Sandbox account missing payment methods when approving created payment - php

I am trying to implement PayPal REST API.
When I create PayPal Payment using request from my server, the payment is created successfully, and payment id is passed to PayPal.
Next, the user must approve payment.
A PayPal window is opened in the user's browser, and the user is prompted to log in or pay with a credit card.
The problem is:
When I log in with my sandbox customer account, PayPal is not showing any available attached credit cards or PayPal wallet balance; it only prompts me to add a new credit card to the sandbox account.
If I log in with this sandbox account in a new, separate browser window, I can see that it has a wallet balance and an attached credit card.
If I create a Payment with client-side JS request instead of server, the issue is not reproduced and PayPal is showing both wallet balance and credit card.
So, I assume the issue lies in the payment's format. The server Payment's format is:
{
  "intent": "sale",
  "payer": {
    "payment_method": "paypal"
  },
  "transactions": [
    {
      "amount": {
        "total": "10.00",
        "currency": "USD"
      },
      "description": "silver membership",
      "custom": "account_id:1"
    }
  ],
  "redirect_urls": {
    "return_url": "https://example.com/return",
    "cancel_url": "https://example.com/cancel"
  }
}
The format of the payment created with client-side JS is much simpler; I took it from one of the examples in the developer manuals. If I use the same simple format in the server request, it will not let me create the payment (I think client-side checkout.js just adds the missing required fields silently).
payment: function (data, actions) {
  return actions.payment.create({
    transactions: [{
      amount: {
        total: '10.00',
        currency: 'USD'
      }
    }]
  });
},
Would be very grateful for any hints on this topic.

Related

Zoho Subscriptions Webhooks Validate

I want to use zoho subscriptions to make recurring payments on my website.
I use webhooks to send data for creating membership.
Now I want to validate the data from webhook to check if the webhook was really sent.
You should read the webhook data and validate it by the Zoho signature; after that, check the event_type, which indicates the event: it could be subscription_cancelled, subscription_cancellation_scheduled or new_subscription. Also, you should get the subscription id and customer id inside data->subscription. Below is a sample webhook body:
{
  "created_time": "...",
  "event_id": "...",
  "event_type": "...",
  "event_source": "...",
  "event_time": "...",
  "data": {
    "subscription": {
      "subscription_id": "...",
      "created_time": "...",
      "customer_id": "...",
      "...": "..."
    }
  }
}
Now that you have a subscription id and customer id, you can call the Zoho subscription info API to get the subscription details for cross-checking. Another way: you have the event_id, so you can retrieve the event details to validate that the webhook really comes from Zoho.
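The receiving side of the answer above, as an added example in PHP (not the answerer's code and not Zoho's SDK). It assumes the webhook is signed with an HMAC-SHA256 over the raw request body using a shared secret, delivered in a request header; the header name X-Zoho-Webhook-Signature and the HMAC scheme are placeholders, so check the signature settings of your own Zoho webhook before relying on them. The body and secret are constructed for the run.

```php
<?php
// Added example; signature scheme and header name are assumptions, see lead-in.
declare(strict_types=1);

// Event types the answer above lists; anything else is rejected rather than guessed at.
const KNOWN_EVENTS = ['new_subscription', 'subscription_cancelled', 'subscription_cancellation_scheduled'];

// Constant-time comparison of the expected HMAC against what the request carried.
function verifySignature(string $rawBody, string $receivedSignature, string $secret): bool
{
    $expected = hash_hmac('sha256', $rawBody, $secret);          // hex digest
    return hash_equals($expected, strtolower(trim($receivedSignature)));
}

// Pulls event_type, event_id and the ids under data->subscription out of the body.
function parseWebhook(string $rawBody): array
{
    $payload = json_decode($rawBody, true, 16, JSON_THROW_ON_ERROR);
    $eventType = $payload['event_type'] ?? null;
    if (!in_array($eventType, KNOWN_EVENTS, true)) {
        throw new UnexpectedValueException('Unhandled event_type: ' . var_export($eventType, true));
    }
    $sub = $payload['data']['subscription'] ?? null;
    if (!is_array($sub) || empty($sub['subscription_id']) || empty($sub['customer_id'])) {
        throw new UnexpectedValueException('Missing data.subscription ids');
    }
    return [
        'event_type'      => $eventType,
        'event_id'        => (string) ($payload['event_id'] ?? ''),
        'subscription_id' => (string) $sub['subscription_id'],
        'customer_id'     => (string) $sub['customer_id'],
    ];
}

// Signature first, then parse, then dispatch on event_type. Returns the action to take.
function handleWebhook(string $rawBody, array $headers, string $secret): string
{
    if (!verifySignature($rawBody, $headers['X-Zoho-Webhook-Signature'] ?? '', $secret)) {
        return 'rejected: bad signature';
    }
    $event = parseWebhook($rawBody);
    return match ($event['event_type']) {
        'new_subscription'                    => "activate membership for customer {$event['customer_id']} (event {$event['event_id']})",
        'subscription_cancelled'              => "deactivate membership for customer {$event['customer_id']} (event {$event['event_id']})",
        'subscription_cancellation_scheduled' => "flag membership ending for customer {$event['customer_id']} (event {$event['event_id']})",
    };
}

// Constructed sample: a genuine body, then the same body with one field tampered after signing.
$secret = 'replace-with-your-webhook-secret';
$body = json_encode([
    'event_id'   => 'evt_constructed_1',
    'event_type' => 'new_subscription',
    'data'       => ['subscription' => ['subscription_id' => 'sub_constructed_1', 'customer_id' => 'cust_constructed_1']],
]);
$headers = ['X-Zoho-Webhook-Signature' => hash_hmac('sha256', $body, $secret)];
echo handleWebhook($body, $headers, $secret), PHP_EOL;
$tampered = str_replace('cust_constructed_1', 'cust_other', $body);
echo handleWebhook($tampered, $headers, $secret), PHP_EOL;   // rejected: bad signature
```

Read the body with file_get_contents('php://input') rather than re-encoding $_POST, because the HMAC is over the exact bytes Zoho sent; any re-serialisation changes them. The cross-check against the subscription info API that the answer recommends happens after this function returns, keyed on the subscription_id it extracted.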

PHP Paypal plus Integrate Pay upon Invoice

I integrated Paypal Plus in my page and everything worked well in "Sandbox" mode, now I changed the mode to "live" and the Pay upon Invoice selection in my Payment wall somehow disappeared.
My js code for Payment wall is
var ppp = PAYPAL.apps.PPP({
  "approvalUrl": "<?=$approvalUrl?>",
  "placeholder": "ppplus",
  "mode": "live",
  "country": "DE",
  "language": "de_DE",
  useraction: "commit",
  buttonLocation: "outside"
});
I'm a little bit confused about this whole Invoice thing... do I have to change something in my PHP code to use it, or do I actually have to create a new Invoice() instead of a new Payment()? Until now I just created a new Payment(), filled all the information (prices, shipping address) into it and used the approval_url to render the payment wall. Where is my error?
Thank you very much
I guess that "pay upon invoice" is not unlocked by paypal for your account. You have to apply for it.

BitPay API notifications: security risk?

I'm currently implementing the BitPay API (in PHP). All works fine but I'm a bit worried about a possible security risk when receiving notifications.
The BitPay API sends these notifications with status updates using a POST request to a given notification url containing a JSON string like this:
{
  "id": "123BitPayInvoiceID",
  "url": "https://bitpay.com/invoice?id=123BitPayInvoiceID",
  "posData": "6G38ZL",
  "status": "paid",
  "btcPrice": "0.0512",
  "price": 29.14,
  "currency": "USD",
  "invoiceTime": 1407881291063,
  "expirationTime": 1407882191063,
  "currentTime": 1407882058099,
  "btcPaid": "0.0512",
  "rate": 568.69,
  "exceptionStatus": false,
  "bitpay": {
    "id": "123BitPayInvoiceID",
    "url": "https://bitpay.com/invoice?id=123BitPayInvoiceID",
    "posData": "{\"paymentID\":\"123PAYMENTID\",\"orderID\":\"123ORDERID\"}",
    "status": "confirmed",
    "btcPrice": "0.0512",
    "price": 29.14,
    "currency": "USD",
    "invoiceTime": 1407881291063,
    "expirationTime": 1407882191063,
    "currentTime": 1407882058099,
    "btcPaid": "0.0512",
    "rate": 568.69,
    "exceptionStatus": false
  }
}
When I look up the payment in our database I want to change it to 'confirmed'.
It seems to me this is a security risk, since anyone can send fake notifications; someone who started the payment and wants that payment to be confirmed can send this request with status set to 'confirmed'.
My questions:
Should I be worried in the first place? I could check where the request is from, use a notification URL that is not easy to guess, etc., but I still would not feel comfortable security-wise.
I could always distrust any notification and send a status request to the API when a notification comes in. Would this be a good practice?
Are there any other (better) ways you know of to safely use these notifications?
Thanks in advance!
All the advice you are looking for is in their docs...
https://bitpay.com/docs/invoice-callbacks
We would advise you to open a non-standard port and specify that port within the notificationURL instead of white listing BitPay IP addresses as they are subject to change without notice. Since we are not yet signing these notifications they should not be trusted outright. We recommend verifying these notifications against our API when they are received to make sure the data presented is authentic. For example when an invoice paid notification comes in, you should make a request to our API to check the status of that invoice to make sure it was actually paid. This provides additional security in verifying paid orders.
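What "verify against our API" looks like in the receiver, as an added PHP example (not BitPay's library and not the answerer's code). The notification is treated only as a trigger: the status in its body is parsed but never acted on, and the order state is driven solely by a fresh lookup of the invoice. The $fetchInvoice callable stands in for the GET of the invoice from BitPay's API so the logic runs offline; the order record and the forged notification are constructed, reusing the placeholder ids from the question.

```php
<?php
// Added example; $fetchInvoice is a stand-in for the real invoice lookup, see lead-in.
declare(strict_types=1);

// Order states we are prepared to move between, forward only.
const ORDER_RANK = ['new' => 0, 'paid' => 1, 'confirmed' => 2, 'complete' => 3];

// Extracts only the two things a notification is good for: which invoice, which order.
function parseNotification(string $rawBody): array
{
    $n = json_decode($rawBody, true, 8, JSON_THROW_ON_ERROR);
    if (empty($n['id']) || !is_string($n['id'])) {
        throw new UnexpectedValueException('notification without invoice id');
    }
    // posData is our own opaque string echoed back by BitPay; it carries the order id.
    $pos = json_decode((string) ($n['posData'] ?? ''), true);
    if (!is_array($pos) || empty($pos['orderID'])) {
        throw new UnexpectedValueException('posData does not carry an orderID');
    }
    // The notification's own "status" is deliberately not returned: a forged POST can claim anything.
    return ['invoiceId' => $n['id'], 'orderId' => (string) $pos['orderID']];
}

/**
 * $order: ['id', 'invoiceId', 'status', 'price' (float), 'currency'] as stored when the invoice was created.
 * $fetchInvoice: string invoiceId -> array, the authoritative invoice from BitPay's API.
 * Returns the order's new status (unchanged if nothing checks out).
 */
function processNotification(string $rawBody, array $order, callable $fetchInvoice): string
{
    $n = parseNotification($rawBody);
    // Bind the notification to our record: the invoice must be the one we created for this order.
    if ($n['orderId'] !== $order['id'] || $n['invoiceId'] !== $order['invoiceId']) {
        return $order['status'];
    }
    $invoice = $fetchInvoice($n['invoiceId']);
    $status  = (string) ($invoice['status'] ?? '');
    // Amount and currency must match what we charged, and the status must be one we understand.
    if (($invoice['currency'] ?? '') !== $order['currency']
        || abs((float) ($invoice['price'] ?? 0) - $order['price']) > 0.005
        || !array_key_exists($status, ORDER_RANK)) {
        return $order['status'];
    }
    // Only advance; a late "paid" arriving after "confirmed" must not regress the order.
    return ORDER_RANK[$status] > ORDER_RANK[$order['status']] ? $status : $order['status'];
}

// Constructed sample: a forged notification claims "confirmed" while the API still says "paid".
$order  = ['id' => '123ORDERID', 'invoiceId' => '123BitPayInvoiceID', 'status' => 'new',
           'price' => 29.14, 'currency' => 'USD'];
$forged = json_encode([
    'id'      => '123BitPayInvoiceID',
    'status'  => 'confirmed',
    'posData' => json_encode(['paymentID' => '123PAYMENTID', 'orderID' => '123ORDERID']),
]);
$api = fn (string $id): array => ['id' => $id, 'status' => 'paid', 'price' => 29.14, 'currency' => 'USD'];
echo processNotification($forged, $order, $api), PHP_EOL;   // paid, not confirmed
```

Because the forged body contributes nothing but the lookup key, the worst an attacker can do by posting to the notification URL is make the server re-query an invoice it already owns; the "confirmed" claim never reaches the database. Rate-limit the endpoint so that re-query cannot be turned into a flood against your API quota.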

PayPal - Unable to verify the payment using Transaction ID (GetTransactionDetails API)

There are a lot of discussions about similar issues but I couldn’t find the exact answer.
Here is the problem:
I'm trying to integrate in-app payment on Android using the latest PayPal MSDK library. The integration was straightforward: I could make a successful single payment and receive a proper response, and things were OK until I had to verify the mobile payment.
In the mobile app (using PayPalConfiguration.ENVIRONMENT_SANDBOX), I receive the following response:
{
  "client": {
    "environment": "sandbox",
    "paypal_sdk_version": "2.2.2",
    "platform": "Android",
    "product_name": "PayPal-Android-SDK"
  },
  "response": {
    "create_time": "2014-08-05T19:49:19Z",
    "id": "PAY-0D205735ER3716140KPQTKPY",
    "intent": "sale",
    "state": "approved"
  },
  "response_type": "payment"
}
As you can see, the transaction ID is: PAY-0D205735ER3716140KPQTKPY
When I try to verify the payment by making request with this transaction ID from my server to PayPal, the response is always the same:
{
  "Errors": [
    {
      "L_ERRORCODE": "10004",
      "L_SHORTMESSAGE": "Transaction refused because of an invalid argument. See additional error messages for details.",
      "L_LONGMESSAGE": "The transaction id is not valid",
      "L_SEVERITYCODE": "Error"
    }
  ]
}
When I check in the PayPal Sandbox test account site -> Notifications, the test transaction ids are completely different. For the above transaction, the transaction id is:
5DY75733624918945
If I use this transaction ID in my verification request – the response from the PayPal is OK.
According to the documentation, I should use the id from the mobile app response (moreover, I do not know any other way to retrieve a transaction id…).
I'm using a test sandbox account, tried with different types of payment (PayPal button and CC), tried even with real transactions - the result is the same.
Do you guys know why they are different?
Please take a closer look at https://developer.paypal.com/webapps/developer/docs/integration/mobile/verify-mobile-payment/
The SDK returns a payment ID which can be used to retrieve a payment resource using GET. The payment will contain one or more transactions (in your case, a single sale transaction) in the related_resources section.
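The server-side check the answer describes, as an added PHP example (not PayPal's SDK and not the answerer's code). The input is the decoded JSON of the payment resource that the server fetches itself with GET /v1/payments/payment/{payment-id} using the PAY-... id the app reported; the HTTP call and OAuth token handling are left out. The function walks transactions[].related_resources[] for a completed sale and only accepts it if amount and currency equal what the server expected for this order, since the app's own claim about the amount is untrusted input. The sample resource is constructed, reusing the two ids from the question; the 10.00 USD amount is made up.

```php
<?php
// Added example; the payment resource below is constructed, see lead-in.
declare(strict_types=1);

// Compare decimal amounts the way PayPal formats them (two places), without float surprises.
function sameAmount(string $a, string $b): bool
{
    return number_format((float) $a, 2, '.', '') === number_format((float) $b, 2, '.', '');
}

/**
 * Returns the id of the completed sale transaction inside the payment resource that matches
 * the expected total and currency, or null if the payment should not be treated as paid.
 */
function completedSaleId(array $payment, string $expectedTotal, string $expectedCurrency): ?string
{
    // The PAY-... id is the payment, not a transaction; the sale id lives in related_resources.
    if (($payment['intent'] ?? '') !== 'sale' || ($payment['state'] ?? '') !== 'approved') {
        return null;
    }
    foreach ($payment['transactions'] ?? [] as $tx) {
        foreach ($tx['related_resources'] ?? [] as $res) {
            $sale = $res['sale'] ?? null;
            if (!is_array($sale) || ($sale['state'] ?? '') !== 'completed' || empty($sale['id'])) {
                continue;   // authorizations, refunds or pending sales are not proof of payment
            }
            $amount = $sale['amount'] ?? [];
            if (($amount['currency'] ?? '') === $expectedCurrency
                && sameAmount((string) ($amount['total'] ?? '0'), $expectedTotal)) {
                return (string) $sale['id'];
            }
        }
    }
    return null;
}

// Constructed payment resource shaped like the GET response for the id from the question.
$payment = [
    'id'     => 'PAY-0D205735ER3716140KPQTKPY',
    'intent' => 'sale',
    'state'  => 'approved',
    'transactions' => [[
        'amount' => ['total' => '10.00', 'currency' => 'USD'],
        'related_resources' => [[
            'sale' => [
                'id'     => '5DY75733624918945',
                'state'  => 'completed',
                'amount' => ['total' => '10.00', 'currency' => 'USD'],
            ],
        ]],
    ]],
];
var_dump(completedSaleId($payment, '10.00', 'USD'));   // string "5DY75733624918945"
var_dump(completedSaleId($payment, '99.00', 'USD'));   // NULL: amount does not match this order
```

The sale id this returns is the transaction id the question found under Notifications, which is why GetTransactionDetails rejected the PAY-... id: the two identify different objects. Store the sale id against the order once, and treat a second payment resource that yields the same sale id as a replay rather than a new purchase.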

Paypal: Why do I get 'success' for a direct recurring payment if nothing is recorded?

I am using the Paypal API (Website Payments Pro) to set up recurring payments with customers, and am currently testing in the paypal-sandbox. Paypal requires me to set up both Express Checkout and Direct Payment.
Express Checkout: Works fully with recurring payments. I get a 'success' response, and I can see the payment profile in my test account. To do this, I use SetExpressCheckout to have a user be able to get to Paypal, sign in, and be redirected to a page of my choice. I then use 'CreateRecurringPaymentsProfile' to actually create the profile with the required information.
Direct Payment: I do get a 'success' response as outlined below, but I cannot see the recurring payment profile in the test account. I am simply gathering the information on my site and sending it off to Paypal with 'CreateRecurringPaymentsProfile'.
Here is the 'success' output of my attempt at creating a recurring payment:
ACK: "Success"
AMT: "1%2e00"
AVSCODE: "X"
BUILD: "2075688"
CORRELATIONID: "bbfe83b685c0a"
CURRENCYCODE: "USD"
CVV2MATCH: "M"
TIMESTAMP: "2011%2d09%2d12T14%3a27%3a58Z"
TRANSACTIONID: "62214391KD595633B"
VERSION: "54%2e0"
I can try to provide any other details! Any help is appreciated.
Edit: Thanks for the help thus far. I am, however, receiving a success message once again with no proof of the transaction in the test account. The JSON output is this:
ACK: "Success"
BUILD: "2085867"
CORRELATIONID: "3e84486e74e80"
PROFILEID: "I%2d4Y707DELPFKD"
PROFILESTATUS: "ActiveProfile"
TIMESTAMP: "2011%2d09%2d12T20%3a13%3a15Z"
VERSION: "78%2e0"
Thanks a lot,
Daniel Moniz
You're not seeing a profile because you're calling DoDirectPayment (which is only for one-off payments).
If you want to set up a recurring payment against a card (rather than a PayPal account) you would call CreateRecurringPaymentsProfile as well, but simply specify the card details rather than the token. From the response you're showing, you're not doing this.
See also https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_CreateRecurringPayments - "Credit Card Details fields".
A sample call would be:
METHOD=CreateRecurringPaymentsProfile&
PROFILESTARTDATE=YYYY-mm-ddTH:i&
DESC=Test&
BILLINGPERIOD=Month&
BILLINGFREQUENCY=12&
AMT=0.01&
CREDITCARDTYPE=Visa&
ACCT=4111111111111111&
EXPDATE=102012&
CVV2=111
Edit: I followed it and got a 'start date is required' error, which was solved by replacing the space with a T between date and time in PROFILESTARTDATE,
i.e. PROFILESTARTDATE=YYYY-mm-ddTH:i
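The NVP request the answer sketches, built and decoded in PHP as an added example (not the answerer's code and not PayPal's SDK). It shows the METHOD being set explicitly to CreateRecurringPaymentsProfile, the PROFILESTARTDATE formatted with the literal T that the edit above found necessary (here in full ISO-8601 UTC form with seconds and a trailing Z, which I believe PayPal accepts; adjust if your account rejects it), and how to decode the %2e / %2d escaping seen in the question's output, which is plain URL encoding of the NVP response. Sending the request over HTTPS is omitted; the card values are the sandbox test values from the answer, and the response string is constructed from the question's second output.

```php
<?php
// Added example; the response body below is constructed from values in the question, see lead-in.
declare(strict_types=1);

// Builds the URL-encoded NVP body for a card-based recurring profile (no Express Checkout token).
function buildRecurringProfileRequest(array $card, string $amount, DateTimeImmutable $start): string
{
    $fields = [
        'METHOD'           => 'CreateRecurringPaymentsProfile',
        'VERSION'          => '78.0',
        // Date and time joined by a literal T, in UTC; a space here yields "start date is required".
        'PROFILESTARTDATE' => $start->setTimezone(new DateTimeZone('UTC'))->format('Y-m-d\TH:i:s\Z'),
        'DESC'             => 'Test',
        'BILLINGPERIOD'    => 'Month',
        'BILLINGFREQUENCY' => '12',
        'AMT'              => $amount,
        'CURRENCYCODE'     => 'USD',
        'CREDITCARDTYPE'   => $card['type'],
        'ACCT'             => $card['number'],
        'EXPDATE'          => $card['exp'],     // MMYYYY
        'CVV2'             => $card['cvv2'],
    ];
    // http_build_query URL-encodes each value, which is exactly the NVP wire format.
    return http_build_query($fields);
}

// Decodes an NVP response: parse_str splits on & and = and URL-decodes values (%2e -> ".").
function parseNvpResponse(string $body): array
{
    $out = [];
    parse_str($body, $out);
    return $out;
}

// A profile exists only if ACK is a success code AND a PROFILEID with an active status came back.
function profileCreated(array $nvp): bool
{
    return in_array($nvp['ACK'] ?? '', ['Success', 'SuccessWithWarning'], true)
        && ($nvp['PROFILESTATUS'] ?? '') === 'ActiveProfile'
        && !empty($nvp['PROFILEID']);
}

// Constructed run: build a request, then decode a response shaped like the question's second output.
$card = ['type' => 'Visa', 'number' => '4111111111111111', 'exp' => '102012', 'cvv2' => '111'];
echo buildRecurringProfileRequest($card, '0.01', new DateTimeImmutable('2011-09-12 14:27', new DateTimeZone('UTC'))), PHP_EOL;

$raw = 'ACK=Success&BUILD=2085867&CORRELATIONID=3e84486e74e80&PROFILEID=I%2d4Y707DELPFKD'
     . '&PROFILESTATUS=ActiveProfile&TIMESTAMP=2011%2d09%2d12T20%3a13%3a15Z&VERSION=78%2e0';
$nvp = parseNvpResponse($raw);
echo $nvp['PROFILEID'], ' ', $nvp['TIMESTAMP'], PHP_EOL;   // I-4Y707DELPFKD 2011-09-12T20:13:15Z
var_dump(profileCreated($nvp));                             // bool(true)

// The question's first output (DoDirectPayment) has ACK=Success but no PROFILEID, so it fails the check.
var_dump(profileCreated(parseNvpResponse('ACK=Success&TRANSACTIONID=62214391KD595633B&AMT=1%2e00')));   // bool(false)
```

The last line is the point of the answer: a bare ACK=Success from DoDirectPayment proves a one-off charge went through, not that a profile exists, so the code should key on PROFILEID and PROFILESTATUS rather than on ACK alone.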
