I am looking at the Accept Hosted documentation and sample app, and I am not seeing a way to verify on the server-side whether or not the transResponse.authorization returned from the client via the window.CommunicationHandler is valid.
Am I missing something? These values could be easily intercepted & changed by malicious users using browser dev tools, so we should be using server-side checks to validate that the payment transaction data is legit.
Yet nowhere in the documentation does Authorize.net suggest to even perform such a check. Doesn't this seem like a rather large oversight? If the application layer doesn't verify the client-side-provided transaction data, then anyone could run an order through such a system and potentially cause the application to think that an order has been paid when no payment transaction was actually run.
After some digging into the API, I found a getTransactionDetailsRequest method that can be used to verify a transaction. To use this method, I had to log into the sandbox and enable the transaction details API.
Still seems odd to me that the documentation doesn't suggest or recommend using this to verify that payments have gone through.
You can also subscribe to payment webhooks to get real time notifications for your payment events .
Hope it helps !!!