My Wix website I'm currently working on has the Pricing Plans app installed and, depending on these plans, users can access certain API functions I have exposed on the website via an app I'm developing. Since I can't retrieve a user object in the http-functions.js file, I have had to make a separate collection to store data about a user's subscriptions. Upon ordering a plan this works fine, as I can hook into the onPlanPurchased event and do whatever logic I need there to modify the said collection. However, no such event exists for the cancellation of a plan, meaning any modification to the collection has to be done by a backend function being called from client-side code such as:
```javascript
import wixUsers from 'wix-users';
import wixPaidPlans from 'wix-paid-plans';
import wixWindow from 'wix-window';
// Backend function that updates the subscriptions collection;
// the module path 'backend/plans' is assumed (not given in the post).
import { cancelPlan } from 'backend/plans';

// orderId is assumed to have been set earlier on the page (not shown in the post).
cancelPlan(wixUsers.currentUser.id)
  .then((results) => {
    if (results === "SUCCESS") {
      // Only after the backend has updated the collection is the order cancelled.
      wixPaidPlans.cancelOrder(orderId)
        .then(() => {
          wixWindow.openLightbox("PlanCancelled");
        })
        .catch((err) => {
          wixWindow.openLightbox("PlanCancelFailed");
        });
    } else {
      wixWindow.openLightbox("PlanCancelFailed");
    }
  })
  .catch((err) => {
    wixWindow.openLightbox("PlanCancelFailed");
  });
```
As you can see, the issue here is that since this is run in the browser, would it be possible for someone to modify this and run just the wixPaidPlans.cancelOrder() line without my backend function running? If so, somebody could cancel their payment but still have access to things offered by my website via the API functions I've talked about. Am I correct to be worrying about this? And if so, does anybody have any pointers on how else I could go about this? Thanks.
I forgot about this question a while back but wanted to update it since I did end up finding a solution.
Wix has several webhooks that can be used to point to an API/HTTP-function on your site. One of these webhooks is for when a payment plan is cancelled; this event can be pointed to a function in http-functions.js and the relevant logic can be done there, ensuring that everything can be executed as is meant to, but the process can also be started by the user.
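As an added illustration of the webhook-driven approach in this answer (example code, not the poster's or Wix's own), here is the server-side logic such an http-function would run: the webhook payload is the only thing that marks a subscription cancelled, and the exposed API functions decide access purely from the collection, so skipping the client-side backend call changes nothing. The collection is stood in for by an in-memory Map with constructed sample records, the payload field names (`memberId`, `orderId`, `cancelledAt`) and the endpoint name `post_planCancelled` are assumptions, and the Wix modules are not used so it runs in plain Node.

```javascript
// In-memory stand-in for the subscriptions collection (constructed sample data).
// In Velo this would be a wix-data collection populated from onPlanPurchased.
const subscriptions = new Map([
  ["member-123", { orderId: "order-abc", status: "ACTIVE", plan: "pro" }],
  ["member-456", { orderId: "order-def", status: "ACTIVE", plan: "basic" }],
]);

// Core logic the webhook handler calls. Returns a result object instead of
// throwing so the caller can map it to an HTTP status.
function handlePlanCancelled(payload, store) {
  if (!payload || typeof payload.memberId !== "string" ||
      typeof payload.orderId !== "string") {
    return { ok: false, reason: "malformed payload" };
  }
  const record = store.get(payload.memberId);
  // Only revoke when the cancelled order matches what was recorded at purchase
  // time; a mismatch is rejected rather than revoking the wrong subscription.
  if (!record || record.orderId !== payload.orderId) {
    return { ok: false, reason: "unknown order for member" };
  }
  store.set(payload.memberId, {
    ...record,
    status: "CANCELLED",
    cancelledAt: payload.cancelledAt ?? null,
  });
  return { ok: true };
}

// Authorization check for the exposed API functions: the collection is the
// single source of truth, so a client-side shortcut cannot keep access alive.
function hasActiveAccess(memberId, store) {
  const record = store.get(memberId);
  return Boolean(record && record.status === "ACTIVE");
}

// Illustrative shape of the http-functions.js endpoint (assumed name). In Velo
// the return values would be wrapped with ok()/badRequest() from
// wix-http-functions, and the webhook request should be authenticated per
// Wix's documentation before this point (assumed done by the caller).
async function post_planCancelled(request, store = subscriptions) {
  const body = await request.body.json();
  const result = handlePlanCancelled(body, store);
  return result.ok ? { status: 200 } : { status: 400, body: result.reason };
}
```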