I am creating a service where users have to pay for certain product. Now, I am struggling with the transaction part.
I am creating a transaction if users get to the checkout page. The payment gateway has the following URLs:
ReturnUrl -> The URL the customer is redirected to after a successful payment (after clicking "Back to Webshop")
NotifyUrl -> The URL (server-to-server call) that's being called when the user finishes his payment, when the customer is being redirected back via ReturnUrl
CallbackUrl -> The URL that's being called when the user closes his browser after a successful payment, without clicking the "Back to Webshop" button, and hence not being redirected via ReturnUrl
Now, I am struggling with how to securely set the transaction to completed when they return to either NotifyUrl or CallbackUrl. I am generating a token when I am putting the transaction into the database so unauthorized users can't modify/change anything. But I am sending the token with POST to my payment provider, which means if they know what URL to send a GET request to with all the information such as token and transaction_id, they could browse there without actually paying and trick my server into thinking the request came from my payment processor.
How would I go about properly doing this?
At least you should verify the origin of the server-to-server call (IP address or domain) to be sure it's the payment processor who made the request.
Some payment processors (multisafepay) just send a wake-up message to NotifyUrl, simply stating that the status of payment such-and-so has changed. Then your server can make a secure call to the payment processor requesting the exact details and update the local status accordingly.
Furthermore, it's always wise to use SSL in these scenarios.
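The wake-up pattern from the answer above, as an added example that is not part of the original question or answer: the notify handler checks the caller's origin, ignores any status carried in the inbound parameters, and asks the processor for the authoritative status before marking the local transaction completed. The `ProcessorClient` class, the trusted IP, the transaction id and token values are all assumptions constructed for the example; a real client would make an authenticated HTTPS call to the processor's status API.

```python
import hmac
from dataclasses import dataclass

# Local record of a checkout transaction (what the questioner writes to the
# database, together with the per-transaction token).
@dataclass
class Transaction:
    id: str
    token: str
    amount_cents: int
    status: str = "pending"

def make_store():
    # Constructed sample data standing in for the database.
    return {"tx-1001": Transaction("tx-1001", "a3f9c2e1b7d4", 4999)}

# Hypothetical processor client. In production fetch_status is an outbound
# HTTPS call to the processor's status API, authenticated with your API key;
# here it reads from a dict so the example runs offline.
class ProcessorClient:
    def __init__(self, remote_state):
        self._remote = remote_state

    def fetch_status(self, transaction_id):
        return self._remote.get(transaction_id)

TRUSTED_NOTIFY_IPS = {"203.0.113.10"}  # constructed; use the processor's published ranges

def handle_notify(source_ip, params, client, store):
    """Treat NotifyUrl/CallbackUrl as a wake-up only: the processor's own
    status answer, not the inbound parameters, decides whether to complete."""
    if source_ip not in TRUSTED_NOTIFY_IPS:
        return "rejected: untrusted origin"
    tx = store.get(params.get("transaction_id", ""))
    if tx is None:
        return "rejected: unknown transaction"
    # Token check is defence in depth only: the token was sent to the
    # processor, so anyone who saw that request could replay it.
    if not hmac.compare_digest(tx.token, params.get("token", "")):
        return "rejected: bad token"
    if tx.status == "completed":
        return "ok: already completed"   # duplicate notifies are harmless
    remote = client.fetch_status(tx.id)
    if remote is None or remote.get("status") != "completed":
        return "ok: not completed yet"   # params["status"] is never consulted
    if remote.get("amount_cents") != tx.amount_cents:
        return "rejected: amount mismatch"
    tx.status = "completed"
    return "ok: completed"
```

Because the handler re-fetches the status, a forged GET with a valid-looking token and transaction_id cannot complete a transaction the processor has not actually seen paid.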