feat: Add paypal configuration for Android Paypal Payment

[anhanh11001]

Fixes: #5961

Short description of what this resolves:

Add PayPal configuration to verify Paypal payment for Android Paypal integration

Changes proposed in this pull request:

• Add Verifying Paypal Payment for Android

• I have read the Contribution & Best practices Guide and my PR follows them.

• My branch is up-to-date with the Upstream development branch.

• [] The unit tests pass locally with my changes

• [] I have added tests that prove my fix is effective or that my feature works

• I have added necessary documentation (if appropriate)

• All the functions created/modified in this PR contain relevant docstrings.

[codecov]

Codecov Report

Merging #6297 into development will decrease coverage by 0.12%.
The diff coverage is 13.88%.

@@               Coverage Diff               @@
##           development    #6297      +/-   ##
===============================================
- Coverage        65.29%   65.16%   -0.13%     
===============================================
  Files              287      287              
  Lines            14775    14810      +35     
===============================================
+ Hits              9647     9651       +4     
- Misses            5128     5159      +31

Impacted Files	Coverage Δ
app/api/helpers/payment.py	23.7% <11.11%> (-3.82%)	⬇️
app/api/orders.py	27.91% <22.22%> (-0.17%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f2607b0...e703ddb. Read the comment docs.

[mrsaicharan1]

Umm, why can't you scan through the model to search for the used payment ID?

[anhanh11001]

I'm kinda new to server-side issue so I might need more advices. What do you mean by "scan through the model"? Besides, codecov/patch and codecov/project are failing, what should I do then? @mrsaicharan1

[mrsaicharan1]

@anhanh11001 Yeah, so those checks are ok. Leave them. Travis is important. Scanning through the model as in scanning through the DB table. (SQLAlchemy). Read the SQLalchemy docs and read up on how to query the model & others.

[mrsaicharan1]

In layman terms, would you rather read data from a table in a DB or read the values from a txt file?

[anhanh11001]

D:\Coding Project\11. Fossasia\open-event-server\venv\lib\site-packages\envparse.py:195: UserWarning: Could not any envfile.
  warnings.warn('Could not any envfile.')
`DATABASE_URL` either not exported or empty

I'm getting this when migrating new table, what should I do?

[iamareebjamal]

This is a warning, not an error

[anhanh11001]

@mrsaicharan1 please review

[mrsaicharan1]

Travis is failing

[anhanh11001]

@mrsaicharan1 updated, travis is not failing now

[mrsaicharan1]

@anhanh11001 For this purpose, query the order model for the paypal id.

[mrsaicharan1]

Also, remove the new model which was created

[anhanh11001]

@iamareebjamal please review, this is pending for a long time..

[iamareebjamal]

Why is this needed?

[anhanh11001]

so that I can create an Order to save paypal payment ID. @mrsaicharan1 commented above that I can find paypal payment ID in Order model to save it, but I couldn't find it Order model so I thought he meant paypal_token.

[iamareebjamal]

@mrsaicharan1 Please comment

[mrsaicharan1]

Orders should never be created with a paypal_token. Consider this as imitating a paid order through paypal. After an order is created, only after proper authorisation from PayPal's API, the attribute should be updated.
All you need to do is verify it right? So please remove this.

[iamareebjamal]

This is not needed anywhere AFAIK

[mrsaicharan1]

@anhanh11001 So have a look here. https://github.com/paypal/PayPal-Python-SDK
The workflow is as follows:

1. Create a payment on the server side
2. Authorize it
3. Execute the payment

As you're trying to verify if the payment ID has been used or not, you'll need to hit the paypal API to check if the payment has been CREATED like this. There is paypal token which resides in the order model but it would be better if you would verify it with PayPal REST API itself rather than checking on our order model.
Just think about it in this way, the paypal token might've been used by some other project/application, who knows? So, always verify through the API when it comes to payment IDs/tokens.

payment = paypalrestsdk.Payment.find("PAY-57363176S1057143SKE2HO3A")
if payment is None:
    return 'No payment found'

Post that, according to what you're trying to accomplish, to verify the payment status, just check for the approved status(which has already been done)

[iamareebjamal]

@mrsaicharan1 Yes, so where does this payment ID PAY-57363176S1057143SKE2HO3A is stored?

[anhanh11001]

@mrsaicharan1 I was following this example code: https://github.com/paypal/PayPal-Python-SDK/blob/master/samples/mobile_backend/paypal_client.py#L37 maybe you can take a look as well.

In Android, we use Android SDK to make the payment to pay and receive a proof of payment (which contain payment ID). Server side integration for Android will use that proof of payment to verify the order one more time to provide tickets for user.

Besides, I don't quite understand what does it mean by "paypal token". is it also the same with "paypal payment id"

[anhanh11001]

@iamareebjamal maybe can I just first follow : https://github.com/paypal/PayPal-Python-SDK/blob/master/samples/mobile_backend/paypal_client.py#L37 this to store the payment ID to a text file first to get this issue done so that harshit and I can work and do some testing on Android and then come back to this later to save it to a model.

[iamareebjamal]

I can't merge an incomplete implementation. You're free to host your server on a temporary heroku instance

[anhanh11001]

I can't merge an incomplete implementation. You're free to host your server on a temporary heroku instance

ok, I'll wait for @mrsaicharan1 feedback

[mrsaicharan1]

Okay, so I wasn't aware what was happening on the android side so just to verify it for one more time, just scan the order model if there's an order associated with that PayPal token or not. That's it.

…

On Fri, 9 Aug 2019 at 10:50 PM, Duc Le Tran ***@***.***> wrote: I can't merge an incomplete implementation. You're free to host your server on a temporary heroku instance ok, I'll wait for @mrsaicharan1 <https://github.com/mrsaicharan1> feedback — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6297?email_source=notifications&email_token=AGAHUW7HZAKYTUQV6ANU7YTQDWRPDA5CNFSM4IJCOSKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD37IULY#issuecomment-519997999>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGAHUW6W3EFY5EA7FQUBZD3QDWRPDANCNFSM4IJCOSKA> .

[anhanh11001]

Okay, so I wasn't aware what was happening on the android side so just to verify it for one more time, just scan the order model if there's an order associated with that PayPal token or not. That's it.
…
On Fri, 9 Aug 2019 at 10:50 PM, Duc Le Tran @.***> wrote: I can't merge an incomplete implementation. You're free to host your server on a temporary heroku instance ok, I'll wait for @mrsaicharan1 https://github.com/mrsaicharan1 feedback — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6297?email_source=notifications&email_token=AGAHUW7HZAKYTUQV6ANU7YTQDWRPDA5CNFSM4IJCOSKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD37IULY#issuecomment-519997999>, or mute the thread https://github.com/notifications/unsubscribe-auth/AGAHUW6W3EFY5EA7FQUBZD3QDWRPDANCNFSM4IJCOSKA .

then please review this PR @mrsaicharan1

[mrsaicharan1]

@mrsaicharan1 Yes, so where does this payment ID PAY-57363176S1057143SKE2HO3A is stored?

It will be stored in PayPal records & the same ID is being stored in our order model as paypal_token

[mrsaicharan1]

@anhanh11001 Also, is this working locally? Have you tested it?

[anhanh11001]

@mrsaicharan1 Do you know which file I can use to put my client ID and client secret in for testing ?

[mrsaicharan1]

@mrsaicharan1 Do you know which file I can use to put my client ID and client secret in for testing ?

We never store keys in files but if you just want to test it locally, you can replace the code where you find get_settings()['client_id'] with your key.
you'll find it here -> app/api/helpers/payment.py(configure_paypal method)
Just keep in mind that you don't push this code with the actual keys set in the code

[anhanh11001]

@anhanh11001 Also, is this working locally? Have you tested it?

tested

[liveHarshit]

@anhanh11001 Also, is this working locally? Have you tested it?

tested

Okay, so I think it is ready to merge now?

[mrsaicharan1]

function to check for recycling of payment IDs

[anhanh11001]

Orders should never be created with a paypal_token. Consider this as imitating a paid order through PayPal. After an order is created, only after proper authorization from PayPal's API, the attribute should be updated.
All you need to do is verify it right? So please remove this.

So how should I save a used payment ID? You told me to save it in the Order model, please clarify this for me? Thank you

[mrsaicharan1]

Orders should never be created with a paypal_token. Consider this as imitating a paid order through paypal. After an order is created, only after proper authorisation from PayPal's API, the attribute should be updated.
All you need to do is verify it right? So please remove this.

[mrsaicharan1]

You check if the PayPal token is associated with any of the orders

…

On Wed, 14 Aug 2019 at 7:56 PM, Duc Le Tran ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In app/api/helpers/payment.py <#6297 (comment)> : > + return False, 'Payment amount does not match order' + elif currency_server != order.event.payment_currency: + return False, 'Payment currency does not match order' + if sale_state != 'completed': + return False, 'Sale not completed' + elif PayPalPaymentsManager.used_payment(payment_id): + return False, 'Payment already been verified' + else: + return True, None + except paypalrestsdk.ResourceNotFound: + return False, 'Payment Not Found' + + @staticmethod + def used_payment(payment_id): + """ + Make sure same payment does not reused Orders should never be created with a paypal_token. Consider this as imitating a paid order through PayPal. After an order is created, only after proper authorization from PayPal's API, the attribute should be updated. All you need to do is verify it right? So please remove this. So how should I save a used payment ID? You told me to save it in the Order model, please clarify this for me? Thank you — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6297?email_source=notifications&email_token=AGAHUW3EJTFTR7DVIV5XDDLQEQIZLA5CNFSM4IJCOSKKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCBRQFOQ#discussion_r313904186>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGAHUW5XNXYJBCMS2UKIHSLQEQIZLANCNFSM4IJCOSKA> .

[iamareebjamal]

You are not even using the paypal token anywhere. There is no migration. So if you confirmed it to be working, then it can be removed safely without any issue

[anhanh11001]

@mrsaicharan1 @iamareebjamal please review

[mrsaicharan1]

@anhanh11001 This looks good but I have a question. What order object are you passing into the used_payment function?
Is the order object being created on android-client side with the amount, related event etc and then being passed into it?

[iamareebjamal]

@anhanh11001 Please respond

[anhanh11001]

@anhanh11001 This looks good but I have a question. What order object are you passing into the used_payment function?
Is the order object being created on android-client side with the amount, related event etc and then being passed into it?

Yes @mrsaicharan1

[iamareebjamal]

Let's merge this so that you guys can test on debug server