
Amount (issue on braintree_express_example, closed)

braintree commented on June 3, 2024
Amount

from braintree_express_example.

Comments (4)

immanuelfodor commented on June 3, 2024

Hi @crookedneighbor, following your suggestion, what's stopping the client from rewriting the product list to get an invalid price for the cart? A simple delete could mean hundreds of $$$ by leaving out one or more products or replacing them with something cheap:

// req.body.items === 'abc123,abc456,abc789';
// req.body.items === 'abc123,abc456';
// req.body.items === 'cde123';


immanuelfodor commented on June 3, 2024

I think I've got the aha moment thanks to your comment 😀
Somehow I believed the example code is a service (a payment gateway) to which the webshop submits the customer's cart, but no, the example code is the webshop itself. So if req.body.items is the cart, then if the cart is modified, the user will pay for the modified cart and will have the modified cart items on the receipt. In my misbelief, the customer could modify the value submitted to the gateway separately from the real cart, which is why I had this question. Thanks for the clarification!


crookedneighbor commented on June 3, 2024

If you have an item you are selling that is worth $100, you wouldn't want to send the amount from the client, because there is nothing stopping someone from adjusting that amount from $100 to $1.

Instead, you could send ids that correspond to items and calculate the price on your server.

In this simplified example, we send the item ids as a string with commas separating each id. It doesn't really matter how you do it as long as you have the ids of the products your customer wants to purchase.

// req.body.items === 'abc123,abc456,abc789';
var items = req.body.items.split(','); // ['abc123', 'abc456', 'abc789'];

We can then look up the prices for each item on the server. You might have a database where you've stored this information, or just have it hard-coded on your server. For simplicity, the example below has it hard-coded.

// defined as a constant somewhere
var products = {
  abc123: {
    name: 'Item A',
    amount: '10.43'
  },
  abc456: {
    name: 'Item B',
    amount: '123.00'
  },
  abc789: {
    name: 'Item C',
    amount: '5.00'
  },
};

// in your transaction route
var amount = 0;

items.forEach(function (item) {
  var product = products[item];
  if (!product) {
    // an id that is not in the catalog is rejected rather than priced at 0
    throw new Error('Unknown product id: ' + item);
  }
  // amounts are stored as strings, so parse them; otherwise `+` would concatenate
  amount = amount + parseFloat(product.amount);
});

amount = amount.toFixed(2); // back to a decimal string such as '138.43'

// perform transaction with amount generated on the server


Epreuve commented on June 3, 2024

@immanuelfodor I'm not sure I understand what the concern here is. In the example, the list of IDs is what the customer is purchasing. The cost is calculated on the server based on those IDs.

If a customer added or deleted items from the array, the amount they would be charged is also changed, and more to the point they wouldn't get any items removed from the array, or would still pay for items added to the array.

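A fuller version of the server-side calculation that crookedneighbor and Epreuve describe, written as an added example (it is not code from braintree_express_example or from either commenter). It assumes the same hard-coded catalog and the comma-separated req.body.items string from the thread; buildCharge, toCents and the sample ids are constructed for this illustration, and the function also returns the priced line items for the receipt that immanuelfodor mentions.

```javascript
// Added example, not from braintree_express_example: price a cart server-side
// from client-supplied product ids only. Catalog and ids are constructed sample data.
var products = {
  abc123: { name: 'Item A', amount: '10.43' },
  abc456: { name: 'Item B', amount: '123.00' },
  abc789: { name: 'Item C', amount: '5.00' }
};

// Convert a catalog amount such as '10.43' to integer cents so the sum is exact.
function toCents(decimal) {
  if (!/^\d+\.\d{2}$/.test(decimal)) {
    throw new Error('catalog amount is not a two-decimal string: ' + decimal);
  }
  var parts = decimal.split('.');
  return parseInt(parts[0], 10) * 100 + parseInt(parts[1], 10);
}

// The client sends ids; every price comes from the server-side catalog.
function buildCharge(itemsParam, catalog) {
  if (typeof itemsParam !== 'string' || itemsParam === '') {
    throw new Error('items must be a non-empty comma-separated string');
  }
  var totalCents = 0;
  var lineItems = [];
  itemsParam.split(',').forEach(function (id) {
    // hasOwnProperty: ids like 'constructor' must not resolve to inherited properties
    if (!Object.prototype.hasOwnProperty.call(catalog, id)) {
      throw new Error('unknown product id: ' + id); // reject, never price at 0
    }
    var product = catalog[id];
    totalCents += toCents(product.amount);
    lineItems.push({ id: id, name: product.name, amount: product.amount });
  });
  var cents = String(totalCents % 100).padStart(2, '0');
  return { amount: Math.floor(totalCents / 100) + '.' + cents, lineItems: lineItems };
}

// A full cart and a cart the client shortened: the amount follows the ids,
// and the receipt (lineItems) only lists what was actually paid for.
console.log(buildCharge('abc123,abc456,abc789', products).amount); // '138.43'
console.log(buildCharge('abc123,abc456', products).amount);        // '133.43'
```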
