如何在node.js中验证PayPal Webhooks?

x33g5p2x  于 2023-04-05  发布在  Node.js
关注(0)|答案(1)|浏览(103)

我发现了一些处理PHP和this code example的旧答案,但我不确定这是否已经过时了,因为repo已经存档了,我知道PayPal通常会转向只使用REST API的方法。
我希望有人能在这里给予一下最新的建议是什么,以及2015年的代码是否已经过时了。

/* Copyright 2015-2016 PayPal, Inc. */
"use strict";

var paypal = require('../../../');
require('../../configure');

// Sends the webhook event data to PayPal to verify the webhook event signature is correct and 
// the event data came from PayPal.

// Note this sample is only for illustrative purposes. You must have a valid webhook configured with your
// client ID and secret. This sample may not work due to other tests deleting and creating webhooks.

// Normally, you would pass all the HTTP request headers sent in the Webhook Event, but creating a
// JSON object here for the sample.
var certURL = "https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-a5cafa77";
var transmissionId = "103e3700-8b0c-11e6-8695-6b62a8a99ac4";
var transmissionSignature = "t8hlRk64rpEImZMKqgtp5dlWaT1W8ed/mf8Msos341QInVn3BMQubjAhM/cKiSJtW07VwJvSX7X4+YUmHBrm5BQ+CEkClke4Yf4ouhCK6GWsfs0J8cKkmjI0XxfJpPLgjROEWY3MXorwCtbvrEo5vrRI2+TyLkquBKAlM95LbNWG43lxMu0LHzsSRUBDdt5IP1b2CKqbcEJKGrC78iw+fJEQGagkJAiv3Qvpw8F/8q7FCQAZ3c81mzTvP4ZH3Xk2/nNznEA7eMi3u1EjSpTmLfAb423ytX37Ts0QpmPNgxJe8wnMB/+fvt4xjYH6KNe+bIcYU30hUIe9O8c9UFwKuQ==";
var transmissionTimestamp = "2016-10-05T14:57:40Z";
var headers = {
    'paypal-auth-algo': 'SHA256withRSA',
    'paypal-cert-url': certURL,
    'paypal-transmission-id': transmissionId,
    'paypal-transmission-sig': transmissionSignature,
    'paypal-transmission-time': transmissionTimestamp
};

// The eventBody parameter is the entire webhook event body.
var eventBody = '{"id":"WH-82L71649W50323023-5WC64761VS637831A","event_version":"1.0","create_time":"2016-10-05T14:57:40Z","resource_type":"sale","event_type":"PAYMENT.SALE.COMPLETED","summary":"Payment completed for $ 6.01 USD","resource":{"id":"8RS6210148826604N","state":"completed","amount":{"total":"6.01","currency":"USD","details":{"subtotal":"3.00","tax":"0.01","shipping":"1.00","handling_fee":"2.00","shipping_discount":"3.00"}},"payment_mode":"INSTANT_TRANSFER","protection_eligibility":"ELIGIBLE","protection_eligibility_type":"ITEM_NOT_RECEIVED_ELIGIBLE,UNAUTHORIZED_PAYMENT_ELIGIBLE","transaction_fee":{"value":"0.47","currency":"USD"},"invoice_number":"","custom":"Hello World!","parent_payment":"PAY-11X29866PC6848407K72RIQA","create_time":"2016-10-05T14:57:18Z","update_time":"2016-10-05T14:57:26Z","links":[{"href":"https://api.sandbox.paypal.com/v1/payments/sale/8RS6210148826604N","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/payments/sale/8RS6210148826604N/refund","rel":"refund","method":"POST"},{"href":"https://api.sandbox.paypal.com/v1/payments/payment/PAY-11X29866PC6848407K72RIQA","rel":"parent_payment","method":"GET"}]},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-82L71649W50323023-5WC64761VS637831A","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-82L71649W50323023-5WC64761VS637831A/resend","rel":"resend","method":"POST"}]}';

// The webhookId is the ID of the configured webhook (can find this in the PayPal Developer Dashboard or
// by doing a paypal.webhook.list()
var webhookId = "3TR748995U920805P";

paypal.notification.webhookEvent.verify(headers, eventBody, webhookId, function (error, response) {
    if (error) {
        console.log(error);
        throw error;
    } else {
        console.log(response);

        // Verification status must be SUCCESS
        if (response.verification_status === "SUCCESS") {
            console.log("It was a success.");
        } else {
            console.log("It was a failed verification");
        }
    }
});
bvuwiixz

bvuwiixz1#

这些SDK是REST API的抽象,但不再被维护,因此最好不要使用它们。
有两种可能的方法来验证Webhooks
1.使用verify webhook sygnature REST API调用将消息发布回PayPal。您需要使用client_id和secret首先获取访问令牌,与所有其他REST API调用相同。
1.自己验证加密签名(此处为Java伪代码)。
对于这两种方法,“webhookId”--与每个webhook event id相反--是17个字母数字,并且出于安全(防欺骗)原因,它不是Webhook消息本身的一部分(在注册webhook或查看REST app config中现有的订阅hook时会得到它)。
由于有时会引起混淆,值得一提的是,验证webhooks是为了您自己的信息-以确认消息确实来自PayPal,而不是其他(恶意)行为者。
但是对于PayPal本身来说,要想认为webhook消息已成功发送(而不是不断重试),所需要做的就是让它发布到的侦听器URL响应HTTP 200 OK状态。这就结束了webhook消息的发送。

相关问题