Ziba Leah

Reputation: 2514

PayPal and Microsoft WebAPI: best security approach

I'm creating a WebApi project that aims to handle payments in my project. Actually, my approach is like:

What I'm wondering is... What if a user directly creates a message to invoke the PaymentApprovalMethod?

Suppose:

- CreatePaymentMethod is called, and the user sniffs with Fiddler the Transaction ID of the redirect
- The user then creates an ad hoc call of the PaymentApprovalMethod like:

I see two possible scenarios to handle this situation:

The second one seems safer but also more "time / resource" problematic.

Am I missing something? Is there something else I can do to avoid this problem?

Upvotes: 0

Views: 86

Answers (1)

Drew Angell

Reputation: 26036

Take a look at Instant Payment Notification (IPN). PayPal's system will POST transaction data to a listener script that you set up for all transactions on your account, be it a payment, refund, dispute, cleared payment (from pending), etc. You can use this to completely automate many post-payment procedures.

Part of your IPN listener will include a call back to PayPal's server to verify that the data actually came from them. You can then log IPNs separately, and only process verified IPNs, which means you know somebody didn't just POST directly to it on their own.

Some people do go a step further and only accept traffic to that script from PayPal's IP addresses, however, they do change their addresses quite a bit and I think that just becomes a hassle. The verification has always been enough for me.

IPN is definitely what I would recommend for you.

Upvotes: 1
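The verification step the answer describes, as an added example that is not part of the original question or answer. It is written in Python rather than the asker's C# Web API so that it runs stand-alone; the logic ports directly. The listener posts the exact bytes PayPal sent back to PayPal with `cmd=_notify-validate` prepended (the real endpoints are `https://ipnpb.paypal.com/cgi-bin/webscr` and the sandbox equivalent) and only acts on a `VERIFIED` reply. On top of the verification the answer recommends, the example adds the standard PayPal IPN sanity checks (payment_status, receiver_email, amount and currency against your own order record, and duplicate txn_id), because a forged POST is not the only risk: a genuine, verified notification for a cheaper order or a replayed one must not release goods either. The notification body, invoice numbers and `seller@example.com` are constructed for the example; the `verify` callable is injected so the offline demo can stand in for PayPal's callback.

```python
"""PayPal IPN listener logic: verify with PayPal first, then sanity-check.

Added example, not code from the original post. The sample IPN body below is
constructed; the verification endpoints are PayPal's documented ones.
"""
import urllib.request
from urllib.parse import parse_qs

PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
PAYPAL_SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"


def build_verification_body(raw_body: bytes) -> bytes:
    """PayPal expects the exact bytes it sent, with cmd=_notify-validate
    prepended. Do not re-encode, reorder or trim the fields: if the echoed
    body differs from what PayPal sent, the reply is INVALID."""
    return b"cmd=_notify-validate&" + raw_body


def verify_with_paypal(raw_body: bytes, sandbox: bool = False, timeout: int = 10) -> str:
    """Post the received body back to PayPal over HTTPS.
    Returns 'VERIFIED' or 'INVALID'. (Network call; demo() injects a stand-in.)"""
    url = PAYPAL_SANDBOX_VERIFY_URL if sandbox else PAYPAL_VERIFY_URL
    req = urllib.request.Request(
        url,
        data=build_verification_body(raw_body),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "ipn-listener-example"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def process_ipn(raw_body, verify, orders, processed_txn_ids, receiver_email):
    """Decide whether one IPN may release an order.

    verify            -- callable(raw_body) -> 'VERIFIED' | 'INVALID'
    orders            -- dict invoice -> (amount, currency) from your own DB
    processed_txn_ids -- set of txn_ids already handled (replay protection)
    receiver_email    -- the PayPal account you expect to be paid
    Returns (accepted, reason).
    """
    # 1. Anyone can POST to the listener URL, so the body alone proves nothing.
    if verify(raw_body) != "VERIFIED":
        return False, "not verified by PayPal"

    fields = {k: v[0] for k, v in parse_qs(raw_body.decode("utf-8")).items()}

    # 2-5. A genuine message can still be the wrong one: pending, paid to
    # someone else, already processed, or for a different amount/order.
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed: %s" % fields.get("payment_status")
    if fields.get("receiver_email") != receiver_email:
        return False, "payment went to a different account"
    txn_id = fields.get("txn_id")
    if txn_id is None or txn_id in processed_txn_ids:
        return False, "missing or duplicate txn_id (replay)"
    order = orders.get(fields.get("invoice"))
    if order is None:
        return False, "unknown invoice"
    amount, currency = order
    if fields.get("mc_gross") != amount or fields.get("mc_currency") != currency:
        return False, "amount or currency mismatch"

    processed_txn_ids.add(txn_id)
    return True, "ok"


# Constructed sample notification (not a real PayPal message).
SAMPLE_IPN = (b"txn_id=TX12345&payment_status=Completed"
              b"&receiver_email=seller%40example.com"
              b"&mc_gross=19.99&mc_currency=EUR&invoice=INV-1001")


def fake_verifier(genuine_bodies):
    """Offline stand-in for PayPal's callback: only bodies PayPal 'sent' verify."""
    def verify(raw_body):
        return "VERIFIED" if raw_body in genuine_bodies else "INVALID"
    return verify


def demo():
    """Three listener calls: genuine, replayed, and forged by the buyer."""
    orders = {"INV-1001": ("19.99", "EUR")}
    seen = set()
    verify = fake_verifier({SAMPLE_IPN})
    genuine = process_ipn(SAMPLE_IPN, verify, orders, seen, "seller@example.com")
    replayed = process_ipn(SAMPLE_IPN, verify, orders, seen, "seller@example.com")
    # The scenario from the question: the buyer POSTs their own message with
    # a lower amount. PayPal never sent these bytes, so verification fails.
    forged = SAMPLE_IPN.replace(b"mc_gross=19.99", b"mc_gross=0.01")
    forged_result = process_ipn(forged, verify, orders, seen, "seller@example.com")
    return [genuine, replayed, forged_result]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

In production `verify_with_paypal` is what you pass as `verify`; log every raw notification before verifying so that INVALID ones are still available for investigation, and answer PayPal's original POST with 200 promptly, doing the order update after verification rather than on receipt.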
