
I have a Django form, which sends the form data to an external source (to be more precise, it is a PayPal payment form). The user enters the price for the product, clicks on the button and the POST request is sent to PayPal, triggering the normal payment process.

Now I want to use OTP (like Google Authenticator) to validate each payment.

How should the validation be realized? I thought of several scenarios, but none of them is really satisfying:

  • Should I send the request first to my site, validate the OTP and then redirect the user to the PayPal site with the data via a POST request, coming with the request? Problem: POST requests are not meant to be redirected and I don't know how to realize it in Django.
  • Should I write JavaScript code, which sends an AJAX request to my site and "activates" the form on success? Problem: smarter users could just activate the form from the browser console, without sending the AJAX request. Does anybody know some kind of activation trick in JavaScript which is not "hackable"?

I would be glad to hear some more solutions from you, or some suggestions on how the solutions above could be realized without the problems mentioned.

EDIT - My solution so far:
I have done a workaround and split the form in two. The first form checks the OTP and sends the data to my internal Django view. It also creates a model instance with a generated invoice, which can then be checked in the PayPal IPN routine. The second form is a PayPal payment form, which sends the POST request to PayPal. You can find the simplified code in the following GitHub Gist:

https://gist.github.com/BloodyD/2cd15f38d0f666cf3a73

DiKorsch
  • Why are you saying that POST requests are not meant to be redirected? – GwynBleidD Aug 12 '15 at 14:16
  • I mean not the redirection after a POST request has come in, but before you send the request... so send it to one URL, which redirects the POST data to another URL. Saw this in this answer (http://stackoverflow.com/a/3024528/1360842), and I actually fully agree with that. – DiKorsch Aug 12 '15 at 14:57

1 Answer


First method - normal redirection after POST:

I don't know why you think that there shouldn't be any redirect after a POST request. In Django it happens all the time; without that, each page refresh directly after adding something to the database would trigger adding it one more time.

To redirect the user to the proper PayPal page, you can just send an HttpResponseRedirect instead of a normal response when the form is submitted with valid form data. If not, display some error messages.

Second solution: using JavaScript.

You can send the URL to redirect to (the PayPal URL) in the AJAX response, so the user won't be able to bypass this. Simply put some form submitted by AJAX; if it returns a URL to redirect to, just redirect the user. If not, display an error message.

GwynBleidD
  • As I mentioned in the comment before, I don't mean that redirects after POST should not happen. The thing is that I had to create a POST request in a view (which handles the POST data from the Django form) on my site, send this request and display the response to the user. My server is then a kind of proxy, and in my opinion it's not really a good design. – DiKorsch Aug 12 '15 at 15:02
  • And what about the JavaScript solution? – GwynBleidD Aug 12 '15 at 15:16
  • The problem is that the PayPal URL is always the same, so after the first request one can set the URL manually. – DiKorsch Aug 12 '15 at 15:26
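An added example (not the asker's Gist or the answerer's code) of the server-side flow that the asker's two-form workaround and the answer both rely on: the OTP is checked on the server, an invoice id is issued only on success, and the IPN routine accepts only payments that carry an issued, unpaid invoice with the expected amount, so posting to the static PayPal URL directly buys nothing. It uses the Python standard library instead of Django (an in-memory dict stands in for the invoice model), the RFC 6238 test secret, and my own function names `issue_invoice` and `check_ipn`; it assumes the IPN message has already been verified back with PayPal.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 Appendix B test seed ("12345678901234567890") in base32; a real deployment
# stores one such secret per user, enrolled via the Google Authenticator QR code.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Stand-in for the asker's Django invoice model (assumption): invoice id -> amount/paid state.
ISSUED_INVOICES = {}


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator implements."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_otp(secret_b32, submitted, now=None, drift=1):
    """Accept the current window plus `drift` windows either side; compare in constant time."""
    now = time.time() if now is None else now
    candidates = (totp(secret_b32, now + i * 30) for i in range(-drift, drift + 1))
    return any(hmac.compare_digest(c.encode(), str(submitted).encode()) for c in candidates)


def issue_invoice(user_secret_b32, amount, otp, now=None):
    """First form (asker's step 1): no invoice id unless the OTP checks out server-side."""
    if not verify_otp(user_secret_b32, otp, now):
        return None
    invoice = secrets.token_hex(8)  # goes into PayPal's `invoice` field of the second form
    ISSUED_INVOICES[invoice] = {"amount": amount, "paid": False}
    return invoice


def check_ipn(invoice, mc_gross, payment_status):
    """IPN routine: accept only a 'Completed' payment for an issued, unpaid invoice whose
    amount matches. A payment posted to PayPal without passing the OTP form has no
    issued invoice and is rejected here; a replayed IPN hits the `paid` flag."""
    rec = ISSUED_INVOICES.get(invoice)
    if rec is None or rec["paid"] or payment_status != "Completed":
        return False
    if rec["amount"] != mc_gross:
        return False
    rec["paid"] = True  # consume the invoice so the same IPN cannot be accepted twice
    return True
```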