PayPal Has Updated Its Webhook Verification Endpoint
#javascript #webdev #programming #news

tl;dr

PayPal requires webhook listeners to verify every webhook notification message that PayPal sends to them.
Doing so strengthens security by ensuring that your webhook listener is receiving genuine PayPal webhook messages.
PayPal has updated its endpoint for verifying PayPal webhook notification messages and now deprecates its old webhook verification method. The updated endpoint simplifies the process of verifying PayPal webhook messages, improving the developer experience.
The update also covers more REST APIs (for example, the Orders API). You can read more about the rationale for the update here.


A webhook is an automated HTTP request sent from an application when an event fires. The request carries a message (called the payload) to a unique destination URL (called the webhook listener), and the receiving application can take further action based on the contents of the payload. Webhooks let applications communicate with one another seamlessly and speed up processing and service delivery.

PayPal's REST APIs use webhooks to notify your application that an event has occurred; for example, a new order has been placed or a payment has been processed. You create webhooks, each associated with events, in your PayPal Developer Portal account. PayPal webhooks support an extensive list of event types.

A bad actor could forge a webhook notification message and try to make it appear to originate from PayPal. To guard against this, PayPal requires applications to verify every webhook notification they receive from PayPal.

To verify a PayPal webhook message, your application sends a POST request to PayPal's verify-webhook-signature endpoint with a payload containing several required parameters:

  • auth_algo: extracted from the PAYPAL-AUTH-ALGO value in the webhook notification's headers.
  • cert_url: extracted from the PAYPAL-CERT-URL value in the webhook notification's headers.
  • transmission_id: extracted from the PAYPAL-TRANSMISSION-ID value in the webhook notification's headers.
  • transmission_sig: extracted from the PAYPAL-TRANSMISSION-SIG value in the webhook notification's headers.
  • transmission_time: extracted from the PAYPAL-TRANSMISSION-TIME value in the webhook notification's headers.
  • webhook_id: the ID of the webhook configured in your PayPal Developer Portal account.
  • webhook_event: the webhook notification received from PayPal that you are now verifying.

Here is a sample webhook verification payload:

```json
{
  "auth_algo": "SHA256withRSA",
  "cert_url": "cert_url",
  "transmission_id": "69cd13f0-d67a-11e5-baa3-778b53f4ae55",
  "transmission_sig": "lmI95Jx3Y9nhR5SJWlHVIWpg4AgFk7n9bCHSRxbrd8A9zrhdu2rMyFrmz+Zjh3s3boXB07VXCXUZy/UFzUlnGJn0wDugt7FlSvdKeIJenLRemUxYCPVoEZzg9VFNqOa48gMkvF+XTpxBeUx/kWy6B5cp7GkT2+pOowfRK7OaynuxUoKW3JcMWw272VKjLTtTAShncla7tGF+55rxyt2KNZIIqxNMJ48RDZheGU5w1npu9dZHnPgTXB9iomeVRoD8O/jhRpnKsGrDschyNdkeh81BJJMH4Ctc6lnCCquoP/GzCzz33MMsNdid7vL/NIWaCsekQpW26FpWPi/tfj8nLA==",
  "transmission_time": "2016-02-18T20:01:35Z",
  "webhook_id": "1JE4291016473214C",
  "webhook_event": {
    "id": "8PT597110X687430LKGECATA",
    "create_time": "2013-06-25T21:41:28Z",
    "resource_type": "authorization",
    "event_type": "PAYMENT.AUTHORIZATION.CREATED",
    "summary": "A payment authorization was created",
    "resource": {
      "id": "2DC87612EK520411B",
      "create_time": "2013-06-25T21:39:15Z",
      "update_time": "2013-06-25T21:39:17Z",
      "state": "authorized",
      "amount": {
        "total": "7.47",
        "currency": "USD",
        "details": {
          "subtotal": "7.47"
        }
      },
      "parent_payment": "PAY-36246664YD343335CKHFA4AY",
      "valid_until": "2013-07-24T21:39:15Z",
      "links": [
        {
          "href": "https://api-m.paypal.com/v1/payments/authorization/2DC87612EK520411B",
          "rel": "self",
          "method": "GET"
        },
        {
          "href": "https://api-m.paypal.com/v1/payments/authorization/2DC87612EK520411B/capture",
          "rel": "capture",
          "method": "POST"
        },
        {
          "href": "https://api-m.paypal.com/v1/payments/authorization/2DC87612EK520411B/void",
          "rel": "void",
          "method": "POST"
        },
        {
          "href": "https://api-m.paypal.com/v1/payments/payment/PAY-36246664YD343335CKHFA4AY",
          "rel": "parent_payment",
          "method": "GET"
        }
      ]
    }
  }
}
```

Here is a sample POST request from a Node.js application that verifies a PayPal webhook notification:

```javascript
const fetch = require('node-fetch'); // node-fetch v2 (CommonJS); Node.js 18+ can use the built-in fetch instead

fetch('https://api-m.sandbox.paypal.com/v1/notifications/verify-webhook-signature', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        // OAuth 2.0 access token for your PayPal REST app (sample value)
        'Authorization': 'Bearer ECvJ_yBNz_UfMmCvWEbT_2ZWXdzbFFQZ-1Y5K2NGgeHn'
    },
    body: JSON.stringify({ "transmission_id": "69cd13f0-d67a-11e5-baa3-778b53f4ae55", "transmission_time": "2016-02-18T20:01:35Z", "cert_url": "cert_url", "auth_algo": "SHA256withRSA", "transmission_sig": "lmI95Jx3Y9nhR5SJWlHVIWpg4AgFk7n9bCHSRxbrd8A9zrhdu2rMyFrmz+Zjh3s3boXB07VXCXUZy/UFzUlnGJn0wDugt7FlSvdKeIJenLRemUxYCPVoEZzg9VFNqOa48gMkvF+XTpxBeUx/kWy6B5cp7GkT2+pOowfRK7OaynuxUoKW3JcMWw272VKjLTtTAShncla7tGF+55rxyt2KNZIIqxNMJ48RDZheGU5w1npu9dZHnPgTXB9iomeVRoD8O/jhRpnKsGrDschyNdkeh81BJJMH4Ctc6lnCCquoP/GzCzz33MMsNdid7vL/NIWaCsekQpW26FpWPi/tfj8nLA==", "webhook_id": "1JE4291016473214C", "webhook_event": { "id": "8PT597110X687430LKGECATA", "create_time": "2013-06-25T21:41:28Z", "resource_type": "authorization", "event_type": "PAYMENT.AUTHORIZATION.CREATED", "summary": "A payment authorization was created", "resource": { "id": "2DC87612EK520411B", "create_time": "2013-06-25T21:39:15Z", "update_time": "2013-06-25T21:39:17Z", "state": "authorized", "amount": { "total": "7.47", "currency": "USD", "details": { "subtotal": "7.47" } }, "parent_payment": "PAY-36246664YD343335CKHFA4AY", "valid_until": "2013-07-24T21:39:15Z", "links": [ { "href": "https://api-m.paypal.com/v1/payments/authorization/2DC87612EK520411B", "rel": "self", "method": "GET" }, { "href": "https://api-m.paypal.com/v1/payments/authorization/2DC87612EK520411B/capture", "rel": "capture", "method": "POST" }, { "href": "https://api-m.paypal.com/v1/payments/authorization/2DC87612EK520411B/void", "rel": "void", "method": "POST" }, { "href": "https://api-m.paypal.com/v1/payments/payment/PAY-36246664YD343335CKHFA4AY", "rel": "parent_payment", "method": "GET" } ] } } })
})
    .then(res => res.json())
    .then(result => console.log(result.verification_status)) // "SUCCESS" for a genuine notification
    .catch(err => console.error('verification request failed', err));
```

When your webhook verification request succeeds, PayPal responds with the following payload (and HTTP status 200):

```json
{
  "verification_status": "SUCCESS"
}
```
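The listener-side half of this flow, as an added example that is not PayPal's own code: it lifts the five PAYPAL-* headers off the incoming notification, builds the verification payload described above, and treats anything other than an HTTP 200 with `verification_status` "SUCCESS" as an unverified message. The webhook id and access token are placeholders you supply, and `fetchImpl` is an assumed injectable parameter so the logic can run offline.

```javascript
// Added example, not PayPal's own code: builds the verify-webhook-signature
// request from an incoming notification and accepts the event only when PayPal
// answers verification_status "SUCCESS". Assumes Node.js 18+ (global fetch);
// webhook id and access token are placeholders you supply, and fetchImpl is
// injectable so the logic can be exercised offline without calling PayPal.
const VERIFY_URL = 'https://api-m.sandbox.paypal.com/v1/notifications/verify-webhook-signature';
// Required body fields and the PayPal header each one is taken from
// (Node lowercases incoming header names).
const HEADER_FIELDS = {
  auth_algo: 'paypal-auth-algo',
  cert_url: 'paypal-cert-url',
  transmission_id: 'paypal-transmission-id',
  transmission_sig: 'paypal-transmission-sig',
  transmission_time: 'paypal-transmission-time',
};

// Build the payload; throw if any header is missing so a message with stripped
// headers is rejected before any call to PayPal is made.
function buildVerificationPayload(headers, rawBody, webhookId) {
  const payload = {};
  for (const [field, header] of Object.entries(HEADER_FIELDS)) {
    const value = headers[header];
    if (typeof value !== 'string' || value === '') throw new Error(`missing header ${header}`);
    payload[field] = value;
  }
  payload.webhook_id = webhookId;
  payload.webhook_event = JSON.parse(rawBody); // the notification under verification
  return payload;
}

// Resolve true only on HTTP 200 with verification_status SUCCESS; anything else
// (FAILURE, 4xx/5xx, malformed reply) is treated as an unverified message.
async function verifyWebhook(headers, rawBody, webhookId, accessToken, fetchImpl = fetch) {
  const payload = buildVerificationPayload(headers, rawBody, webhookId);
  const res = await fetchImpl(VERIFY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` },
    body: JSON.stringify(payload),
  });
  if (res.status !== 200) return false;
  const reply = await res.json().catch(() => ({}));
  return reply.verification_status === 'SUCCESS';
}

// Constructed sample notification (header values from the article's example).
const SAMPLE_HEADERS = { 'paypal-auth-algo': 'SHA256withRSA', 'paypal-cert-url': 'cert_url',
  'paypal-transmission-id': '69cd13f0-d67a-11e5-baa3-778b53f4ae55', 'paypal-transmission-sig': 'sig-placeholder',
  'paypal-transmission-time': '2016-02-18T20:01:35Z' };
const SAMPLE_BODY = '{"id":"8PT597110X687430LKGECATA","event_type":"PAYMENT.AUTHORIZATION.CREATED"}';
```

Only act on the event after `verifyWebhook` resolves true; a rejected or failed verification should be logged and the notification dropped.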

PayPal provides a webhook simulator so you can quickly test your webhook listener. Grab the URL of your webhook listener, or get a mock listener URL from a service such as https://webhook.site. In the webhook simulator, enter that URL in the Webhook URL field, select the event type you want to be notified about, and click Send Test:

[Screenshot of the PayPal Webhook Simulator]

Your webhook listener should receive a mock payload from PayPal similar to the example shown earlier in this article.


PayPal takes the security of our products very seriously; with this update to the webhook verification endpoint, we continue to deliver seamless payment integrations together with mission-critical security standards.


Join the PayPal Developer Community

Members of our developer community support one another in integrating PayPal technology, contributing to open source, expanding their knowledge and networks, and improving PayPal's products and documentation. We'd love to have you join us!