paypal express checkout security with client ajax call


Problem description

The new checkout of PayPal makes me feel insecure; can't a user trigger a fake payment on the client side?

The code provided looks like this

paypal.Button.render({  
    env: 'sandbox',
    client: {
        sandbox: 'AapGZeCaaDK_q_KPeG19DHnD_kd18vr6BxNe4P6uuhfTKPjIedtNEI9plyDgmzfyI-xGhbxjpv0k-Ha9',
        production: 'xxxxxxxxx' // u expose the key to client side? is this ok?
    },
    payment: function() {
        var env    = this.props.env;
        var client = this.props.client;

        return paypal.rest.payment.create(env, client, {
            transactions: [{
                amount: { total: ($scope.number_of_uses * 9) + '.00' , currency: 'USD' },
                item_list: {
                    items: [{
                        "name": "example",
                        "quantity": $scope.number_of_uses,
                        "price": "9.00",
                        "currency": "USD"
                    }]
                }
            }],
            redirect_urls: {
                "return_url": $location.absUrl(),
                "cancel_url": $location.absUrl()
            }
        });
    },

    onAuthorize: function(data, actions) {
        return actions.payment.execute().then(function() {
            actions.payment.get().then(function(data){
                // here I will save data detail to db to record sales
                // $http something something 
            });
        });
    }

}, '#paypal-button');

In Stripe, I have to pass a token to the back end, then verify that token on my server side; if everything is OK, I proceed to record the sale. But in PayPal it seems like this is the only thing I need to implement to have Express Checkout. Is this even secure?

Recommended answer

You are correct that this isn't secure for updating your database. This is a secure method of payment; however, you cannot verify with the client that the payment was successful and then update your database from the onAuthorize method.

To verify that the payment was successful for your database you must use the server-side REST API. Sadly, the PayPal docs for this are very lacking; however, there are SDKs which are much better documented and easier to implement. (Shortcut to Node SDK.)

I would recommend that you use these to implement an update to your database. PayPal returns a parameter that tells you the payment was successful.
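The server-side check the answer describes, as an added example that is not code from the question, the answer or PayPal's SDK. It assumes the v1 REST payment object shape `{ id, state, transactions: [{ amount: { total, currency }, related_resources: [{ sale: { id, state } }] }] }`; the browser sends only `data.paymentID`, the server fetches the payment itself with its client secret (the HTTP call is not shown), and the fetched object is compared against the order the server already stored before the sale is recorded.

```javascript
// Added example: verify a PayPal payment on the server before recording a sale.
// The payment object must come from the server's own GET to PayPal, never from the browser.

// Constructed in-memory "database" of orders the server created itself.
const ORDERS = {
  'order-123': { total: '27.00', currency: 'USD' },   // 3 uses x 9.00 USD
};
const recordedPayments = new Set();                   // guards against recording twice

// Compare what PayPal says was paid against what the server expects for the order.
function verifyPaymentForOrder(payment, order) {
  if (!payment || payment.state !== 'approved') return { ok: false, reason: 'not approved' };
  const tx = Array.isArray(payment.transactions) ? payment.transactions[0] : null;
  if (!tx || !tx.amount) return { ok: false, reason: 'no transaction' };
  if (tx.amount.total !== order.total || tx.amount.currency !== order.currency) {
    return { ok: false, reason: 'amount mismatch' };  // client-side total was altered
  }
  const saleRes = (tx.related_resources || []).find(r => r.sale);
  if (!saleRes || saleRes.sale.state !== 'completed') return { ok: false, reason: 'sale not completed' };
  return { ok: true, saleId: saleRes.sale.id };
}

// Handler body for the server endpoint the client calls after onAuthorize.
function recordSale(orderId, payment) {
  const order = ORDERS[orderId];
  if (!order) return { ok: false, reason: 'unknown order' };
  if (recordedPayments.has(payment.id)) return { ok: false, reason: 'already recorded' };
  const result = verifyPaymentForOrder(payment, order);
  if (result.ok) recordedPayments.add(payment.id);  // only now write the sale to the DB
  return result;
}

// Constructed sample: what PayPal returns for a genuine 27.00 USD payment.
const GOOD_PAYMENT = {
  id: 'PAY-GOOD', state: 'approved',
  transactions: [{ amount: { total: '27.00', currency: 'USD' },
                   related_resources: [{ sale: { id: 'SALE-1', state: 'completed' } }] }],
};
// Constructed sample: the browser lowered the total before calling payment.create().
const TAMPERED_PAYMENT = {
  id: 'PAY-BAD', state: 'approved',
  transactions: [{ amount: { total: '1.00', currency: 'USD' },
                   related_resources: [{ sale: { id: 'SALE-2', state: 'completed' } }] }],
};
```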
