Search code examples
paypalpaypal-ipn

PayPal Webhook cannot be validated

This might seem like a duplicate question but I wouldn't be here if any of the proposed solutions did work. I have been trying to integrate PayPal IPN on my server-side according to their docs and the Github code sample here https://github.com/paypal/ipn-code-samples/blob/master/python/paypal_ipn.py

I have changed the encoding of my sandbox business account to UTF-8 as per this answer Paypal sandbox IPN return INVALID but I keep getting the same INVALID response.

I am using python with Django REST framework. Here's my code.

class PaypalWebhookAPIView(APIView):
    permission_classes = (AllowAny,)

    def post(self, request, *args, **kwargs):
        VERIFY_URL_PROD = 'https://ipnpb.paypal.com/cgi-bin/webscr'
        VERIFY_URL_TEST = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
        # Switch as appropriate
        VERIFY_URL = VERIFY_URL_TEST
        data = {
            'cmd': '_notify-validate',
            **request.data
        }
        # Post back to PayPal for validation
        headers = {'content-type': 'application/x-www-form-urlencoded',
                   'user-agent': 'Python-IPN-Verification-Script'}
        response = requests.post(VERIFY_URL, data=data,
                                 headers=headers)
        response.raise_for_status()
        import pdb
        pdb.set_trace()

        # Check return message and take action as needed
        if response.text == 'VERIFIED':
            pass
        elif response.text == 'INVALID':
            pass
        else:
            pass

This is the IPN message I received. You will notice that when checking out I added a custom_id field.

{'id': 'WH-8VT506292F0529107-6AL76556YR820754B', 'event_version': '1.0', 'create_time': '2020-02-10T05:44:14.774Z', 'resource_type': 'capture', 'resource_version': '2.0', 'event_type': 'PAYMENT.CAPTURE.COMPLETED', 'summary': 'Payment completed for $ 30.0 USD', 'resource': {'id': '5YA69751S2248772K', 'amount': {'currency_code': 'USD', 'value': '30.00'}, 'final_capture': True, 'seller_protection': {'status': 'ELIGIBLE', 'dispute_categories': ['ITEM_NOT_RECEIVED', 'UNAUTHORIZED_TRANSACTION']}, 'seller_receivable_breakdown': {'gross_amount': {'currency_code': 'USD', 'value': '30.00'}, 'paypal_fee': {'currency_code': 'USD', 'value': '1.32'}, 'net_amount': {'currency_code': 'USD', 'value': '28.68'}}, 'custom_id': 'RO8ZXX20', 'status': 'COMPLETED', 'create_time': '2020-02-10T05:44:10Z', 'update_time': '2020-02-10T05:44:10Z', 'links': [{'href': 'https://api.sandbox.paypal.com/v2/payments/captures/5YA69751S2248772K', 'rel': 'self', 'method': 'GET'}, {'href': 'https://api.sandbox.paypal.com/v2/payments/captures/5YA69751S2248772K/refund', 'rel': 'refund', 'method': 'POST'}, {'href': 'https://api.sandbox.paypal.com/v2/checkout/orders/5GN0468041100792N', 'rel': 'up', 'method': 'GET'}]}, 'links': [{'href': 'https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-8VT506292F0529107-6AL76556YR820754B', 'rel': 'self', 'method': 'GET'}, {'href': 'https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-8VT506292F0529107-6AL76556YR820754B/resend', 'rel': 'resend', 'method': 'POST'}]}

This is the data I am sending back.

{'cmd': '_notify-validate', 'id': 'WH-8VT506292F0529107-6AL76556YR820754B', 'event_version': '1.0', 'create_time': '2020-02-10T05:44:14.774Z', 'resource_type': 'capture', 'resource_version': '2.0', 'event_type': 'PAYMENT.CAPTURE.COMPLETED', 'summary': 'Payment completed for $ 30.0 USD', 'resource': {'id': '5YA69751S2248772K', 'amount': {'currency_code': 'USD', 'value': '30.00'}, 'final_capture': True, 'seller_protection': {'status': 'ELIGIBLE', 'dispute_categories': ['ITEM_NOT_RECEIVED', 'UNAUTHORIZED_TRANSACTION']}, 'seller_receivable_breakdown': {'gross_amount': {'currency_code': 'USD', 'value': '30.00'}, 'paypal_fee': {'currency_code': 'USD', 'value': '1.32'}, 'net_amount': {'currency_code': 'USD', 'value': '28.68'}}, 'custom_id': 'RO8ZXX20', 'status': 'COMPLETED', 'create_time': '2020-02-10T05:44:10Z', 'update_time': '2020-02-10T05:44:10Z', 'links': [{'href': 'https://api.sandbox.paypal.com/v2/payments/captures/5YA69751S2248772K', 'rel': 'self', 'method': 'GET'}, {'href': 'https://api.sandbox.paypal.com/v2/payments/captures/5YA69751S2248772K/refund', 'rel': 'refund', 'method': 'POST'}, {'href': 'https://api.sandbox.paypal.com/v2/checkout/orders/5GN0468041100792N', 'rel': 'up', 'method': 'GET'}]}, 'links': [{'href': 'https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-8VT506292F0529107-6AL76556YR820754B', 'rel': 'self', 'method': 'GET'}, {'href': 'https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-8VT506292F0529107-6AL76556YR820754B/resend', 'rel': 'resend', 'method': 'POST'}]}
Solution

  • This is the IPN message I received

    You did not receive an IPN. You received a Webhook event notification. Webhooks do not use postbacks for validation, but rather a signature in the event's header.

    Instant Payment Notification (IPN) -- which uses postbacks to the ipnpb host with &cmd=_notify-validate for validation -- is a much older service that predates the existence of Webhooks.