Check For a Server Certificate asp.net Paypal - asp.net

We have a website that has a Donate functionality,
so we integrate with PayPal.
After the user donates on PayPal, PayPal sends a request to our website that confirms the transaction.
So how do we check whether the request is coming from PayPal? How do we check for the certificate provided by PayPal, or should we just check Request.Request.Uri?
Because if I do not do this check, anyone can spoof and send a request with the parameters sent by PayPal, confirming any fake transactions.

You may like to refer to the PayPal Payments Standard Integration Guide. On page 344 it talks about setting up certificates. Also refer to page 347, which specifically talks about what you want. You can run a command and pass the PPCertFile parameter, which refers to the PayPal public certificate.

Only thing you can do is check for REFERER, but that could be empty as well. At the end of the day you can make your page secret, but whoever donates to you can see your return URL. I am sure PayPal sends you some sort of notification via email so you know it's not a spoof. Even if you try to read the headers of the incoming request, they could be spoofed as well.
Get referrer URL - visitors coming from Paypal (HTTPS)

Related

Office 365 Advanced Threat Protection is flagging my Firebase Authentication emails

I have just today realised that the authorisation emails sent from my perfectly legitimate Firebase backend are being flagged as malicious by Microsoft Outlook's "Advanced Threat Protection"
There is no reason for this other than perhaps it was flagged during development due to me sending myself repeated confirmation emails in order to test the functionality.
This warning does not show up in regular hotmail/outlook accounts, but I am an Office 365 subscriber so it appears as though I am lucky enough to get this "advanced" protection which protects me from my own completely non-malicious website.
Should I contact Microsoft or Firebase for a solution?
Thanks a lot!
Update: I contacted Firebase support and received the following:
My name is XXXX from Firebase Support, thank you for reaching out to us, problems on Microsoft services such as this “Advanced Threat Protection” is not in my area or expertise, I would suggest to open a ticket with Microsoft for this issue, I see that there is already a topic on Stack Overflow, please be sure to check other Firebase community channels as well.
I understand that this isn't Google's problem to solve, but it would seem any Firebase app using email verification is going to run into trouble with Microsoft email systems. Which is a lot of corporate and government systems...
Any suggestions on how to get some attention paid to this from either Google or Microsoft?
Cause
This error is caused by having inconsistent domains in the email. By default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain ([project].firebaseapp.com), rather than the same domain you may be sending emails from (verification@yourdomain.com).
Solution
Make this “action link” go directly to your website. This will solve the Outlook warning, and also make it less likely you'll end up in spam filters in general. On your website, you have 2 options for how to handle the actual validation.
Both solutions below require your domain to be authorized.
This can be done under Authentication -> Sign-In Providers -> Authorized Domains
Option 1 - Use Custom Email Action Handlers (Hard option)
You can set up a custom email action handler so that these actions take place directly on your website, rather than on the Firebase-hosted page. This is a more integrated experience.
This can handle:
Resetting passwords
Revoking email address changes—when users change their accounts' primary email addresses, Firebase sends an email to their old addresses that allow them to undo the change
Verifying email addresses
1. Create your custom email handler page
custom email action handler page - firebase docs
2. Update Email Template In Firebase
This can be done under Authentication -> Templates -> Email Address Verification -> Customize Action URL
Option 2 - Just Redirect (Easy option)
Link the email back to a page on your website that will immediately perform a JavaScript redirect to the [project].firebaseapp.com authentication page, carrying through the URL parameters required to perform the necessary verifications and changes.
For example:
Action URL for the email template: https://www.yourdomain.com/account-action (Firebase will attach the appropriate params to the URL automatically)
The JavaScript redirect on your website goes to "https://project-name.firebaseapp.com/__/auth/action?" + params
I recommend ensuring you implement the continueUrl in your verification email delivery so that the user can easily get back to your website.
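The Option 2 redirect described above, as an added example that is not part of the original answer: it forwards only the query parameters Firebase attaches to action links and always targets the fixed handler URL, so the page cannot be used to send visitors anywhere else. `project-name`, `ACTION_HANDLER`, `FORWARDED_PARAMS` and `buildActionRedirect` are placeholder names.

```javascript
// Added example; constant and function names are hypothetical.
// Fixed destination: the default Firebase action handler for the project.
const ACTION_HANDLER = "https://project-name.firebaseapp.com/__/auth/action";
// Query parameters Firebase appends to action links; anything else is dropped.
const FORWARDED_PARAMS = ["mode", "oobCode", "apiKey", "continueUrl", "lang"];

function buildActionRedirect(currentUrl) {
  const incoming = new URL(currentUrl).searchParams;
  // Without an action type and its one-time code there is nothing to handle.
  if (!incoming.get("mode") || !incoming.get("oobCode")) return null;
  const target = new URL(ACTION_HANDLER);
  for (const name of FORWARDED_PARAMS) {
    const value = incoming.get(name);
    if (value !== null) target.searchParams.set(name, value);
  }
  return target.toString();
}

// On the page served at the action URL (skipped when run outside a browser).
if (typeof window !== "undefined") {
  const target = buildActionRedirect(window.location.href);
  if (target) window.location.replace(target);
}
```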
If you're using Firebase hosting, and you're serving from their built-in your-project.web.app address, then you can simply use the other built-in, your-project.firebaseapp.com, as your site address instead -- no configuration needed.
The .web.app address is a bit sexier, but the various action emails are actually sent from the .firebaseapp.com, and Outlook is suspicious of the mismatch. Having users originate from the .firebaseapp.com address solves the issue.
I opened a GitHub issue about this: https://github.com/firebase/firebase-js-sdk/issues/5021

Using IPN to verify successful payment on PayPal

I'm using PayPal hosted pages for payments on my site. I pass a return URL when creating the SECURETOKEN used in the iframe URL. After the client's successful payment, I get a browser postback from PayPal on the return URL passed when the SECURETOKEN was created. What happens from time to time is that the user closes the tab before I get the postback saying the transaction is approved, and I can't mark it as approved in my local DB.
The workaround was to create an IPN listener, and update my local records when I receive a valid IPN request.
Now the issue is, I miss some params that I'm getting in the iframe postback, that are mandatory, such as ACC, EXPTIME, PNREF.
As far as I can read, IPN will NEVER send those data in its request. Can this be overridden within PayPal Manager? If not, can anyone suggest any solution to this problem?
Thanks
I managed to do this by enabling the Silent POST URL feature in my PayPal Manager, so the same server-to-server postback will be fired regardless of the client closing the browser, after the payment is accepted.

How to come up with Paypal IPN url?

I want to integrate my project with PayPal and it requires a URL before enabling the IPN.
I know this URL is for receiving notification posts from PayPal, if I am not mistaken, but how do I get it? Do I have to implement a page in my website? If yes, what is required from that page? I am really LOST here.
Please, any help would be appreciated.
You need to create the IPN Listener on your website, since the IPN URL (Notify URL) is a URL you create on your website.
Make sure that you have an SSL Certificate and the URL Listener is in an https:// format. As of June 2016 all IPN URL Listeners must be in an SSL Format.
Here is the documentation on Instant Payment Notifications
Here is the documentation on Creating an IPN Listener
The documentation will be updated to state that as of June 2016 all listeners must be https://
Here is a link to IPN Sample Code
Here is the IPN Documentation on the updates being made in June
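Added example, not from the original posts or PayPal's sample code: the check an IPN listener page makes, which also answers the spoofing question at the top of this page. It follows PayPal's IPN postback protocol (echo the message back prefixed with `cmd=_notify-validate`, expect `VERIFIED`); the function names, the `expected` settings object and the sample message are assumptions constructed for illustration.

```javascript
// Added example. Function names, `expected` and SAMPLE_IPN are hypothetical;
// SAMPLE_IPN is constructed test data, not a real notification.
const IPN_POSTBACK_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"; // live endpoint

// PayPal expects the received body echoed back unchanged behind this prefix.
function buildPostback(rawBody) {
  return "cmd=_notify-validate&" + rawBody;
}

// Decide whether to record the payment, given PayPal's answer to the postback.
function evaluateIpn(verdict, rawBody, expected, seenTxnIds) {
  if (verdict.trim() !== "VERIFIED") return { ok: false, reason: "not verified by PayPal" };
  const f = new URLSearchParams(rawBody); // assumes the IPN charset is UTF-8
  if (f.get("payment_status") !== "Completed") return { ok: false, reason: "payment not completed" };
  // A VERIFIED message can still describe a payment to someone else's account.
  const receiver = (f.get("receiver_email") || "").toLowerCase();
  if (receiver !== expected.receiverEmail.toLowerCase()) return { ok: false, reason: "wrong receiver" };
  if (f.get("mc_currency") !== expected.currency) return { ok: false, reason: "wrong currency" };
  // Replaying a genuine message must not credit the same transaction twice.
  const txnId = f.get("txn_id");
  if (!txnId || seenTxnIds.has(txnId)) return { ok: false, reason: "duplicate txn_id" };
  seenTxnIds.add(txnId); // a Set here; a database table in a real listener
  return { ok: true, txnId, amount: f.get("mc_gross") };
}

// Listener body: call with the raw, unparsed POST body (Node 18+ for fetch).
async function handleIpn(rawBody, expected, seenTxnIds) {
  const res = await fetch(IPN_POSTBACK_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildPostback(rawBody),
  });
  return evaluateIpn(await res.text(), rawBody, expected, seenTxnIds);
}

const SAMPLE_IPN =
  "payment_status=Completed&receiver_email=donations%40example.org" +
  "&mc_gross=25.00&mc_currency=USD&txn_id=CONSTRUCTED0001";
```

Because the verdict comes from a request the listener itself makes to PayPal over HTTPS, it does not depend on headers or source details of the incoming request.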

Paypal rest with https

I changed my site to HTTPS but my PayPal now does not work.
It takes me to a page with an invalid request error and a return to merchant button.
Is there something I need to change, using PayPal REST?
Thanks
You may file a ticket to the PayPal MTS guys here:
https://www.paypal-techsupport.com/
With detailed errors and maybe access logs, you will get a solution there.

PayPal asynchronous notification

Currently I get the information about a successful transaction when the user is redirected back to my site from PayPal. Then I make additional requests to the PayPal API.
But if the user cancels the redirect to my site for some reason, I do not get the information about the transaction.
Is there an asynchronous notification from Paypal for Website Payments Standard or Express Checkout?
Instant Payment Notification (IPN) works for all payment methods through PayPal. The Developer.PayPal.com document you linked is a list of variables for the Express Checkout feature and it is telling you that you can only pass the NOTIFYURL variable successfully in the DoExpressCheckoutPayment API call.
In Payments Standard transactions you'll use the notify_url variable.
You can also just enable IPN within your account to have an IPN post sent to your notification page when any payment completes - regardless of whether or not you define a URL in the button code or API request (the URL you define in the code will always override what is set in your account).
