gfsdeliver.com VS justshoutgfs.com for server-side price validation

  • 1.9K Views
  • Last Post 02 July 2019
  • Topic Is Solved
Iaroslav posted this 28 June 2019

Hi!

 

We've integrated the GFS Checkout widget into our store a year ago, and now we have a security issue. When user selects a delivery option from a list, the widget provide us with an option id AND a price, that is send to our own API and saved. The problem is that a hacker could decrease the delivery price value and send this modified value disrupting calculations on our side. We decided to retrieve this price value via Server to Server request, making it secure. Right now we have two ways to retrieve the price of delivery option:

 

1) Use REST Api as described on the documentation web page (request to connect2.gfsdeliver.com, SESSION GET). The problem is that we have to recreate a session from scratch because SessionID from Widget doesn't work with that rest (is it supposed to work or we have different session ids for gfsdeliver.com and justshoutgfs.com?). When we recreate session from scratch on the server side, we have to supply many parameters when we already send them to the font end, this duplication doesn't feel right for me.

2) Use undocumented rest used by the widget, that way we just repeat the request to rest-checkout.justshoutgfs.com on the server side. We can use the same session id and it looks better, but this API is not documented and could be changed in the future.

 

What do you think, which way is better?

 

Thanks in advance!

Simon Wilson posted this 02 July 2019

Hi Iaroslav,

 

The close checkout call is used to secure the request details.

Once you have the details from the request you validate it server to server in the close checkout call.

You are currently doing this now in your current implementation, If required we can have a web conference to discuss this further.

 

Best regards

Simon

  • Liked by
  • Iaroslav
Close