I am working on my first Paypal site. I have a form on the site that the customer fills out with custom information. I want to take that information the user fills out and have it send a message to my email along with the payment confirmation that Paypal sends. Any Idea on how to do this? I'm using Angular and Ajax for the front-end and php for the email service. Thanks
What you want is Instant Payment Notification (IPN). It will automatically POST data about any transaction that hits your PayPal account (ie. sales, refunds, disputes, etc.) to a URL that you specify so that you can receive that data and process it accordingly.
Within your IPN script you can update your database, generate email notifications, hit 3rd party web services, etc.
It's a very powerful tool for automating lots of post-transaction processing tasks.
While demanding a custom email to you as the payment receiver, what you didn't mention is the business needs behind it, or put it in other words, what you are planning to do with the custom email.
(I think this topic could turn into a big essay... My conclusion is I'd recommend IPN or EC with IPN. But below is what was on my mind when I got the conclusion.)
The emails to receiver can be used as a primitive way to notify sellers about payments they received or other transaction events. However this requires either a person's manual work to check the emails, or a program to parse the emails and get info out of the emails. Manual work is error prone and once your business grows bigger the number of emails will be overwhelming. A program to parse the emails costs a lot to develop, is unreliable because emails by nature may be delayed (applies to the manual way above too), and as PayPal doesn't consider emails as the preferred way of notification, sellers shouldn't either - maybe the content / format may change. PayPal provides a few better ways, I'll mention later.
Thus, if you want to start small, checking your emails manually could work for a while, until it becomes overwhelming. Unfortunately this email from PayPal isn't customizable.
So here are the ways I know, starting from manual to automated:
Downloaded transaction log from your PayPal profile. This works best if you don't have to check transactions very often. If you only check transactions daily, weekly or even monthly, this works. My nonsense thinking is, it would work if someone really wants to check transactions every minute... but this is really funny.
Transaction detail report. This works only if you have a business account. It's generated daily and you have to download through sFTP. It's mainly used for end-of-day transaction checking. This can also be automated.
Instant payment notification (IPN). Sent automatically once a payment is made or transaction status changes. You need a script at an accessible URL to listen to this notification, and this script should process the IPN once it arrives, for example updating your order status. https://developer.paypal.com/webapps/developer/docs/classic/ipn/integration-guide/IPNIntro/
EC with IPN. If you use Express Checkout (EC) to receive payments, EC returns transaction status immediately with the response of your API call. But, you still need IPN because there are cases which are not triggered by API calls. This is a big topic so please check below page: https://developer.paypal.com/webapps/developer/docs/classic/products/express-checkout/
For other products, similar to #3 and #4 above.
All points above can be explained in a loooong article, or many loooong articles. I'm just too lazy to explain them here.
So conclusion again, do try #3 IPN or #4 EC with IPN.
And, all those ways above may be very confusing for people who just came into this topic. If you write down your business needs instead of demanding the email, people may be able to help in a more specific way.
Related
I'm using server-side generated firebase's oob codes (like email verification and password reset) for implementing an organization/member pattern within my application.
I want to be able, as an organization owner, to invite members, who will receive an email containing a link so they can sign-up for the first time for my application, getting its email verified and performing a first-time-sign-in password reset.
My problem is, the oob codes have too little validity time for my use, and my invited members are getting "action code has expired" errors 99% of the time.
I want to know if there is a way to increase the expiration time for the oob codes, avoiding me having to reengineer the whole auth stack. Also, any suggestion for better ways to achieve this would be very welcome. =)
Thank you in advance!
I'm developing a server that will detect PayPal payments to a specific PayPal account.
I've started looking into the PayPal SDK and got lost... I saw that V1 is deprecated, so I probably should use V2.
The only thing that I need is that PayPal will call my server webhook once the account receives money.
How should I do this?
The only thing that I need is that PayPal will call my server webhook
Don't do that. Use a proper server integration.
You need two routes on your server, one for 'Set Up Transaction' and one for 'Capture Transaction', documented here: https://developer.paypal.com/docs/checkout/reference/server-integration/
The best approval flow for the customer to go through is: https://developer.paypal.com/demo/checkout/#/pattern/server , as your site stays loaded in the background, and it does not redirect away from your page.
When your capture transaction API call runs successfully and completes the order, you will have an immediate response with a payment object and transaction details. Thus, there is no need for the extra asynchronous step of waiting for a separate webhook call (which is prone to errors or exceptions), and your integration will be more robust.
Is it anyhow possible to check from a website with paypal js client lib and API's whether a user/customer has already payed for a digital downloadable good?
Is it possible to check whether the user has a valid subscription (which is payed)?
Is it possible to allow a purchase only once and paypal redirects the user back with a notice he already has purchased it?
What I like to achieve:
If the user has already payed for a document/subscription, he should not need to
pay a second time but rather directly get the download. My idea, if
the user previously payed for it, I'd like to replace the paypal pay
button with a download button.
The whole check should happen from the Website and not
server-to-server communication.
Download must no be secured if not payed. I do know this may NOT be secure and the user may be able to download the document without paying. That is okay, because this is a test whether the user is willing to pay for something and implementation should be as simple as possible for now.
I lack to find the functionality within the PayPal API's. I found the list payments, but for me this seems more like a server to server API or?
How do you know who the "user" is when they visit your site? Are you proposing having them log in to your site with their PayPal account? (Connect with PayPal integration?). That would be very unusual, and unsuitable for people who paid with PayPal as a guest.
So what you are proposing is somewhere between impractical and not possible.
Instead, you need to authenticate the user yourself -- provide them with a username/password to login, for example, or a unique link, though be warned such links could be shared. Then, once authenticated, check your own database as to whether they paid/subscribed or not. You need to maintain your own records.
Expecting a payment processing service to somehow do any of this for you is a misplaced expectation.
Typical implementations are to send an email with the download link, or to use a digital product delivery service such as for example e-junkie
I have a web application that has form based authentication.
the application has registration functionality also. Since last few weeks, i have observed that some users with specific domain is making fake entries into the website and getting the benefits as We do not have any approval workflow.
this user either do it manually or run some script. We thought that we can restrict the registration process as per IP based, however this is not possible to get the visitor exact IP address using C# (please correct if i am wrong).
Can we do it using some other techniques. our requirement is - single registration from a machine per 2 days.
unfortunately I would call this mission impossible.
Idea 1: IP address. The user can use a proxy to register multiple accounts depending on how many proxy he can find (there are a bunch on the internet for free)
OR they could just fake the ip package by putting a random ip in the header. Since all they need is to register so it doesn't matter if the confirmation message was sent to another random guy
Idea 2: one registration per machine. I could fake as many machines as I want with virtual machine and you will have no way to tell from http request.
Alternatively I could just fake all the information with raw http request and I can do that with a script with no issue.
And from what I know you don't have the system right to read hardware id from js (correct me if im wrong)
No method is guarantee to restrict 2 registration per day but IP based method should work against most normal users. Do keep in mind that everyone using the same router could have the same IP (example school, public wifi in apartment)
You could find out the user's IP address within HttpContext object
Whatever your restriction would be - it will be based on the data the browser sends (as long you restrict a specific computer).
Your main desire is to create a "footprint" on that machine in order to use it later - per request.
Whatever your manipulation would be, you should also obfuscate your JS code.
for example, on pageload code you can request for httpheaders dedicated to that machine and save them in cache, then you generate a guid for the client which it suppose to use in order to register.
another option is to use AES to encrypt the data before sending it "on the wire", that way you won't be able to manipulate it.
the most important thing is that once you "drop" a js code on the client he can do whatever he wants, the question is how hard it would be.
**edit:
a more secured way but more complicated that i have once used is creating a sync-key.
an async ajax call to the server requesting an encryption key.
the server call will save the new guid-key in memory and will generate a new one for each request.
you can use this idea to keep track of user debug and browser behavior.
as debuging will hold the code from running the sync key will be change and you can "catch" him.
Neither cookies nor IP can protect against fake entries.
You should look at it from another side. You get unwanted entries and you don't know if it's an automated bot, or spammer, or someone who just doesn't care about your data. Instead of banning entries you should think how to validate them. For example, if you get "aaaaa" as a name and "bbbbb" as an email address - add, at least, regexp validation on client and server side to ensure you get data in a required format. Next level would be to verify the email address by querying the mail server or sending validation email. This will not only help to stop spammers, but also people who doesn't care. If you think it's an automated bot - add a captcha. In case of emergency - ban IP in the web.config (See ASP.Net How to limit access to a particular IP address to a particular page through web.config file (.htaccess similar)?)
I have a site with a tool on it. The tool is an HTML form that clients will save a local PDF after filing out. The form works. PayPal can be integrated for payment.
All of the code is run on the client side via javascript. I do NOT want to store any data or credentials on my server.
What I don't understand is how to protect this particular HTML file until someone has paid for it. I was hoping for maybe a randomized string for the file name that lasts 48 hours or something. Just not sure what to search for at this point.
The site backend is node.js and using Foundation CSS if that helps.
Thanks in advance.
If you use a unique/random filename as you mentioned, and have it expire after x amount of time, that will obfuscate, but not protect/secure. Obfuscation is probably more than enough for your needs, but not something that we should be providing as an official StackOverflow answer... so I continue.
It roughly sounds like you have one of those, excuse my wording here, "cheap self-help/how-to/etc pdf for sale that should really be free and probably is somewhere" type of websites. I am sure your product is fantastic and is of the utmost quality, but if you know the sites i'm referring to, and my assumptions are correct, the information below should be helpful.
As far as I understand your needs, you want a version of business logic similar to this:
User fills out form on your site
User gets redirected to paypal, or is "called to action" with a paypal button.
User pays or doesn't pay
User downloads/accesses file only if they paid.
There are a few options you can do:
If every user is getting the same file, the below methods should be similar, but simpler
Ensure you set the CUSTOM value for whatever PayPal payment method you're using to the unique ID you created for the user, and an email address if you can collect that from them. Then use PayPal's IPN to wait until a payment has been received. This IPN notification will have the CUSTOM value for the payment, which is unique per user per payment per file, and you just email them the appropriate file.
Use PayPal's Encrypted Website Payments API to create a secure button (pass BUTTONCODE=ENCRYPTED) using node.js. Secure buttons do not expose the form variables, so the client would never have access to the RETURNURL which is where your secret file is at, so there is no way they can attempt to download it. If they did find some way to decrypt the button, it would have taken them much longer than your 48 hour expiration. Either way, I doubt (no offense intended) users would be this interested in your product.
There are more ways to do this without storing user credentials on your server, but no way to do this without storing some type of data (see: code) on your server.