I'm getting the following header from the PayPal sandbox in Python/Flask:
request_headers = request.headers
print(request_headers)
Host: www.mysite.com
Content-Length: 1306
Accept: */*
Paypal-Transmission-Id: ****
Paypal-Transmission-Time: 2022-06-30T11:39:45Z
Paypal-Transmission-Sig: ****
Paypal-Auth-Version: v2
Paypal-Cert-Url: https://api.sandbox.paypal.com/v1/notifications/certs/CERT-*****
Paypal-Auth-Algo: SHA256withRSA
Content-Type: application/json
User-Agent: PayPal/AUHD-****
Correlation-Id: ****
Cal-Poolstack: amqunphttpdeliveryd:UNPHTTPDELIVERY*CalThreadId=0*TopLevelTxnStartTime=****Host=***
X-B3-Spanid: ***
Client-Pid: ****
X-Cloud-Trace-Context:***
X-Appengine-City: ?
X-Appengine-Citylatlong: 0.000000,0.000000
X-Appengine-Country: US
X-Appengine-Region: ?
Via: 1.1 google
X-Forwarded-For: ***,***
X-Forwarded-Proto: https
Unfortunately, there is no webhookId as described in the documentation, nor a validation signature with this shape:
<transmissionId>|<timeStamp>|<webhookId>|<crc32>
Is it because of the sandbox environment? How can I know if the payment comes from PayPal and is not a fraud?
CodePudding user response:
The webhook id used for verification is not included in the header since if it was, it could be spoofed by someone delivering a malicious/fake webhook.
The webhook id is returned when you subscribe to webhooks via API or in the web interface, and can be looked up in the REST app management interface (or queried via the list webhooks API as well).
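To make the answer concrete, here is an added example (not code from the asker, the answerer, or PayPal) of how the headers shown in the question combine with a locally configured webhook id to rebuild the signed string `<transmissionId>|<timeStamp>|<webhookId>|<crc32>` and check the signature. The header values, body and webhook id below are constructed placeholders; the certificate PEM is assumed to have been fetched separately from the `Paypal-Cert-Url` only after that URL passes the host check, and the RSA verification step assumes the third-party `cryptography` package.

```python
import base64
import zlib
from urllib.parse import urlparse

# Constructed sample values (not real PayPal data), shaped like the headers
# printed in the question. Flask's request.headers is case-insensitive; a
# plain dict like this one is used here so the example runs without Flask.
SAMPLE_HEADERS = {
    "Paypal-Transmission-Id": "6d2e6e40-0000-0000-0000-000000000000",
    "Paypal-Transmission-Time": "2022-06-30T11:39:45Z",
    "Paypal-Cert-Url": "https://api.sandbox.paypal.com/v1/notifications/certs/CERT-PLACEHOLDER",
    "Paypal-Auth-Algo": "SHA256withRSA",
    "Paypal-Transmission-Sig": "",  # base64 RSA signature in a real delivery
}
SAMPLE_BODY = b'{"id":"WH-PLACEHOLDER","event_type":"PAYMENT.CAPTURE.COMPLETED"}'

# The webhook id comes from your own configuration (REST app management page
# or the list-webhooks API), never from the incoming request.
WEBHOOK_ID = "WEBHOOK-ID-PLACEHOLDER"


def expected_message(headers, raw_body, webhook_id):
    """Rebuild the string PayPal signs:
    transmissionId|timeStamp|webhookId|crc32, where crc32 is the unsigned
    decimal CRC-32 of the raw (unparsed) request body."""
    crc = zlib.crc32(raw_body) & 0xFFFFFFFF
    return "|".join([
        headers["Paypal-Transmission-Id"],
        headers["Paypal-Transmission-Time"],
        webhook_id,
        str(crc),
    ])


def cert_url_is_trusted(cert_url):
    """Only fetch the signing certificate from a PayPal host over HTTPS.
    Trusting an arbitrary Cert-Url would let a sender validate a forged
    webhook with a certificate they control."""
    u = urlparse(cert_url)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == "paypal.com" or host.endswith(".paypal.com"))


def verify_signature(headers, raw_body, webhook_id, cert_pem):
    """Verify Paypal-Transmission-Sig over the rebuilt message using the RSA
    public key in cert_pem (SHA256withRSA = PKCS#1 v1.5 with SHA-256).
    cert_pem is the PEM text fetched from a trusted Cert-Url."""
    if headers.get("Paypal-Auth-Algo") != "SHA256withRSA":
        return False
    if not cert_url_is_trusted(headers.get("Paypal-Cert-Url", "")):
        return False

    # Imported here so the stdlib-only checks above work without the package.
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    message = expected_message(headers, raw_body, webhook_id).encode("utf-8")
    signature = base64.b64decode(headers["Paypal-Transmission-Sig"])
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```

In the Flask handler this would be called as `verify_signature(request.headers, request.get_data(), WEBHOOK_ID, cert_pem)`, with the raw body taken before any JSON parsing so the CRC-32 matches what PayPal computed, and the certificate fetched (and ideally cached) only after `cert_url_is_trusted` returns True. Rejecting the request when the signature does not verify is what answers the question's "is it a fraud" concern; the webhook id being absent from the headers is exactly what forces the check to be anchored in your own configuration.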