I use paypal button in a spring boot web application with thymeleaf, that work fine.
In the js script of the paypal button there is an
onApprove: function(data, actions) {
return actions.order.capture().then(function(orderData) {
// Full available details
console.log('Capture result', orderData, JSON.stringify(orderData, null, 2));
// Show a success message within this page, e.g.
const element = document.getElementById('paypal-button-container');
element.innerHTML = '';
element.innerHTML = '<h3>Thank you for your payment!</h3>';
// Or go to another URL: actions.redirect('thank_you.html');
});
},
I need to know if payment was ok to activate subscription of the user.
I could use this onApprove to send value to the backend but don't think is very secure.
I checked key paypal and it seem webhook exist. Maybe it's the way to go?
Don't know if I need to check
PAYMENT.CAPTURE.COMPLETED
or
INVOICING.INVOICE.PAID
to know if the payment made by the user was ok
For regular one-time PayPal payments (not subscriptions), use a server integration. There is a full stack example in node at https://developer.paypal.com/docs/checkout/standard/ , but the server side of it can be implemented in any environment. You can use the Checkout-Java-SDK to communicate with the PayPal API from your server, or implement your own HTTPS functions for v2/checkout/orders create and capture.
On the client, the approval flow will use its JS functions to call those two routes on your server as needed: the first happens when the button is clicked, to create the order, and the second after a payer approves the payment, to capture the order. The capture route of your server in particular should check the API response received directly from PayPal and verify the totals are as expected before marking the payment as successful.
For PayPal Subscriptions (payment that recurs automatically), the webhook to listen for PAYMENT.SALE.COMPLETED.
Related
This is my current understanding of recaptcha (using v2 invisible)
We load the api.js script onto our site
We add data attributes to the button
User clicks button
A listener somewhere in the api.js script fires because it's listening for an event on a tag with those data attributes
This is where it gets fuzzy and I start guessing:
api.js gathers browsing info from the user's cookies and information about how they interacted with the site. Based on this it determines how likely you are are to be a bot and if you are below a certain threshold it gives you a test. Whether you pass the test then gets further factored into your score and all of that gets encoded into a token, which we receive in our callback that we specified on the button's data attribute.
We pass this token to the back end with the rest of our form
From the backend, we make an API request to Google to convert the token into usable information about whether the user passed or failed.
At this point I get confused about why this wasn't just what the api.js script returned in the first place. Does this step only exist in order to give Recaptcha information to further improve it? I just don't understand why this step is here, unless I'm misunderstanding what is going on earlier in the process. Am I getting these we steps wrong? Thanks.
The whole point for captchas is that your server (instead of client in the browser) can verify that the (HTTP) request it received was generated from a real person's actions, when interacting with your application.
This is why your client sends a recaptcha token to your server and your backend consults with the captcha provider about this token and receives trusted information about the original client. In this scenario, your server does not trust the client, so it receives only a token from it. Then it communicates with the trusted captcha provider server-to-server and validates that the token it received from the client is valid and the user behind it is legitimate.
If your client sent the original response from the captcha provider to your backend server, there would be no way for your server to know whether this was a legitimate response from the captcha provider, or a fake one from the client.
I have been trying to warn the user that their session is about to end using dialogflow CX. But I can't get it to respond to me, without the user making a request first.
Is there any way to do this without the user making a request first?
For your use case, if you’ve integrated your agent to your custom application, you can do your own implementation to create a timer that tracks the session time of the user and display a warning on your custom application that the user’s session is ending soon. This approach must be done on your custom application’s side and does not require the use of Dialogflow.
Alternatively, you can use the timer that tracks the session time of the user on your custom application to send a detectIntent request containing the current session ID of the user to your agent to trigger an event. This lets your agent send a response to the user within the same session without having the user to first send a request.
Inside your flow, select the page you want to add a custom event to. Then, click the “Add route type” button to add the Event handlers if not yet added.
Click on the + sign beside “event handlers” field and select any event.
Tick the check box beside “Use custom event”.
Add the name of the custom event you want to use.
Here’s a sample detectIntent request that triggers a custom event using REST API:
Sample URL for detect intent API:
POST
https://dialogflow.googleapis.com/v3beta1/projects/project-id/locations/us/agents/agent-id/sessions/session-id:detectIntent
Make the following replacements for the URL:
project-id: your GCP project ID
agent-id: your agent ID
session-id: your session ID
Sample JSON Request Body should look like this:
{
"queryInput": {
"event": {
"event": "custom-event-name" // custom event to be triggered
},
"languageCode": "en"
},
"queryParams": {
"timeZone": "America/Los_Angeles"
}
}
You can refer below for more information on:
Sessions
Custom events
For more samples on detect intent calls, please refer to this link.
To integrate your agent with your own application, you can use Dialogflow CX’s Client Libraries, Rest API, or RPC API.
I have more conteptual question, how exactly should I handle social login in my project.
The use case is that I would like to allow user to login with Facebook, and keep on my backend information about this user (email, firstname, lastname)
I have some proposal Flow, but I'm not sure if it's a proper approach.
Let's say that I have application architecture as above. Now I would like to explain step-by-step full success flow.
Client (Vue application) make a call to AuthProvider (Facebook)
AuthProvider returns access_token
Client after reciving access_token make a call to backend endpoint like /fb_profile with access_token and userID (?)
Backend make a call to AuthProvider to check if given by client access_token is valid or not.
AuthProvider returns information about user. Backend after getting information about user, save it to database and generate new JWT token
Backend returns generated token to user
Now my question is - Is this good approach? Or should i handle it in other way? Like keep more logic to backend part? Instead of make a call to Facebook from Client, maybe should I make a call to backend, and backend make a call to Facebook?
You seem to be on right track. There could me many ways to do the same thing, here is the way which is working for me using vue/laravel/passport/socialite/github.
Trigger redirect in controller from frontend,
Provider(here github app) is triggered in browser with its url using client id/app name saved in back end config/env. Fill out your login details
It will redirect as created in provider and configured in backend-> show it on frontend, in my case its
http://localhost:8080/authorize/github/callback
From frontend now trigger callback in controller, it will check if user details already exist and will insert if its first time user as per logic. Then it will send back access_token to frontend which can be used in frontend for all the operations
DB
The above will be the sequence of the request flow ( same as yours ).
This would be the standard practice we used to integrate with Facebook. In this case, I strictly advise you to use the JavaScript SDK for Facebook.
Refer below link in case if you run into the following issue:
Vuejs component wait for facebook sdk to load
I started a project using the Google API signin mixed with an angularJS+Firebase app.
What I would like to do is to be able to send an e-mail from one person to another programmatically.
Example: John is logged in, clicks on a button which sends an email to Rachel. But that email is sent using the stored token from Ted, not John's account.
It seems possible using the php library which is not an option here.
So far, I get the token easily using these few lines:
var GoogleAuth = gapi.auth2.getAuthInstance();
GoogleAuth.grantOfflineAccess({
scope: 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://mail.google.com/ profile email'
}).then(function(resp) {
console.log(resp);
this.storeToken(resp.code);
});
Is it actually possible ?
A quick search just got me results for php or about how you get a token with the JS library... not how to use it !
From my understanding you want to use a refresh token ( offline access ) to send an email from Ted's account via Javascript.
Sadly this is not possible client side. What your code gives you is a 'code' that you can send to your server using a $http.post () and trade with Google server side for a refresh token.
Here is a guide for how to change that code into a refresh token.
While you can do this client side it would involve exposing your client secret which you should never do.(https://developers.google.com/identity/sign-in/web/server-side-flow)
Every time John wants to send an email from Ted's account your application will have to send a request to your server that:
Sends a request to google with the refresh token and generates an access token (https://developers.google.com/identity/protocols/OAuth2WebServer#offline)
Sends a seccond request to google using the access token to send the email from Ted's account
I hope that this helped.
I am writing a refund function for our ecommerce site and I'm getting error code 3033 : The RelatedSecurityKey is required.
I have checked and the documentation says this key should be returned when the original transaction was made. We save the details without any modifications to the database, but I can't find it. The return values for my test transaction are:
VendorTxCode=241****
&VPSTxId={EBA625AB-955E-75C8-4409-*********}
&Status=OK
&StatusDetail=0000 : The Authorisation was Successful.
&TxAuthNo=763****
&AVSCV2=SECURITY CODE MATCH ONLY
&AddressResult=NOTMATCHED
&PostCodeResult=NOTMATCHED
&CV2Result=MATCHED
&GiftAid=0
&3DSecureStatus=NOTCHECKED
&CardType=VISA
&Last4Digits=0006
&Amount=25.00
Any suggestions?
SecurityKey - Only present if Status is OK.
To register the initial transaction, you post to Sage Pay via the Transaction Registration URL (A1).
Sage Pay send a server reponse to the tranasction registration POST in the Server protocol (see A2 in Sage Pay Server Protocol). The response includes the following - VPSProtocol, Status, StatusDetail, VPSTxId, SecurityKey and NextURL.
[A Security key which Sage Pay uses to generate a MD5 Hash to sign the Notification message (step A3 from the Sage Pay Server protocol, which is the example you are providing in response to the Notification post via the Notification URL). The signature is called VPSSignature. This value is used to allow detection of tampering with notifications from the Sage Pay Server. It must be kept secret from the Customer and held in your database. Only present if Status is OK.] You need the SecurityKey incase want to refund against the transaction in future as this will become the RelatedSecurityKey.
The NextURL redirects the customer/shopper to the Sage Pay payment page.
Sage Pay then notify you via the NotificationURL with the VPSSignature. (A3)
You then acknowledge receipt of the post and the customer is redirected via the RedirectURL back to a page on your website.