I’m using the paypal_adaptive gem with Rails 3.1 to make chained payments. However, after watching http://railscasts.com/episodes/143-paypal-security I’ve become concerned that I should perhaps add security measures to my payment request. Specifically, I don’t want someone to be able to manipulate the prices of the items which I send in my request. Of course, I’m using the standard paypal_adaptive gem request:
pay_request = PaypalAdaptive::Request.new
data = {
"returnUrl" => "http://testserver.com/payments/completed_payment_request",
"requestEnvelope" => {"errorLanguage" => "en_US"},
"currencyCode"=>"USD",
"receiverList"=>{"receiver"=>[{"email"=>"testpp_1261697850_per@nextsprocket.com", "amount"=>"10.00"}]},
"cancelUrl"=>"http://testserver.com/payments/canceled_payment_request",
"actionType"=>"PAY",
"ipnNotificationUrl"=>"http://testserver.com/payments/ipn_notification"
}
pay_response = pay_request.pay(data)
if pay_response.success?
redirect_to pay_response.approve_paypal_payment_url
else
puts pay_response.errors.first['message']
redirect_to failed_payment_url
end
My question is: do I need to encrypt this request to prevent people from changing prices like Ryan does in his rails cast? If so, how can I manipulate this code in order to do so?
IPN validation is definitely good practice. But with regards to encrypting the variables sent across; no, that’s not necessary.
The example listed on http://railscasts.com/episodes/143-paypal-security uses Website Payments Standard, in which case it is good to encrypt it.
But Adaptive Payments is a series of server-to-server API calls (the ‘Pay’ API), from your server to PayPal’s. The only part exposed to the buyer is the payKey, a temporary token which the buyer can’t manipulate.