PayPal - Unable to verify the payment using Transaction ID (GetTransactionDetails API) - php

There are a lot of discussions about similar issues but I couldn’t find the exact answer.
Here is the problem:
I’m trying to integrate in-app payment in Android OS using the latest PayPal MSDK library. The integration was straightforward, I could make a successful single payment, receive a proper response, and things were OK until I had to verify the mobile payment.
In the mobile app (using PayPalConfiguration.ENVIRONMENT_SANDBOX), I receive the following response:
{
  "client": {
    "environment": "sandbox",
    "paypal_sdk_version": "2.2.2",
    "platform": "Android",
    "product_name": "PayPal-Android-SDK"
  },
  "response": {
    "create_time": "2014-08-05T19:49:19Z",
    "id": "PAY-0D205735ER3716140KPQTKPY",
    "intent": "sale",
    "state": "approved"
  },
  "response_type": "payment"
}
As you can see, the transaction ID is: PAY-0D205735ER3716140KPQTKPY
When I try to verify the payment by making request with this transaction ID from my server to PayPal, the response is always the same:
{
  "Errors": [
    {
      "L_ERRORCODE": "10004",
      "L_SHORTMESSAGE": "Transaction refused because of an invalid argument. See additional error messages for details.",
      "L_LONGMESSAGE": "The transaction id is not valid",
      "L_SEVERITYCODE": "Error"
    }
  ]
}
When I check in the PayPal Sandbox test account site -> Notifications, the test transaction IDs are completely different. For the above transaction, the transaction ID is:
5DY75733624918945
If I use this transaction ID in my verification request – the response from the PayPal is OK.
According to the documentation, I should use the id from the mobile app response (moreover – I do not know any other way to retrieve a transaction id…).
I'm using a test sandbox account, tried with different types of payment (PayPal button and CC), tried even with real transactions - the result is the same.
Do you guys know why they are different?

Please take a closer look at https://developer.paypal.com/webapps/developer/docs/integration/mobile/verify-mobile-payment/
The SDK returns a payment ID which can be used to retrieve a payment resource using GET. The payment will contain one or more transactions (in your case, a single sale transaction) in the related_resources section.
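The lookup this answer describes, as an added PHP example that is not part of the original answer: it walks a payment resource, checks it against what the server expected, and returns the sale IDs found under related_resources. The function name `verifiedSaleIds`, the sample amount and the embedded JSON are constructed for illustration; only the two IDs come from the question.

```php
<?php
// Constructed sample shaped like the payment resource returned by
// GET /v1/payments/payment/{payment_id}. The two IDs are the ones quoted in
// the question; the amount is made up.
$paymentJson = <<<'JSON'
{"id": "PAY-0D205735ER3716140KPQTKPY", "intent": "sale", "state": "approved",
 "transactions": [{
   "amount": {"total": "1.99", "currency": "USD"},
   "related_resources": [{"sale": {
     "id": "5DY75733624918945", "state": "completed",
     "amount": {"total": "1.99", "currency": "USD"},
     "parent_payment": "PAY-0D205735ER3716140KPQTKPY"}}]
 }]}
JSON;

// Hypothetical helper: return the completed sale IDs of a payment, or throw
// when the payment is not the one the server expected to be paid.
function verifiedSaleIds(array $payment, string $expectedId, string $total, string $currency): array
{
    if (($payment['id'] ?? null) !== $expectedId || ($payment['state'] ?? null) !== 'approved') {
        throw new RuntimeException('payment ID or state mismatch');
    }
    $saleIds = [];
    foreach ($payment['transactions'] ?? [] as $tx) {
        foreach ($tx['related_resources'] ?? [] as $resource) {
            $sale = $resource['sale'] ?? null;
            if ($sale === null) {
                continue; // other resource kinds are not sales
            }
            $amount = $sale['amount'] ?? [];
            if (($sale['state'] ?? null) !== 'completed'
                || ($amount['total'] ?? null) !== $total
                || ($amount['currency'] ?? null) !== $currency) {
                throw new RuntimeException('sale not completed or amount mismatch');
            }
            $saleIds[] = $sale['id'];
        }
    }
    if ($saleIds === []) {
        throw new RuntimeException('no sale in related_resources');
    }
    return $saleIds;
}

$payment = json_decode($paymentJson, true, 512, JSON_THROW_ON_ERROR);
print_r(verifiedSaleIds($payment, 'PAY-0D205735ER3716140KPQTKPY', '1.99', 'USD'));
```

On a real server the JSON comes from the authenticated GET, and the expected total and currency come from the server's own order record, never from values the mobile app reports.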

Related

How to use google play order status api in php

I am trying to fetch order status in real time in php but not able to find proper way or documentation so I can go ahead.
In sales api I am getting details of sold subscription, but I want payment pending and cancelled orders too.
In the documentation I got the below link:
https://developers.google.com/android-publisher/api-ref/rest/v3/monetization.subscriptions/list
I get the below output when I run it in "Try this method":
{
  "error": {
    "code": 403,
    "message": "The project ID used to call the Google Play Developer API has not been linked in the Google Play Developer Console.",
    "status": "PERMISSION_DENIED"
  }
}
But I am not able to implement it in PHP.
I had the same question, so I raised a ticket and got a reply that Google Play does not provide any API for order status; it's available for Kotlin and Java only.

Zoho Subscriptions Webhooks Validate

I want to use zoho subscriptions to make recurring payments on my website.
I use webhooks to send data for creating membership.
Now I want to validate the data from webhook to check if the webhook was really sent.
You should read the webhook data and validate it by the Zoho signature. After that, check the event_type, which indicates the event; it could be subscription_cancelled, subscription_cancellation_scheduled, new_subscription. Also, you should get a subscription id and customer id inside of data->subscription->. Below is a sample webhook body:
{
  "created_time": "...",
  "event_id": "...",
  "event_type": "...",
  "event_source": "...",
  "event_time": "...",
  "data": {
    "subscription": {
      "subscription_id": "...",
      "created_time": "...",
      "customer_id": "...",
      "...": "..."
    }
  }
}
Now that you have a subscription id and customer id, you can call the Zoho subscription info API to get subscription details for cross-checking. Another way: you have the event_id, so you can retrieve the event details to validate that the webhook really comes from Zoho.

Sandbox account missing payment methods when approving created payment

I am trying to implement PayPal REST API.
When I create PayPal Payment using request from my server, the payment is created successfully, and payment id is passed to PayPal.
Next, the user must approve payment.
A PayPal window is opened in the user's browser, and the user is prompted to log in or pay with a credit card.
The problem is:
When I log in with my sandbox customer account, PayPal is not showing any available attached credit cards or PayPal wallet balance; it only prompts to add a new credit card to the sandbox account.
If I log in with this sandbox account in a new separate browser window, I can see that it has a wallet balance and an attached credit card.
If I create a Payment with client-side JS request instead of server, the issue is not reproduced and PayPal is showing both wallet balance and credit card.
So, I assume the issue lies in the payment's format. The server Payment's format is:
{
  "intent": "sale",
  "payer": {
    "payment_method": "paypal"
  },
  "transactions": [
    {
      "amount": {
        "total": "10.00",
        "currency": "USD"
      },
      "description": "silver membership",
      "custom": "account_id:1"
    }
  ],
  "redirect_urls": {
    "return_url": "https://example.com/return",
    "cancel_url": "https://example.com/cancel"
  }
}
The format of the payment that is created with client-side JS is way more simple; I took it from one of the examples in the developer's manuals. If I use the same simple format in the server request, it would not allow me to create the payment (I think client-side checkout.js just adds missing required fields silently).
payment: function (data, actions) {
  return actions.payment.create({
    transactions: [{
      amount: {
        total: '10.00',
        currency: 'USD'
      }
    }]
  });
},
Would be very grateful for any hints on this topic.

BitPay API notifications: security risk?

I'm currently implementing the BitPay API (in PHP). All works fine but I'm a bit worried about a possible security risk when receiving notifications.
The BitPay API sends these notifications with status updates using a POST request to a given notification url containing a JSON string like this:
{
  "id": "123BitPayInvoiceID",
  "url": "https://bitpay.com/invoice?id=123BitPayInvoiceID",
  "posData": "6G38ZL",
  "status": "paid",
  "btcPrice": "0.0512",
  "price": 29.14,
  "currency": "USD",
  "invoiceTime": 1407881291063,
  "expirationTime": 1407882191063,
  "currentTime": 1407882058099,
  "btcPaid": "0.0512",
  "rate": 568.69,
  "exceptionStatus": false,
  "bitpay": {
    "id": "123BitPayInvoiceID",
    "url": "https://bitpay.com/invoice?id=123BitPayInvoiceID",
    "posData": "{\"paymentID\":\"123PAYMENTID\",\"orderID\":\"123ORDERID\"}",
    "status": "confirmed",
    "btcPrice": "0.0512",
    "price": 29.14,
    "currency": "USD",
    "invoiceTime": 1407881291063,
    "expirationTime": 1407882191063,
    "currentTime": 1407882058099,
    "btcPaid": "0.0512",
    "rate": 568.69,
    "exceptionStatus": false
  }
}
When I look up the payment in our database I want to change it to 'confirmed'.
It seems to me this is a security risk, since anyone can send fake notifications; someone who started the payment and wants that payment to be confirmed can send this request with status set to 'confirmed'.
My questions:
Should I be worried in the first place? I could check where the request is from, use a notification URL that is not easy to guess etc. but I still would not feel comfortable security-wise;
I could always distrust any notification and send a status request to the API when a notification comes in. Would this be a good practice?;
Are there any other (better) ways you know of to safely use these notifications?
Thanks in advance!
All the advice you are looking for is in their docs...
https://bitpay.com/docs/invoice-callbacks
We would advise you to open a non-standard port and specify that port
within the notificationURL instead of white listing BitPay IP
addresses as they are subject to change without notice. Since we are
not yet signing these notifications they should not be trusted
outright. We recommend verifying these notifications against our API
when they are received to make sure the data presented is authentic.
For example when an invoice paid notification comes in, you should
make a request to our API to check the status of that invoice to make
sure it was actually paid. This provides additional security in
verifying paid orders.
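The verify-against-the-API advice quoted above (the same re-fetch pattern the Zoho answer earlier on this page suggests), as an added PHP example that is not from BitPay's documentation or from either poster. The function `confirmFromNotification`, the `$fetchInvoice` callable standing in for the authenticated API request, the invoice ID pattern and the order table are all assumptions made for illustration.

```php
<?php
/**
 * Handle an unsigned invoice notification: take only its "id", then decide
 * from what the API lookup returns. $fetchInvoice is a hypothetical callable
 * that performs the authenticated request and returns the invoice as an array.
 */
function confirmFromNotification(string $rawBody, array $orders, callable $fetchInvoice): string
{
    $note = json_decode($rawBody, true);
    $id = is_array($note) ? ($note['id'] ?? null) : null;
    // Assumed ID format (alphanumeric); adjust to what your processor issues.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9]{1,64}$/', $id)) {
        return 'rejected: malformed notification';
    }
    if (!isset($orders[$id])) {
        return 'rejected: unknown invoice'; // we never created this invoice
    }
    $order = $orders[$id];
    $invoice = $fetchInvoice($id); // authoritative copy, not the POST body
    if (($invoice['id'] ?? null) !== $id) {
        return 'rejected: lookup mismatch';
    }
    if (($invoice['currency'] ?? null) !== $order['currency']
        || abs((float) ($invoice['price'] ?? 0) - $order['price']) > 0.005) {
        return 'rejected: amount mismatch';
    }
    $status = $invoice['status'] ?? '';
    return $status === 'confirmed' ? 'confirmed' : "pending: $status";
}

// Constructed data: our order table keyed by invoice ID, and a stub lookup
// standing in for the real API call.
$orders = ['123BitPayInvoiceID' => ['price' => 29.14, 'currency' => 'USD']];
$api = fn(string $id) => ['id' => $id, 'status' => 'paid', 'price' => 29.14, 'currency' => 'USD'];

// Constructed notification claiming "confirmed" while the API still says "paid".
$forged = '{"id":"123BitPayInvoiceID","status":"confirmed","price":29.14,"currency":"USD"}';
echo confirmFromNotification($forged, $orders, $api), "\n";
```

The status, price and currency in the POST body are never read, so a notification sent by anyone other than the processor can at most trigger a lookup of an invoice the shop already knows about.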

PayPal Rest API (PHP SDK) webhooks not showing up in sandbox events list

When using the webhooks simulator, I get: Got Http response code 500 when accessing https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-6W4482673W002281V-61985753LP2332451
JSON info is being sent back to my site and I can parse it, but when trying to validate (validateAndGetReceivedEvent) - I get the above 500 error.
Also - when I try submitting an actual sandbox sale, the success return url shows me the sale went through, but a hook is never triggered. (I created a hook that has all events checked)
When I trace with error logs along the way (FYI - I use Codeigniter and I don't have the greatest debugging skills), things seem to come to a stop in PayPalRestCall->Execute
$connection = new PayPalHttpConnection($httpConfig, $config);
The event samples which you get from the Simulator are sample payloads and do not correspond to actual transactions. If you try to fetch an event from a sample payload, you won't be able to retrieve it.
{
  "name": "INTERNAL_SERVICE_ERROR",
  "details": [],
  "message": "Internal service error"
}
This is correct and expected behavior. You may refer to this Response for Sample Webhook Event Retrieval