PayPal Checkout:仅使用客户端代码接收付款是否安全? [英] PayPal Checkout: Is it safe to receive a payment with only client-side code?

问题描述

我正在使用 PayPal API 向我的网站添加付款选项.在他们拥有的教程中，他们正在渲染按钮并完全设置交易在客户端使用 JavaScript.这是示例代码:

I'm using the PayPal API to put payment options to my website. In the tutorial they have, they are rendering the button and setting up the transaction entirely at the client side with JavaScript. Here is the sample code:

<script>
  paypal.Buttons({
    createOrder: function(data, actions) {
      // This function sets up the details of the transaction, including the amount and line item details.
      return actions.order.create({
        purchase_units: [{
          amount: {
            value: '0.01'
          }
        }]
      });
    },
    onApprove: function(data, actions) {
      // This function captures the funds from the transaction.
      return actions.order.capture().then(function(details) {
        // This function shows a transaction success message to your buyer.
        alert('Transaction completed by ' + details.payer.name.given_name);
      });
    }
  }).render('#paypal-button-container');
  //This function displays Smart Payment Buttons on your web page.
</script>

这样安全吗?

用户只需在自己身边的代码中更改支付金额即可减少支付.即使我设置客户端代码以在交易成功后发送交易 ID(即在 onApprove 发出 POST 请求)，以便我可以通过服务器端代码检查发送的金额是否正确，客户端仍然可以更改他的代码以发送假交易ID.

The user can just change the payment amount in the code on his side and pay less. Even if I set up client-side code to send transaction-id once the transaction is successful (ie. make a POST request at onApprove), so that I can have a server-side code check if the amount sent is correct, the client can still change the code on his side to send a fake transaction-id.

在交付产品之前，我基本上需要一种机制来检查我是否确实收到了正确的金额.我显然需要在服务器端进行此检查，但我无法找到一种安全的方法来执行此操作，因为我需要从客户端获取一些信息，这些信息可能是假的.如何防止用户通过发送过去的交易 ID 等方式假装已付款?

I basically need a mechanism to check if I definitely received the right amount, before delivering the product. I obviously need to make this check at the server-side but I can't figure out a secure way to do it because I need to get some info from the client-side which might be fake. How do I prevent the user from pretending to have paid for example by sending a past transaction-id?

推荐答案

您是正确的，用户始终可以在客户端代码中更改金额，并以较低的金额发送付款.这就是客户端付款的工作方式.

You are correct that the user can always change the amount in client-side code, and send a payment for a lower amount. That's how client side payments work.

任何用于跟踪哪些付款是真实的以及正确金额的逻辑都必须在您的服务器上.

Any logic to keep track of which payments are real and for the correct amount must be on your server.

对于 PayPal Checkout，您应该使用以下前端 UI:https://developer.paypal.com/demo/checkout/#/pattern/server

For PayPal Checkout, here's the front-end UI you should use: https://developer.paypal.com/demo/checkout/#/pattern/server

您的服务器上需要两条相应的路由，一条用于创建订单"，另一条用于捕获订单"，此处记录.

You'll need two corresponding routes on your server, one for 'Create an Order' and one for 'Capture Order', documented here.

这篇关于PayPal Checkout:仅使用客户端代码接收付款是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！