#8
Jan 04, 2009
0 comments

PayPal Security- PayPal安全

This episode shows how to encrypt the variables passed to PayPal and verify the authenticity of the payment notifications (IPN).
这个视频演示了如何加密传递到PayPal的变量,和验证支付通知的真伪.

Tags: tools security
Bittorrent 种子下载 推荐使用 (22.9 MB, 11:37)
直接下载/Direct Download Link (22.9 MB, 11:37) 
mkdir certs
cd certs
openssl genrsa -out app_key.pem 1024
openssl req -new -key app_key.pem -x509 -days 365 -out app_cert.pem
mv ~/Downloads/paypal_cert_pem.txt paypal_cert.pem
script/generate nifty_config



# models/cart.rb
def paypal_encrypted(return_url, notify_url)
  values = {
    :business => APP_CONFIG[:paypal_email],
    :cmd => '_cart',
    :upload => 1,
    :return => return_url,
    :invoice => id,
    :notify_url => notify_url,
    :cert_id => APP_CONFIG[:paypal_cert_id]
  }
  line_items.each_with_index do |item, index|
    values.merge!({
      "amount_#{index+1}" => item.unit_price,
      "item_name_#{index+1}" => item.product.name,
      "item_number_#{index+1}" => item.id,
      "quantity_#{index+1}" => item.quantity
    })
  end
  encrypt_for_paypal(values)
end

PAYPAL_CERT_PEM = File.read("#{Rails.root}/certs/paypal_cert.pem")
APP_CERT_PEM = File.read("#{Rails.root}/certs/app_cert.pem")
APP_KEY_PEM = File.read("#{Rails.root}/certs/app_key.pem")

def encrypt_for_paypal(values)
  signed = OpenSSL::PKCS7::sign(OpenSSL::X509::Certificate.new(APP_CERT_PEM), OpenSSL::PKey::RSA.new(APP_KEY_PEM, ''), values.map { |k, v| "#{k}=#{v}" }.join("\n"), [], OpenSSL::PKCS7::BINARY)
  OpenSSL::PKCS7::encrypt([OpenSSL::X509::Certificate.new(PAYPAL_CERT_PEM)], signed.to_der, OpenSSL::Cipher::Cipher::new("DES3"), OpenSSL::PKCS7::BINARY).to_s.gsub("\n", "")
end

# models/payment_notification.rb
def mark_cart_as_purchased
  if status == "Completed" && params[:secret] == APP_CONFIG[:paypal_secret] &&
      params[:receiver_email] == APP_CONFIG[:paypal_email] &&
      params[:mc_gross] == cart.total_price.to_s && params[:mc_currency] == "USD"
    cart.update_attribute(:purchased_at, Time.now)
  end
end

<!-- carts/show.html.erb -->
<% form_tag APP_CONFIG[:paypal_url] do %>
  <%= hidden_field_tag :cmd, "_s-xclick" %>
  <%= hidden_field_tag :encrypted, @cart.paypal_encrypted(products_url, payment_notifications_url(:secret => APP_CONFIG[:paypal_secret])) %>
  <p><%= submit_tag "Checkout" %></p>

# app_config.yml
development:
  paypal_email: seller_1229899173_biz@railscasts.com
  paypal_secret: foobar
  paypal_cert_id: WKKX2FSCFDB8C
  paypal_url: "https://www.sandbox.paypal.com/cgi-bin/webscr"

test:
  paypal_email: test@example.com
  paypal_secret: testsecret
  paypal_cert_id: 123456789
  paypal_url: testpaypalurl

production:
  paypal_email: foo@example.com
  paypal_secret: supersecret
  paypal_cert_id: KLHZSK326HEDS
  paypal_url: "https://www.paypal.com/cgi-bin/webscr"

添加留言:/Add your comment:

(SKIP THIS ONE)

(required)

(not shown)


(可以使用pastie或者gist添加代码) (use pastie or gist for code)

navigation:
tags:
if you want to help:
required:
BT下载工具
Get Bittorrent Tool
VLC播放器
Get VLC Media Player