is the PayPal order ID (the "token" checked server-side)
                jQuery('input[name="paypal_id"]').val(details.id);
                jQuery('button[type="submit"], .paypal_confirmation_notice', 'form.order_confirm').show();
            });
        }
    }).render('#paypal_button_container');


However, since the payment amount is sent via JavaScript, it is not secure. To rectify this, I would like to check the amount on the server side when the token is submitted. When the user submits the form, the server-side script confirms the payment via a call to https://api.sandbox.paypal.com/v2/checkout/orders/<token from buttons>. From the response, I can check the payment amount against the amount from our server. If there is a discrepancy, how do I revert the payment at that point?

1 REPLY

abir43
Contributor


If you have only created the orders ("authorize" or "capture"), you don't have to do anything further as no funds have been committed.

If you have completed a payment request with an intent of "authorize", you can void the authorization.

https://developer.paypal.com/docs/api/payments/v2/#authorizations_void

If you have completed a payment request with an intent of "capture", you would need to refund the payment.

The payment "intent" can be specified within the request body, as shown in the example at the URL below:
https://developer.paypal.com/docs/api/orders/v2/#orders-create-request-body


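The server-side check asked about in the question, combined with the three outcomes the reply lists (nothing committed, void the authorization, refund the capture), as an added Node.js example that is not code from either post. The PayPal call itself, GET /v2/checkout/orders/{id} with an OAuth bearer token, is not made here: the response is stood in for by constructed objects (SAMPLE_ORDERS) that carry only the Orders v2 fields the logic reads (`intent`, `status`, `purchase_units[].amount`, `purchase_units[].payments.captures` / `.authorizations`). The names `EXPECTED`, `SAMPLE_ORDERS`, `toMinorUnits` and `reconcileOrder` are this example's own, as is the extra currency check, which the thread does not mention but a tampered client can change as easily as the value.

```javascript
// Added example, not code from the original thread. Server-side reconciliation
// of the order ID posted from the Smart Buttons form, run against constructed
// stand-ins for GET /v2/checkout/orders/{id} responses so it works offline.

// Server-side record of what this checkout should cost (constructed input).
const EXPECTED = { currency_code: 'USD', value: '50.00' };

// Decimal amount string -> integer minor units, so "50.00" equals "50" and no
// floating-point comparison is involved. Two-decimal currencies only (assumed).
function toMinorUnits(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  if (!m) throw new Error(`unparseable amount: ${value}`);
  return Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0'));
}

// Decide what to do with an Orders v2 order object given the expected amount.
// Smart Buttons create a single purchase unit, so only purchase_units[0] is read.
// Returns one of:
//   { action: 'accept' }                             amount and currency match
//   { action: 'none',   reason }                     nothing committed, just reject
//   { action: 'void',   authorizationId, endpoint }  funds held (intent AUTHORIZE)
//   { action: 'refund', captureId, endpoint }        funds taken (intent CAPTURE)
function reconcileOrder(order, expected) {
  const unit = order.purchase_units[0];
  const payments = unit.payments || {};
  // Only COMPLETED captures and CREATED (still open) authorizations count as
  // committed funds; PENDING captures are deliberately not handled here.
  const captures = (payments.captures || []).filter(c => c.status === 'COMPLETED');
  const auths = (payments.authorizations || []).filter(a => a.status === 'CREATED');

  const amountOk =
    unit.amount.currency_code === expected.currency_code &&
    toMinorUnits(unit.amount.value) === toMinorUnits(expected.value);

  // Treat the order as paid only when PayPal reports the flow finished and
  // money was actually captured or held; CREATED/APPROVED commit nothing.
  const funded = order.status === 'COMPLETED' && (captures.length > 0 || auths.length > 0);

  if (amountOk && funded) return { action: 'accept' };
  if (!funded) {
    return { action: 'none', reason: `status ${order.status}, no funds committed` };
  }
  if (captures.length > 0) {
    // Funds were taken: the only way back is a refund of the capture.
    const captureId = captures[0].id;
    return { action: 'refund', captureId,
             endpoint: `POST /v2/payments/captures/${captureId}/refund` };
  }
  // Funds are only held: voiding the authorization releases them, no refund needed.
  const authorizationId = auths[0].id;
  return { action: 'void', authorizationId,
           endpoint: `POST /v2/payments/authorizations/${authorizationId}/void` };
}

// Constructed stand-ins for GET /v2/checkout/orders/{id} responses, trimmed to
// the fields the logic reads. All IDs are made up.
const SAMPLE_ORDERS = {
  // intent CAPTURE, client lowered the amount to 1.00, capture already completed
  capturedTampered: {
    id: 'ORDER-CAP-1', intent: 'CAPTURE', status: 'COMPLETED',
    purchase_units: [{
      amount: { currency_code: 'USD', value: '1.00' },
      payments: { captures: [{ id: 'CAPTURE-1', status: 'COMPLETED',
                               amount: { currency_code: 'USD', value: '1.00' } }] },
    }],
  },
  // intent AUTHORIZE, tampered amount, funds only held
  authorizedTampered: {
    id: 'ORDER-AUTH-1', intent: 'AUTHORIZE', status: 'COMPLETED',
    purchase_units: [{
      amount: { currency_code: 'USD', value: '1.00' },
      payments: { authorizations: [{ id: 'AUTH-1', status: 'CREATED',
                                     amount: { currency_code: 'USD', value: '1.00' } }] },
    }],
  },
  // order created and approved by the buyer but never captured or authorized
  approvedOnly: {
    id: 'ORDER-NEW-1', intent: 'CAPTURE', status: 'APPROVED',
    purchase_units: [{ amount: { currency_code: 'USD', value: '1.00' } }],
  },
  // honest order: amount matches, capture completed
  honest: {
    id: 'ORDER-OK-1', intent: 'CAPTURE', status: 'COMPLETED',
    purchase_units: [{
      amount: { currency_code: 'USD', value: '50.00' },
      payments: { captures: [{ id: 'CAPTURE-2', status: 'COMPLETED',
                               amount: { currency_code: 'USD', value: '50.00' } }] },
    }],
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, order] of Object.entries(SAMPLE_ORDERS)) {
    console.log(name, JSON.stringify(reconcileOrder(order, EXPECTED)));
  }
}
```

Whichever branch is taken, the order should not be fulfilled unless the result is `accept`; the `endpoint` field names the Payments v2 call the server then issues with the same bearer token it used for the GET. Comparing in integer minor units rather than with `parseFloat` avoids accepting "49.999999" style strings, and checking `order.status` as well as the capture or authorization status means an order that was approved but never captured is rejected rather than treated as paid.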
