I'm currently implementing the BitPay API (in PHP). All works fine but I'm a bit worried about a possible security risk when receiving notifications.
The BitPay API sends these notifications with status updates using a POST request to a given notification url containing a JSON string like this:
{
    "id": "123BitPayInvoiceID",
    "url": "https://bitpay.com/invoice?id=123BitPayInvoiceID",
    "posData": "6G38ZL",
    "status": "paid",
    "btcPrice": "0.0512",
    "price": 29.14,
    "currency": "USD",
    "invoiceTime": 1407881291063,
    "expirationTime": 1407882191063,
    "currentTime": 1407882058099,
    "btcPaid": "0.0512",
    "rate": 568.69,
    "exceptionStatus": false,
    "bitpay":
    {
        "id": "123BitPayInvoiceID",
        "url": "https://bitpay.com/invoice?id=123BitPayInvoiceID",
        "posData": "{\"paymentID\":\"123PAYMENTID\",\"orderID\":\"123ORDERID\"}",
        "status": "confirmed",
        "btcPrice": "0.0512",
        "price": 29.14,
        "currency": "USD",
        "invoiceTime": 1407881291063,
        "expirationTime": 1407882191063,
        "currentTime": 1407882058099,
        "btcPaid": "0.0512",
        "rate": 568.69,
        "exceptionStatus": false
    }
}
When I look up the payment in our database I want to change it to 'confirmed'.
It seems to me this is a security risk, since anyone can send fake notifications; someone who started the payment and wants that payment to be confirmed can send this request with status set to 'confirmed'.
My questions:
Should I be worried in the first place? I could check where the request is from, use a notification URL that is not easy to guess, etc., but I still would not feel comfortable security-wise;
I could always distrust any notification and send a status request to the API when a notification comes in. Would this be a good practice?;
Are there any other (better) ways you know of to safely use these notifications?
Thanks in advance!
All the advice you are looking for is in their docs...
https://bitpay.com/docs/invoice-callbacks
We would advise you to open a non-standard port and specify that port within the notificationURL instead of whitelisting BitPay IP addresses, as they are subject to change without notice. Since we are not yet signing these notifications, they should not be trusted outright. We recommend verifying these notifications against our API when they are received to make sure the data presented is authentic. For example, when an invoice paid notification comes in, you should make a request to our API to check the status of that invoice to make sure it was actually paid. This provides additional security in verifying paid orders.
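The pattern the docs describe, as an added PHP example that is neither BitPay's code nor the asker's: the POST body is used only to learn which invoice to look at, and the status that drives the database update comes from a fresh lookup against BitPay's API. The endpoint URL constant, its authentication and the exact JSON shape are placeholders to be taken from the BitPay docs for your API version.

```php
<?php
// Added example, not BitPay's code: the POST body only names an invoice; status,
// price and currency are taken from a fresh API lookup, never from the body.
// BITPAY_INVOICE_URL, its auth and the JSON shape are placeholders; use the docs.
const BITPAY_INVOICE_URL = 'https://bitpay.com/api/invoice/'; // placeholder
/** Fetch the invoice record from BitPay over verified TLS; null on any failure. */
function fetchInvoice(string $invoiceId): ?array
{
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $invoiceId)) { // validate before building a URL
        return null;
    }
    $ch = curl_init(BITPAY_INVOICE_URL . rawurlencode($invoiceId));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // TLS is what proves we are talking to BitPay
        CURLOPT_TIMEOUT        => 10,
        // add the API key/token header the docs require for your API version
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        return null;
    }
    $json = json_decode($body, true);
    return is_array($json) ? $json : null;
}

/** Returns the API's copy of the invoice if it is really confirmed, else null. */
function verifiedInvoice(array $notification, callable $lookup): ?array
{
    $id = $notification['id'] ?? null;
    if (!is_string($id)) {
        return null;
    }
    $invoice = $lookup($id);
    if ($invoice === null || ($invoice['id'] ?? null) !== $id) {
        return null;
    }
    return in_array($invoice['status'] ?? '', ['confirmed', 'complete'], true) ? $invoice : null;
}

// Endpoint glue: answer 200 either way so BitPay stops retrying; act only on verified data.
$notification = json_decode((string) file_get_contents('php://input'), true);
$invoice = verifiedInvoice(is_array($notification) ? $notification : [], 'fetchInvoice');
if ($invoice !== null) {
    // Update your own payment row here, keyed by $invoice['id'], after checking price/currency against the order.
}
http_response_code(200);
```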
Related
I am trying to fetch order status in real time in PHP but am not able to find a proper way or documentation so I can go ahead.
In the Sales API I am getting details of sold subscriptions, but I want payment pending and cancelled orders too.
In the documentation I found the link below:
https://developers.google.com/android-publisher/api-ref/rest/v3/monetization.subscriptions/list
I get the output below when I run it in "Try this method":
{
    "error": {
        "code": 403,
        "message": "The project ID used to call the Google Play Developer API has not been linked in the Google Play Developer Console.",
        "status": "PERMISSION_DENIED"
    }
}
But I am not able to implement it in PHP.
I had the same question, so I raised a ticket and got the reply that Google Play does not provide any API for order status; it's available for Kotlin and Java only.
I'm trying to allow customers to change their Stripe plan via the API, but 3D Secure test cards are failing even though they should be authenticated for future use.
My API call is as follows:
$stripe->subscriptions->update(
    $subscription_id, [
        'items' => [
            [
                'id' => $subscription->items->data[0]->id,
                'price' => $new_plan_id,
            ],
        ],
    ]);
This works absolutely fine with a standard card number (e.g. 4242 4242 4242 4242)
However for 3DS cards it returns a 402 error:
{
    "error": {
        "code": "subscription_payment_intent_requires_action",
        "message": "Payment for this subscription requires additional user action before it can be completed successfully. Payment can be completed using the PaymentIntent associated with `subscription.latest_invoice`. Additional information is available here: https://stripe.com/docs/billing/subscriptions/overview#requires-action",
        "type": "card_error"
    }
}
I'm using test card numbers which require authentication the first time (which is done when the subscription is created), but should succeed subsequent times according to this page https://stripe.com/docs/testing.
I've also tried the JavaScript route as an alternative, in order to check the response of the API call and then trigger the stripe.ConfirmCardPayment() routine if authentication is required, but the fatal PHP error kills the script before it even gets to that point.
Any ideas how I could resolve this?
Which card specifically are you using? What is the exact flow you're using for the initial setup?
If you're talking about the 3155 card, you need to explicitly set it up for future use with either a Setup Intent or using setup_future_usage with a payment intent. It is not automatically set up for future usage simply by authenticating the first time.
You may wish to use the 0446 card to simulate this setup, but I encourage you to ensure you've got the implementation ready for real world scenarios by actually going through the setup flow.
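An added PHP example (not Stripe's code and not the asker's) of the server side of that flow once the card has been saved for off-session use with a SetupIntent or setup_future_usage, as the answer describes: the update asks Stripe to return the subscription instead of throwing when 3DS is needed, and a card error is caught rather than becoming the fatal error from the question. It assumes stripe-php installed via Composer, a STRIPE_SECRET_KEY environment variable, and an API version that still exposes latest_invoice.payment_intent.

```php
<?php
// Added example, not Stripe's or the asker's code. Assumes stripe-php via Composer,
// STRIPE_SECRET_KEY in the environment, a card saved for off-session use with a
// SetupIntent (or setup_future_usage) as the answer describes, and an API version
// that still exposes latest_invoice.payment_intent.
require 'vendor/autoload.php';

/**
 * Switch $subscriptionId to $newPriceId. Returns ['status' => 'ok'],
 * ['status' => 'requires_action', 'client_secret' => ...] so the browser can run
 * stripe.confirmCardPayment(), or ['status' => 'declined', ...]. A card error is
 * caught here instead of becoming the fatal PHP error described in the question.
 */
function changePlan(\Stripe\StripeClient $stripe, string $subscriptionId, string $newPriceId): array
{
    $subscription = $stripe->subscriptions->retrieve($subscriptionId);
    try {
        $updated = $stripe->subscriptions->update($subscriptionId, [
            'items' => [[
                'id'    => $subscription->items->data[0]->id,
                'price' => $newPriceId,
            ]],
            // Return the subscription (status past_due) instead of throwing when
            // 3DS is required; the default error_if_incomplete throws a CardException.
            'payment_behavior' => 'allow_incomplete',
            'expand'           => ['latest_invoice.payment_intent'],
        ]);
    } catch (\Stripe\Exception\CardException $e) {
        // Declines still arrive here; report them without leaking the exception.
        return ['status' => 'declined', 'code' => $e->getError()->code];
    }
    $pi = $updated->latest_invoice->payment_intent ?? null;
    if ($pi !== null && $pi->status === 'requires_action') {
        // Only the client secret goes to the browser; the amount stays server-side.
        return ['status' => 'requires_action', 'client_secret' => $pi->client_secret];
    }
    return ['status' => 'ok'];
}

// Endpoint glue: check that subscription_id belongs to the logged-in customer first.
$stripe = new \Stripe\StripeClient((string) getenv('STRIPE_SECRET_KEY'));
$result = changePlan($stripe, (string) $_POST['subscription_id'], (string) $_POST['price_id']);
header('Content-Type: application/json');
echo json_encode($result);
```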
I am creating a Shopify app using PHP. To start, I am following this skeleton, and after some debugging I am able to set it up and install it.
I need to register some webhooks through my app installation but I can't find any reference for the same.
I need to register webhooks for events like a new customer registering, an order being placed, etc. How can I register those webhooks through the app?
I know we can register the webhooks from the Shopify admin manually, but I need to register them through the app.
Just make a POST request to the "/admin/webhooks.json" endpoint with the following data:
{
    "webhook": {
        "topic": "orders/create",
        "address": "http://www.example.com/create-order-webhook",
        "format": "json"
    }
}
This will register the webhook and fire it to the http://www.example.com/create-order-webhook address with the order details whenever a new order is created.
You can get the number of registered webhooks:
GET /admin/webhooks/count.json
HTTP/1.1 200 OK
{
    "count": 2
}
Also note that you need to respond quickly with a status of 200, so whatever task you need to do, do it in the background, and you may also need to verify that the webhook was fired from Shopify only.
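The "verify that the webhook was fired from Shopify" step, as an added PHP example that is neither Shopify's code nor the answerer's: Shopify signs each delivery with HMAC-SHA256 over the raw body using the app's shared secret and sends the base64 digest in the X-Shopify-Hmac-Sha256 header. The SHOPIFY_WEBHOOK_SECRET variable and the spool directory are assumptions.

```php
<?php
// Added example, not Shopify's or the answerer's code. Shopify signs every webhook
// delivery with HMAC-SHA256 over the raw request body using the app's shared secret
// and sends it base64-encoded in the X-Shopify-Hmac-Sha256 header; verify that
// before touching the payload. SHOPIFY_WEBHOOK_SECRET is an assumed env var name.

/** Constant-time check of a Shopify webhook signature. */
function shopifyWebhookIsAuthentic(string $rawBody, string $headerHmac, string $secret): bool
{
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
    return hash_equals($expected, $headerHmac); // hash_equals avoids timing leaks
}

// --- endpoint glue ---
$secret  = (string) getenv('SHOPIFY_WEBHOOK_SECRET');
$rawBody = (string) file_get_contents('php://input');   // the raw, unparsed body
$header  = (string) ($_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '');

if ($secret === '' || !shopifyWebhookIsAuthentic($rawBody, $header, $secret)) {
    http_response_code(401); // unsigned or forged delivery: reject, do nothing
    exit;
}

$order = json_decode($rawBody, true);
if (!is_array($order)) {
    http_response_code(400);
    exit;
}

// Verified. Queue the work and answer 200 at once; Shopify retries on slow or
// non-2xx responses, so key the background job on the delivery id to keep it idempotent.
$deliveryId = (string) ($_SERVER['HTTP_X_SHOPIFY_WEBHOOK_ID'] ?? '');
$jobFile = '/var/spool/myapp/' . hash('sha256', $deliveryId . $rawBody) . '.json'; // assumed spool dir
file_put_contents($jobFile, $rawBody, LOCK_EX);
http_response_code(200);
```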
I have developed a script using the Google Calendar API for PHP that retrieves the event data of a business account managed with G Suite; it retrieves practically all the data except the colorId and creator->displayName, which it delivers as null.
I tested this same script with my personal Gmail account and it retrieves absolutely everything.
What should I consider in this case?
This is the intended behavior. If you perform this API call on the events that you yourself have created, it will return the colorId and your creator. But if you didn't create the event, you won't have access to these properties.
Here's a sample response from my own event:
{
    "colorId": "5",
    "creator": {
        "email": "bruceWayne#marvelstudios.com",
        "self": true
    }
}
Additional Note:
The creator.displayName isn't always available.
The creator's name, if available.
There are a lot of discussions about similar issues but I couldn’t find the exact answer.
Here is the problem:
I'm trying to integrate in-app payment in Android OS using the latest PayPal MSDK library. The integration was straightforward: I could make a successful single payment and receive a proper response, and things were OK until I had to verify the mobile payment.
In the mobile app (using PayPalConfiguration.ENVIRONMENT_SANDBOX), I receive the following response:
{
    "client": {
        "environment": "sandbox",
        "paypal_sdk_version": "2.2.2",
        "platform": "Android",
        "product_name": "PayPal-Android-SDK"
    },
    "response": {
        "create_time": "2014-08-05T19:49:19Z",
        "id": "PAY-0D205735ER3716140KPQTKPY",
        "intent": "sale",
        "state": "approved"
    },
    "response_type": "payment"
}
As you can see, the transaction ID is: PAY-0D205735ER3716140KPQTKPY
When I try to verify the payment by making a request with this transaction ID from my server to PayPal, the response is always the same:
{
    "Errors":
    [
        {
            "L_ERRORCODE": "10004",
            "L_SHORTMESSAGE": "Transaction refused because of an invalid argument. See additional error messages for details.",
            "L_LONGMESSAGE": "The transaction id is not valid",
            "L_SEVERITYCODE": "Error"
        }
    ]
}
When I check in the PayPal Sandbox test account site -> Notifications, the test transaction IDs are completely different. For the above transaction, the transaction ID is:
5DY75733624918945
If I use this transaction ID in my verification request – the response from the PayPal is OK.
According to the documentation, I should use the id from the mobile app response (moreover, I do not know another way to retrieve a transaction id...).
I'm using a test sandbox account, tried different types of payment (PayPal button and CC), and tried even with real transactions; the result is the same.
Do you guys know why they are different?
Please take a closer look at https://developer.paypal.com/webapps/developer/docs/integration/mobile/verify-mobile-payment/
The SDK returns a payment ID which can be used to retrieve a payment resource using GET. The payment will contain one or more transactions (in your case, a single sale transaction) in the related_resources section.
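An added PHP example (not PayPal's code and not the answerer's) of the step after that GET: it walks the payment resource's transactions and related_resources, picks out the sale ids (the ones the Sandbox Notifications page shows) and accepts only sales that are completed, belong to the expected payment id and match the order's amount. The payment JSON is constructed from the two ids quoted in the question; the amount is invented.

```php
<?php
// Added example, not PayPal's code: after GET /v1/payments/payment/{payment_id} with
// the SDK's payment id, pick out the sale transactions (the ids shown under
// Notifications) and accept only completed ones matching the order. The JSON is
// constructed from the question's ids; the amount is invented.
$paymentJson = <<<'JSON'
{
  "id": "PAY-0D205735ER3716140KPQTKPY",
  "intent": "sale",
  "state": "approved",
  "transactions": [{
    "amount": {"total": "9.99", "currency": "USD"},
    "related_resources": [{
      "sale": {
        "id": "5DY75733624918945",
        "state": "completed",
        "amount": {"total": "9.99", "currency": "USD"},
        "parent_payment": "PAY-0D205735ER3716140KPQTKPY"
      }
    }]
  }]
}
JSON;

/** Ids of completed sales that belong to $expectedPaymentId and match total/currency;
 *  [] means the order must not be marked paid. Amounts compare as 2-decimal strings. */
function completedSaleIds(array $payment, string $expectedPaymentId, string $expectedTotal, string $currency): array
{
    if (($payment['id'] ?? null) !== $expectedPaymentId || ($payment['state'] ?? null) !== 'approved') {
        return [];
    }
    $ids = [];
    foreach ($payment['transactions'] ?? [] as $tx) {
        foreach ($tx['related_resources'] ?? [] as $res) {
            $sale = $res['sale'] ?? null;
            if ($sale === null || ($sale['state'] ?? '') !== 'completed') {
                continue;
            }
            $total = number_format((float) ($sale['amount']['total'] ?? 0), 2, '.', '');
            if ($total === $expectedTotal && ($sale['amount']['currency'] ?? '') === $currency
                && ($sale['parent_payment'] ?? '') === $expectedPaymentId) {
                $ids[] = (string) $sale['id'];
            }
        }
    }
    return $ids;
}

print_r(completedSaleIds(json_decode($paymentJson, true), 'PAY-0D205735ER3716140KPQTKPY', '9.99', 'USD'));
```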