Dear bloggie,
During my line of work I meet quite alot of fascinating peoples... Tis however is one of those times I wish I didn't have to do tis integration with a 3rd software house party. I understand alot of programmers out there can't speak good English (sorta like how I can't speak proper Cantonese) but common, if reading a god damn email requesting for advice on how to a certain thing is misread as an explanation of how their flow works, something is f*ckin wrong.
The 3rd party involved here is a payment gateway. It's one of those return url type payment gateway. I done one payment gateway before and quite similar except on thing that I will b*tch about in awhile. The flow is quite straight forward, I set a success and failure page I wan the user to be redirected to once the transaction is either success/failure at the payment gateway. Simple noes? Ya, but one problem...
Usually at the success page, your side will have to do some backend stuff like maybe save the record in db or update the transaction status so the transaction is valid. Main problem, what if someone directly inputs the success url in ur browser address? Should your application update the data? No right. Coz the user haven't paid at the payment gateway. How to identify if the user been redirected from the payment gateway or not? This is the problem I been f*ckin trying to convey across to the other party from day 1 I receive their API guide. Usually the payment gateway have some call back method to check if the transaction is really successful or not but tis payment gateway takada. Either that or they throw in a hash (involves concatenating a few of the return parameters with a secret key then sha the string to get the hash, since this hash can only be generated by party that knows the secret key, can be used sorta like a authentication mechanism for this kinda flow) when they redirect to the return url so the return url party knows the request was from the payment gateway.
First time I asked, the bugger told me I need to setup a SSL at the return success url. So I did abit a research on SSL, Either I'm deeply confused on SSL or SSL should be just the means to secure the connection between the user and the server, wtf does it have to do with the problem I raised? SSL is just encrypting the data from the user browser send to the server so if a jack@$$ intercepts it, he will onli see some encrypted data. I failed to comprehend how SSL can be used to identify if the request was result from redirection from the payment gateway. I asked around my few former work collegue, most also uncertain how SSL can be used to solve my problem.
Ok, no problem... Since they dun offer me a solution, I might as well propose my solution. I asked the payment gateway party if they can add another return parameter when they redirect to my success return url. They turn me down flat. I understand it's common practice s/w houses won't add anything that could compromise their stable system but I'm quite pissed of at the fact to append another 1 parameter to the redirect url is turn down flat without even bother asking why I want that parameter.
So since I dunno how so solve the problem, and they refuse to modify their s/w for my propose solution, I throw the ball at they. I asked for advice on how to prevent the issue via email. It took 3 days, before I got feed up and decided to call them. They say they very busy no check mail. Will get back to me after. Tiu. Just now, Ulti tulan, they reply my mail, say the flow describe is correct in the email. Walan eh, I put a "We need your advice on the following matter:" then describe the problem in details with example and all, they come back to me with simple words "then ur flow is right.just do the demo transaction for RM1 then u can run the whole flow."
CB!!! I asking how to secure the flow so other f*ckers won't attack, he gimme tis crap. I know the flow can work, but that not wat I been trying to ask... People attack this weak spot, our side that will get the rap! Really wish can change better payment gateway party... Nia seng...
Subscribe to:
Post Comments (Atom)
2 b*tchin:
OMFG, first time heard payment gateway party has such low security awareness. Or maybe he just don't know anything ROFL
Hate to do tis kinda integration with 3rd party... Damn mafan...
Post a Comment