我从Python/Flask中的PayPal沙箱中获得以下标题:
request_headers = request.headers
print(request_headers)
Host: www.mysite.com
Content-Length: 1306
Accept: */*
Paypal-Transmission-Id: ****
Paypal-Transmission-Time: 2022-06-30T11:39:45Z
Paypal-Transmission-Sig: ****
Paypal-Auth-Version: v2
Paypal-Cert-Url: https://api.sandbox.paypal.com/v1/notifications/certs/CERT-*****
Paypal-Auth-Algo: SHA256withRSA
Content-Type: application/json
User-Agent: PayPal/AUHD-****
Correlation-Id: ****
Cal-Poolstack: amqunphttpdeliveryd:UNPHTTPDELIVERY*CalThreadId=0*TopLevelTxnStartTime=****Host=***
X-B3-Spanid: ***
Client-Pid: ****
X-Cloud-Trace-Context:***
X-Appengine-City: ?
X-Appengine-Citylatlong: 0.000000,0.000000
X-Appengine-Country: US
X-Appengine-Region: ?
Via: 1.1 google
X-Forwarded-For: ***,***
X-Forwarded-Proto: https
不幸的是,没有webhookId如文档中,用这种形状和验证签名:
<transmissionId>|<timeStamp>|<webhookId>|<crc32>
是因为沙箱环境吗?如何知道付款是否来自Paypal而不是欺诈?
用于验证的webhook id不包含在报头中,因为如果包含,它可能被发送恶意/假冒webhook的人欺骗。
当你通过API或web界面订阅webhook时,webhook id会返回,并且可以在REST APP管理界面中查找(或者通过列表webhooks API进行查询)