I am using the Square API to process user payment (using the Create Checkout Link API): POST /v2/online-checkout/payment-links.
The problem is that Square does not support out-of-the-box callback functions on payment success and payment failure, it only provides a redirect_url option to send the user to another page when they finish the payment.
The way I solved it now is to generate a random secret key for each purchase intent and pass the key as an argument in the redirect_url:
redirect_url = "https://example.com?pid=5&secret_key=abcdefgh12345"
This however exposes the inner workings of my system to anyone remotely skilled in IT, they can see that I pass a secret key as a GET argument.
Even though the secret key is a variation with class 25 and number of elements 64 where order of elements is important and repetition is allowed (which works out to ~2*10^84), if there is ever a leak of the database (e.g. hosting provider is compromised), all the secret keys will be up for grabs and people can just manually hit the API to approve their purchases. I need to either make this more subtle or change the payment validation process altogether.
Any way I can improve my current system? Is there a way to somehow use Square's API to verify a purchase success via callback like the Stripe API provides?
You can add your key to the redirect_url but as you pointed out that's easily accessible to bad actors. Have you looked at adding your secret key as a reference_id in the payment link order? Once the payment is complete you can take the order_id and call RetrieveOrder to get all order details including your unique reference_id which wouldn't be accessible to bad actors.
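The check suggested in the answer above, sketched as an added example (not code from either poster or from Square): the server fetches the order itself with RetrieveOrder and compares it with what it stored when creating the payment link, so nothing secret travels in the redirect URL. The function names, the sample order and the rule for treating an order as paid are assumptions.

```python
import hmac
import json
import urllib.parse
import urllib.request

SQUARE_BASE = "https://connect.squareup.com"  # production host


def fetch_order(order_id, access_token):
    """Call RetrieveOrder (GET /v2/orders/{order_id}) and return the order dict."""
    safe_id = urllib.parse.quote(order_id, safe="")  # order_id may be user-supplied
    req = urllib.request.Request(
        f"{SQUARE_BASE}/v2/orders/{safe_id}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["order"]


def verify_purchase(order, expected_reference_id, expected_amount, currency):
    """Return True only if the server-fetched order matches our own records."""
    ref = order.get("reference_id") or ""
    # Constant-time comparison of the stored key with the one on the order.
    if not hmac.compare_digest(ref.encode(), expected_reference_id.encode()):
        return False
    total = order.get("total_money", {})
    if (total.get("amount"), total.get("currency")) != (expected_amount, currency):
        return False
    # Assumption: the order counts as paid when its tenders cover the total.
    paid = sum(t.get("amount_money", {}).get("amount", 0)
               for t in order.get("tenders", []))
    return paid >= expected_amount > 0


# Constructed sample of a RetrieveOrder "order" object (not real data).
SAMPLE_ORDER = {
    "id": "ORDER_ID_PLACEHOLDER",
    "reference_id": "abcdefgh12345",
    "total_money": {"amount": 1500, "currency": "USD"},
    "tenders": [{"amount_money": {"amount": 1500, "currency": "USD"}}],
}

if __name__ == "__main__":
    # Offline run against the constructed sample; fetch_order() is not called.
    print(verify_purchase(SAMPLE_ORDER, "abcdefgh12345", 1500, "USD"))
```

The expected reference_id and amount come from the server's own purchase record, never from the redirect query string.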