JavaScript
jamster, 2020-07-20 23:42:50

How to correctly confirm payments on nodejs?

Good day.
What we have: back end - Node.js, front end - Vue.js.
Task: confirm successful user transactions on the Node.js server.

First, some background.
We have a client-server application, a mini-shop for cosmetics and various household goods.
The front end is written in Vue.js.
Client authentication/authorization uses Passport.js with a JWT token.
Actually, in terms of payment confirmation, we failed. We were hacked, and it is not clear how they learned to top up their balance; in the personal account there is a withdrawal of part of the funds when buying from the N amount.
How everything was arranged.
On the front end, a person in their personal account went to the top-up section, chose a payment system, and then proceeded to pay.
At that moment, a record was created in the database on the back end with the fields status - false and sum - N, plus a transaction ID.
Transactions were confirmed through the payment API: a cron job ran every minute and checked by transaction ID whether the transaction had been paid and whether its validity period had expired. If the API returned true for the success field, the transaction was closed and the user's balance was credited.
This whole algorithm turned out to be vulnerable and was compromised.
So the question is how, and with what tools, to implement this in a more or less secure form.
One more detail: the only thing we managed to find out is that the vulnerability was exploited without the front end, i.e. only via the back end, and most likely the database was not broken into.

The first things that come to mind are to add encryption to the user data transmitted from the front end,
and to implement some mechanism for storing an SC in the user's cookies, creating a transaction only if it is present.
Then again, when checking a transaction, having only the success and expired fields from the API, what can you come up with?


3 answers
Dasha Tsiklauri, 2020-07-21
@dasha_programmist

In general, the payment system should send a notification (call your API) if the transaction succeeds, and likewise if it fails. The traffic must be either signed with a key or verified against the source IP address.

Artem Silantiev, 2020-07-21
@AntiStream

I can't give a direct answer, but I can share some thoughts:
1. Move away from Passport.js and write your own solution, since using standard modules for authorization is not safe in itself.
2. Do you log all user actions related to finances?
3. Is the data from the user validated on the back-end side when creating a top-up?
4. Ask yourself: are you sure about your payment system?
5. Perhaps someone has access to the database.

Andrey Shamin, 2020-07-21
@WhiteSsnoww

Apparently, the programmer who wrote the payment gateway left an Easter egg and is now skillfully using it. Everything in your scheme is fine: if you do not know the payment ID, you will not receive anything. Look for how the insider gets the payment ID. By the way, this programmer may still be working for you, so look at who has access to the DBMS.
