Verify Googlecheck callback is actually from google

Question

I am building a Google checkout system. It works perfectly. I want to add an additional step to verify that the API notifications coming are from google and that the transaction is valid.

I can do curl notification-history-request on a 100% valid and charged transaction and it still comes back with the Financial Order State set to "Reviewing" when the transaction should say charged. Is there anyway to get it to tell me what it has charged?

Answer 1

Actually, its not 2 questions.

 $fields = array(
    '_type'                                 => 'notification-history-request',
    'order-numbers.google-order-number-1'   => 'ORDER_ID',
    'notification-types.notification-type-1'    => 'charge-amount',
);

That solves the issue. This way allows you to call google and ask if the transaction notification is 100% valid in PHP. It is possible to access your incoming API page and inject the information for a transaction. So, before you ship out everything you should ask google if it is valid AND if it has been paid for. Even if you have received the new-order-notification, risk-information, and order-state-change.

Answer 2

You have 2 unrelated questions (I think) -

1. the Google API has security "baked in" in any of the Notification options/versions you choose.

   • XML/Name value notification: SSL + Basic Auth. You will need to authenticate the POST from Google. They will send your MID/Key combination for username/password respectively.
   • Serial Number notification: Google will POST a serial number (no data, no basic auth headers, just a serial-number) to your listener. You will have to pull the data represented by that serial number from Google. You will send your credentials to Google so they can authenticate your request and (only) respond with the data accordingly.

2. What are you requesting in your Notification History request? See if this sample that requests for specific types of notifications, e.g. charge-amount, helps you.

Hth