
Prevent client-side tampering when using Google Pay JavaScript API

I am trying to integrate Google Pay into our online store using the Google Pay API, and in the tutorial, there is this snippet which sets the amount to pay and the currency code in a JavaScript object like this:

paymentDataRequest.transactionInfo = {
  totalPriceStatus: 'FINAL',
  totalPrice: '123.45',
  currencyCode: 'USD'
};

This looks awfully insecure, in that anyone can tamper with the values on the client-side before eventually clicking on the "Buy With Google Pay" button.

Of course, I can also check that values eventually sent back from the payment gateway, and then flag the order as fraud, but I'd also like to prevent this as early into the process as I can, if possible.

Thanks.

ckng asked Jan 23 '19 06:01


2 Answers

I can also check that values eventually sent back from the payment gateway

This is the only approach that will work.

I'd also like to prevent this as early into the process as I can, if possible.

It isn't possible. The client belongs to the visitor and, ultimately, is completely under their control.

You can make it harder, with obfuscation, but that makes your code harder for you to debug and doesn't stop someone from just looking at the final HTTP requests and recreating them without using your code at all.

Quentin answered Nov 02 '22 19:11


Any data written to a device is subject to be read. When referring to secret in the technological sense, this principle is more prominent on user-facing devices, because these are typically more exposed to other agents and individuals than machines that act as servers.

The transaction information you are passing to loadPaymentData never determines the amount that will finally be charged. What you get back from this call is a payment method that is encrypted with a key that only your processor has, and hence, the payment processor (on the server side) is the only agent who can access this information. The final request to issue the charge continues to happen through a secure call between your server and your processor's.

In essence, using Google Pay to retrieve payment information to issue a charge is equivalent to how it's done without Google Pay except for the fact that the payment information is never exposed on the client side (since the user does not need to type it in), and thus, the process occurs with an additional layer of security in this aspect.

Jose L Ugia answered Nov 02 '22 21:11
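
The server-side check both answers point to, as an added example that is not part of the original question or answers: the server recomputes the total from its own catalog, uses that amount in the charge request, and treats the client's transactionInfo only as a tampering signal. CATALOG, formatPrice, computeOrderTotal, buildChargeRequest and the request fields are hypothetical names; a real processor's API will differ.

```javascript
// Constructed sample catalog: the server's own source of truth for prices,
// kept in minor units (cents) to avoid floating-point rounding.
const CATALOG = {
  'sku-book': { priceCents: 2345 },
  'sku-lamp': { priceCents: 10000 },
};
const CURRENCY = 'USD';

// Format cents as the decimal string shape used in transactionInfo.totalPrice.
function formatPrice(cents) {
  return `${Math.floor(cents / 100)}.${String(cents % 100).padStart(2, '0')}`;
}

// Recompute the order total from server-side data only.
function computeOrderTotal(items) {
  if (!Array.isArray(items) || items.length === 0) throw new Error('empty order');
  let totalCents = 0;
  for (const { sku, qty } of items) {
    // hasOwnProperty keeps keys like "__proto__" from resolving to an object.
    if (!Object.prototype.hasOwnProperty.call(CATALOG, sku)) {
      throw new Error(`unknown sku: ${sku}`);
    }
    if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
      throw new Error(`bad quantity for ${sku}`);
    }
    totalCents += CATALOG[sku].priceCents * qty;
  }
  return totalCents;
}

// Build the server-to-processor charge request (hypothetical field names).
// The client-reported transactionInfo never sets the amount; a mismatch
// only marks the order for review.
function buildChargeRequest(checkout) {
  const totalCents = computeOrderTotal(checkout.items);
  const claimed = checkout.clientTransactionInfo || {};
  const tampered =
    claimed.totalPrice !== formatPrice(totalCents) ||
    claimed.currencyCode !== CURRENCY;
  return {
    amountCents: totalCents,
    currency: CURRENCY,
    paymentToken: checkout.paymentToken, // opaque; encrypted for the processor
    flaggedForReview: tampered,
  };
}
```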