I want to integrate Stripe, PayPal or Braintree into django project, and I want to use 'django-rest-framework`, now I'm confused about one thing and that is - Should I "touch" my database?
What I mean, I want only to charge once to my customers, it's a fee and nothing more, so should I touch 'db' or not? I'm afraid it will distort PCI Compile way of handling things. I don't know where to start beside documentation for those mentioned payments systems.
Can someone help me understand what are best practices for one time payment.
(Disclaimer: I'm a Stripe employee, so I'll only talk about Stripe here.)
Stripe makes it easy to be PCI compliant. With a proper integration, you will never have access to your customers' payment information.
A typical payment flow with Stripe can be divided in two steps:
Collect the customer's payment information, using the prebuilt Checkout form, or a form of your own using Stripe.js.
In both cases, the card information is sent directly from the customer's browser to Stripe's servers, which return a card token. You then send this token to your backend.
On your backend, you use the token to create a charge.
The token represents a card, but hides the PCI sensitive information (i.e. the whole card number and the CVC) from you.
You can find a simple tutorial for creating charges here.
If you don't plan on charging the same customer multiple times (or if you don't mind asking them to provide their card information every time), then you don't necessarily need to store anything in your own database. When you create the charge, you will be immediately informed of the result (success or failure) and can take the necessary actions.
I guess you solved the problem.
On top of that, I wanna add some information about PayPal payments when working a REST API(DRF) and a frontend server.
In this case, you can use both servers to work to secure your transactions, how?
The frontend server will take care of displaying the PayPal checkout buttons, and creating an Order in the Paypal Servers when the order has gone through. And the backend server will check the validity of the order created in the PayPal servers (using an order ID passed from the frontend after the payment has gone through), and update the database based on the PayPal response to that.
Now you could simply update your database when the payment is successful, but that would cause a security issue: people can send requests to update the database without even going through the payment.
Here is an illustration of this:
Full tutorial: https://www.kowe.io/projects/accept-paypal-payments-in-your-vuejs-and-drf-app/
Related
I'm using the stripe subscription API to provide multi tier accounts for my users. but about 50% of the transactions that i get in stripe are declined and flagged as fraudulent. how can i diagnose this issue knowing that i'm using the default base code provided in the stripe documentation (front end) and using the stripe python module (backend).
I know that i haven't provided much information, but that is only because there isn't much to provide. the code is known to anyone who has used stripe before, and there isn't any issue with it as there are transaction that work normally.
Thank you !
After contacting stripe support, i found that many payments were done by people from an IP address that belongs to a certain location with a card that is registered to a different location.
for example if someone uses a French debit card from England. i did ask stripe to look into this issue.
I'm trying to write a basic Flask app that limits the number of active logins a user can have, a la Netflix. I'm using the following strategy for now:
Using Flask_Security
store a active_login_count field for my User class.
every time a successful login request is completed, the app increases the active_login_count by 1. If doing so makes the count greater than the limit, it calls logout_user() instead.
This is a bad solution, because if the user loses her session (closed the incognito mode without logging out), the app hasn't been able to decrement her login count, and so, future logins are blocked.
One solution is to store the sessions on the server, but I don't know how I would go about authenticating valid sessions. Flask_Sessions is something I'm looking into, but I have no idea how to limit the number of active sessions.
As per my understanding, in the default configuration, Flask generates new session cookies on every request to prevent CSRF attacks. How would I go about doing that?
There could be several ways off the top of my head you approach this, none of them striking a nice balance between simplicity and effectiveness:
One way could be to add a last_seen field to your User. Pick some arbitrary number(s) that could serve as a heuristic to determine whether someone is "active". Any sufficiently long gap in activity could trigger a reset of the active_login_count. This obviously has many apparent loopholes, the biggest I see at the moment being, users could simply coordinate logins and potentially rack up an unlimited number of active sessions without your application being any the wiser. It's a shame humans in general tend to use similar "logical" mechanisms to run their entire lives; but I digress...
You could make this approach more sophisticated by trying to track the user's active ip addresses. Add an active_ips field and populate a list of (n) ips, perhaps with some browser information etc to try and fingerprint users' devices and manage it that way.
Another way is to use an external service, such as a Redis instance or even a database. Create up to (n) session ids that are passed around in the http headers and which are checked every time the api is hit. No active session id, or if the next session id would constitute a breach of contract, no access to the app. Then you simply clear out those session ids at regular intervals to keep them fresh.
Hopefully that gives you some useful ideas.
before anything, I wanna you to Know that I'm a Complete Newbie
in these things about developing "paid" webapps. I have been reading some posts
about how to integrate Paypal's IPN with Google App Engine, and I have some questions
about the topic, the thing is like this:
I want to use a paypal's Subscribe button in my webapp (wich is developed with GAE's Python base)
so the users can subscribe to the premium version if they don't want to use the free one anymore...
I was reading that paypal can help me to manage this thing about the users control via IPN but
I have to setup that in my GAE App and I don't know how... For example:
Where the notification URL has to point to in paypal's profile configuration?
I believe it has to point to a python script in my app but I'm not sure... If
that is true, What does this python script has to have?
Then, after that's finished, How can I make paypal create
usernames and passwords for my users in order to keep non premium users out of the
"premium features"?? I don't want links to something, I need explanations on how
to implement a "Paypal Subscriptions service" inside a Python based app on GAE
in order to offer a "premium service" and a free one,
Thanks, hope you can help
To make a short answer (as I'm not exactly sure what's the scope of your question).
It's not paypal's job to maintain your data model. You need to create a database entry with your users.
For an example of that, look Google's documentation at
http://code.google.com/appengine/docs/python/gettingstarted/usingusers.html
and, more importantly, http://code.google.com/appengine/docs/python/gettingstarted/usingdatastore.html
So you could create, for example, data model of this sort:
class Users(db.Model):
gae_user_object = db.UserProperty()
premium_member = db.BooleanProperty(default=False)
(of course, since you want to track subscriptions, this would be way too limited but you can get the idea).
and make the script called by Paypal trigger a function to change the value of *premium_member*...
Yes, paypal instant payment notification will call your app (you can specify somewhere in Paypal interface what uri, so you can choose what to map it to, preferably using your https appspot subdomain). Your app will need to store what paypal just sent and, before officializing anything, call Paypal servers back with the parameters that were just sent to know if the first was truly made by Paypal and not someone else.
To see a working example of that, check http://blog.awarelabs.com/2008/paypal-ipn-python-code/ and http://groups.google.com/group/google-appengine-python/browse_thread/thread/d76701e774e308be, even if both these example sucks (it will probably work, but don't use them as is in production as you'll notably end up with real bad error management).
Firstly pardon me if i've yet again failed to title my question correctly.
I am required to build an app to manage magazine subscriptions. The client wants to enter subscriber data and then receive alerts at pre-set intervals such as when the subscription of a subscriber is about to expire and also the option to view all subscriber records at any time. Also needed is the facility to send an SMS/e-mail to particular subscribers reminding them for subscription renewal.
I am very familiar with python but this will be my first real project. I have decided to build it as a web app using django, allowing the admin user the ability to view/add/modify all records and others to subscribe. What options do I have for integrating an online payment service? Also how do I manage the SMS alert functionality? Any other pointers/suggestions would be welcome.
Thank You
Payment gateway integration:
Here is a detailed article about how to integrate the Authorize.net payment system into a Django project. Authorize.net is used by a few popular Django projects, including the Satchmo e-commerce store project.
django-paypal is a pluggable Django app which lets you connect to PayPal merchant services.
SMS alerts:
django-sms is a Django app which is "...designed to make sending SMS text messages as simple as sending an email." so might be a good start.
General Django
You didn't mention your knowledge level of Django itself; if you need to brush up on your Django skills I would highly recommend the book Django 1.0 Website Development.
I think it's also worth pointing out that the resources I've mentioned here were all found in the first few results of a Google search for each topic. These are the search terms I used:
django payment gateway integration
django paypal integration (because I knew of PayPal beforehand)
django sms alerts
I'd like to comment on the SMS alert part.
First, I have to admit that I'm not familiar with Django, but I assume it to be just like most other web frameworks: request based. This might be your first problem, as the alert service needs to run independently of requests. You could of course hack together something to externally trigger a request once a day... :-)
Now for the SMS part: much depends on how you plan to implement this. If you are going with an SMS provider, there are many to choose from that let you send SMS with a simple HTTP request. I wouldn't recommend the other approach, namely using a real cellphone or SMS modem and take care of the delivery yourself: it is way too cumbersome and you have to take into account a lot more issues: e.g. retry message transmission for handsets that are turned off or aren't able to receive SMS because their memory is full. Your friendly SMS provider will probably take care of this.
I'm building an application that eventually needs to process cc #s. I'd like to handle it completely in my app, and then hand off the information securely to my payment gateway. Ideally the user would have no interaction with the payment gateway directly.
Any thoughts? Is there an easier way?
Most payment gateways offer a few mechanisms for submitting CC payments:
1) A simple HTTPS POST where your application collects the customer's payment details (card number, expiry date, amount, optional CVV) and then submits this to the gateway. The payment parameters are sent through in the POST variables, and the gateway returns a HTTP response.
2) Via an API (often XML over HTTPS). In this case your application collects the customer's payment details, constructs an XML document encapsulating the payment details, and then posts this information to the gateway. The gateway response will be an XML document which your application then has to parse and interpret.
3) Some form of redirect to web pages hosted by the payment gateway. The payment gateway collects the customer's CC number and other details, processes the payment, and then redirects the customer back to a web page hosted by you.
Option 3 is usually the easiest solution but would require the customer to interact with pages hosted by the gateway (although this can usually be made to be almost transparent).
1 and 2 above would satisfy your requirements with 1 being the simplest of the two to implement.
Because your preference is to have your application collect the payment details, you may need to consider whether you need to acquire PCI DSS compliance, but there are many factors that affect this. There is a lot of information about PCI DSS here and on Wikipedia.
That's something usual to do. Please follow the instructions your payment gateway gives you on how to send info to them, and write the code. If you have some issue, feel free to ask a more specific question.
You will probably find that it's easier to just let the payment gateway handle it. It's best to leave PCI compliance to the experts.