How can I ensure the security of my payment system via PayPal?

Question

How can I ensure the security of my payment system via PayPal?

I use the vue-paypal-check create the frontend PayPal button for the payment.

the code is bellow:

  <Pay-Pal
    v-if="paypal_live_id && paypal_sandbox_id"
    :amount="amount"
    currency="USD"
    :client="credentials"
    :env="paypal_env"

    @payment-authorized="payment_authorized_cb"
    @payment-completed="payment_completed_cb"
    @payment-cancelled="payment_cancelled_cb"

    :items="pay_items"
  >

</Pay-Pal>

some dota is bellow:

data(){
  return {
    paypal_env: this.$GLOBAL_CONST.PAYMENT.PAYPAL_ENV,

    paypal_sandbox_id: undefined,
    paypal_live_id: undefined,
  }
},
computed: {

  credentials() {
    return {
      sandbox: this.paypal_sandbox_id,
      production: this.paypal_live_id,
    }
  },
},

the callback method of pay success:

  payment_completed_cb(res){
    some method to access API for payment success // there will request the API for change the order status or reduce the balance. 
  },

but I have a question, if someone of customer is evil with technology, he call the payment_completed_cb directly, not pass the paypal payment.

How can I prevent this?

Answer 1

There needs to be a server-to-server communication outside of your front-end checkout flow between Paypal's server and yours.

You can use Instant Payment Notification (IPN) for this.

vue-paypal-check shows you can put an IPN url in (with notify-url)

<PayPal
  amount="10.00"
  currency="USD"
  :client="credentials"
  notify-url="<your-ipn-url>">
</PayPal>

Per Paypal, you shouldn't wait for the IPN notification to complete the checkout flow, but you also shouldn't fulfill the order until you receive it.

The worst someone could do by calling payment_complete_cb directly is get to some meaningless checkout complete page. They would not be able to get goods from you without payment though.