I'm making a website where users will be able to purchase points for use on the website. They will be able to input the amount they want to purchase, and once the purchase is complete I want to change some values behind the scenes.
I'm quite a green developer and I'm doing all this from scratch. I'm not looking for help with code I have written quite yet; I need guidance on what I need to learn in order to do this.
I'm using PayPal and Firebase. I need to use the user-input number to create a PayPal sale and then use that same number in my code within Firebase. My understanding is that if I do all this on the client, the user will be able to purchase one amount of points and then send a different number to Firebase. I need a way to keep all of this server-side, and I have been unable to find a solution so far.
I know the answer lies somewhere within the PayPal documentation, but I am so green that I don't even know where to begin. I believe that I need to use webhooks to have PayPal send data to my Firebase app once the purchase is complete, but I believe that I have read that even this can be exploited if I don't properly verify that the webhook came from PayPal. Does this sound right?
I think the simplest way to describe what I need to do is that I essentially just need to make something happen on Firebase after a successful PayPal sale. Any guidance would be greatly appreciated!
The way I have done this before, using Stripe (but the process should be similar to PayPal), is to use Firebase Cloud Functions. Generally what happens is:

1. The client (frontend) makes a request to create a payment intent / checkout session, which calls your Cloud Function. You send some extra information there: in your case, the UID of the user making the purchase, their /data or wherever you store their data in Firestore, and the quantity of points they wish to buy. Usually there is a metadata field you can add to the checkout session, where you can add the UID of the Firebase user and their document ID, as you'll need it to know how to fulfill the order in the 4th step.

2. Your first Cloud Function processes that request for the points they wish to buy (quantity x price = total; note: do not send the price from the client side, as the user can manipulate the price), and returns a payment page to Stripe / PayPal.

3. With the response returned from the Cloud Function to your frontend, you redirect the user to the checkout/payment page. Once the user is finished purchasing, PayPal / Stripe should send a webhook to your other Cloud Function (the webhook handler).

4. The other Cloud Function (webhook handler) receives some data from Stripe / PayPal (in your case it may be the amount paid or the item and quantity, and the UID of the user who paid, so you can look up their document in Firestore). The Cloud Function that handles the webhook can then update the user's data in Firestore. Generally the data sent from the webhook (what your Cloud Function receives) has a secret sent to you that you can verify with an API call or function call; it depends on the package you're using.
https://developer.paypal.com/docs/api/webhooks/v1/#verify-webhook-signature
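The four steps above, written out as an added example in plain Node.js (this is not code from the question, the answer, Firebase or PayPal). Maps stand in for the Firestore collections; the PayPal side is represented by the request bodies a real function would send (the Orders API body with `custom_id`, and the `verify-webhook-signature` body built from the `PAYPAL-*` headers) plus an injected `verify` function, so the whole flow runs offline. The price per point, the order id scheme, the header values, the webhook payloads and the webhook id are all constructed for the example. The points it demonstrates are the ones the answer calls out: the client sends only a quantity and the server prices it; the webhook is trusted only after PayPal confirms its signature; the captured amount is compared with the server-side total; and a redelivered event is not credited twice.

```javascript
// Constructed in-memory stand-ins for Firestore collections.
const users = new Map();           // uid -> { points }
const orders = new Map();          // our order id -> { uid, points, amount, status }
const processedEvents = new Set(); // PayPal event ids already applied
// Server-side price (hypothetical: 10 cents per point). The client sends a quantity, never a price.
const CENTS_PER_POINT = 10, MAX_POINTS_PER_ORDER = 10000, CURRENCY = 'USD';

// Total as the two-decimal string PayPal's amount.value uses.
function priceForPoints(points) {
  return (points * CENTS_PER_POINT / 100).toFixed(2);
}

// Steps 1-2: the "create checkout" function. In a real callable function the uid
// comes from the verified Firebase ID token; here it is passed in directly.
function createCheckout(uid, rawQuantity) {
  if (typeof uid !== 'string' || uid === '') throw new Error('unauthenticated');
  const points = Number(rawQuantity);
  if (!Number.isSafeInteger(points) || points < 1 || points > MAX_POINTS_PER_ORDER) {
    throw new Error('invalid quantity');
  }
  const amount = priceForPoints(points);
  const orderId = `ord_${orders.size + 1}`; // hypothetical id scheme
  orders.set(orderId, { uid, points, amount, status: 'CREATED' });
  // Body a real function would POST to PayPal's Orders API; custom_id carries our
  // order id so the webhook can be tied back to this uid and quantity.
  const orderRequest = {
    intent: 'CAPTURE',
    purchase_units: [{ custom_id: orderId, amount: { currency_code: CURRENCY, value: amount } }],
  };
  return { orderId, orderRequest };
}

// Body for POST /v1/notifications/verify-webhook-signature, built from the
// headers PayPal sends with each delivery (Node lower-cases header names).
function buildVerifyRequest(headers, event, webhookId) {
  return {
    auth_algo: headers['paypal-auth-algo'],
    cert_url: headers['paypal-cert-url'],
    transmission_id: headers['paypal-transmission-id'],
    transmission_sig: headers['paypal-transmission-sig'],
    transmission_time: headers['paypal-transmission-time'],
    webhook_id: webhookId,
    webhook_event: event,
  };
}

// Step 4: the webhook handler. `verify` is injected: in production it makes the
// verify-webhook-signature call and returns PayPal's JSON response.
function handleWebhook(headers, event, { webhookId, verify }) {
  const verdict = verify(buildVerifyRequest(headers, event, webhookId));
  if (!verdict || verdict.verification_status !== 'SUCCESS') {
    return { status: 400, reason: 'signature verification failed' };
  }
  if (event.event_type !== 'PAYMENT.CAPTURE.COMPLETED') {
    return { status: 200, reason: `ignored ${event.event_type}` };
  }
  if (processedEvents.has(event.id)) return { status: 200, reason: 'duplicate event' }; // retries
  const capture = event.resource;
  const order = orders.get(capture.custom_id);
  if (!order) return { status: 200, reason: 'unknown order' };
  // Compare with the total computed at checkout, never with a client-supplied value.
  if (capture.status !== 'COMPLETED' || capture.amount.currency_code !== CURRENCY ||
      capture.amount.value !== order.amount) return { status: 200, reason: 'amount mismatch' };
  if (order.status === 'FULFILLED') return { status: 200, reason: 'already fulfilled' };
  const balance = (users.get(order.uid) || { points: 0 }).points;
  users.set(order.uid, { points: balance + order.points }); // a transaction in real code
  order.status = 'FULFILLED';
  processedEvents.add(event.id);
  return { status: 200, credited: order.points };
}

// Constructed sample headers, webhook payloads and a stubbed verify call.
const sampleHeaders = {
  'paypal-auth-algo': 'SHA256withRSA',
  'paypal-cert-url': 'https://api.paypal.com/v1/notifications/certs/CERT-EXAMPLE',
  'paypal-transmission-id': 'tx-example',
  'paypal-transmission-sig': 'sig-example',
  'paypal-transmission-time': '2024-01-01T00:00:00Z',
};
let eventSeq = 0;
function captureEvent(orderId, value) {
  return { id: `WH-${++eventSeq}`, event_type: 'PAYMENT.CAPTURE.COMPLETED',
    resource: { status: 'COMPLETED', custom_id: orderId, amount: { currency_code: CURRENCY, value } } };
}
const deps = { webhookId: 'WEBHOOK-ID-EXAMPLE', verify: () => ({ verification_status: 'SUCCESS' }) };
const rejecting = { ...deps, verify: () => ({ verification_status: 'FAILURE' }) };

// Walk through: honest delivery, replayed delivery, tampered amount, bad signature.
function demo() {
  const uid = `user_${eventSeq}`;
  const { orderId, orderRequest } = createCheckout(uid, '250');
  const ev = captureEvent(orderId, orderRequest.purchase_units[0].amount.value);
  const first = handleWebhook(sampleHeaders, ev, deps);
  const replay = handleWebhook(sampleHeaders, ev, deps);
  const balance = users.get(uid).points;
  const other = createCheckout(uid, '10'); // totals 1.00
  const tampered = handleWebhook(sampleHeaders, captureEvent(other.orderId, '0.01'), deps);
  const badSig = handleWebhook(sampleHeaders, captureEvent(other.orderId, '1.00'), rejecting);
  return { uid, first, replay, balance, tampered, badSig };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and the printed object shows the first delivery crediting 250 points, the replay being ignored with the balance unchanged, the tampered 0.01 capture refused, and the unverified delivery answered with a 400. In a real deployment `verify` would POST `buildVerifyRequest(...)` to PayPal with an OAuth bearer token, `webhookId` would be the id PayPal assigned when you registered the webhook URL in the developer dashboard, and the balance update would be a Firestore transaction keyed on the user's document.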