How does a cryptocurrency payment processing website work? - cryptocurrency

How does a cryptocurrency payment processing website work at the backend server, for example for deposit and withdrawal?
For a deposit, how do they generate the QR and address, and how do they read that the transaction is completed without using a Dapp?
Similarly for the withdrawal process.
What is the logic behind that?

Related

Do not receive confirmation from the user when making a transaction in Phantom Wallet

I am creating a game on the blockchain platform and I am doing the front part using reactjs and for this purpose I am using libraries related to SOLANA and Phantom Wallet. The problem I am facing is that Phantom Wallet asks for confirmation from the user for every transaction that is made. For example, in the game, for each action that the user performs, a message confirming the transaction is displayed. How can this be done without receiving confirmation from the user?
For example, the code that runs to create a game is as follows:
    program.methods
      .setupGame()
      .accounts({
        game: gamePDA,
        authority: wallet.publicKey,
        playerOneAccount: CURRENT_USER_PDA,
      })
      .rpc();

handling data loss from third party integrations

Just curious on best practices for handling potential data loss with a third party integration.
For example, let's say that I'm integrating Stripe for payments. If our platform has a credit system (a user needs X number of credits to do an action on the site), how would you reconcile a loss of data between the platform and after a purchase is made? Going into the example: a user is on the site, purchases a pack of credits for $10. Our platform calls Stripe payment when the user clicks "purchase," the purchase is successful but all of a sudden a loss of power happens. We receive the $10 in our Stripe, but on our platform the purchase was never "complete" because the loss of power happened immediately after the purchase was made, and there was no time for our system to receive the authorization code to store as completed. I'd imagine this could be common, or in another case where the purchase is complete, but there is some issue between receiving the success code from the payment processor and it causes delay. So, how do you handle this loss of data?
I could think of maybe storing a payment intent on our database with payment status "incomplete" and once a payment is made and we get a code back from Stripe, then we update our database with "complete" and we have some job that polls this database every hour or something to check for "incomplete" payments.
What is common in this case?

How to authorise a transaction between two PayPal accounts?

I am using AngularJS and have built a basic single page application. My users will enter in their PayPal email address and currency upon signing up and it will be saved within the database.
Any user can post something basic for sale for another user to purchase.
How can I authorise a transaction between two users' PayPal accounts while keeping them within my site without a redirect to PayPal? All solutions online require the user to be redirected to PayPal.
You would need to use either Reference Transactions or Preapproved Payments.
You can't avoid a redirect entirely if the users are going to be paying with the PayPal Wallet. When they first sign up for your app/service they would need to authorize your system to make payments on their behalf.
So if you're using Express Checkout, for example, the user would be redirected to PayPal to authorize their account. After that is done your app could then process payments using the DoReferenceTransaction API without the need for any redirection through PayPal.
The Preapproval API sets up the preapproval profile, so yes, at that point they would be redirected. After that, though, you would have a preapproval ID that you would then pass into the Pay API in order to process payments for that person without any further approval (so no redirect) required.
If you're going to set this up with credit cards directly then you would need Payments Pro. With that you could authorize a credit card directly within your app so you wouldn't need any redirect at that point, and then once again you would use a reference transaction to process payments for that card in the future.

how do you prevent verification code attack to server

I am building a server for an app, and one of the steps of the registration in the app is to enter a phone number verification code. The verification code will be sent to the phone through SMS, and the verification code needs to be entered to continue the registration.
The app will send a request to the server. Is it possible for someone to find out the URL and keep sending fake phone verification code requests to the server? How do you prevent the attack?
I assume you are doing this to confirm that the phone number that is being registered is real and belongs to the person who is registering.
Scenario 1:
- Legit user registers
- Legit user receives an SMS
- Legit user sends the verification code to server
If code matches the one that was sent then activate the user
Scenario 2:
- Attacker registers
- Attacker does not receive an SMS because he entered a phone number that is not his.
- Random person receives the SMS
- Attacker starts DoS against verification server and tries to guess the code.
The DoS problem in this case can be solved with simple block after X failed attempts. For example, store each failed verification attempt into a table and when there are 5 failed attempts for an account, block the verification for X minutes. This is similar to failing to login with username and password several times. The verification code must have enough possible combinations so that a brute force attack is not viable.
The other problem is that your service could be used to spam random people with the verification SMS. You'd have to limit registrations per IP per X time interval or something similar. You could also use captcha to prevent automated registrations.
Scenario 3:
- Attacker registers
- Attacker entered fake phone number so nobody receives the SMS
- Your SMS server gets a delivery failure for the SMS, so nothing really happens. The verification code that was used to send the SMS is invalidated.
I hope this was somewhat helpful and I understood your intentions correctly.
Use a CAPTCHA to prevent automation.
Limit the frequency of verification requests for a single number, ideally using exponential backoff.
Don't forget that the verification endpoint also needs securing; you must limit the number of attempts for a given verification code or use a long enough verification code such that it doesn't matter.
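The attempt limit both answers describe, sketched as an added example that is not code from any poster on this page. It covers guess limiting on the verification endpoint only (not CAPTCHA or per-IP registration limits); the class name, the 8-digit length, the 15-minute lockout, the 10-minute expiry and the in-memory dictionary standing in for the attempts table are assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5            # "5 failed attempts" from the answer above
LOCKOUT_SECONDS = 15 * 60   # the "X minutes" block; the value is an assumption
CODE_DIGITS = 8             # assumption: 10**8 codes against 5 guesses per lockout
CODE_TTL_SECONDS = 10 * 60  # assumption: codes expire after ten minutes


class VerificationStore:
    """In-memory stand-in for the failed-attempts table (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # phone -> code, expiry, failure count, lock time

    def issue(self, phone):
        """Create a code for the SMS gateway, or return None while locked."""
        now, old = self._clock(), self._entries.get(phone)
        if old and old["locked_until"] > now:
            return None  # no new SMS and no fresh guesses during a lockout
        # Failures carry over to a re-sent code, so asking for a new SMS
        # does not reset the counter; only an expired lockout does.
        failures = old["failures"] if old and old["locked_until"] == 0 else 0
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._entries[phone] = {"code": code, "expires": now + CODE_TTL_SECONDS,
                                "failures": failures, "locked_until": 0}
        return code

    def verify(self, phone, guess):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        now, entry = self._clock(), self._entries.get(phone)
        if entry is None:
            return "no_code"
        if entry["locked_until"] > now:
            return "locked"
        if entry["code"] is None or entry["expires"] <= now:
            return "expired"
        # Constant-time comparison on bytes (also accepts non-ASCII input).
        if hmac.compare_digest(entry["code"].encode(), guess.encode()):
            del self._entries[phone]  # a code verifies once
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= MAX_FAILURES:
            entry["code"] = None  # invalidate so the code cannot be guessed later
            entry["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"
```

The code returned by `issue` goes to the SMS gateway only and is never included in the HTTP response to the client.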

Handling Transaction Between PayPal and Local Database

What is the best practice to handle a transaction between an application and PayPal?
Consider:
I'm Alice and I want to send money to Bob.
In my DB I see that Bob has $200 and I want to send him $150.
Once the transaction is sent I want to update Bob's account such that it would contain $50.
Now according to the PayPal API I can send Pay and receive success. However, what happens if I, for example, send Pay and it succeeds, but I fail to receive a response due to a network problem? So I assume that an error happened and try again, and technically I'll send $300 to Bob instead of $150?
How can I handle such a transaction - between a local database that keeps an account and the remote PayPal API?
I had this exact concern recently with an ASP.NET MVC project I was completing for a client.
I learned two things:
- Communication between PayPal and your database cannot be trusted (well, didn't really learn this, but it was entirely reinforced)
- I now understand why so many websites that have PayPal as a transaction type mention there could be a processing period between the time that the transaction was completed and shipping/delivery of the product is completed.
The way you handle the situation is similar to the way a business could handle personal checks:
A personal check looks like currency (and typically is), but many businesses would like some sort of verification from the bank that funds are available before they accept payment - so they use a machine that asks the bank if funds are actually available.
If the machine says the funds are available, the business trusts it and you complete the transaction. However, the machine can give an error message that typically means "the funds are not available or something went wrong" and the business has a decision to make:
- We can trust the customer and accept the check, deliver the product, and hope for the best when later depositing the check to the bank.
- Or we can tell the customer that it will take time for the check to clear, deposit the check, wait for the funds to actually arrive in our account, and (if successful) deliver the product after the business receives funding.
This sounds inefficient with the way many businesses operate today, but it is something that does come up. In fact, this is why a lot of businesses stray away from accepting personal checks, they are unreliable when compared to other methods of payment.
Now how does this correlate to handling a PayPal payment?
A PayPal payment looks like currency (and it typically is), but many businesses would like some sort of verification from PayPal that funds are available before they accept payment - so they use PayPal PDT, IPN, or other method for checking that the transaction was handled appropriately.
If PayPal properly responds to one of the verification requests, the business can trust it and complete the transaction. However, your website may throw an error of some sort (i.e. PayPal could reply with an IPN response of NOTVALID, or you could never get a reply from PayPal). The business has a decision to make:
- The business can trust the customer and accept that they have made a PayPal payment and everything should be alright (very bad decision in the case of a PayPal transaction)
- Or the business can tell the customer at check-out time that there may be a 72 hour processing period for PayPal payments.
This may not sound like the best way to operate your business, but it is the way we have to deal with an imperfect internet.
I would set up the PayPal payment flow similar to this:
- UserA wants to send $100 to another UserB using PayPal
- UserA enters the value in the 'checkout field' and is sent over to PayPal to verify the transaction.
- UserA is sent back to your website from PayPal and your website performs the IPN check with the details that PayPal has POSTed to your site (I chose IPN in this case - as if we were using Express Checkout as opposed to some other payment gateway that PayPal offers).
- If the IPN is VALID, process the transaction as expected.
- If the IPN is not VALID, mention to the customer that there may be a delay in processing, have your application send you a notification that a possible PayPal transaction issue has occurred (you may want to include a reference id so that you can quickly find which transaction this notification is referencing), and mark the transaction as pending as opposed to complete or something similar.
- An admin of the site who handles these notifications will manually investigate the transaction (or force the website to check with PayPal again - see the PayPal API documentation for details on this) and manually mark the transaction as complete or failed.
- Notify those involved of the status of the transaction.
It is annoying that we have to have extra steps involved to make sure the money was transferred, but, as mentioned earlier, we are using an imperfect system and we want to be very certain of the success / failure of financial transactions.
An added bonus to this process is that there are likely to be notifications when someone is tampering with the PayPal payment system - leaving you better equipped to deal with evil-doers in the future.
Please refer to this link. Hope the PayPal Authorization & Capture method will be suitable for you, since you don't want to lose the response as well as have miscalculated amount transfers. PayPal provides a correlation ID that can be referred to PayPal to confirm your order status; it will be better to pass the order ID to the PayPal API.
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_admin_authcapture
http://www.scribd.com/doc/6303345/40/CorrelationID-for-Reporting-Problems-to-PayPal
Good Luck!
This is known as 2-phase commit. As long as PayPal does not participate in the same transaction, you will run into problems.
I would debit Alice the $150 and reflect the transaction as "Pending Confirmation", then periodically poll PayPal to synchronize your DB, since you have no control of when the network or PayPal may be available, post, reverse or adjust the transaction. Once PayPal processes the transaction, you can change the status in your DB from "Pending" to "Completed". BTW, this is how bank accounts and credit cards are processed. You could apply a double-entry accounting method to your DB. (see this Q&A)
From what I see, you need to make sure the transaction is complete, otherwise nothing should be done.
If you deposit the money into the PayPal API and you do not receive a response from the PayPal API, then you need to roll back the transaction in your DB.
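The pending-then-poll approach from the answers above, which the Stripe question earlier on this page also proposes, as an added example that is not code from any poster. `FakeProcessor` is a hypothetical stand-in, not PayPal's or Stripe's interface; the example assumes the remote API accepts a caller-chosen order ID, pays at most once per ID, and can be queried by it.

```python
import sqlite3
import uuid


class FakeProcessor:
    """Hypothetical stand-in for the remote payment API (not PayPal's interface)."""

    def __init__(self):
        self.executed = {}            # order_id -> cents actually moved
        self.drop_next_reply = False  # simulate a reply lost on the network

    def pay(self, order_id, cents):
        self.executed.setdefault(order_id, cents)  # a repeated order_id pays once
        if self.drop_next_reply:
            self.drop_next_reply = False
            raise TimeoutError("payment executed, reply lost")
        return "COMPLETED"

    def status(self, order_id):
        return "COMPLETED" if order_id in self.executed else "NOT_FOUND"


def open_ledger():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payments (order_id TEXT PRIMARY KEY, payee TEXT, cents INTEGER, status TEXT)")
    return db


def send_payment(db, processor, payee, cents):
    order_id = str(uuid.uuid4())
    with db:  # commit the intent as PENDING before any remote call
        db.execute("INSERT INTO payments VALUES (?, ?, ?, 'PENDING')", (order_id, payee, cents))
    try:
        processor.pay(order_id, cents)
    except TimeoutError:
        return order_id  # outcome unknown: stay PENDING, never resend blindly
    with db:
        db.execute("UPDATE payments SET status='COMPLETED' WHERE order_id=?", (order_id,))
    return order_id


def reconcile(db, processor):
    """Periodic job: ask the processor about every PENDING row; return how many settled."""
    rows = db.execute("SELECT order_id FROM payments WHERE status = 'PENDING'").fetchall()
    settled = [oid for (oid,) in rows if processor.status(oid) == "COMPLETED"]
    with db:
        db.executemany("UPDATE payments SET status='COMPLETED' WHERE order_id=?", [(oid,) for oid in settled])
    return len(settled)
```

Rows that `reconcile` cannot settle stay PENDING for the next run or for manual review, rather than being paid again under a new ID.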
