I have a jQuery Mobile app that uses AJAX to make calls to my ASP.NET web methods written in C#. These methods query a SQL Server database and return data. At this point no user registration is necessary. I also have some Facebook integration using the JavaScript SDK, in terms of likes, comments, and posting to a user’s wall/timeline.
The next step in my development is that the user will be able to pay a fee to essentially get data entered into my database. I would like to avoid getting into user/password management, and instead rely on a Facebook login (and later maybe other social networks; for now let’s stick with Facebook).
So the workflow that I see is:
- I prompt the user to log in to Facebook if not logged in already
- user clicks ‘buy’ on my website, which is a PayPal button
- user gets sent to a secure PayPal page, makes the payment, and is returned to my site
- with a successful payment, I call a web method to insert the new data, which is marked as being entered by this Facebook user. The web method will connect with the same SQL Server account that does all the fetching; there will not be SQL Server user accounts for individual visitors.
I see some interesting security holes here, like someone writing code to directly call my insert web method without having made any payment. I’m looking for guidance on how to tie all these steps together in a secure way so that in the end, I am guaranteed that any data that is entered was
a) paid for
and b) entered by the currently logged-in Facebook user
I have read the Facebook Login developer docs, the PayPal developer docs, and the Microsoft ASP.NET application services docs. I can mostly understand each one, but I am getting lost tying them all together in a single, secure transaction. Any tips would be much appreciated!
Thanks in advance…
What you need to do is, in your insert web method, verify that a payment has been made by the user. You can do that in a couple of ways: use the PayPal IPN (Instant Payment Notification) to confirm the payment, or switch over to the PayPal Express Checkout API so you can verify the payment programmatically after the user is redirected back to your site. Here is a quick how-to guide that will help you implement this: https://www.x.com/developers/paypal/documentation-tools/express-checkout/how-to/ht_ec-singleItemPayment-curl-etc
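As an added example (not code from the question, the answer, or the linked guide), here is what the insert web method can look like in C# when it follows the Express Checkout route above and also settles the question's second requirement, that the row is tied to the Facebook user who actually holds the session. The method never trusts the browser for either fact: it asks the Graph API who the access token belongs to, then executes the payment itself with DoExpressCheckoutPayment and only inserts after PayPal reports it Completed for the expected amount. The NVP field names are the ones the DoExpressCheckoutPayment API uses; the sandbox endpoint, the appSettings keys, the PaidEntries table and its columns, the fixed price, and the method and parameter names are all assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Data.SqlClient;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Services;

// Added example, not code from the question or the answer. Endpoint URLs, config keys,
// the PaidEntries table, its columns and the fixed price are all assumptions.
public class PaidEntryService : WebService
{
    // Sandbox NVP endpoint; the live one is https://api-3t.paypal.com/nvp
    const string PayPalNvpEndpoint = "https://api-3t.sandbox.paypal.com/nvp";
    // The price is fixed on the server. Never accept an amount from the browser.
    const string ExpectedAmount = "9.99";
    const string ExpectedCurrency = "USD";

    // Called by the page PayPal redirects back to. The browser posts the Express Checkout
    // token and PayerID from the return URL, the Facebook access token obtained from the
    // JS SDK (FB.getAuthResponse().accessToken), and the data the user paid to enter.
    [WebMethod]
    public string CompletePurchase(string fbAccessToken, string paypalToken, string payerId, string payload)
    {
        // (b) Who is this? Ask Facebook whom the token belongs to instead of trusting a
        //     user id sent by the browser.
        string fbUserId = VerifyFacebookToken(fbAccessToken);
        if (fbUserId == null)
            throw new UnauthorizedAccessException("Facebook login could not be verified");

        // (a) Was it paid? Execute the payment server to server and read PayPal's answer,
        //     so a client that never went to PayPal cannot reach the INSERT.
        NameValueCollection pp = CallPayPal(new NameValueCollection {
            { "METHOD", "DoExpressCheckoutPayment" },
            { "TOKEN", paypalToken },
            { "PAYERID", payerId },
            { "PAYMENTREQUEST_0_AMT", ExpectedAmount },
            { "PAYMENTREQUEST_0_CURRENCYCODE", ExpectedCurrency },
            { "PAYMENTREQUEST_0_PAYMENTACTION", "Sale" }
        });
        if (pp["ACK"] != "Success" && pp["ACK"] != "SuccessWithWarning")
            throw new InvalidOperationException("PayPal refused the payment: " + pp["L_LONGMESSAGE0"]);
        if (pp["PAYMENTINFO_0_PAYMENTSTATUS"] != "Completed")
            throw new InvalidOperationException("Payment not completed: " + pp["PAYMENTINFO_0_PAYMENTSTATUS"]);
        if (pp["PAYMENTINFO_0_AMT"] != ExpectedAmount || pp["PAYMENTINFO_0_CURRENCYCODE"] != ExpectedCurrency)
            throw new InvalidOperationException("Paid amount does not match the price");
        string txnId = pp["PAYMENTINFO_0_TRANSACTIONID"];

        // Same shared SQL login as the read methods; the Facebook id is just a column.
        // A UNIQUE constraint on PayPalTxnId makes a replayed request fail instead of
        // inserting a second row for one payment.
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["App"].ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO PaidEntries (FacebookUserId, PayPalTxnId, Payload, CreatedAt) " +
            "VALUES (@fb, @txn, @payload, SYSUTCDATETIME())", conn))
        {
            cmd.Parameters.AddWithValue("@fb", fbUserId);
            cmd.Parameters.AddWithValue("@txn", txnId);
            cmd.Parameters.AddWithValue("@payload", payload);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        return txnId;
    }

    // Graph API debug_token: returns the user id the token was issued to, or null if the
    // token is invalid or was issued to a different app.
    static string VerifyFacebookToken(string userToken)
    {
        string appId = ConfigurationManager.AppSettings["FacebookAppId"];
        string appSecret = ConfigurationManager.AppSettings["FacebookAppSecret"];
        string url = "https://graph.facebook.com/debug_token?input_token=" + HttpUtility.UrlEncode(userToken)
                   + "&access_token=" + HttpUtility.UrlEncode(appId + "|" + appSecret);
        string json;
        using (var wc = new WebClient()) json = wc.DownloadString(url);
        var root = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
        var data = root.ContainsKey("data") ? root["data"] as Dictionary<string, object> : null;
        object valid;
        if (data == null || !data.TryGetValue("is_valid", out valid) || !(valid is bool) || !(bool)valid)
            return null;
        if (!data.ContainsKey("app_id") || Convert.ToString(data["app_id"]) != appId)
            return null;   // a valid token, but for some other app
        return data.ContainsKey("user_id") ? Convert.ToString(data["user_id"]) : null;
    }

    // One NVP call with the API credentials added; the response is a URL-encoded field list.
    static NameValueCollection CallPayPal(NameValueCollection fields)
    {
        fields["USER"] = ConfigurationManager.AppSettings["PayPalApiUser"];
        fields["PWD"] = ConfigurationManager.AppSettings["PayPalApiPassword"];
        fields["SIGNATURE"] = ConfigurationManager.AppSettings["PayPalApiSignature"];
        fields["VERSION"] = "93";
        using (var wc = new WebClient())
        {
            byte[] raw = wc.UploadValues(PayPalNvpEndpoint, "POST", fields);
            return HttpUtility.ParseQueryString(Encoding.UTF8.GetString(raw));
        }
    }
}
```

Two things this relies on that sit outside the method. First, the server, not a client-side button, should have made the SetExpressCheckout call with the same amount and return URL, so the TOKEN PayPal hands back is one you issued; storing that token against the verified Facebook user id at that point lets CompletePurchase also refuse a token that belongs to someone else's checkout. Second, if you stay with a plain PayPal button instead, the same structure holds but the "was it paid" check becomes a lookup in a table your IPN listener fills after it has posted the notification back to PayPal with cmd=_notify-validate and received VERIFIED, and the insert then consumes that row. Either way the DB write happens after the money has moved, so log the transaction id before the INSERT and make the INSERT retryable rather than letting a transient SQL error leave a paid-for entry missing.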