topic Verify an Accept Hosted transaction server-side in Integration and Testing

Verify an Accept Hosted transaction server-side

spacedev — Tue, 20 Mar 2018 18:12:39 GMT

I am looking at the Accept Hosted documentation and sample app, and I am not seeing a way to verify on the server-side whether or not the transResponse.authorization returned from the client via the window.CommunicationHandler is valid.

Am I missing something? These values could be easily intercepted & changed by malicious users using browser dev tools, so we should be using server-side checks to validate that the payment transaction data is legit.

Yet nowhere in the documentation does Authorize.net suggest to even perform such a check. Doesn't this seem like a rather large oversight? If the application layer doesn't verify the client-side-provided transaction data, then anyone could run an order through such a system and potentially cause the application to think that an order has been paid when no payment transaction was actually run.

Re: Verify an Accept Hosted transaction server-side

spacedev — Wed, 21 Mar 2018 14:08:21 GMT

After some digging into the API, I found a getTransactionDetailsRequest method that can be used to verify a transaction. To use this method, I had to log into the sandbox and enable the transaction details API.

Still seems odd to me that the documentation doesn't suggest or recommend using this to verify that payments have gone through.

Re: Verify an Accept Hosted transaction server-side

Anurag — Thu, 22 Mar 2018 03:27:21 GMT

Hi @spacedev

You can also subscribe to payment webhooks to get real time notifications for your payment events .

https://developer.authorize.net/api/reference/features/webhooks.html

Hope it helps !!!