Security of paypal smart buttons, reverting hacked payments
I am using PayPal Smart buttons, with JS code like:
paypal.Buttons({
    // Set up the transaction
    createOrder: function(data, actions) {
        return actions.order.create({
            purchase_units: [{
                amount: {
                    value: amount
                }
            }]
        });
    },
    // Finalize the transaction
    onApprove: function(data, actions) {
        return actions.order.capture().then(function(details) {
            jQuery('input[name="paypal_id"]').val(details.id);
            jQuery('button[type="submit"], .paypal_confirmation_notice', 'form.order_confirm').show();
        });
    }
}).render('#paypal_button_container');
However, since the payment amount is sent via JavaScript, it is not secure. To rectify this, I would like to check the amount on the server side when the token is submitted. When the user submits the form, the server-side script confirms the payment via a call to https://api.sandbox.paypal.com/v2/checkout/orders/<token from buttons>. From the response, I can check the payment amount against the amount from our server. If there is a discrepancy, how do I revert the payment at that point?
If you have only created the orders ("authorize" or "capture"), you don't have to do anything further as no funds have been committed.
If you have completed a payment request with an intent of "authorize", you can void the authorization.
https://developer.paypal.com/docs/api/payments/v2/#authorizations_void
If you have completed a payment request with an intent of "capture", you would need to refund the payment.
The payment "intent" can be specified within the request body, as shown in the example at the URL below:
https://developer.paypal.com/docs/api/orders/v2/#orders-create-request-body
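The server-side check from the question combined with the reversal rules from the answer, as an added example that is not part of the original thread. The function names `reviewOrder` and `toMinorUnits`, the `hold` outcome and the sample IDs are hypothetical; the order object is assumed to be the parsed response the server itself fetched from the orders endpoint, with a single purchase unit as in the question.

```javascript
// Added example, not from the thread. Sample order JSON is constructed.

// Decimal string ("10.00") to integer minor units, so no float comparison.
// Assumption: the shop sells in two-decimal currencies only.
function toMinorUnits(value) {
  if (!/^\d+(\.\d{1,2})?$/.test(value)) throw new Error('bad amount: ' + value);
  const [whole, frac = ''] = value.split('.');
  return Number(whole) * 100 + Number(frac.padEnd(2, '0'));
}

// order: parsed body of GET /v2/checkout/orders/{id}, fetched by the server.
// expected: { currency_code, value } from the server's own price records.
// Assumes a single purchase unit, as in the question's createOrder call.
function reviewOrder(order, expected) {
  const unit = (order.purchase_units || [])[0] || {};
  const payments = unit.payments || {};
  const capture = (payments.captures || [])[0];
  const auth = (payments.authorizations || [])[0];

  // Order created or approved only: no funds committed, nothing to revert,
  // and nothing to ship against either.
  if (!capture && !auth) return { action: 'none' };

  const paid = (capture || auth).amount;
  const matches = paid.currency_code === expected.currency_code &&
    toMinorUnits(paid.value) === toMinorUnits(expected.value);
  if (matches) {
    // A capture that has not completed is not yet money received.
    if (capture && capture.status !== 'COMPLETED') return { action: 'hold' };
    return { action: 'accept' };
  }
  // Mismatch: intent "capture" is refunded, intent "authorize" is voided.
  return capture
    ? { action: 'refund', method: 'POST',
        path: '/v2/payments/captures/' + encodeURIComponent(capture.id) + '/refund' }
    : { action: 'void', method: 'POST',
        path: '/v2/payments/authorizations/' + encodeURIComponent(auth.id) + '/void' };
}

// Constructed sample: server price is 25.00 USD, client tampered it to 0.01.
const tamperedOrder = {
  id: 'ORDER-EXAMPLE', intent: 'CAPTURE', status: 'COMPLETED',
  purchase_units: [{ payments: { captures: [{
    id: 'CAPTURE-EXAMPLE', status: 'COMPLETED',
    amount: { currency_code: 'USD', value: '0.01' } }] } }]
};
console.log(reviewOrder(tamperedOrder, { currency_code: 'USD', value: '25.00' }));
```

The returned `path` is relative to the same API host used for the order lookup, and the form submission should only be fulfilled when the action is `accept`.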