gfsdeliver.com VS justshoutgfs.com for server-side price validation

Iaroslav posted this 28 June 2019

Hi!

 

We integrated the GFS Checkout widget into our store a year ago, and now we have a security issue. When the user selects a delivery option from a list, the widget provides us with an option id AND a price, which is sent to our own API and saved. The problem is that a hacker could decrease the delivery price value and send this modified value, disrupting calculations on our side. We decided to retrieve this price value via a server-to-server request, making it secure. Right now we have two ways to retrieve the price of a delivery option:

 

1) Use the REST API as described on the documentation web page (request to connect2.gfsdeliver.com, SESSION GET). The problem is that we have to recreate a session from scratch because the SessionID from the widget doesn't work with that REST API (is it supposed to work, or do we have different session ids for gfsdeliver.com and justshoutgfs.com?). When we recreate the session from scratch on the server side, we have to supply many parameters that we already send to the front end; this duplication doesn't feel right to me.

2) Use the undocumented REST API used by the widget; that way we just repeat the request to rest-checkout.justshoutgfs.com on the server side. We can use the same session id and it looks better, but this API is not documented and could be changed in the future.

 

What do you think, which way is better?

 

Thanks in advance!
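The check Iaroslav describes, as an added example that is not GFS code or code from this thread: the store's API never saves the widget-supplied price but fetches the authoritative price for the same session id and option id server-to-server and compares the two. `fetch_option_price` is a hypothetical stand-in for that server-to-server lookup (whichever GFS endpoint is used), reading a constructed table here so the example runs offline.

```python
"""Server-side validation of a delivery price submitted by a checkout widget.

Added example, not GFS code. The widget posts {session_id, option_id, price}
to the store's own API. The store must NOT trust `price`: it looks up the
authoritative price for (session_id, option_id) server-to-server, rejects
mismatches, and only ever persists the server-side value.
"""
from decimal import Decimal, InvalidOperation

# Constructed sample of what the server-to-server lookup would return
# (session id -> option id -> price). Not real GFS data.
_CONSTRUCTED_SESSIONS = {
    "sess-123": {"opt-std": Decimal("4.99"), "opt-next": Decimal("9.99")},
}


class PriceMismatch(ValueError):
    """Raised when the client-supplied price disagrees with the server value."""


def fetch_option_price(session_id, option_id):
    """Hypothetical stand-in for the server-to-server price lookup.

    Returns the authoritative Decimal price, or None if the session/option
    pair is unknown (which must also be treated as a validation failure).
    """
    return _CONSTRUCTED_SESSIONS.get(session_id, {}).get(option_id)


def validated_delivery_price(payload):
    """Return the authoritative price for the chosen option, or raise.

    The client-supplied price is compared only to detect tampering or a stale
    widget value; the returned value always comes from the server lookup.
    """
    session_id = payload["session_id"]
    option_id = payload["option_id"]
    authoritative = fetch_option_price(session_id, option_id)
    if authoritative is None:
        raise PriceMismatch(f"unknown option {option_id!r} for session {session_id!r}")
    try:
        claimed = Decimal(str(payload["price"]))
    except (KeyError, InvalidOperation):
        raise PriceMismatch("missing or malformed client price")
    if claimed != authoritative:
        # Reject rather than silently correct, so tampering is visible in logs.
        raise PriceMismatch(f"client price {claimed} != server price {authoritative}")
    return authoritative
```

A mismatch is worth alerting on, since a legitimate widget should never submit a price that differs from the one the session holds for that option.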

Simon Wilson posted this 02 July 2019

Hi Iaroslav,

 

The close checkout call is used to secure the request details.

Once you have the details from the request you validate it server to server in the close checkout call.

You are currently doing this now in your current implementation. If required, we can have a web conference to discuss this further.

 

Best regards

Simon

JosephWallace posted this 07 September 2020

Developer and all unique feature is told for the individuals. The patent right of the developer and https://resumecompaniesreview.com/resumes-planet-review/ is swiftly followed for the individuals. Group is filled for the top of the reforms for the manners for the implication for all goals.

saeed20 posted this 09 September 2020

Edinburgh  ..  hedge trimming

 

TylerPH posted this 4 weeks ago

All my friends who need social psychology research paper topics start to address Homeworkfor.me because I advised them to use it.

 
