How to validate a sale with PayPal REST API and IPN - php

I currently have a fully working cart and checkout process through PayPal _xcart method, but I want to migrate it to REST API, mainly because I want to mitigate the possibility of price-jacking. Currently my IPN does check for price jack and sets the according flags so the product doesn't get downloaded (selling digital products only). Anyway more to the point, I found the PayPal documentation very confusing and I'm struggling to get the full grips of it.
This is what I have understood and worked out till now.
Using my PHP script (let's call it page A) I create the cart content, then I create a new PayPal sale and redirect the client to PayPal for authentication
Client authentication on PayPal, then it's redirected back to my site to page B (page B is defined in page A)
Page B needs to get the PaymentID (from page A) and use it to effectively complete the transaction. Once competed finalize the checkout.
Now here are my problems:
a) I had read quite a few forums and tutorials and they all mention that I should use a session to store the PaymentId from Page A and then use it in Page B to finalize the transaction. Some threads on SO suggests that PayPal should actually include the PaymentID in the call to page B, along with the token and the PayerID. Those are almost 3 years old posts and during my testing I see that PayPal now does return the PaymentID as well.
Is this a new thing, did PayPal really started to send the PaymentID as a GET variable? OK I found this on PayPal SDK documentation (not PHP of course some other language) that they return the PaymentID as well as a GET.
Is there any disadvantage on using the GET presented by PayPal compared to storing a session from page A to B? I don't really wan't sessions, so GET will be ideal for me. I guess if it is on PayPal documentation it's safe to use.
Will this work on the live page as well or only in Sandbox?
b) On Page B when I execute the Payment I get a nice JSON as response, but in the same time my IPN listener also gets called, and this is what confuses me big time. Can/Should I just trust all the data which is in the JSON response and more or less ignore the IPN listener? This will make sense for instant download, for example, much more easier to process, or should I still rely on the IPN for data validation?
If I use only the JSON returned to Page B, which are the correct fields to look for and what values? For example, there is a state field which is approved and another (Transactions -> related items -> state) which is competed. Which one do I need to check?
If I rely on the JSON do I still need to check if the paid amount matches the original amount or can I trust that the payment is equal to the amount I have requested in my call?
If I use the IPN how can I pare it with the transaction? The PaymentID doesn't show up in the variables posted to the IPN. The only way I could think of is to get the txn_id from the JSON response, but somehow that feels odd, plus how can I know if the JSON response hit the server BEFORE the IPN?

Can/Should I just trust all the data which is in the JSON response and more or less ignore the IPN listener?
Yes, and no. In that order.
In a nutshell, you can't trust the payment ID in the call to "Page B" (it could be forged, faked, repeated etc) but you can trust the response YourServer->PayPalServer as it can't be intercepted and faked by the end user.
So your process is (as you describe above)
Page A: Create a sessionID (cookie), amount, cart details etc and store in a local database/storage. You can also create a "custom" field to store your own saleID
Send off amount etc to Paypal, which returns you to ....
Page B: Grab the PayPal TransactionID and send back (server->server) to PayPal. Paypal returns the amount, state etc. Then check your database that the amount is the same and that it belongs to the sessionID. If you also use custom fields, check that too. If everything marries, you're good. If not, it's up to you how to handle.
The status should be "complete" for a simple sale at this point; but (as with IPN below) you should verify this.
Do check the amounts, just in case. They should match, but if not, the PayPal one will be what you receive and it's up to you to accept it, flag it (and phone up) or refund through the API and reject the order etc.
So why have IPN?
It is possible that the user completes the transaction on Paypal and then closes their browser before "Page B" is called. In this case, the only way you know about the order is through the IPN.
If you get an IPN notification going to your IPN handler, IPN can still be faked, but there's a slightly different way of verifying.
You actually send the IPN information back to Paypal (server to server) and Paypal confirms it's correct or wrong (https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNIntro/). Your IPN handler will then check the transaction ID (yes, that's what you use) and verify everything matches in the database (just like you do in "Page B"). If it does, mark the order as complete if the status is complete (and if not already marked as complete in "Page B").
Obviously you can't display anything to the user at this point as they are not the ones that called the page.
The docs above warns you that you can get multiple IPNs for the same transaction so you also need to check status.
(Note: you could use the APIs to verify the transactionID as you do in "Page B").
So why not reply on IPN?
Paypal warn that the IPN may not arrive. Paypal explains it best:
Although PayPal usually processes IPN messages immediately, IPN is not synchronized with actions on your website. Internet connectivity is not always 100% reliable and IPN messages can be lost or delayed. The IPN service automatically resends messages until the listener acknowledges them. The service resends messages for up to 4 days.
Because IPN is not a real-time service, your checkout flow should not wait for the IPN message before it is allowed to complete. If the checkout flow is dependent on receiving an IPN message, processing can be delayed by system load or other reasons. You should configure your checkout flow to handle a possible delay.
So back to the original question
Yes: rely on the JSON (server->server) call you make to verify the parameters to "Page B" (and in and the IPN handler if you choose)
No: Don't ignore the IPN in case Page B never gets called. But still run the verification checks here too.
Yes: Check state = complete for both "Page B" and "IPN handler"
Yes: Use the Paypal TransactionID, but mix into your own database with either custom fields or sessionID.
Yes, you can/will get both Page B and IPN notifications, I'd suggest ignoring the IPN if the payment is already marked as completed, otherwise process and handle appropriately. They should be using the same database.

Related

How to verify PayPal Express Checkout details on the server?

I'm just now trying to get up to speed with PayPal Express Checkout (i.e. checkout.js), using the client-side REST integration described here. I see that when payment is complete, my onAuthorize function is invoked with a "payment" object.
I can't find any documentation on this object, but some poking at it reveals the following properties (at least today):
paymentToken
payerID
paymentID
intent
returnUrl
Now I need to redirect the user to the next step on my website, where I show a receipt confirming they've paid, etc. I guess I send the above data to the server, but since that step could be easily spoofed by a malicious user, I will need to verify those details in the PHP code, server side.
How do I do that?
You can make a GET call on your server side to /v1/payments/payment/PAY-XXXXXX with the paymentID and the payerID to get the payment details, and verify those details there.
https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/advanced-payments-api/show-payment-details/
See https://developer.paypal.com/docs/api/overview/#make-your-first-call for some basics on calling the REST api from your server
Assuming you are using PayPal Encrypted Buttons, you don't actually need to verify the amounts sent through server-side. Although a user could indeed manipulate the $_POST data, PayPal's got you covered, and won't allow the transaction to go through. This is because PayPal Encrypted Buttons are generated with your variables such as price built-in to the ID. If the variables don't align with those used to create the button, the transaction is denied.
Alternatively, if you are simply using your own code to make the request, you can secure the payments with PayPal's Instant Payment Notification. Again, this allows any $_POST data to be sent through for the payment. Afterwards, PayPal makes a call to your IPN page in order to validate that the parameters are correct. This is demonstrated in the following workflow:
When communicating with your IPN, if PayPal finds that the values don't match up, the order is cancelled. Assuming that the values match up, you can safely redirect them to your confirmation page.
Hope this helps! :)

Paypal IPN - Getting + then losing data?

I am currently using the following library:
https://github.com/paypal/adaptiveaccounts-sdk-php/tree/master/samples/IPN
And Paypal IPN seems to be working fine... I can successfully checkout and all of the POST data from Paypal is logged to my server, only problem is - How do I check against it when the user is back on the site?
I currently have the return URL set to the same as the IPN url (look in github for code) and after I get all of the valid data, the user gets returned to the IPN page and it says invalid.
Not quite sure, any thoughts?
IPN should NOT be used as the return URL.
Return URL brings the buyer back to your site. The page at the return URL should display either a generic thank you page, or a page indicating the status of the buyer's order. Which one of the above to choose, depends on the PayPal product you select, your integration and your purchasing flow.
The script URL of the IPN listener is used to automate your order handling process. The IPN listener gets the IPN messages, processes your order in your own defined way.
IPN listener should post back very specific data to PayPal IPN endpoint with HTTP Status 200. If it also outputs a page, it makes things too complicated. You would need to differentiate between a buyer visit and a PayPal IPN message, and need to do corresponding display or IPN verification. To make things simple, separating the two things into two pages / scripts would be better and more logical.
I think this is the reason why your buyer gets "invalid": your IPN listener gets the request data when a buyer returns to your listener, and uses the data to verify IPN with PayPal. PayPal returns "invalid" as the data are not from valid IPN messages and thus cannot be verified.
Not a Php dev and haven't looked, but if you really want to use the same URL (I wouldn't - they serve different purposes), then the difference would be the (http) request method:
GET for a redirect and
POST for IPN
That would be one way you'd determine what kind of Request that url is getting and handle as you deem fit.

Paypal IPN and PHP: handle the order before and after Paypal operations

I have already done a small e-commerce with Paypal and it works, but I feel like it is done wrongly.
Because the page that handles the IPN response from Paypal can't read $_SESSION variables, before the user submits the form and is redirected to Paypal, I get all the cart items and store them in a table in the database and also I register a new order with the user information but with the status 0 ( not completed ).
Then, after the user pays and I get the IPN response, I check if the status is completed, check if the amount paid is correct, currency and the usual checks to make sure the payment is successful.
The problem with this approach is that if the user once redirected to Paypal, decide to leave/close the browser/Paypal tab, I will have a failed order registered in the database and I can't delete it but manually.
How can I handle this kind of situation, and is it correct to register the order/cart before the user pays ?
Thank you and sorry for the long post.
If you want to check if the transaction occurs rely on the IPN messages. Depending on which api you are using you have several way to customize the IPN message with useful information for you, ie:
using paypal custom field
define dynamically the IPN url with extra parameter ie www.yoursite.com/ipn?myvar=myval
That way you can have a hook between the payment and the actual user in your application.
Obiusly the php session attributes of the user is not available when the http post comes from paypal.

Paypal: Get Buyer ID before IPN received (Express checkout, PHP)

Payal say that IPN can take a while for orders to be relayed. I am wondering if there is a way with the other Paypal APIs to instantly fetch information about an order, the moment the user is redirected to the success URL of my site.
The problem is that only two variables seem to be relayed in the querystring to my success page: token and PayerID.
The reason I want to do this is I want to allow users to complete the checkout process without logging into my site, but then once the order is complete and they're sent to my success page, I want my site to be able to link them to their previous orders as well as this one, which would be extracted from my database.
Can this be done using token and/or PayerID? If so, how? (I'm using the PHP scripts that the Express checkout wizard provides)
IPN is generally pretty much real-time. There are times when it gets a little lagged and can be kind of slow, but it doesn't seem to happen all that much.
That said, the API calls along within your checkout will indeed return lots of good info in the actual response. Your URL only has the parameters you mentioned (token and Payer ID), however, the GetExpressCheckoutDetails response would have all the buyer info you need, and DoExpressCheckoutPayment will return the transaction ID, payment status, payer status, etc. So the DECP probably has the majority of what you're after.
You can use session variables to save GECD response data and DECP response data accordingly and then update your database, send out email notifications, etc. after calling DECP.
The thing is, the payment could end up being "pending" for various reasons. As such, IPN would still be the best way to handle this sort of thing so that you can update your DB and send out one notification for the pending payment being received, and then another update/email once that payment actually clears.

Correct PayPal Adaptive Payments flow in crowd-funding site. I'm stuck

I am developing a crowd-funding site (similar to Kickstarter) using the CodeIgniter framework.
I "successfully" implemented PayPal's adaptive payments using this library.
But, I'm just not sure how to correctly and securely check for succesfull/failed payments and witch data is important to save to database.
Note: it's a chained delayed payment, I am the primary receiver, and the secondary receiver is the crowd-funding project creator. The money is transferred to the secondary receiver after a predetermined period of time.
The flow I have right now goes like this:
User click to buy a reward.
I use the 'Pay' API operation to request payment (unique TrackingID included) and save the request in the database.
If the request is succesfull, I save some response data in the session (TrackingID, PayKey, amount, ...) and redirect to PayPal..
In this step the user can: accept payment, cancel, or just close the browser, so I dont really know what happens here... (recommendations?)
If the user accepts the payment, he is redirected back to my site and I use data I saved in the session to request a 'PaymentDetails' API operation to obtain information about the payment.
I save the result in database and check to see if the response 'amount' is equal to the request 'amount' (for security).
If everything went OK I update the database and connect the payment TrackingID with the user and the reward he bought.
Later (can be months later), the 'ExecutePayment' API operation is requested by an admin, and the money is transferred from us to the project creator, and we take a small fee (thats how crowd-funding works...)
Now, I'm sure I'm missing lot of things but I have no idea what:
What about the IPN API? I need it? Where it comes to play inside the flow and checks?
What I do if the user closes the browser window when he is in PayPay (out of my site).
I heard that the PayKey is valid for 3 hours, how can I 'ExecutePayment' after months?
How I handle the enormous amount of error types in the PayPal API?
Any tips or examples of others things I need to take care of? Security? Errors? Others?
Thank you very much, I really need your answer!
IPN will automatically POST data to your "listener" (which you'd need to develop) in order to automate post-payment procedures. For example, you could update a database, hit 3rd party web services, generate email receipts, etc. within IPN so that those events happen automatically any time you receive money in your PayPal account. You can also set it up to handle refunds, disputes, and other events. It's not required, but often very useful.
This is one reason IPN can be useful. IPN will be triggered whether the user makes it back to your site or not. If you're doing post-payment processing procedures within your thank you page or something like that, I'd recommend you move it into an IPN solution.
The PayKey is indeed valid for 3 hours when being used as a token. When you call Pay with an ActionType of CREATE, though, it sets up a delayed payment and the PayKey is then valid for up to 90 days.
The error information will always come back in the same format in the response. You can just log or display errors accordingly based on this standard response.
Sounds like you're pretty much on top of everything for the most part.

Categories