I couldn’t find a good example of a Ruby on Rails Paypal Website Payments Standard implementation that I could open the hood and dig around in. The majority of the ones I found were partially implemented, geared at Website Payments Pro ($30/month), or were commercial products. So I decided to write a test to see how it all worked.
DISCLAIMER: I am NOT a good Ruby on Rails coder. I am from a Java world and still find the world of closures and dynamically typed variables a little disorienting. That said, things could definitely be cleaned up and made to work better. I am open to house cleaning suggestions.
DISCLAMER: This was done over the past couple months in my spare time only so there are likely bugs. I have only tested this in the Paypal Sandbox and have NOT used it in any production capacity. If you plan on using this in a production environment DO NOT assume that it all works correctly. TEST! Let me know if you find any bugs.
Let’s jump in.
The first thing you should know is that accessing the cart automatically and randomly generates and stores down inventory so you don’t have to worry about it.
This test covers the following scenarios:
- Basic connection using form variables and posting in the same window.
This is the most straight forward scenario. The page has hidden fields that contain all the information needed to start the payment process. When the user click the checkout button they are directed over to Paypal for payment. They then have the option of returning to the site after the payment process completes or if they decide to cancel.
- Return URL order detail validation.
When the user clicks “Return to Paypal Test Site” on the payment confirmation page within Paypal this site then validates the data submitted from that click in order to ensure payment and order details are correct. NOTE: This is not secure and was just the first step of the test. Don’t do this in real life!
- Payment data transfer (PDT) order detail validation.
PDT basically sends an encrypted token back which can then be posted to Paypal to get payment and order details. This allows the server to verify details about the transaction, removing the ability for users to change the validation data. Note that PDT only happens if the user returns to the site from the payment confirmation page within Paypal. All but the first scenario use PDT and IPN together.
- Instant payment notification (IPN) order detail validation.
IPN is the same as PDT, only it happens regardless of whether the user returns to the site. All but the first scenario use PDT and IPN together.
- Page level redirection to Paypal.
This hides the paypal form tags on a redirect page that is only displayed briefly. This moves the Paypal form variables off the cart page, where they tempt people to try to change them, off into a briefly displayed redirect page. This by no means offers any real security, however it does obscure the process a little bit, making it less tempting to play with. IPN and PDT are in place for this option as well.
- Controller level redirection – not fully working.
The idea behind this one is that it passes all the Paypal form fields across at the server level, removing the ability for users to interact with or change them. This uses the Net::HTTP code to do some funky POSTs and redirects but is failing at the moment. I have the code so that it submits via Net:HTTP in the controller and follows the redirects, however it is not transferring cookie or form data correctly (not sure which/either), which causes Paypal to redirect to an error page. I would be very interested to see if anyone can get this one working.
- DHTML popup window payments.
This is the same basic concept as the standard flow with page level redirection only the Paypal site is displayed in a centered popup window. Cancelling the paypal transaction simply closes the popup, leaving you still at the shopping cart. Completing the transaction redirects the entire window to the payment confirmation page.
Changes that you will need to make to get this working:
- Update models/util.rb to point to your email addresses and Paypal sandbox info.
- Update config/environments/development.rb to point to your SMTP server.
- Update the controllers/website_payment_standard_controller.rb PDT_IDENTITY_TOKEN variable to point to match your PDT identity token.
NOTE: I removed the Test folders to lighten the load and quickly remove a bunch of SVN folders but didn’t try it out after this. If you are having any errors revolving around tests, create a new project then copy the test folder and its contents over to this one.
The files: paypal.zip