Solution:
For client-side REST: I know I can callback on ‘onAuthorize’ to redirect to a pre-defined page to confirm payment on the server side, but how do I pass the successful payment detail back to the server? And more importantly, how do I know the payment detail passed back is from paypal and genuine instead of being sent from a malicious site?
You’re correct that there’s no 100% reliable way to do this. The recommended approach here would be to pass the paymentID and payerID back to your server and to make the call there to the paypal REST api to validate the amounts.
For server-side REST: this makes more sense to me, to call the paypal API from the server side, but how do I pass the payment amount and order detail from the edit-order page to the create-payment page, from the example code?
The way I’d recommend is:
- Do execute() in onAuthorize
- Redirect the page
- Make a server-side call to get the payment details
You also have the option of building a single page app, and showing the details returned by client-side execute() on the same page.
since paypal.request.post(CREATE_PAYMENT_URL) seems to accept only one argument, how to pass along the order detail in order to create the payment?
You can actually pass a second parameter, which will be passed to your server as key-values:
paypal.request.post(CREATE_PAYMENT_URL, { foo: 'bar' })
paypal.request.post is actually just a wrapper to make ajax calls more easily.
Why would anyone want to use client-side REST, which finishes the whole process on the client side and passes nothing back to the server to determine if the goods are paid for?
You should still do server-side validation to make sure the item is paid for. The client side integration just makes it simpler to create and execute the payment.
One thing to note — both the client and server-side integrations use the same REST api. So there’s nothing stopping you from using both in conjunction with each other. The client-side calls just make it a little bit easier to do some of these calls without additional server-side logic.
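The server-side validation the answer recommends, written out as an added Node.js example that is not part of the original answer or of PayPal's own SDK. It assumes the v1 REST endpoint GET /v1/payments/payment/{payment_id} and an already-obtained OAuth access token; the order store, the payment response and the fetch function are constructed so the flow runs offline.

```javascript
// Added example: server-side validation of a PayPal REST payment.
// The browser sends only the paymentID and payerID it received in onAuthorize;
// amount, currency and state are read from PayPal's API, never from the client.

// Constructed order store standing in for the merchant database.
const ORDERS = { 'order-1001': { total: '49.99', currency: 'USD' } };

// GET /v1/payments/payment/{payment_id} (assumed v1 REST endpoint; the access
// token comes from a separate OAuth client-credentials call, not shown).
// fetchJson is injected so the flow can run offline against a fake response.
async function lookupPayment(paymentId, accessToken, fetchJson) {
  const url = 'https://api.paypal.com/v1/payments/payment/' + encodeURIComponent(paymentId);
  return fetchJson(url, { headers: { Authorization: 'Bearer ' + accessToken } });
}

// Compare what PayPal says about the payment with our own order record.
// PayPal returns amounts as decimal strings, so compare them as strings.
function validatePayment(payment, order, expectedPayerId) {
  const problems = [];
  if (!payment || payment.state !== 'approved') problems.push('payment not approved');
  const info = payment && payment.payer && payment.payer.payer_info;
  if (!info || info.payer_id !== expectedPayerId) problems.push('payer_id mismatch');
  const txn = payment && Array.isArray(payment.transactions) ? payment.transactions[0] : null;
  const amount = txn && txn.amount;
  if (!amount || amount.total !== order.total || amount.currency !== order.currency) {
    problems.push('amount mismatch');
  }
  return { ok: problems.length === 0, problems };
}

// Handler body for the confirm-payment route the client is redirected to.
// body is the parsed POST body: { orderId, paymentID, payerID }.
async function confirmPayment(body, accessToken, fetchJson) {
  const order = ORDERS[body.orderId];
  if (!order) return { ok: false, problems: ['unknown order'] };
  const payment = await lookupPayment(body.paymentID, accessToken, fetchJson);
  return validatePayment(payment, order, body.payerID);
}

// Constructed PayPal response in the shape of a v1 payment object.
const SAMPLE_PAYMENT = {
  id: 'PAY-EXAMPLE', state: 'approved',
  payer: { payer_info: { payer_id: 'PAYER-EXAMPLE' } },
  transactions: [{ amount: { total: '49.99', currency: 'USD' } }],
};
const fakeFetch = async () => SAMPLE_PAYMENT; // stands in for a real HTTPS call

confirmPayment({ orderId: 'order-1001', paymentID: 'PAY-EXAMPLE', payerID: 'PAYER-EXAMPLE' },
  'ACCESS-TOKEN-PLACEHOLDER', fakeFetch).then(r => console.log(r));
```

Only mark the order as paid when `ok` is true; a mismatch in any field means the client-supplied ids do not correspond to a payment that covers this order.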