Railscasts - PayPal Notifications

#142

Dec 29, 2008

PayPal Notifications

PayPal's IPN (Instant Payment Notification) service allows your app to get confirmation when an order is processed. In this episode I use IPN to mark a cart as purchased.

Tags: tools e-commerce

Download (16.4 MB, 10:46)

alternative download for iPod & Apple TV (12.8 MB, 10:46)

Read it on ASCIIcasts

Note: As mentioned at the end of this episode, this code should not be used in production as-is due to security problems. I will address these in the next episode.

Resources

script/generate nifty_scaffold payment_notification params:text cart_id:integer status:string transaction_id:string create
rake db:migrate
curl -d "txn_id=3XC103945N720211C&invoice=923204115&payment_status=Completed" http://localhost:3000/payment_notifications

# payment_notifications_controller.rb
protect_from_forgery :except => [:create]

def create
  PaymentNotification.create!(:params => params, :cart_id => params[:invoice], :status => params[:payment_status], :transaction_id => params[:txn_id])
  render :nothing => true
end

# models/payment_notification.rb
belongs_to :cart
serialize :params
after_create :mark_cart_as_purchased

private

def mark_cart_as_purchased
  if status == "Completed"
    cart.update_attribute(:purchased_at, Time.now)
  end
end

# controllers/application.rb
def current_cart
  if session[:cart_id]
    @current_cart ||= Cart.find(session[:cart_id])
    session[:cart_id] = nil if @current_cart.purchased_at
  end
  if session[:cart_id].nil?
    @current_cart = Cart.create!
    session[:cart_id] = @current_cart.id
  end
  @current_cart
end

# models/cart.rb
def paypal_url(return_url, notify_url)
  values = {
    :business => 'seller_1229899173_biz@railscasts.com',
    :cmd => '_cart',
    :upload => 1,
    :return => return_url,
    :invoice => id,
    :notify_url => notify_url
  }
  line_items.each_with_index do |item, index|
    values.merge!({
      "amount_#{index+1}" => item.unit_price,
      "item_name_#{index+1}" => item.product.name,
      "item_number_#{index+1}" => item.id,
      "quantity_#{index+1}" => item.quantity
    })
  end
  "https://www.sandbox.paypal.com/cgi-bin/webscr?" + values.to_query
end

<!-- carts/show.html.erb -->
<%= link_to "Checkout", @cart.paypal_url(products_url, payment_notifications_url) %>

< Previous Episode

28 comments

1. MTH Dec 29, 2008 at 01:52

It's annoying to wait until next episode for production use! :-)

Thanks, Ryan!

2. David Trasbo Dec 29, 2008 at 01:58

It is certainly getting more complex, Ryan, but it looks good. Thanks!

@MTH: If you want people to actually use your product then don't:

1. make something that looks like a spam site.
2. don't spam comments.

3. Dave Spurr Dec 29, 2008 at 04:05

To test this locally you could quite easily setup a dynamic dns to point a public domain name to your local environment, such as dyndns.

I've done that on a couple of occasions when working with external services which need to hit my machine as part of the applications natural processes.

4. Hamza Khan-Cheema Dec 29, 2008 at 05:50

It is interesting how other people do these kind of things.

However I am still a bit unsure why you are not using ActiveMerchant ?

Don't you find it makes things easier ?

Thanks, and keep up the good work!

Hamza

5. MTH Dec 29, 2008 at 06:46

@Trasbo You are not right:

1. don't looks like a spam site
2. didn't spam comments.

Anyway, thanks for suggestions, I'll think about it.

@Hamza, agree,
Ryan, please, show us how to use ActiveMerchant

Thanks

6. David Trasbo Dec 29, 2008 at 07:34

@MTH: I must disagree with you. E.g. Take a look at this site: http://flockr.com/ (misspelling of flickr.com)

1. It has no logo, just a text based representation of the domain name.
2. It has a monotone typography, e.g. Arial/sans-serif only.
3. It doesn't contain any useful information or any useful features.

This is exactly three convergences of spam sites, and your site fulfills them.

And I still think that you're comments here can be considered as spam, because they only seem to have one purpose: to promote your site.

If none of this is the case, please receive my apologies. But could you explain what exactly makes your site and comments non-spam?

7. David Trasbo Dec 29, 2008 at 07:40

I wrote this earlier:

"1. make something that looks like a spam site."

Of course, that should've been:

1. make something that DOES NOT look like a spam site.

Apologies... :)

8. MTH Dec 29, 2008 at 07:41

David,
I'll respond to you by email.

I'm very appreciate Ryan, and don't want to start flame here.
Thanks.

9. Liam Monahan Dec 29, 2008 at 09:34

I think recurring billing would be an interesting and useful topic. I know that certain payment gateways support it, but it can be complicated. You would need a background task to scan periodically and make charges...

Thanks Ryan and keep up the good work.

10. zero0x Dec 29, 2008 at 09:50

Hey,

I'm working on an e-shop (php but nevermind), and wanna ask something.

Is it safe enough to check the notification for the amount paid to ensure that payment was not tampered?

11. John Dec 29, 2008 at 15:01

Hi Ryan,

Paypal's Order Management integration guide says you need to use a "shared secret" or a "postback". I did not see you use either.

See page 26th of the guide: "After your server receives an Instant Payment Notification, you must confirm that the notification is authentic. This is known as notification validation."

Can you comment on this? Am I missing something?

Thanks,

John

12. Josh Dec 30, 2008 at 09:02

No questions, no suggestions, no complaints, just THANKS!

13. Mark Dec 30, 2008 at 11:09

Thanks for sharing!

14. RailsCasts Fan Dec 30, 2008 at 13:16

Ryan President ! :)

15. QuBiT Dec 31, 2008 at 01:15

Great Tutorial Again!

@Ryan:
If you continue to support us with this high quality screencasts, I'll maybe use the learned things to open my own business ;)

Happy New Year to everyone! (not yet but in a few hours ;) )

16. MTH Dec 31, 2008 at 02:05

Happy New Year, Ryan!

Thank you for all your work this year.
Please, continue on the next year.
Thanks thanks thanks!!!

17. Mitja Dec 31, 2008 at 06:45

Hello!

Thanks for this tutorial, it is really great, but i am somehow stuck on the serialize part....

In a LOG i can see i get all the information from PayPal, but serialize is somehow failing.

Anyone else with a same problem?
What could be a trick?

Thanks

18. Arash Dec 31, 2008 at 12:19

Great video.

19. Josh Jan 01, 2009 at 10:03

Hey Ryan,

I have taken what you have done here (great workup, by the way!) and have translated it to use Google Checkout using the google4r-checkout gem. It is really great! Let me know if you want me to pastie you the source for a Railscast episode in this series :)

Thanks again!

20. Patrick Jan 02, 2009 at 02:31

Hey Ryan:
Would you mind addressing how to validate non-model backed form components? I'm specifically talking about forms where you use a model to save stuff like the customer's name and phone number, but you don't want to save sensitive data like their credit card number to the database for security reasons.

The same question was raised in a different context by creatop in the comments of Episode 37: "Nice, but what about more complicated non-model forms with many fields with validation required?"

It seems like a pretty common scenario to me - but for some reason there is absolutely no documentation on it (or if there is, I've wasted the last five hours for nothing...haha).

21. elise Jan 02, 2009 at 07:37

Happy New Year !
I owe you not a beer, but a bottle of fine single malt. Or i might just go and buy a few of your commercial screencasts.
Keep up the good work !

22. Jacko Jan 02, 2009 at 12:42

Big thanks. I was looking all the time for this. Greetings, Jacko

23. Ryan Bates Jan 02, 2009 at 14:54

@Hamza, I plan to cover ActiveMerchant in future episodes.

@zero0x, right, this is one of the security issues I plan to cover in the next episode.

@Josh, that sounds great. I don't plan to cover Google Checkout in this series, but maybe if there's enough demand I'll make an episode for it later.

@Patrick, using ActiveRecord's validations on a non-database backed model can be difficult. I am delaying talking about this issue until Rails has some better support for this built in. But in the meantime you may want to check out some external validation plugins. Sorry I don't know of the best one off the top of my head.

I personally do not run into this issue because I prefer to keep a record of user input. So, every model that has a decent size form is backed by a database.

24. Dan Pickett Jan 02, 2009 at 16:03

Great screencast, Ryan!

Paypal kind of bums me out. I dislike the idea of ipn. For MassPay transactions, I really wish there was a query/request you could send to get the status of payment, but unfortunately I haven't been able to find it.

25. Thomas Jan 03, 2009 at 05:37

@Dan: it exists and it is compulsory for validating a purchase! It's just that Ryan didn't get into that yet. I guess he'll talk about it in the next episode.

At this stage of the app you still cannot mark a cart as being purchased/paid.

FYI Paypal provides on their developer website, a Ruby on Rails app in which you can dive in to understand the payment process, but beware it requires a lot of cleaning up.

26. Sean Schofield Jan 08, 2009 at 08:30

People interested in PayPal for Rails may want to check out the Spree[1] commerce project which has excellent PayPal support.

There's also a nice extension[2] that provides integrates support for Paypal Website Standard.

[1] http://spreehq.org
[2] http://github.com/Gregg/spree-pp-website-standard/tree/master

27. replica Bvlgari Necklaces May 07, 2009 at 01:53

I'll respond to you by email.

28. aradycom Jun 08, 2009 at 14:03

re thank you good job

Add your comment:

navigation:

sponsored by:

tags:

if you want to help:

required: