
I've recently wanted to start implementing APIs into my website but I've come across some problems regarding validations due to my lack of knowledge on how to properly send JSON data with Ruby on Rails. I've worked with some APIs and JSON in the past, but this is the first time I've done both at the same time, and my experience in RoR is still lacking.

My first instinct was to just concatenate the parameters onto the URL, and after seeing a more positive (albeit still incomplete) JSON response from the API I thought I was on the right track, but after failing to get a successful response I started digging into what exactly I was sending; that's when I noticed two problems.

The first problem was that there was sensitive information inside the URL, like my clientID, information about a purchase like the price and description, along with a secret key encrypted with MD5 and a bit of encryption salt, but according to the documentation it's safe and just for comparison with the server's received information, so all in all I was not too worried about compromising that kind of information. Still, I wanted to improve on my code and protect as much information as possible.

My second problem was more significant: I noticed the information sent across was incomplete, due to the limited space in the URL parameters.

Right then I knew I was doing something wrong, so I started digging for alternatives, preferably with a POST response; however, I still lack the knowledge on how to properly send the parameters with a POST, and the information was still when I tried using forms. Worse still, it seemed the parameters I was sending came out empty on the other end, unlike my previous attempts, so I started to dig more into it.

Then I found that the link_to helper could send parameters, but after some testing it wasn't working, and then I found out that to send parameters to external sites with Rails the suggested method was to concatenate the parameters into the URL, so I came back full circle.

So my question would be: how do you send parameters to an external website (preferably while keeping all the information as safe as possible) without a form (as all the information has previously been filled out in a previous form) in Rails?

While I have worked with both APIs and JSON before, they are still subjects I'm not too comfortable working with yet, and to some extent I'm still learning a lot in RoR.

This was the code (the real one looks a bit different) that was giving me the most results:

My controller, order_controller.rb:

def confirm_order

  #Here I group all the parameters I'll need

  @payment_params = []
  description = "create_"+ @order.name.gsub(' ','_')
  device_info = "WEB"
  currency = @order.currency
  fee = @order.price
  #this was to concatenate the url, previously I had the name of each parameter and the "&" taken into account, the response was different as I added each.
  @payment_params << description << device_info << currency << fee
end

And in my view, confirm_order.html.erb, something like:

<a href="<%= "https://payexample/something/order?" + @payment_params %>">Confirm order</a>

Any insight is welcome, but right now I'm really clueless on how to even approach the question as I've exhausted everything I've learned.

Bluespheal
  • If you want to do a post, you should either build a form, or move towards a Javascript approach, in which you catch the link click and transform the request into a post request, through Ajax for instance. – bo-oz Feb 21 '19 at 06:01
  • Not sure if you're concerned about security or not, maybe https://github.com/jwt/ruby-jwt helps. You can use the encoded token as a parameter, the payload can be as long as you want. The only downside is that the receiver has to decode the token to see the params. – razvans Feb 21 '19 at 07:45

1 Answer


I’m a bit confused by what your UI looks like, but I would keep all of that info out of the link and make sure to do the confirmation in a POST (as some browsers preload links which can lead to unintended purchases if you keep it as a link). I would instead use the button_to helper.

I’m not sure how you’re keeping track of the order, whether it’s in the database or session or what. So you may have to modify this a little to pass the right params through.

https://apidock.com/rails/ActionView/Helpers/UrlHelper/button_to

<%= button_to('Confirm order', action: 'confirm_order') %>

Then in your confirm_order action, you can redirect to the payment site, as opposed to putting all of that confidential info on the page the whole time. If someone is watching the network traffic, they'll see it come through in the header real quick, but it's less easy to spot than a link on the page that you can open in a new tab multiple times.

def confirm_order
  # Group the parameters the payment site needs as a Hash of named keys,
  # not a bare Array: interpolating an Array into the URL gives its inspect
  # form ('["create_x", "WEB", ...]'), not "description=create_x&device_info=WEB&...".
  payment_params = {
    description: "create_" + @order.name.gsub(' ', '_'),
    device_info: "WEB",
    currency:    @order.currency,
    fee:         @order.price
  }

  # Hash#to_query (ActiveSupport) percent-encodes each key and value and joins
  # them with "&". allow_other_host: true is required for a redirect to another
  # host on Rails 7+ (which otherwise raises) and is ignored by Rails 5 and 6.
  redirect_to("https://payexample/something/order?#{payment_params.to_query}",
              allow_other_host: true)
end

I’m not exactly sure what you want that redirect url to be. That depends on the external site. If you need it to be querystring parameters, you can make a hash of keys and values and use the to_query method to turn it into a querystring.

https://apidock.com/rails/Hash/to_query

Nate
  • This is what I needed. I still forget that the controller can and should do these kinds of requests; even then, I didn't know I could use redirect_to for external sites, I've always used it to redirect to an action. – Bluespheal Feb 22 '19 at 04:31
  • Ahh, yup! You can redirect to anywhere. If the argument is a Hash, Rails will use the router to build the url. If it’s a string, it’ll redirect as is. There’s some other cool options such as calling redirect_to and giving it an ActiveRecord object as the argument, or using one of the named routes. I would recommend you read this documentation and also the documentation on url_for (which redirect_to uses to build the URL). I think you’ll find it very helpful. https://apidock.com/rails/ActionController/Redirecting/redirect_to – Nate Feb 22 '19 at 04:35
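As an added example (not code from the original question or answer), here is the query-string building the answer recommends, done in plain Ruby so it runs without Rails: URI.encode_www_form from the standard library does what ActiveSupport's Hash#to_query does (percent-encode each key and value, join them with "&"), shown next to the Array interpolation from the question so the difference the receiving end saw becomes visible. The Order struct, the parameter names, the sample order and the received_params helper are assumed stand-ins; the payexample host is the placeholder from the question. Whichever way the string is built, a query string ends up in browser history, proxy and web-server logs and Referer headers, so the answer's advice to keep it off the page and issue it from a POST-triggered redirect still applies.

```ruby
require "uri"

# Added example, not code from the original question or answer.
# The host is the placeholder used in the question.
PAYMENT_ENDPOINT = "https://payexample/something/order"

# Assumed stand-in for the @order model used in the question.
Order = Struct.new(:name, :currency, :price)

# Named parameters as a Hash, the shape Hash#to_query expects.
def payment_params(order)
  {
    "description" => "create_" + order.name.gsub(" ", "_"),
    "device_info" => "WEB",
    "currency"    => order.currency,
    "fee"         => order.price
  }
end

# Equivalent of the answer's "#{url}?#{params.to_query}" using only the
# standard library: each key and value is percent-encoded, so an "&" inside
# the description becomes %26 and cannot be mistaken for a field separator.
def payment_url(order, endpoint = PAYMENT_ENDPOINT)
  "#{endpoint}?#{URI.encode_www_form(payment_params(order))}"
end

# What the question's code produced: interpolating an Array calls Array#to_s,
# which is its inspect form, so the receiver gets no named parameters at all.
def array_interpolation_url(order, endpoint = PAYMENT_ENDPOINT)
  params = []
  params << ("create_" + order.name.gsub(" ", "_")) << "WEB" << order.currency << order.price
  "#{endpoint}?#{params}"
end

# What the payment site sees after parsing the query string: a Hash of
# strings (numbers arrive as text, so the receiver must convert them).
# The URL is split on the first "?" rather than parsed with URI() so that the
# malformed Array form can be inspected too.
def received_params(url)
  query = url.split("?", 2)[1].to_s
  URI.decode_www_form(query).to_h
end

if __FILE__ == $PROGRAM_NAME
  order = Order.new("Blue Widget & Case", "EUR", 1999)
  puts payment_url(order)
  p received_params(payment_url(order))
  puts array_interpolation_url(order)
  p received_params(array_interpolation_url(order))
end
```

Running the script prints the properly encoded URL and its parsed parameters, then the Array form, whose "parameters" parse to two nonsense keys with empty values, which is the "came out empty on the other end" effect the question describes.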