
I'm implementing a payment method in my application, and the bank site sends back a POST request with information about the payment, like the status, the payment id ...

But to be sure the request is not from someone trying to do bad stuff, can I accept only requests from my bank's system? I'm looking for something to check in the request so that this action/controller only accepts requests from mybank.com and skips the others.

Artjom B.
Ugo Mare
  • I don't understand your question. Please explain more. Can we see what you implemented? – CodingSource Jan 09 '15 at 01:51
  • I have a controller with a payment_response action. This action is called back by the bank server with an XML POST when a user paid something. What I would like to do is to limit this route/action to a certain domain name, which is the bank's domain name. – Ugo Mare Jan 09 '15 at 01:56
  • If your payment processor doesn't offer a way to authenticate a payment, it's time to find a new payment processor. – ihaztehcodez Jan 09 '15 at 02:15

2 Answers

You can constrain the route:

post 'yourpath', to: 'controller#action', constraints: { protocol: 'https://', host: 'yourbank' }
shweta
  • The bank gave me the server IP, which is unique. post 'bank_response' => 'bank#payment_response', constraints: { ip: "127.0.0.1" } Thanks – Ugo Mare Jan 09 '15 at 22:56

You can try to check the referer and disallow requests that do not match:

if request.referer.to_s.starts_with?('https://your.bank/') # or request.env['HTTP_REFERER']; .to_s keeps this from raising when no Referer header was sent (nil)
  # do stuff
else
  # render error
end

But note: a) referrers are not secure. Everybody can fake them. b) your bank very likely does not send a referrer.

I would investigate other solutions: only allow requests from your bank's IP range and ask the bank to authenticate with a secret.

spickermann
  • Yeah, one of the best solutions is a secret sent by the bank with the data, but unfortunately mine does not offer it. I'll look around IP ranges, but the main problem is if the bank server changes its IP and is out of the range. – Ugo Mare Jan 09 '15 at 02:06
  • If your bank doesn't provide any way to ensure/prove authenticity of payment, I would not trust this bank at all. – spickermann Jan 09 '15 at 02:47
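The two defences recommended in this answer (an IP-range constraint on the route, plus a shared secret the bank uses to sign the callback) can both be expressed as plain Ruby objects, shown here as an added example that is not from either answer or from Rails itself. Rails accepts any object responding to matches?(request) in a route's constraints:, so the IP check below slots into config/routes.rb directly. The bank IP range 203.0.113.0/24, the header name X-Bank-Signature, the secret and the XML body are all constructed placeholders; the request object is a stand-in that only exposes the remote_ip, raw_post and headers methods the example needs, so it runs without Rails.

```ruby
require 'ipaddr'
require 'openssl'

# Route constraint: Rails calls matches?(request) on any object passed as
# `constraints:` and only routes the request when it returns true.
# Fails closed: a request from outside the bank's ranges (or with an
# unparsable address) never reaches the controller action.
class BankIpConstraint
  def initialize(cidrs)
    @ranges = cidrs.map { |cidr| IPAddr.new(cidr) }
  end

  def matches?(request)
    ip = IPAddr.new(request.remote_ip.to_s)
    @ranges.any? { |range| range.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Shared-secret check: the bank would send HMAC-SHA256(secret, raw body) in a
# header (X-Bank-Signature is an assumed name); we recompute it over the exact
# bytes received and compare in constant time.
class BankSignatureVerifier
  def initialize(secret)
    @secret = secret
  end

  def valid?(raw_body, signature_hex)
    return false if signature_hex.nil? || signature_hex.empty?
    expected = OpenSSL::HMAC.hexdigest('SHA256', @secret, raw_body.to_s)
    secure_equal?(expected, signature_hex)
  end

  private

  # Constant-time comparison so a mismatch does not leak how many leading
  # characters of the signature were correct.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for ActionDispatch::Request exposing only what the checks use
# (constructed for this example; in Rails the real request is passed in).
FakeRequest = Struct.new(:remote_ip, :raw_post, :headers)

# Combined decision a controller action could make before trusting the
# payment XML: both the source address and the signature must check out.
def accept_bank_callback?(request, ip_constraint, verifier)
  return false unless ip_constraint.matches?(request)
  verifier.valid?(request.raw_post, request.headers['X-Bank-Signature'])
end

# In config/routes.rb (not executed here) the constraint object is used as:
#   post 'bank_response', to: 'bank#payment_response',
#        constraints: BankIpConstraint.new(%w[203.0.113.0/24])

if __FILE__ == $PROGRAM_NAME
  constraint = BankIpConstraint.new(%w[203.0.113.0/24])   # constructed range
  verifier   = BankSignatureVerifier.new('constructed-shared-secret')
  body = '<payment><id>42</id><status>OK</status></payment>' # constructed body
  sig  = OpenSSL::HMAC.hexdigest('SHA256', 'constructed-shared-secret', body)

  good = FakeRequest.new('203.0.113.7', body, { 'X-Bank-Signature' => sig })
  bad  = FakeRequest.new('198.51.100.1', body, { 'X-Bank-Signature' => sig })
  puts "from bank range, valid signature: #{accept_bank_callback?(good, constraint, verifier)}"
  puts "outside bank range:               #{accept_bank_callback?(bad, constraint, verifier)}"
end
```

The IP constraint covers the concern raised in the comments about the bank changing its address: a callback from a new, unlisted address is rejected rather than silently accepted, so the failure is visible and the range can be updated. The signature check is what actually proves the callback came from the bank; if the bank cannot provide one, the IP constraint alone is the only line of defence.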