Tags: node.js, reactjs, razorpay

Razorpay web API verification step


In the Razorpay web API docs, it is given that on successful payment, three things are returned to the Checkout form, i.e. razorpay_order_id, razorpay_payment_id and razorpay_signature. For verification, we need to generate a signature from order_id (which we get from order creation), razorpay_payment_id and key_secret, which we get from the dashboard. If the generated signature and razorpay_signature match, then the payment is verified. My question is: what are we verifying here (what would happen if we skipped this step, i.e. what is the purpose of this step)? Also, I think if the payment was successful then the razorpay_order_id which we got would be the same as order_id. Why don't we just compare the order_id and razorpay_order_id?


Solution

  • This is a mandatory step that allows you to confirm the authenticity of the details returned to the Checkout form for successful payments.

    The idea is not to just compare the orderIds, as the orderId is a part of the UI and is visible with the view source.

    Say, we are expecting only orderId and paymentId.

    A hacker generates a random payment id and triggers a payment success callback with orderId (visible in source) and paymentId. How do we identify here that the paymentId is a valid one?

    If the signature you generate on your server matches the razorpay_signature returned to you by the Checkout form, the payment received is from an authentic source.

    When we verify the signature we are able to identify that this is a valid callback from Razorpay servers.