When I log into my merchant account, in the Settings tab I can set the callback URL.
The problem is that, without HTTPS, the only option is to send back a serial number to the callback URL.
Callback contents:
[x] Notification Serial Number
e.g. serial-number=123-456-7
[ ] Notification as XML (Requires an HTTPS URL)
e.g. 123...
[ ] Notification as HTML (name/value pairs) (Requires an HTTPS URL)
e.g. google-order-number=123&...
So from this serial number, is it possible for my server-side script to get the status of the order?
I need to get the payment status of the order (paid or not, amount paid) & the order number sent back to my (custom) cart so that I can update my database.
(I can't get HTTPS at the moment because the person whose website it is doesn't want to get it)
I would caution you regarding your accepted answer.
continue_url is not an "auto-redirect". You are fully dependent on the user actually clicking that link instead of any other link in the page - notably, Google's own link to go the user's Wallet page where he/she has access to all his/her orders.
You are therefore risking your operations by possibly not having all the orders in your own system.
All Google Checkout orders have order statuses that you should really be aware of. You are already making an assumption in #1 that the user will actually click your continue_url link - additionally, you have also opened yourself up to the possibility that you are tracking orders that may not actually be approved by Google, or fails some monetary/risk authorization or check.
If a user does in fact click the link you provide, but Google has issues with the order, your system has "money" where it shouldn't.
The only reliable method of implementing Google Checkout API and integrating it with your systems is to follow documentation/instructions - in this case you must implement Notification API.
SSL is only required (on your end) if you opt for XML/name-value (data) notification
SSL is not required if you opt for serial number notification.
Yes, you can obtain all order data without installing/purchasing SSL cert for your server using serial number notification - which is what you describe.
XML/name-value notification is a "push" model - Google will "push" data to you. You will authenticate Google's basic auth request (which is why SSL is required).
serial number notification is "pull" model - you will "pull" data from Google (given a serial number - and that is why SSL is not required on your end - you will authenticate your pull request and send your request with SSL). Google isn't sending you any data, just a serial number. You will use this serial number to obtain data associated with it and provide authentication to Google - your request will use SSL.
You will use serial number notification with Notification History API to obtain data.
The links above should lead you to complete documentation/reference. If you have questions, comment here, or post it at Google Checkout Product Forums.
Hth....
Related
I'm trying to implement Twilio ip messaging. I've got a problem - when another tab with the chat is opened, chat stops recieving any messages in original browser tab. How can be this problem handled?
This likely has to do with the fact that your endpoint_id value is the same for all the endpoints. This causes the problem that IP Messaging cannot disambiguate the endpoints (subscribed and connected) to send the message (and other) events to.
This guide describes how to generate endpoint_id values, and why it is important: https://www.twilio.com/docs/api/ip-messaging/guides/identity
An excerpt highlighting the specific area to focus on:
About Endpoint IDs
An "endpoint" in IP messaging is a unique app, device, and user
combination that can receive a message.
For example, "alice#example.com" using "SquareChat" on her iPhone is a
different message delivery destination (endpoint) than
"alice#example.com" using "SquareChat" on her Kindle Fire tablet.
The endpoint ID you generate on the server - while it can be a string
in any format you want - should integrate at least these three
dimensions.
Once your client receives an Access Token from your server, you can
initialize the Twilio IP Messaging SDK and start sending and receiving
messages.
Please note that if the same user logs in from 3 different endpoints - they should all have the same identity - but each of the endpoints should have a different endpoint_id - where the identity portion of the endpoint_id would be the same, but the other elements (application and device ids) should be different.
I want to integrate my application with Authorize and I need to get the transaction ID to save this information in database. The question is, can I do this with SIM? I know you can set a URL to get back to you homepage, but is it possible to send the transaction ID back to homepage?
You have two options:
Relay Response
Relay Response is a feature available to merchants using Server Integration Method (SIM) or Simple Checkout. It instructs the payment gateway to return transaction results to the merchant using an HTML form POST to a specified URL on the merchant's Web server. A script or program at the URL can be used to create a custom receipt page using the transaction information. The custom receipt page is then relayed back to the customer's browser. Relay Response does not redirect the end user back to the merchant’s server, but relays the page content to the end user instead of displaying the Authorize.Net default receipt page.
Silent Post
This feature allows you to specify a URL, or Web address, to which the payment gateway should copy the transaction response that is sent to the configured Relay Response URL. If you are not using Relay Response, the feature allows you to specify an additional URL to which transaction responses can be posted.
If you're looking for sample PHP code I wrote an article that includes that here.
My recommendation is to use Relay Response as it gives you an opportunity to customize the receipt page your user's see. (Although you can use both as they do not conflict with each other).
(I am the author of both Silent Post articles)
In PHP, when handling the postback from Google Wallet confirming a purchase, it's possible that the server will not reply within the ten second time limit--this is sometimes completely undetectable serverside.
What should I do to prevent this? Is there a way to confirm the purchase was successful?
Google Wallet for Digital Goods will fail for both you (merchant) and the user/buyer if you don't respond to the postback as required.
Important: If you specify a postback URL, your server must respond promptly and correctly to the HTTP POST messages that Google sends for each transaction. Otherwise, the transaction will be canceled.
REF: https://developers.google.com/commerce/wallet/digital/docs/postback
If you're saying your system may think the trnx is "good" and it just took time to respond (at which point Google already canceled) - there is a "verification step" that occurs on successful transactions - success handler. You can use that to "confirm" the order on your end. So if Google canceled the transaction, your system will not get this final (re)confirmation (because your success handler will not be called).
I guess you could also use the failure handler for this, though it won't have an "orderId"
Hth...
As a side note on the comments, Google Checkout was also renamed Wallet at some point. If memory serves, it was really more for buyers than for merchants...so yes, do check on what API you are referring to.
This answer is specific to Wallet For Digital Goods (it is completely separate from Google Checkout/Wallet, which also included some support for digital purchases).
See this link announcement
I am implementing Google Wallet for Digital Goods in a website, using PHP and HTML/JavaScript.
Google will wait 10 seconds for the postback.php to respond with 200/ok and to output the order ID. If that has happened, it will charge the Credit Card and call the success_handler function. After 10 seconds of no response however it will cancel the transaction and trigger the failure_handler function.
I want to protect myself from my server being slow and only want to deliver the digital good if the success_handler has been called. To prevent fraud i need to verify if the order ID was correct (because the successhandler is client side).
How do I get the order ID of the transaction into the success_handler, so that I can verify it in my system and if all matches be sure that I received the money and deliver the digital good?
As you point out, to prevent fraud, you need to check with your server that the transaction calling the success handler matches a corresponding postback call made to your server.
You will need to match the order Ids returned by the two callbacks. The order Id is part of the jwt returned in the success handler or server postback (under "response"->"orderId"):
https://developers.google.com/commerce/wallet/digital/docs/jsreference#successhandler
I was following these articles: Verifying Back-End Calls from Android Apps and Stopping Vampires using License Verification Library (from 24:57 to 25:34) to implement an In-App Purchase verification system for our Android apps.
I am a bit confused about how this works end-to-end and what we can assume about the generated token from calling GoogleAuthUtil.getToken() with the first email address found--when AccountManager returns more than one account. My questions are as follows:
Should we assume that any e-mail address used by the user to buy our
app will generate the same token (i.e., same user + app ==> same
token)?
If the answer to question 1 is no, is there a way to launch in-app
purchase for a particular account/email?
It looks like Google is picking the first e-mail address returned by
AccountManager for its in-app purchase dialog. Can we assume that
this won't be changed by the user after in-app purchase dialog is
launched? How do we find out if this changed after the in-app
purchase returns?
What should we store in our database to identify this user? Is email
address and/or token allowed? When does the token expire?
The java-client library looks very promising and powerful at first
read. But, a number of things remains confusing. Is there an article
that describes the end-to-end scenario--from an app initiating a
call to a back-end server through launching the in-app purchase
dialog, getting the result and closing with commits on the server?
What articles are the most useful for accomplishing this on Android?
The main issue we are trying to solve is to to get the full picture.
We've gotten the idea that we can avoid requiring userid/password by using the java client features and using tokens. We have registers our project (both the web app and android app on the same project) per the instructions for Google API Console. We have the php java-client for Google Play Service on our back-end server. We got our Android app to generate a token using the first email address and then call the in-app purchase dialog and handle the user response at the end of the dialog. We've got the parts. Now, we need to glue everything together. We are at the point of integrating with the back-end server. E.g., What is Redirect URi supposed to point to in our server? We've got a php url that we do http post messages to for our server app. We've included the code example for Google API client example--with client-id, secret, simple api key, etc. filled in--as an include to our php. But, what should we put in the redirect uri (we are missing a usage instruction for the example code)?
Also, we want to avoid having the e-mail used for the in-app purchase be different from what we log on our server database as the address the user used to buy our app; if the address is the correct thing to track, we want it to be the same as what was used for the purchase. This could be frustrating for our user if we make this mistake and prevent them from the features they paid for. We don't want to make this mistake and need some clarification on how Google Play Service works. If we initiated the server part of the workflow to get app Nonce / Payload / Credentials for the first e-mail address on the Android device, we would want that address to be used throughout the workflow. If the user changed this along the line, we want to be aware of this and gracefully recover. So far the articles have been helpful but incomplete. Any insight/suggestion is appreciated.