Using order secret to pay the order #24

Open
vojtasvoboda opened this issue Feb 3, 2022 · 2 comments
vojtasvoboda commented Feb 3, 2022

Please correct me if I'm wrong, but when I complete the order, for example on the demo.shopaholic.dev page, it redirects me to the URL:

https://demo.shopaholic.dev/order/05132d454b20a4287d3c6bc3cffcf343

And when I take that secret key and call:

https://demo.shopaholic.dev/shopaholic/omnipay/paypal/success/05132d454b20a4287d3c6bc3cffcf343

It will mark the order as paid with no need to go to the payment gate.

(It is not working on demo.shopaholic.dev because there is no Shopaholic Omnipay plugin, but it works on e-shops with the plugin installed).

@kharanenka
Contributor

Hi! The roadmap of a purchase is:

  1. PayPal plugin sends a request to the API and adds the "success callback URL" to the request object.
  2. Customer pays for the order in the PayPal interface.
  3. PayPal API sends a request to the site using the "success callback URL".
  4. "success callback URL" contains the payment token only. We should add logic to change the order state if the PayPal API sends a request to the "success callback URL".

We could protect this "success callback URL" if the PayPal API passed additional data in the request.
Perhaps now there is an opportunity to change the logic of the plugin. I haven't researched PayPal API changes.

@kharanenka kharanenka self-assigned this Feb 4, 2022
@vojtasvoboda
Author

From my point of view, there should be some additional backend checks on the success callback URL. Because nowadays you can just open the success URL in the browser and the order is marked as paid without any payment.

If you know of some production e-shop with this plugin, I would be glad to try it.
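
The backend check asked for in this thread, as an added example that is not part of the issue or the plugin's own code: the success callback treats the request only as a hint and marks the order paid after a server-side lookup confirms the payment. `PaymentVerifier`, `Order`, `handleSuccessCallback`, the `COMPLETED` status string and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in for a server-to-server query to the payment provider.
interface PaymentVerifier
{
    public function lookup(string $paymentToken): ?array; // null when unknown
}
// Hypothetical order model; field names are assumptions, not the plugin's schema.
final class Order
{
    public bool $paid = false;
    public function __construct(
        public string $paymentToken, // stored when the shop created the payment
        public string $amount,
        public string $currency,
    ) {}
}
// A request to the success URL only hints that the customer came back. The order
// changes state only after the provider confirms a matching completed payment.
function handleSuccessCallback(array $orders, string $secretKey, PaymentVerifier $api): bool
{
    $order = $orders[$secretKey] ?? null;
    if ($order === null) {
        return false; // unknown order secret
    }
    $payment = $api->lookup($order->paymentToken);
    if ($payment === null || $payment['status'] !== 'COMPLETED') {
        return false; // provider reports no completed payment
    }
    if ($payment['amount'] !== $order->amount || $payment['currency'] !== $order->currency) {
        return false; // a payment exists, but not for what this order requires
    }
    $order->paid = true;
    return true;
}
// Constructed sample data: the provider knows a completed payment for TOKEN-A only.
$api = new class implements PaymentVerifier {
    public function lookup(string $paymentToken): ?array
    {
        $paid = ['TOKEN-A' => ['status' => 'COMPLETED', 'amount' => '49.90', 'currency' => 'EUR']];
        return $paid[$paymentToken] ?? null;
    }
};
$orders = [
    'secret-a' => new Order('TOKEN-A', '49.90', 'EUR'),
    'secret-b' => new Order('TOKEN-B', '19.00', 'EUR'),
];
foreach (array_keys($orders) as $secret) {
    printf("%s paid=%s\n", $secret, var_export(handleSuccessCallback($orders, $secret, $api), true));
}
```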
