fuck; stuck. on @paypal #classicapi
i am now depressingly intimate with navigating paypal's dev, docs and sandbox site. here is the workflow of how paypal works:
you create a paypal button on your site which uses a POST route to their site with a bunch of site-specific information, including a notify_url attribute which upon completion of transaction routes a notification back to your site asynchronously.
using SSH i encrypted this using a certificate that is pre-loaded with the buyer account at paypal
the purchase information is de-encrypted and read by paypal
user completes the transaction on paypal's site
everything up until this part works perfectly.
a notification, called IPN should be sent to my website using the notify_url param that was passed to it in my initial call. but my site is never receiving it or is rejecting it.
possible solutions:
the notification is definitely being sent by paypal, because there is a record of it at paypal.
the doc says here that ""Your listener returns an empty HTTP 200 response to PayPal." what does that mean? how does that occur
once that happens, then paypal sends the exact same thing again.
also, the doc says "the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message."
what does that mean?
EDIT feb 25
I think what happened between railscast 143 and today (and it's been five long years), is that in the episode, ryan bates made it sound like paypal's first postback was not required; in other words, in the past, it seems like paypal did not send a first postback to your site. instead, it just sent you the purchase information and it was up to you to verify whether it was from paypal or not.
that's no longer the case. it is now standard for paypal to first send you a postback, which you then have to verify by sending back an empty 200 request. then your site posts the unaltered message, except preceded by cmd=_notify-validate to paypal. paypal then sends you either a 'valid' or 'invalid' response.
seems like there's an extra security step there that wasn't addressed by railscast.
that's the problem, i think.
this link might be key: http://stackoverflow.com/questions/14316426/is-there-a-paypal-ipn-code-sample-for-ruby-on-rails
EDIT feb 26
ok found the problem.
here's a snippet from the original code from railscast 142:
values = { :business => '[[email protected]]', :cmd => '_cart', :upload => 1, :return => return_url, :invoice => id.to_s + 'h', :rm => 2, :notify_url => notify_url, :cert_id => '[YOUR CERTIFICATE#]' }
this code was written in 2009. not much has changed, but apparently paypal took out both the return_url and notify_url from the values that you send to paypal, probably for security purposes. both those urls are set by you manually through their web interface. once i deleted both those keys, it worked.














