
Unlock Premium Features in a Chrome Extension

I would like to offer some premium features within a Chrome extension. The idea is to make these additional features available whenever a user has donated a certain amount via PayPal.

Currently, my strategy is as follows:

1/. The user fills in the PayPal form.

2/. When the form is submitted, a return URL is generated containing some key parameters such as user ID, time of request, amount of donation. Everything is encoded via base64. For example:

var returnURL = 'https://subdomain.main.com/?params=';

// On form submission
function SubmitForm(type) {

    // userID and now are assumed to be defined elsewhere in the extension
    var paramURL = '?user=' + userID + '&time=' + now + '&type=' + type;

    // base64 encoding via btoa
    $('#donate [name=return]').val( returnURL + btoa(paramURL) );
    // Ready to submit form
    $('#PayPalForm').submit();

}

3/. The PayPal donation is done and the user is redirected to a subdomain of the extension's website with HTTPS enabled.

4/. Once on my website, some PHP code checks the referrer (i.e. is the user coming from PayPal?), and if the referrer looks good, it decodes the base64 string and gets the parameters (id, time, type...). For example:

// Retrieve URL parameters (the key matches the 'params' name used in returnURL)
$paramURL = parse_url(base64_decode($_GET['params']));
parse_str($paramURL['query'], $query);

$id_user = $query['user']; // ID of the user
$time_req = $query['time']; // Time of request/donation
$type_req = $query['type']; // Type of Premium license w.r.t amount donated

5/. At this stage, the idea is to create a new URL pointing to the options page of my Chrome extension with some existing and new parameters, among them the key that decrypts a part of the code encrypted by default when the user installs the extension. The first issue I meet is that I wish to find a way to encrypt those parameters in PHP and be able to decrypt them in JavaScript in my extension.

What kind of symmetric encryption/ciphering method available both in PHP and JS should I use? AES256? On the JS side, I looked at the Crypto-JS and SJCL libraries. On the PHP side, AES encryption seems a bit tricky...

6/. Once the user is back on the extension's options page and the URL parameters are decoded and decrypted, what would be your strategy to unlock specific features in a JavaScript-written extension in order to limit cheating and free-riding by users, knowing that obfuscation is a very poor choice?

flo asked Nov 11 '22 15:11


1 Answer

The key you are looking for is the 'custom' attribute in your PayPal button form. Something like so:

<input id="customField" type="hidden" name="custom" value="SENT_FROM_addon_form">

If you have created a developer button in PayPal Developer, and set a validation URL, that custom variable will show up in the $_POST in PHP.

You do not need encryption during this step as PayPal requires you to use HTTPS, which is automatically encrypted. However, if you do want to use encryption purely server-side, you should check out crypto.js

john ktejik answered Nov 14 '22 21:11
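Base64 is an encoding and gives the parameters in the question's return URL no integrity protection, so whichever field carries them (the return URL or the `custom` field from the answer) needs a server-side check. The following is an added example, not code from either post: it attaches an HMAC to the parameters and verifies it when they come back. Node.js stands in for the PHP server, and `SERVER_SECRET`, `MAX_AGE_MS`, `signCustom`, `verifyCustom` and `withType` are hypothetical names.

```javascript
// Added example (not the asker's code). Node.js stands in for the PHP server.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumption: a secret that exists only on the server, never in the extension.
const SERVER_SECRET = 'constructed-demo-secret';
const MAX_AGE_MS = 60 * 60 * 1000; // assumption: accept values up to one hour old

function mac(payload) {
  return createHmac('sha256', SERVER_SECRET).update(payload).digest('base64url');
}

// Server builds the value for the `custom` field: base64url(params) + "." + MAC.
function signCustom(user, type, now) {
  const query = new URLSearchParams(
    { user: String(user), time: String(now), type: String(type) }).toString();
  const payload = Buffer.from(query).toString('base64url');
  return payload + '.' + mac(payload);
}

// Server checks the value it receives back; returns the parameters or null.
function verifyCustom(custom, now) {
  const parts = String(custom).split('.');
  if (parts.length !== 2) return null;
  const [payload, tag] = parts;
  const expected = Buffer.from(mac(payload));
  const given = Buffer.from(tag);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const q = new URLSearchParams(Buffer.from(payload, 'base64url').toString());
  const time = Number(q.get('time'));
  if (!Number.isFinite(time) || time > now || now - time > MAX_AGE_MS) return null;
  return { user: q.get('user'), time, type: q.get('type') };
}

// Constructed input for the check: same value with `type` edited, old MAC kept.
function withType(custom, newType) {
  const [payload, tag] = custom.split('.');
  const q = new URLSearchParams(Buffer.from(payload, 'base64url').toString());
  q.set('type', newType);
  return Buffer.from(q.toString()).toString('base64url') + '.' + tag;
}
```

A value whose fields were edited after signing, or one older than `MAX_AGE_MS`, makes `verifyCustom` return `null`, so the license type is only ever taken from data the server itself produced.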