如何制定严格的PayPal REST API付款周期?

时间:2014-08-15 18:08:59

标签: paypal flask paypal-rest-sdk

我在我的Flask应用程序上摆弄paypalrestsdk,这是支付的顺序。任何人都可以指出周期是否严格吗?

  1. 使用适当的重定向网址创建付款。

    payment = paypalrestsdk.Payment({
    "intent": "sale",
    "payer": {
        "payment_method": "paypal"
    },
    "redirect_urls": {
        "return_url": url_for('.payment_success', _external=True),
        "cancel_url": url_for('.payment_cancel', _external=True)
    },
...})
if payment.create():
      ...

  2. 如果成功,请将以下付款响应详细信息保存在数据库中。

    class PayPalPayment(db.Model):
    __tablename__ = 'ediket_paypal_payment'
    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(db.Integer, db.ForeignKey('ediket_ediketuser.id'))
    payment_id = db.Column(db.String(30))
    amount = db.Column(db.String(10))
    state = db.Column(db.String(10))
    redirect_url = db.Column(db.VARCHAR)
    created_at = db.Column(db.DateTime)
    updated_at = db.Column(db.DateTime)

  3. 然后,使用HATEOAS链接重定向。

  4. 交易在PayPal中进行。重定向以返回网址。

  5. 使用数据库中的“已创建”状态查找当前用户的上一次交易。

    pending_payment = PayPalPayment.query.filter_by(user_id=user_id).filter_by(state='created').first()

  6. 使用payment_id和payer_id执行付款

    payment = paypalrestsdk.Payment.find(pending_payment.payment_id)
if payment.execute({"payer_id": request.args.get('PayerID')}):
    #We are done!
    #Update Payment model for completion

    7. 一切正常,但我不太相信这种流程对于现实世界的应用是否安全。由于返回网址仅包含PayerID和令牌,因此找到要执行的相关付款的唯一方法是使用当前用户ID和状态='已创建'对付款表进行盲查询。

    有改进的余地吗?

1 个答案:

答案 0 :(得分:1)

此后的任何修改都是我存储了名为token的额外字段,该字段与HATEOAS链接一起传递。通过存储此令牌,我能够找到用户的待处理付款以继续执行。

<强>更新

以下是实施细节。它可能不完美,但它现在就成功了。

class PayPalPayment(db.Model):
    __tablename__ = 'paypal_payment'
    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'))
    product_id = db.Column(db.Integer, db.ForeignKey('product.id'))
    payment_id = db.Column(db.String(30))
    amount = db.Column(db.String(10))
    state = db.Column(db.String(10))
    token = db.Column(db.String(30))
    redirect_url = db.Column(db.Text)
    created_at = db.Column(db.DateTime)
    updated_at = db.Column(db.DateTime)

    def __init__(self, payment, product_id, user_id):
        self.user_id = user_id
        self.product_id = product_id
        self.payment_id = payment.id
        self.amount = payment.transactions[0].amount.total
        self.state = payment.state

        self.created_at = datetime.datetime.strptime(payment.create_time, "%Y-%m-%dT%H:%M:%SZ")
        self.updated_at = datetime.datetime.strptime(payment.update_time, "%Y-%m-%dT%H:%M:%SZ")

        for link in payment.links:
            if link.method == "REDIRECT":
                self.redirect_url = link.href

        parsed = urlparse.urlparse(self.redirect_url)
        self.token = urlparse.parse_qs(parsed.query)['token'][0]

@payment_view.route('/paypal', methods=['POST'])
@login_required
def paypal_payment():
    user_id = current_user.get_id()
    product = Product.query.filter_by(id=request.form.get('product')).first_or_404()
    past = datetime.datetime.utcnow() - datetime.timedelta(minutes=3)
    count = PayPalPayment.query.filter_by(user_id=user_id).filter_by(state='created').filter(PayPalPayment.created_at >= past).count()

    # To prevent a spam where user creates Payment and never comes back to it
    if count > 4:
        return Response(render_template('payment/overflow.html'), mimetype='text/html')

    payment = paypalrestsdk.Payment({
        "intent": "sale",
        "payer": {
            "payment_method": "paypal"
        },
        "redirect_urls": {
            "return_url": url_for('.payment_success', _external=True),
            "cancel_url": url_for('.payment_cancel', _external=True)
        },

        "transactions": [{
            "amount": {
                "total": product.amount,
                "currency": "USD"
            },
            "description": product.description
        }]
    })

    if payment.create():
        new_payment = PayPalPayment(payment, product.id, user_id)
        db.session.add(new_payment)
        db.session.commit()
        return redirect(new_payment.redirect_url, code=302)
    else:
        return Response(render_template('payment/cancel.html'), mimetype='text/html')

@payment_view.route('/success')
@login_required
def payment_success():
    user_id = current_user.get_id()
    payerID = request.args.get('PayerID', None)
    token = request.args.get('token', None)

    pending_payment = PayPalPayment.query.filter_by(token=token).filter_by(state='created').first_or_404()

    try:
        payment = paypalrestsdk.Payment.find(pending_payment.payment_id)
    except paypalrestsdk.exceptions.ResourceNotFound:
        abort(404)

    template = 'payment/error.html'
    if payment.execute({"payer_id": request.args.get('PayerID')}):
        pending_payment.state = payment.state
        pending_payment.updated_at = datetime.datetime.strptime(payment.update_time, "%Y-%m-%dT%H:%M:%SZ")
        template = 'payment/success.html'

    db.session.commit()
    return Response(render_template(template), mimetype='text/html')

请随意批评。

相关问题
最新问题