PayPal express checkout security with silent ajax call


Problem description

The new checkout of PayPal makes me feel insecure, can't a user trigger a fake payment on the client side?

The code provided is as follows

paypal.Button.render({  
    env: 'sandbox',
    client: {
        sandbox: 'AapGZeCaaDK_q_KPeG19DHnD_kd18vr6BxNe4P6uuhfTKPjIedtNEI9plyDgmzfyI-xGhbxjpv0k-Ha9',
        production: 'xxxxxxxxx' // you expose the key to the client side? Is this ok?
    },
    payment: function() {
        var env    = this.props.env;
        var client = this.props.client;

        return paypal.rest.payment.create(env, client, {
            transactions: [{
                amount: { total: ($scope.number_of_uses * 9) + '.00' , currency: 'USD' },
                item_list: {
                    items: [{
                        "name": "example",
                        "quantity": $scope.number_of_uses,
                        "price": "9.00",
                        "currency": "USD"
                    }]
                }
            }],
            redirect_urls: {
                "return_url": $location.absUrl(),
                "cancel_url": $location.absUrl()
            }
        });
    },

    onAuthorize: function(data, actions) {
        return actions.payment.execute().then(function() {
            actions.payment.get().then(function(data){
                // here I will save data detail to db to record sales
                // $http something something 
            });
        });
    }

}, '#paypal-button');

In Stripe, I have to pass a token to the back, then verify that token on my server side, and if everything is ok, proceed to record the sale. But in PayPal it seems like this is the only thing I need to implement to have express checkout. Is this even secure?

Recommended answer

You are correct that this isn't secure for updating your database. This is a secure method of payment; however, you cannot verify with the client that the payment was successful and then update your database with the onAuthorize method.

To verify the payment was successful for your database you must use the Server Side REST API. Sadly, the PayPal docs for this are very lacking; however, there are SDKs which are much better documented and easier to implement. (Shortcut to Node SDK).

I would recommend that you use these to implement an update to your database. PayPal returns a parameter that tells you the payment was successful.

