How would I securely handle paid memberships? - django

I'm building a simple Django application for a client which will allow for users to register paid accounts to gain access certain parts of the site; however, I've never handled payment processing beyond a few simple Paypal buttons.
My question is, how would I securely handle and verify payments in this situation?

You might be able to use some of the payment code from Satchmo:
http://www.satchmoproject.com/docs/dev/payment.html

Related

How to connect a payment system in django?

I'm new to the Django framework and I don't quite understand how to connect the payment system to the site, at the same time, so that part of the payment for the product goes to the balance of the user who exposed it, and 10%-20% of the amount goes to the balance of the service. And what is the best way to connect a payment system for individuals.faces?
So, you need to answer yourself a few questions like:
What payment provider I need? It need to be paypal, stripe or...?
If I know what payment provider I need, is there package for django (or python) for it?
If yes, it is up-to-date?
If no, were there updates to API or solutions described in payment provider documentation?
Are they better in any term?
Depending on these answers, you could go straightforward to implementing payments using external library (for e.g. https://django-paypal.readthedocs.io/en/latest/) or just implement it yourself. In my situation when I implemented paypal payments in e_commerce store I just went with paypal buttons because they were looking better, and they, so far work more nicely.
What also you must mostly implement is something that Paypal calls IPN (instant payment notifications). Stripe, and for example TPay also has IPN-like mechanisms. The IPN is simply an view (functional or generic) that handles payments using data with usually md5 verification, where you update status of order to COMPLETED or et cetera.
The lack of security validation can make endpoint vulnerable to custom requests made by postman, curl or any kind of HTTP-testing tool.
For models - you should write them yourself or use provided by package. This usually means that with multiple payments you store one model per provider with ForeignKey to Order global model that collects all the data. You could use also abstract models for implementing multiple models with similar fields, but this causes some database query issues for additional logic handling (you can't query abstract models, so you need to parse stuff using forloops when you need it instead of using filters).
Frontend is also depending what you will use, but remember about not having price as hidden input :)
The thread is much bigger as it seems, but I hope I gave you point-of-view of the topic.

Do I need to sign out a user if they leave my homepage and signed on through their Google account?

I'm developing a login page for my Django application and am using Google login for users to gain access. My question is if they sign on successfully, do I need some way to change the state of their sign on for security purposes?
Might be a silly question but I honestly have no idea and want to be sure.
No, not a silly question but a thoughtful one.
Using Google or other OAuth2 providers for your login is Ok, you request a set of scopes and when your user login and accepts to continue, you can make requests within those scopes. The flow is outlined here for Google https://developers.google.com/identity/protocols/OAuth2.
Generally, you won't have far-reaching access to manipulate users' accounts and for some scopes, your app needs to be verified. For web applications, remember your users will see the scopes you are requesting and can always decline. Because of this, it's generally a good pattern to request the scopes when you need them.
If your public application uses scopes that permit access to certain user data, it must complete a verification process. If you see unverified app on the screen when testing your application, you must submit a verification request to remove it. Find out more about unverified apps and get answers to frequently asked questions about app verification in the Help Center.
https://developers.google.com/identity/protocols/googlescopes
That's Google trying to keep users safe.
By the way, users can always revoke the access they have given your app at any time and for any reason.

django & facebook: security & design for a facebook webapp that performs a third party login on behalf of the user

I'm writing a Facebook canvas webapp that performs a login (using urllib) to a third party website and performs actions on behalf of the user. This means I have 2 accounts; the account the user has with my webapp (via facebook) and the account the app uses to perform a login on their behalf (with user/password details provided by the user).
I obviously don't want plaintext passwords in the DB. But I also don't want the user to have to enter their password every time they perform an action. I want them to enter the password once when they sign up, and I want to encrypt the passwords, but what do I encrypt against?
Any key on the server would be available to anyone who had gained access (i.e. useless), so I was thinking of encrypting it against a value available via the Facebook API.
When the user logs in (and gives the app their access token), the app can request the value via the API and encrypt/decrypt their 3rd party password with this. Anyone with access to the server wouldn't be able to make this request without the user being logged in to the app. (This still means someone snooping on the server could get logged-in users 3rd party password, but anyone who got one-off access to the DB couldn't see passwords.) Is this wishful thinking?
You might as well encrypt it using a key on the server. If anyone gains access to your server they will have everything they need to retrieve the key even if you're getting it from Facebook.
I think the best you can do is to store the key in a location that isn't available to your webserver, but that is available to your script. At least make sure you don't store the key in the database.
Whatever you do beyond that would just be security through obscurity. The key here is to keep your server secure so that no one gains access to it.
I guess you could store the logins ONLY on the client, in some sort of local storage and do all the actions related to the third party, from the client in JS.
This of course would need some change in the architecture of your app if you tought to do all this from your server, but that would possible for sure, you can event make client JS send data to your server after it worked so you can log data from the interactions with the 3rd party.
Furthermore it has the advantage of distributing the load on the clients
I know you didn't tag the question with javascript and you seem to want a server pure solution, but It seems the best solution to me. the user keeps its data ..
Security through obscurity might be your best bet. Perhaps implement an algorithm to generate the key using something standard (like the current datetime). You can store the date in your db, and use that to generate the key using your own algorithm.

PayPal After checkout handling

I have a web service at which users can buy reports made on the fly using PayPals Express checkout process. I want to make sure that no matter how the user returns to the site (through paypals callback or by himself) he could download the report he payed for. For that I need to keep the report ID he has bought somewhere. Where and how would it be best to do that? (Cookies? Sessions Parameters?)
I am using ASP .Net C#.
Thanks,
Wess
Do the users have logins that are managed by you in your database? If so and you want the user to be able to return at any time to your page and download the report, then you'll need to use a PayPal callback to store in your database what report ID the user has purchased.
If you don't manage your users then I'm not sure how this can be accomplished because cookies are limited (and can be disabled by users) and sessions expire.

How should I handle authentication in my REST API?

I am new to this but I will try my best to explain what I am trying to do.
I have a catalog of products and various private information that my users want to be able to access via their website.
For example:
User-a has an e-commerce site and they want to sell my merchandise. They will be able to access a certain products details via a web service. They will also be able to see the negotiated rate that I've given them along with some other private details.
How should the API handle authenticating the request that comes from User-a's website?
I've been reading all day about different authentication methods but they all seem to revolve around the idea of a third party accessing specific user information. An example is if you let http://randomtwitterapp.com access your twitter profile. In that case, the third party site must manage multiple different users and auth tokens. In our case, my users website is interacting on behalf of the user. I hope this makes sense.
Let's call user A "Alice" because calling her User-A is cumbersome.
Treat Alice's web site as if it were Alice herself. The special pricing and such IS specific to the web site in question, so have it log into your site. Issue credentials that the person developing that site would use to authenticate with, and then use those credentials to determine the pricing and products you show.
As for actual authentication mechanisms, it really depends on your needs. If all you need to do is serve different data to different people, you could do something as simple as an API token passed in the query string: http://api.example.com/products?key=9af4d8381781baccb0f915e554f8798d
Or if Alice already has a username and password for your site, you could have her use those in her API requests with Basic Auth.
If Alice is going to need to enter her account information on various sites that she doesn't control, then oAuth comes in very handy. With that, you can essentially give her an API key for every site she needs to access your API from. And you give her the ability to delete those API keys and deny those sites access.