How to connect a payment system in django? - django

I'm new to the Django framework and I don't quite understand how to connect the payment system to the site, at the same time, so that part of the payment for the product goes to the balance of the user who exposed it, and 10%-20% of the amount goes to the balance of the service. And what is the best way to connect a payment system for individuals.faces?

So, you need to answer yourself a few questions like:
What payment provider I need? It need to be paypal, stripe or...?
If I know what payment provider I need, is there package for django (or python) for it?
If yes, it is up-to-date?
If no, were there updates to API or solutions described in payment provider documentation?
Are they better in any term?
Depending on these answers, you could go straightforward to implementing payments using external library (for e.g. https://django-paypal.readthedocs.io/en/latest/) or just implement it yourself. In my situation when I implemented paypal payments in e_commerce store I just went with paypal buttons because they were looking better, and they, so far work more nicely.
What also you must mostly implement is something that Paypal calls IPN (instant payment notifications). Stripe, and for example TPay also has IPN-like mechanisms. The IPN is simply an view (functional or generic) that handles payments using data with usually md5 verification, where you update status of order to COMPLETED or et cetera.
The lack of security validation can make endpoint vulnerable to custom requests made by postman, curl or any kind of HTTP-testing tool.
For models - you should write them yourself or use provided by package. This usually means that with multiple payments you store one model per provider with ForeignKey to Order global model that collects all the data. You could use also abstract models for implementing multiple models with similar fields, but this causes some database query issues for additional logic handling (you can't query abstract models, so you need to parse stuff using forloops when you need it instead of using filters).
Frontend is also depending what you will use, but remember about not having price as hidden input :)
The thread is much bigger as it seems, but I hope I gave you point-of-view of the topic.

Related

How to differentiate Basic/Premium plan users for premium-only features in Django REST?

I am working on a beta-stage writing tool SaaS that is built with NextJS, React, and Django REST. As I’m gaining some user base, I am starting to research on introducing a premium plan to the mix using Stripe.
As most other SaaSs, I will have a subscription-based premium plan which grants access to premium-only features. However, even after days of research, I am still lost how this is commonly implemented in Django/Backend. Here is what I’ve thought of so far, but again, I am not sure if it’s the best/common way to accomplish this.
User model has a ‘premium’ field which is either True or False
Whenever user clicks on a premium-only API call, Django will check if user is premium or not to decide whether to make the actual API call. I currently have a '/user/me/' route which returns basic user information as API GET call.
Upon successful stripe payment, stripe redirects user to the success_url. Then, somehow I will detect when user lands on success_url and then set that user’s premium field to True.
I know this is not the ideal way, because I already see lots of issues/hurdles:
How will I set ‘premium’ field back to False after user’s payment stops
How can I ‘detect’ stripe’s payment to set user’s premium field
Is this feature supposed to be implemented with Stripe customer objects instead? I would appreciate any guidance on where I should be looking for solutions.
If you use subscription on Checkout Session (low code solution), you can add additional key-value pair data such as premium: true in metadata and subscription_data.metadata fields when creating a subscription.
Once the payment is completed, those metadata will appear in checkout.session.completed and customer.subscription.updated webhook events, which you can then set the user as premium in your own database.
A customer object in Stripe can have multiple subscriptions, so this feature will be implemented on subscription object instead.

TWO Silent URL need to setup in the authorize.net

I have two applications which have a different server and using one authorize.net account. I have to put two silent URL in the one authorize.net account. how can i do it ?
You can't have more than one Silent Post URL. In fact, you probably shouldn't be using the same Authorize.Net and merchant account for different sites, but that's on you if you get caught.
You will need to make your Silent Post code smart enough to know which site the payment applies to and then act accordingly. This would probably mean utilizing the description field in the transaction to identify which site it came from. Then your code and use that to determine the originating site and perform whatever actions are necessary.
You also may want to look into Webhooks which offers more flexibility than Silent Post although it is more complicated to implement.

Django paypal checkout for WHOLE cart

I made a Django online-store site and I need to include paypal checkout system for the cart, but solutions I found online either just for one item only(Buy Now buttons) or something like django-paypal-cart, which is not well-documented and I can't figure out how to make it to the checkout.
Please, give me some hint, maybe good article about how to make your cart items go to the checkout, anything will be highly appreciated, I don't know what else to google now
There are numerous options for tying PayPal into your website or app. Depending on exactly what you're doing or how good you are with web service API's you may choose one or another.
If you want to keep things simple, you can stick with Payments Standard. This is basically what you're referring to about the one item only buy now button, but you can use the cart upload command method to build a form that includes multiple items and pass it all over to PayPal at once.
If you prefer web service API's I'd recommend using Express Checkout. This consists of SetExpressCheckout, GetExpressCheckoutDetails, and DoExpressCheckoutPayment. Read through that general EC documentation to get familiar with the calls and how it all flows.
Another thing I would highly recommend utilizing is Instant Payment Notification (IPN). This is a feature where PayPal will POST transaction data to a listener script that you have sitting on your server any time a transaction occurs on your PayPal account. This includes payments, refunds, disputes, cleared payments that were pending, etc. This allows you to automate tasks like updating your database, sending out custom email notifications, hitting 3rd party web services, etc. and it happens in real-time, so it's very powerful.

How would I securely handle paid memberships?

I'm building a simple Django application for a client which will allow for users to register paid accounts to gain access certain parts of the site; however, I've never handled payment processing beyond a few simple Paypal buttons.
My question is, how would I securely handle and verify payments in this situation?
You might be able to use some of the payment code from Satchmo:
http://www.satchmoproject.com/docs/dev/payment.html

Web Dev - Where to store state of a shopping-cart-like object?

You're building a web application. You need to store the state for a shopping cart like object during a user's session.
Some notes:
This is not exactly a shopping cart, but more like an itinerary that the user is building... but we'll use the word cart for now b/c ppl relate to it.
You do not care about "abandoned" carts
Once a cart is completed we will persist it to some server-side data store for later retrieval.
Where do you store that stateful object? And how?
server (session, db, etc?)
client (cookie key-vals, cookie JSON object, hidden form-field, etc?)
other...
Update: It was suggested that I list the platform we're targeting - tho I'm not sure its totally necessary... but lets say the front-end is built w/ASP.NET MVC.
It's been my experience with the Commerce Starter Kit and MVC Storefront (and other sites I've built) that no matter what you think now, information about user interactions with your "products" is paramount to the business guys. There's so many metrics to capture - it's nuts.
I'll save you all the stuff I've been through - what's by far been the most successful for me is just creating an Order object with "NotCheckedOut" status and then adding items to it and the user adds items. This lets users have more than one cart and allows you to mine the tar out of the Orders table. It also is quite easy to transact the order - just change the status.
Persisting "as they go" also allows the user to come back and finish the cart off if they can't, for some reason. Forgiveness is massive with eCommerce.
Cookies suck, session sucks, Profile is attached to the notion of a user and it hits the DB so you might as well use the DB.
You might think you don't want to do this - but you need to trust me and know that you WILL indeed need to feed the stats wonks some data later. I promise you.
I have considered what you are suggesting but have not had a client project yet to try it. The closest actually is a shopping list that you can find here...
http://www.scottcommonsense.com/toolbox.aspx
Click on Grocery Checklist to open the window. It does use ASPX, but only to manage the JS references placed on the page. The rest is done via AJAX using web services.
Previously I built an ASP.NET 2.0 site for a commerce site which used anon/auth cookies automatically. Each provides you with a GUID value which you can use to identify a user which is then associated with data in your database. I wanted the auth cookies so a user could move to different computers; work, home, etc. I avoided using the Profile fields to hold onto a complex ShoppingBasket object which was popular during the time in all the ASP.NET 2.0 books. I did not want to deal with "magic" serialization issues as the data structure changed over time. I prefer to manage db schema changes with update/alter scripts synced with software changes.
With the anon/auth cookies identifying the user on the client you can use the ASP.NET AJAX client-side to call the authentication web services using the JS proxies that are provided for you as a part of ASP.NET. You need to implement the Membership API to at least authenticate the user. The rest of the provider implementation can throw a NotImplementedException safely. You can then use your own custom ASMX web services via AJAX (see ScriptReference attribute) and update the pages with server-side data. You can completely do away with ASPX pages and just use static HTML/CSS/JS if you like.
The one big caveat is memory leaks in JS. Staying on the same page a long time increases your potential issue with memory leaks. It is a risk you can minimize by testing for long sessions and using tools like Firebug and others to look for memory leaks. Use the JS Lint tool as well as it will help identify major problems as you go.
I'd be inclined to store it as a session object. This is because you're not concerned with abandoned carts, and can therefore remove the overhead of storing it in the database as it's not necessary (not to mention that you'd also need some kind of cleanup routine to remove abandoned carts from the database).
However, if you'd like users to be able to persist their carts, then the database option is better. This way, a user who is logged in will have their cart saved across sessions (so when they come back to the site and login, their cart will be restored).
You could also use a combination of the two. Users who come to the site use the session-based cart by default. When they log in, all items are moved from the session-based cart to a database-based cart, and any subsequent cart activity is applied directly to the database.
In the DB tied to whatever you're using for sessions (db/memcache sessions, signed cookies) or to an authenticated user.
Store it in the database.
Do you envision folks needing to be able to start on one machine (e.g. their work PC) but continue/finsih from a different machine (e.g. home PC)? If so, the answer is obvious.
If you don't care about abandoned carts and have things in place for someone messing with the data on the client side... I think a cookie would be good -- especially if it's just a cookie of JSON data.
I'd use an (encrypted) cookie on the client which holds the ID of the users basket. Unless it's a really busy site then abandoned baskets won't fill up the database by too much, and you can run a regular admin task to clear the abandoned orders down if you care that much. Also doing it this way the user will keep their order if they close their browser and go away, a basket in the session would be cleared at this point..
Finally this means that you don't have to worry about writing code to deal with de/serialising the data from a client-side cookie, while later worrying about actually putting that data into the database when it gets converted into an order (too many points of failure for my liking)..
Without knowing the platform I can't give a direct answer. However, since you don't care about abandoned carts, then I would differ from my colleagues here and suggest storing it on the client. Why store it in the database if you don't care if it's abandoned?
Then again, it does depend on the size of the object you're storing -- cookies have their limits after all.
Edit: Ahh, asp.net MVC? Why not use the profile system? You can enable an anonymous profile if you don't want to bother making them log in
I'd say store the state somewhere on the server and correlate it to the user's session. While a cookie could ostensibly be an equal place to store things, if you consider security and data size, keeping as much data on the server as possible becomes a good thing.
For example, in a public terminal setting, would it be OK for someone to look at the contents of the cookie and see the list? If so, cookie's fine; if not, you'll just want an ID that links the user to the data. Doing that would also allow you to ensure the user is authenticated to the site in order to get to that data rather than storing everything on the machine - they'd need some form of credentials as well as the session identifier.
From a size perspective, sure, you're not going to be too concerned about a 4K cookie or something for a browser/broadband user, but if one of your targets is to allow a mobile phone or BlackBerry (not on 3G) to connect and have a snappy experience (and not get billed for the data), minimizing the amount of data getting passed to the client will be key.
The server storage also gives you some flexibility mentioned in some of the other answers - the user can save their cart on one machine and resume working with it on another; you can tie the cart to some form of credentials (rather than a transient session) and persist the cart long after the user has cleared their cookies; you get a little more in the way of fault tolerance - if the user's browser crashes, the site still has the data safe and sound.
If fault tolerance is important, you'll need some sort of persistent store like a database. If not, in application memory is probably fine, but you'll lose data if the app restarts. If you're in a farm environment, the store has to be centrally accessible, so you're again looking at a database.
Whether you choose to key by transient session or by credentials is going to depend on whether the users can save their data and come back later to get it. Transient session will eventually get cleaned up as "abandoned," and maybe that's OK. Tying to a user profile will let the user keep their data and explicitly abandon it. Either way, I'd make use of some sort of backing store like a database for fault tolerance and central accessibility. (Or maybe I'm overengineering the solution?)
If you care about supporting users without Javascript enabled, then the server side sessions will let you use URL rewriting.
If a relatively short time-out (around 2 hours, depending on your server config) is OK for the cart, then I'd say the server-side session. It's faster and more efficient than accessing the DB.
If you need a longer persistence (say some users like to leave and come back the next day), then store it in a cookie that is tamper-evident (use encryption or hashes).