
[MyAcc] Python Paypal API

Joriku

[ Feel free to comment for changes, improvements or security related matters ]
Here comes a temp solution for MyAcc, PayPal.

Since the current version of MyAcc has issues regarding the API, until an update comes, here is a back-end written in Python.
You can design the template however you'd like.

Github
 


A new update is made on github, spoofing has been patched front-end and back-end.
I'll need to make sure that the back-end code does in fact stop the spoofing, but payments are O.K and JSON data is sent back and works live and sandbox with the new code. ( This means the front-end is stopped, and back-end should, but is not tested yet ).

This was an oversight made, where the payment was blindsided only getting O.K or not O.K status if a payment was made and added client-sided data based on it.

So a payment is made, System: "Great, we got your payment, here's your coins"

If any improvement or errors, report them to me asap
 
New update, UI and security measures
Live on github
• Click-through agreement modal – users now accept TOS once, timestamped & displayed on the page

• Package picker redesigned as icon buttons for faster selection

• PayPal buttons auto-render on load & selection—no manual swaps

Security Improvements:
• Verify custom_id → prevents order spoofing

• Enforce unique PayPal transactions (idempotent processing)

• Validate currency on every order

• Stronger X-Auth-Token (SHA-256 hashed secret)

• Short-lived PayPal OAuth tokens per request

Fixes & Tweaks:
• Debug logging of all order requests & responses

• Proper capture-amount lookup for v2 orders

• Safe DB schema migrations at startup (agreement log & unique txn index)
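
The custom_id, currency and unique-transaction checks listed above, sketched as an added example that is not part of the original post or the GitHub repository. It assumes the back-end has already fetched the capture result from PayPal server-side; the `PACKAGES` table, the `account:package` custom_id format, the table name and the sample order are hypothetical.

```python
import sqlite3
from decimal import Decimal

# Hypothetical package table: package id -> (price, currency, coins).
PACKAGES = {"p100": (Decimal("5.00"), "EUR", 100)}

# Constructed sample in the shape of a PayPal v2 capture response.
SAMPLE_ORDER = {
    "id": "ORDER-EXAMPLE", "status": "COMPLETED",
    "purchase_units": [{"payments": {"captures": [{
        "id": "CAPTURE-EXAMPLE", "status": "COMPLETED", "custom_id": "42:p100",
        "amount": {"currency_code": "EUR", "value": "5.00"}}]}}],
}

def init_db(conn):
    # The primary key on txn_id is what makes crediting idempotent.
    conn.execute("CREATE TABLE IF NOT EXISTS paypal_txn ("
                 "txn_id TEXT PRIMARY KEY, account_id INTEGER, coins INTEGER)")

def credit_from_capture(conn, order, session_account_id, session_package_id):
    """Return coins credited (0 on replay); raise ValueError on any mismatch."""
    if session_package_id not in PACKAGES:
        raise ValueError("unknown package")
    capture = order["purchase_units"][0]["payments"]["captures"][0]
    if order.get("status") != "COMPLETED" or capture.get("status") != "COMPLETED":
        raise ValueError("payment not completed")
    # custom_id is assumed to have been set by the server when the order was
    # created, so it must match the session, never a value sent by the browser.
    if capture.get("custom_id") != f"{session_account_id}:{session_package_id}":
        raise ValueError("custom_id mismatch")
    price, currency, coins = PACKAGES[session_package_id]
    amount = capture["amount"]
    if amount["currency_code"] != currency:
        raise ValueError("unexpected currency")
    if Decimal(amount["value"]) != price:
        raise ValueError("unexpected amount")
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO paypal_txn VALUES (?, ?, ?)",
                         (capture["id"], session_account_id, coins))
    except sqlite3.IntegrityError:
        return 0  # same PayPal transaction seen before: do not credit twice
    return coins
```

Coins are derived from the server-side package table only after the PayPal-reported amount and currency match it, so a bare "payment O.K" status is never enough to credit an account.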

 
Is this for donations or purchases? With this you can prevent chargebacks?
Hi,
To strengthen the case of chargebacks, I've added this agreement, which has to be accepted to continue.
It will also showcase the important aspects (as far as I am aware). Keep in mind that I am not a law-related person, so if anyone has suggestions and/or ideas to make it tighter, let me know.

This adds a layer to the cases, why?
1) Clickwrap: the user must agree to the terms in order to proceed.
2) We clearly state what the purchase is regarding, in all our cases: virtual coins, the acceptance or agreement of an electronically binding contract, that we are strict that all sales are final and non-refundable, and that the user confirms that they themselves are over 18, meaning they themselves represent their age, making sure that the transaction is legal or it's a breach of agreement.

3) Record: we store the logs required, including IP address (can be a VPN or fake, keep this in mind). I added no layer to check if the IP is a known VPN address, due to cost. We log the date and time of agreement, and who and what account accepted it. The purchase will be logged with this account ID and their PayPal email address, meaning we have more logs that they in fact agreed to our terms.

4) We've specified our jurisdiction.

So in short, we have unique txn IDs, proof of delivery, clickwrap acceptance logging, IP and user capture, and a non-refund policy to fight those chargebacks over on PayPal in our favor.


As a bonus: I am looking into adding logging of what a user, by account and character, buys in the in-game store, to strengthen the case even further with what they spent their coins on and when.

Make sure to understand, I am not PayPal, or a lawyer, and I do not have the means to tell you that all of this will 100% work for each case. However, using this will make sure you can prove and provide evidence of misconduct.
 