Does Dwolla's payment button return an oAuth token which can be used such that the user never again has to redirect to Dwolla's website?
Paraphrasing from Dwolla technical support,
"... the payment button uses the offsite gateway... which doesn't deal with oauth and/or tokens at all
plus, if you're gonna be using oauth tokens, you need a minimum level of coding knowledge anyway and the payment button was really just intended for those who dont code at all"
Related
Context
Sign-up form and one of the fields is Instagram account
When the user will finish sing up, there's a link to the person's Insta account
(No integrations)
Goal
I want to make sure the user can only sign up with his own Instagram,
much like e-mail verification
My thoughts
I took a look at the Instagram API documentation and didn't find an option for it. Any thoughts about how to do that?
There would be an option to use the Insta auth basic, allow the user to sign-up via Instagram. Although this seems to be a proper overkill and it's getting deprecated anyways.
Is there any way to integrate PayPal without redirecting user to PayPal's website for payment in case of debit cards or PayPal payment type ?
Yes you can, it is explained by Paypal here : https://developer.paypal.com/docs/classic/adaptive-payments/ht_ap-embeddedPayment-curl-etc/
There are paypal products available in some countries with this functionalisty. I heard that Payflow Pro and Paypal Payments Advanced have such functionality.
But actually from my developer experience, if Stripe platform is avaialble for country where your project is hosted, then better to use Stripe Elements - they found a way to securely place fancy controls to get CC info in a way your website can get just either a token or a payment method object, without redirects, and if necessary, show a popup with 3D secure window during payment flow.
Is it possible to use the stripe modal popup to simply gather billing information and create the token? For example, there would be a detailed form with about 20-25 questions, payment at the end and instead of having fields to fillout - I wanted to use the stripe popup to gather information and make token - but I do not want it to submit. Is this possible and if so does someone have a jsfiddle example?
You can use a "custom integration" to do this. The token callback function you set up will receive the token, and afterwards it's up to you to do whatever you want with it.
I'm wondering what's the best way of accepting payments from credit cards that require 3-D Secure verification. Currently the checkout flow is like this:
Customer submits payment
Payment gateway returns an error stating that the card requires 3-D secure code processing. Returns the ACS URL in the response
I redirect user to the issuing bank's verification site and I pass a callback URL for the ACS to redirect after completion of verification
Customer enters verification code and ACS redirects to the callback URL with an authorization token indicating successful verification
To complete the process, I have to resubmit the original request with the authorization token to the payment gateway
My problem is in the final step. As I need to resubmit the original request (which contains the credit card information of the customer), I need to store it somewhere temporarily so I can retrieve it when the callback URL is called. Is there an alternative to this?
I'm thinking of trying an iframe solution: The original form is never closed and I display the verification process in an iframe. When the process completes, i.e. the callback url is called, I hide the iframe and update the original form with the needed values and resubmit. Has anyone tried this technique before?
As you might already noticed in article you linked, presenting bank's page in iframe is a preferred option. Although if you read in further, it presents other security features, specifically in regard to phishing protection. Because your client won't know to whom is he really sending his password.
But going back to your proposition, if you present it in iframe or popup window, you would be able to store the original form on your base page and then resubmit it with received authentication token. It's a very good idea because you would not need to do any PCI compliance stuff. So not only it's easier for you it is recommended :).
With Sage Pay (and I would assume other payment providers) you don't need to pass the full order information again in the last step, just the response code from the 3D Secure form and a unique transaction reference. Storing the card details is therefore not necessary.
For me the process is:
Card details etc. and unique transaction reference submitted to payment gateway.
Payment gateway responds with 3D secure details (ACSURL and reference codes).
Redirect user to 3D Secure form (passing ref codes and callback URL) where they enter their details.
Verification code passed back to callback URL.
Server must send the verification code and same transaction reference from step 1 to the payment gateway.
Payment gateway responds with success/failure information.
I've done some recent work with 3d secure. From my personal experience:
I pass the credit card information with a forward url to the banks
3d secure url.
The user is redirected to the 3d secure url and prompted to type in his password.
When he clicks continue, the user is passed to the forward url with the authorization token -- the credit card information gets passed along as well.
I want to add Paypal functionality to my app but I'm kind of in the dark about some of the security issues.
Specifically, when the user wants to pay, I have to redirect them to Paypal and then Paypal sends me some kind of token/key to indicate whether the payment took place.
So, on the page where I pass the user to Paypal, do I need SSL? Why/why not?
What about the page where I receive the response token from Paypal?
Is it possible for a hacker, for example, to make up some random token and post it to my app to pretend that he paid?
If so, does this mean I need to make another call to Paypal after I receive the token - to make sure the token is real?
I've done this before using drupal e-commerce to sell app downloads via Paypal and used SSL neither on the redirection nor the landing page. While technically I suppose a hacker could intercept the token of someone who paid for the app and use it to pretend he paid, I don't think this is likely scenario because the average criminal is more interested in credit card numbers than one-time free access to some product/service. Further, one of the main reasons you would use Paypal in the first place is so that you wouldn't have to pay as much attention to security as you would if you had to process the users credit cards yourself since Paypal takes care of this for you (and their system is secured by SSL).
correct me if I'm wrong but I think that without ssl the following two scenarios are possible using a man-in-the-middle attack:
phishing:
the hacker redirects the user to a paypal-like site and receives his paypal user/pw or credit card details.
this attack isn't perfect as phishing sites do get found and pulled down.
hijacking the payment:
the hacker creates his own real paypal token (order data scrapped from your site) but with his own paypal account as the receiver and redirect the customer to that address. in this case paypal's policies might be enough to make this actions pointless.