I am looking at the Accept Hosted documentation and sample app, and I am not seeing a way to verify on the server-side whether or not the transResponse.authorization returned from the client via the window.CommunicationHandler is valid.
Am I missing something? These values could be easily intercepted & changed by malicious users using browser dev tools, so we should be using server-side checks to validate that the payment transaction data is legit.
Yet nowhere in the documentation does Authorize.net suggest to even perform such a check. Doesn't this seem like a rather large oversight? If the application layer doesn't verify the client-side-provided transaction data, then anyone could run an order through such a system and potentially cause the application to think that an order has been paid when no payment transaction was actually run.
03-20-2018 11:12 AM
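The server-side check the post asks about, as an added example that is not part of the original post or of Authorize.net's documentation or sample app: the browser's response is used only as a pointer to a transaction, which the server then looks up itself and compares with its own order record. The `transId` field, the record fields (`status`, `amount`, `invoiceNumber`) and the `lookupAtGateway` stub are assumptions made for illustration.

```javascript
// Constructed gateway-side records, keyed by transaction ID. In a real
// deployment lookupAtGateway would be a server-to-server call made with the
// merchant's API credentials; it is a local stub here so the example runs offline.
const GATEWAY_RECORDS = new Map([
  ["60001", { status: "approved", amount: "49.99", invoiceNumber: "INV-1001" }],
  ["60002", { status: "approved", amount: "4.99", invoiceNumber: "INV-1002" }],
  ["60003", { status: "declined", amount: "20.00", invoiceNumber: "INV-1003" }],
]);
const lookupAtGateway = (transId) => GATEWAY_RECORDS.get(transId) || null;

// Compare money as integer cents, never as floats. Returns null on bad input.
function toCents(amount) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(amount));
  if (!m) return null;
  return Number(m[1]) * 100 + Number((m[2] || "").padEnd(2, "0"));
}

// order:          the server's own record of what should have been charged
// clientResponse: the untrusted object relayed by the browser (assumed shape)
// lookup:         function returning the gateway's record for a transId, or null
// usedTransIds:   Set of transaction IDs already applied to an order
function verifyPayment(order, clientResponse, lookup, usedTransIds) {
  const transId = String((clientResponse && clientResponse.transId) || "");
  if (!/^\d{1,20}$/.test(transId)) return { ok: false, reason: "malformed transId" };
  if (usedTransIds.has(transId)) return { ok: false, reason: "transId already used" };

  // Everything below relies on gateway data only, not on client-supplied fields.
  const record = lookup(transId);
  if (!record) return { ok: false, reason: "unknown transaction" };
  if (record.status !== "approved") return { ok: false, reason: "not approved" };
  if (record.invoiceNumber !== order.invoiceNumber) {
    return { ok: false, reason: "wrong invoice" };
  }
  const expected = toCents(order.amount);
  if (expected === null || toCents(record.amount) !== expected) {
    return { ok: false, reason: "amount mismatch" };
  }
  usedTransIds.add(transId); // one transaction pays for exactly one order
  return { ok: true, reason: "verified" };
}
```

In a multi-process deployment the used-ID set would be a unique constraint in the order database rather than an in-memory `Set`, so that two concurrent requests cannot both claim the same transaction.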