The new PayPal checkout makes me feel insecure; can the user initiate a fake payment on the client side?
The code I have is as follows:
```javascript
paypal.Button.render({
    env: 'sandbox',
    client: {
        sandbox: 'AapGZeCaaDK_q_KPeG19DHnD_kd18vr6BxNe4P6uuhfTKPjIedtNEI9plyDgmzfyI-xGhbxjpv0k-Ha9',
        production: 'xxxxxxxxx' // you expose the key to the client side? Is this OK?
    },
    payment: function() {
        var env = this.props.env;
        var client = this.props.client;
        // Amount and item list are computed in the browser from $scope.number_of_uses
        return paypal.rest.payment.create(env, client, {
            transactions: [{
                amount: {
                    total: ($scope.number_of_uses * 9) + '.00',
                    currency: 'USD'
                },
                item_list: {
                    items: [{
                        "name": "example",
                        "quantity": $scope.number_of_uses,
                        "price": "9.00",
                        "currency": "USD"
                    }]
                }
            }],
            redirect_urls: {
                "return_url": $location.absUrl(),
                "cancel_url": $location.absUrl()
            }
        });
    },
    onAuthorize: function(data, actions) {
        return actions.payment.execute().then(function() {
            // return the inner promise so the chain is not left dangling
            return actions.payment.get().then(function(data) {
                // here I will save the data details to the DB to record sales
                // $http something something
            });
        });
    }
}, '#paypal-button');
```
With Stripe, I have to send the token to the backend and then check this token on my server side; if everything is fine, it starts recording sales normally. But with PayPal, it seems that this is the only thing I need to implement in order to have Express Checkout. Is it even safe?
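An added example (not code from the question): the server-side step the Stripe flow has and the snippet above lacks. The browser sends only the payment id; the server fetches the payment from PayPal with the secret it never ships to the client, recomputes the expected total from its own order record (`number_of_uses` times 9.00 USD, as in the question) and rejects mismatches, unapproved payments and replayed ids before anything is recorded as a sale. It assumes Node 18+ (global `fetch`), the sandbox host and v1 Payments API endpoints, and the hypothetical names `fetchPayment`, `verifyPayment` and `SAMPLE_PAYMENT`.

```javascript
// Added example, not from the question. Server side only.
const PAYPAL_API = 'https://api.sandbox.paypal.com'; // assumption: sandbox environment
const UNIT_PRICE_CENTS = 900; // 9.00 USD per use, as in the question's client code

// Fetch the payment by id using the server-held client secret (never sent to the browser).
// Endpoint shapes (v1 oauth2 token + v1 payments lookup) are an assumption of this example.
async function fetchPayment(paymentId, clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const tok = await fetch(`${PAYPAL_API}/v1/oauth2/token`, {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'grant_type=client_credentials',
  }).then(r => r.json());
  return fetch(`${PAYPAL_API}/v1/payments/payment/${encodeURIComponent(paymentId)}`, {
    headers: { Authorization: `Bearer ${tok.access_token}` },
  }).then(r => r.json());
}

// Pure check: does what PayPal reports as paid match what the server expected?
// `expected` comes from the server's own order record, not from the browser.
// `seen` is the set of payment ids already recorded, so one payment cannot be credited twice.
function verifyPayment(payment, expected, seen) {
  if (!payment || payment.state !== 'approved') return { ok: false, reason: 'not approved' };
  if (seen.has(payment.id)) return { ok: false, reason: 'already recorded' };
  const txs = payment.transactions || [];
  if (txs.length !== 1) return { ok: false, reason: 'unexpected transaction count' };
  const amt = txs[0].amount || {};
  // Compare in integer cents; '18.00' strings and floats are both unreliable for equality.
  const paidCents = Math.round(parseFloat(amt.total) * 100);
  const wantCents = expected.numberOfUses * UNIT_PRICE_CENTS;
  if (amt.currency !== 'USD') return { ok: false, reason: 'wrong currency' };
  if (!Number.isInteger(paidCents) || paidCents !== wantCents) return { ok: false, reason: 'amount mismatch' };
  // The sale resource tells us funds actually moved, not just that the buyer clicked through.
  const sale = (txs[0].related_resources || []).map(r => r.sale).find(Boolean);
  if (!sale || sale.state !== 'completed') return { ok: false, reason: 'sale not completed' };
  seen.add(payment.id);
  return { ok: true, creditedUses: expected.numberOfUses };
}

// Constructed sample response shaped like a v1 payment lookup (all values invented).
const SAMPLE_PAYMENT = { id: 'PAY-EXAMPLE123', state: 'approved',
  transactions: [{ amount: { total: '18.00', currency: 'USD' },
    related_resources: [{ sale: { id: 'SALE-EXAMPLE1', state: 'completed' } }] }] };
```

In the route that the `onAuthorize` callback posts to, call `fetchPayment` with the id from `data`, then `verifyPayment` against the order stored for that user, and write the sale only when `ok` is true.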