google checkout html api - get payment status without HTTPS?

0
votes

When I log into my merchant account, in the Settings tab I can set the callback URL.

The problem is that, without HTTPS, the only option is to send back a serial number to the callback URL.

Callback contents:
[x] Notification Serial Number
e.g. serial-number=123-456-7
[ ] Notification as XML (Requires an HTTPS URL)
e.g. 123...
[ ] Notification as HTML (name/value pairs) (Requires an HTTPS URL)
e.g. google-order-number=123&...

So from this serial number, is it possible for my server-side script to get the status of the order?

I need to get the payment status of the order (paid or not, amount paid) & the order number sent back to my (custom) cart so that I can update my database.

(I can't get HTTPS at the moment because the person whose website it is doesn't want to get it)

1
phphtmlformsgoogle-checkout
I should think the answer is no - anything related to payment should be done in an encrypted session.halfer
the person whose website it is doesn't want to get it - do you mean they don't want to pay for an SSL cert? They're very cheap these days, I believe.halfer
Yeah I know they're just £60 for the minimum per year! I'm making this website for a friend (for free), and this person really doesn't want to pay for a certificate yet (not until they get some orders in)Ozzy
So I definitely can't integrate my custom order processing with google checkout without the HTTPS right?Ozzy
@halfer Yes I think you're right. Its not really a major problem, just a bit of a bummer that non-google orders will be viewed in the custom cart but google orders have to be viewed separately in google checkout.Ozzy

1 Answers

2
votes

I would caution you regarding your accepted answer.

  1. continue_url is not an "auto-redirect". You are fully dependent on the user actually clicking that link instead of any other link in the page - notably, Google's own link to go the user's Wallet page where he/she has access to all his/her orders.

    You are therefore risking your operations by possibly not having all the orders in your own system.

  2. All Google Checkout orders have order statuses that you should really be aware of. You are already making an assumption in #1 that the user will actually click your continue_url link - additionally, you have also opened yourself up to the possibility that you are tracking orders that may not actually be approved by Google, or fails some monetary/risk authorization or check.

    If a user does in fact click the link you provide, but Google has issues with the order, your system has "money" where it shouldn't.

  3. The only reliable method of implementing Google Checkout API and integrating it with your systems is to follow documentation/instructions - in this case you must implement Notification API.

  4. Yes, you can obtain all order data without installing/purchasing SSL cert for your server using serial number notification - which is what you describe.

    • XML/name-value notification is a "push" model - Google will "push" data to you. You will authenticate Google's basic auth request (which is why SSL is required).
    • serial number notification is "pull" model - you will "pull" data from Google (given a serial number - and that is why SSL is not required on your end - you will authenticate your pull request and send your request with SSL). Google isn't sending you any data, just a serial number. You will use this serial number to obtain data associated with it and provide authentication to Google - your request will use SSL.

  5. You will use serial number notification with Notification History API to obtain data.

The links above should lead you to complete documentation/reference. If you have questions, comment here, or post it at Google Checkout Product Forums.

Hth....