In my flask web application, I am trying to update the user’s credits immediately after the user has made a payment through paypal. To make it secure, I want to make sure that the user doesn’t modify the amount of the payment. I also want to ensure that I credit the correct user who made the payment.
Because when paypal returns, the user session is detached, I cannot update the database using the session. So I want to send a ‘custom’ variable associated with the user who is going to make the payment. And once the payment is captured/succeeded, the custom variable can be read back from the payment confirmation, so that I can identify which user made the payment. After that, I can update the database and update the user’s credit.
My biggest question is that I can’t find an appropriate place to create the custom variable and send it to paypal in the creation of the payment.
I searched for tons of tutorials for flask, but they are deprecated, such as the github one paypal-python-sdk at this link: github paypal-python-sdk, or they are written in another language, such as in nodejs from the official paypal developer doc: paypal official doc with html&nodejs example.
I can’t get my head around the official nodejs example when reading it. But I know that I have to create two routes on my flask server side dealing with create_order and capture_order (capture order rest api from the paypal official doc). But then I fail at my 1st big question: how do I update the user’s credit immediately after the user has paid?
If anyone could give me any suggestions, I’d really appreciate it. A complete flask code example would be highly appreciated.
Thanks in advance
ps: in the old tutorials, I saw some solutions to verify the payment using paypal ipn. But it does not seem to appear in the new paypal integration api (i.e. the notify_url).
2 Answers
I have tested so many times and found that the session does not get detached in the capture_payment() server function. Therefore, I can simply save the returned payment information from paypal using session['username'] as the keyword.
The reason I got stuck was that in the old tutorials, which I saw a lot of, they submit to paypal directly from a front-end form. And the most secure way to check and verify that the user has paid the correct amount (not 1 penny, for instance) is to wait for the ipn() call. But since paypal posts to ipn(), the user session gets detached in the ipn() function. Hence, in the old way, one has to use a method like the one in my original question.
When the create route is called to create an Order ID, the call should have context to indicate what user is initiating the checkout. Add a body parameter to any JS fetch call, for example.
When the capture route is called to capture an Order ID, the Order ID being captured might be all the context you need, but if it’s useful you can have the fetch include an additional body parameter.
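The two answers above together describe the pattern: the create route knows who is logged in, and the capture route can re-check the same session. What neither answer shows is the server-side bookkeeping that makes the amount tamper-proof: the server fixes the price from its own table, remembers which user an Order ID belongs to, and on capture compares the amount PayPal reports with the amount it expected before crediting anyone. The following is an added example written for this thread, not code from the question or from PayPal's SDK. The PayPal Orders API is replaced by a constructed `FakePayPal` stub with two assumed methods, `create_order` and `capture_order`; the in-memory dicts stand in for database tables; `CREDITS_PER_USD`, the SKU price table and the `/api/orders` route paths are all assumptions. The Flask routes are built only inside `create_app`, so the core logic runs without Flask installed.

```python
"""Server-side order bookkeeping for a PayPal create-order / capture-order flow.

Added example for this Q&A; the PayPal client is a constructed stub, and the
dicts below stand in for database tables (assumptions, not the real API).
"""
from dataclasses import dataclass
from decimal import Decimal
from threading import Lock

CREDITS_PER_USD = 10  # assumed conversion rate: 1 USD buys 10 credits


@dataclass
class PendingOrder:
    user_id: str          # who started checkout; taken from the session, never the browser body
    amount: Decimal       # price fixed server-side when the order was created
    currency: str


_pending: dict[str, PendingOrder] = {}   # order_id -> PendingOrder (would be a DB table)
_credits: dict[str, int] = {}            # user_id -> credit balance (would be a DB column)
_lock = Lock()


class FakePayPal:
    """Constructed stand-in for the PayPal Orders API (assumed method names).

    An order captures for the amount it was created with; a test can edit
    self.orders[...] to simulate a capture whose amount does not match.
    """

    def __init__(self):
        self.orders: dict[str, dict] = {}
        self._counter = 0

    def create_order(self, amount: str, currency: str) -> str:
        self._counter += 1
        order_id = f"FAKE-ORDER-{self._counter}"
        self.orders[order_id] = {"status": "CREATED", "amount": amount, "currency": currency}
        return order_id

    def capture_order(self, order_id: str) -> dict:
        order = self.orders[order_id]
        order["status"] = "COMPLETED"
        return dict(order)


def handle_create_order(user_id: str, amount, currency: str, client) -> str:
    """Create the order at PayPal and bind the Order ID to the logged-in user.

    `amount` must come from the server's own price table; the browser only
    sends a SKU, so it has no way to change the price.
    """
    amount = Decimal(amount)
    order_id = client.create_order(f"{amount:.2f}", currency)
    with _lock:
        _pending[order_id] = PendingOrder(user_id, amount, currency)
    return order_id


def handle_capture_order(user_id: str, order_id: str, client) -> int:
    """Capture at PayPal, verify owner and amount, then credit the user once."""
    with _lock:
        pending = _pending.get(order_id)
    if pending is None:
        raise ValueError("unknown or already captured order")
    if pending.user_id != user_id:
        raise PermissionError("order belongs to another user")
    result = client.capture_order(order_id)
    if result.get("status") != "COMPLETED":
        raise ValueError("capture not completed")
    # The amount and currency PayPal reports must equal what the server expected.
    if Decimal(result["amount"]) != pending.amount or result["currency"] != pending.currency:
        raise ValueError("captured amount differs from expected")
    with _lock:
        _pending.pop(order_id, None)  # a second capture of the same order is rejected
        _credits[user_id] = _credits.get(user_id, 0) + int(pending.amount * CREDITS_PER_USD)
        return _credits[user_id]


def credits_of(user_id: str) -> int:
    return _credits.get(user_id, 0)


def capture_response(user_id: str, order_id: str, client) -> dict:
    """JSON-shaped result for the capture route; errors never credit anyone."""
    try:
        return {"ok": True, "credits": handle_capture_order(user_id, order_id, client)}
    except (ValueError, PermissionError) as exc:
        return {"ok": False, "error": str(exc)}


def create_app(client, price_table: dict[str, tuple[str, str]]):
    """Flask wiring (assumed route paths); imported here so the core runs without Flask."""
    from flask import Flask, jsonify, request, session

    app = Flask(__name__)
    app.secret_key = "REPLACE-WITH-A-REAL-SECRET"  # placeholder

    @app.post("/api/orders")
    def create_route():
        user = session.get("username")           # the JS fetch carries no identity; the cookie does
        if not user:
            return jsonify(error="login required"), 401
        sku = (request.get_json(force=True) or {}).get("sku")
        if sku not in price_table:
            return jsonify(error="unknown sku"), 400
        amount, currency = price_table[sku]
        return jsonify(id=handle_create_order(user, amount, currency, client))

    @app.post("/api/orders/<order_id>/capture")
    def capture_route(order_id):
        user = session.get("username")
        if not user:
            return jsonify(error="login required"), 401
        body = capture_response(user, order_id, client)
        return jsonify(body), (200 if body["ok"] else 400)

    return app
```

The browser's `createOrder` callback posts only a SKU to `/api/orders` and the `onApprove` callback posts the Order ID to `/api/orders/<id>/capture`; everything that matters for money (who, how much, in which currency) is decided and checked on the server. Because `_pending` is keyed by Order ID and the entry is removed on a successful capture, replaying the capture request, or capturing an order created under someone else's session, is refused before any credit is granted.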