in-app micro purchases with paypal, without using a web interface? - java

I'm writing utilities in Java and other languages I would like to charge a small subscription fee for. The Paypal micro payments for digital goods look like a working solution for this as a contractual basis, however, their implementation as far as I can tell is always dependent on some web browser based intermediate step.
The way I would like to implement this is completely in-app similar to the following flow:
My application checks with paypal if the subscription is current/present.
If not, a dialog is presented to the user that asks for their paypal details.
They can choose between several subscription models, or restore an already purchased subscription.
My application stores a unique purchase/subscription UID locally which it uses to check with paypal whether the subscription is current.
Once paid, the customer can manage their subscription through their Paypal web interface (i.e. nothing I need to implement at my end)
Every time my application starts on their computers, it contacts paypal with the stored subscription UID to find out whether their subscription is still current.
Can anyone shed some light on how/whether this is possible?
Thanks!
Balt

Short answer: you cannot currently access PayPal's Digital Goods micropayments solution except through a web browser integration. It is part of PayPal's web-based classic/pro product suite.
If you want or need an in-app solution look at PayPal's in-app product sets, either the PayPal Mobile Payment API/SDK or (better, IMO) the Braintree APIs that incorporate PayPal payments. You won't get the micropayment pricing & related features but you can get a good chunk of what you are looking for.
A bit of background:
PayPal has many products and unfortunately the products differ substantially in both integration style and payment capabilities. In other words, what you can do in one integration style you may not be able to do in another integration style. This is largely a historical artifact from 15 years of evolution on the fast-moving web (and differences in how secure various integration styles have been understood to be over time), but that doesn't help you the customer out much.
Perhaps unsurprisingly the deepest/most flexible products are the oldest ones, Website Payments Standard/Express Checkout/Pro -- but unfortunately these have the oldest integration styles. They predate smartphones (and hence apps) and even the web APIs are now pretty dated.
The newest products, the REST APIs and Braintree integrations, are undergoing the most rapid evolution. Ultimately these will have even more functionality than the older products, although probably not identical functionality (so it may not always be exactly a 1:1 translation to update from old to new). If these new products offer enough for you to get started, use them. If not, fall back on the old stuff and live with the integration limitations.

Related

How to find the time it will take to travel between two places in an android app

I am working on a school project and need to calculate the time it will take to travel between two locations preferably with the option to specify the mode of transportation inside of an android app.
I have come across the Google Distance Matrix API (documentation here) which seems to have the features that I am looking for, but it warns...
"If you are building a mobile application, you will need to introduce a proxy server to act as intermediary between your mobile application and the Google Maps API Web Services."
I know that this is for the protection of the API key and want to follow this pretty diligently. I'm wondering, is there another way to get the data I need for the app without setting up a proxy server?
I know I could use a service like Heroku to run the code that accesses the API, but this seems like a difficult option given that this is just a school project. Any other ideas on how to get the travel time for my app?
Setting up a proxy server is the best way to secure your API key, but Google also suggests other security techniques such as obfuscation and pinning.
Having said that, if this is a school project and you won't make your API key public in a production environment, then you can just leave your API key unrestricted (and without a proxy server).
But do make sure that you monitor your API usage on a regular basis and that you regenerate your API key periodically and/or as needed. It's also strongly recommended that you set daily quota limits and budget alerts as per this FAQ so that you don't go over budget regardless.
Hope this helps!
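What the recommended proxy actually has to do is small: hold the key on the server, accept only the handful of parameters the app is allowed to influence, and forward the request. The following is an added Go example (not code from the question, the answer or Google's documentation). It assumes the Distance Matrix query parameters `origins`, `destinations`, `mode` and `key` and the JSON endpoint URL shown; the key comes from the server's environment and never appears in anything the app sees.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/url"
	"os"
)

// defaultUpstream is the Distance Matrix endpoint (assumed for this example).
const defaultUpstream = "https://maps.googleapis.com/maps/api/distancematrix/json"

// allowedModes is the whitelist of travel modes the app may request.
var allowedModes = map[string]bool{
	"driving": true, "walking": true, "bicycling": true, "transit": true,
}

// Proxy holds the API key server-side and forwards whitelisted queries.
type Proxy struct {
	APIKey   string       // read from the server environment, never sent to the app
	Upstream string       // overridable so tests can point at a fake server
	Client   *http.Client // outbound client used to reach the upstream API
}

// buildUpstreamURL copies only the parameters the app is allowed to set and
// attaches the key. Anything else in the app's query (including a client
// supplied "key") is dropped, so the app cannot redirect or widen the request.
func (p *Proxy) buildUpstreamURL(q url.Values) (string, error) {
	origins, dests, mode := q.Get("origins"), q.Get("destinations"), q.Get("mode")
	if origins == "" || dests == "" {
		return "", errors.New("origins and destinations are required")
	}
	if len(origins) > 200 || len(dests) > 200 {
		return "", errors.New("parameter too long")
	}
	if mode == "" {
		mode = "driving"
	}
	if !allowedModes[mode] {
		return "", errors.New("unsupported mode")
	}
	u, err := url.Parse(p.Upstream)
	if err != nil {
		return "", err
	}
	v := url.Values{}
	v.Set("origins", origins)
	v.Set("destinations", dests)
	v.Set("mode", mode)
	v.Set("key", p.APIKey)
	u.RawQuery = v.Encode()
	return u.String(), nil
}

// ServeHTTP is the endpoint the Android app calls instead of Google.
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	target, err := p.buildUpstreamURL(r.URL.Query())
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	resp, err := p.Client.Get(target)
	if err != nil {
		// Do not echo err: it contains the full upstream URL, key included.
		http.Error(w, "upstream error", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(resp.StatusCode)
	// Cap the relayed body so a misbehaving upstream cannot exhaust the proxy.
	io.Copy(w, io.LimitReader(resp.Body, 1<<20))
}

func main() {
	p := &Proxy{
		APIKey:   os.Getenv("MAPS_API_KEY"), // set on the server, not in the APK
		Upstream: defaultUpstream,
		Client:   http.DefaultClient,
	}
	http.ListenAndServe(":8080", p)
}
```

Per-client rate limiting and the daily quota on the key itself belong on top of this; a shared secret baked into the APK can add some friction, but it is extractable, so the quota remains the real backstop against abuse.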

Can a subscription billing platform be used without a database?

I need to integrate a subscription billing platform into my software. Examples of this are Pabbly or Recurly. There are loads out there, and generally they all work in a similar way and include APIs for a developer to use. Which I choose doesn't particularly matter for this question I don't think.
In terms of the software it is a Java application that a user runs on their own computer. Currently I keep no database of users and the software is free.
I need to add a subscription model to the software so that a user can pay for it, enabling particular features to be available to them.
The question is, can the software in combination with a subscription platform be used without a database (other than the database the billing platform is using)?
If possible I would like to avoid storing any customer data. Can I just use the APIs provided and the information stored by the billing platform to have the functionality I need?
My initial thoughts are that the user can enter their details via some kind of portal, which are sent to the billing platform, then depending on the state of their subscription the software would generate some kind of encrypted key which expires with the subscription. Would something like that be possible?
(disclaimer, I work for Recurly). What you are looking to do could be achievable with our software. Events inside of Recurly trigger webhooks, which you could consume to update access and provisioning on your side. Any API calls you submit to Recurly would also give you an API response that contains all the information you'd need to provision an account.
For example, when a customer subscribes, you'll get XML in response that indicates the plan they signed up for (ie, what features to give) and when the bill period ends (when you might remove access). If the customer ever has a payment issue, we'll send you a webhook, so you would know to remove access (and perhaps put up a past due banner) until they pay.
Take a look at https://docs.recurly.com/docs/webhooks and https://dev.recurly.com/page/webhooks#dunning-event-notifications as a starting point, and let us know if you have more questions!
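The "encrypted key which expires with the subscription" from the question is better built as a signed entitlement than an encrypted one: the desktop app only needs to verify, so it only has to carry a public key, and nothing secret ships in the binary. The following is an added Go example (not code from the question, the answer or Recurly). It assumes a server-side component, fed by the billing platform's webhooks or API responses, that issues the token; the claim names (`customer_id`, `plan`, `expires_at`) are an assumption for this example, not a Recurly or Pabbly format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Entitlement is the claim set the billing side signs (assumed field names).
type Entitlement struct {
	CustomerID string    `json:"customer_id"`
	Plan       string    `json:"plan"`
	ExpiresAt  time.Time `json:"expires_at"`
}

// Issue runs server-side, e.g. in the webhook consumer, with the private key.
// The token is base64url(payload) "." base64url(signature).
func Issue(priv ed25519.PrivateKey, e Entitlement) (string, error) {
	payload, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify runs inside the desktop app with only the public key embedded.
// It checks the signature before trusting any field, then the expiry.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Entitlement, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bad signature")
	}
	var e Entitlement
	if err := json.Unmarshal(payload, &e); err != nil {
		return nil, err
	}
	if !now.Before(e.ExpiresAt) {
		return nil, errors.New("entitlement expired")
	}
	return &e, nil
}

func main() {
	// Key generation happens once on the server; only pub is compiled into the app.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tok, err := Issue(priv, Entitlement{
		CustomerID: "cust_123", // constructed sample customer
		Plan:       "pro",
		ExpiresAt:  time.Now().Add(30 * 24 * time.Hour),
	})
	if err != nil {
		panic(err)
	}
	e, err := Verify(pub, tok, time.Now())
	fmt.Println(e, err)
}
```

The app stores the token locally and re-verifies it at each start, so it works offline until the expiry; a renewal fetched after the next successful bill extends it. This stops casual sharing and editing of the licence file, not a determined user patching the binary, and it keeps no customer data anywhere but in the billing platform and the token the customer holds.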

Is Oauth2 a suitable choice for our needs?

1 - Current situation
We've got a REST API (coded with the Play framework 2.5 in Java) and four front-ends interacting with it (two web apps: a back office and our site coded with React, and two mobile apps: Android and iOS).
Everything is working correctly, but without user management.
2 - What we want to do
We would like to add user management with two roles: user (can sign up and log in to our site and our mobile apps) and admin (can do everything a user can do plus can log in to the back office). In other terms, administrators can use all web services whereas users can only use some of them.
Firstly, users have to be able to sign up with email and password.
As a second step (this is not part of our MVP), we would like to give the opportunity to register using a Google or a Facebook account.
3 - Technical choice
After reading a lot, we think that an authentication whose authorization step is taken care of by Oauth2 is a suitable choice.
But, during our research, we found articles that have made us hesitate, with sentences like these ones:
"You should only use OAuth if you actually need it. If you are building a service where you need to use a user's private data that is stored on another system — use OAuth. If not — you might want to rethink your approach!"
"To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers — as has been the experience from the past two years — 2.0 is likely to produce insecure implementations."
We're not going to implement Google or Facebook authentication right away and don't have a "deep understanding of web security", so we question the relevance of choosing Oauth2.
4 - Implementation
We've understood the way Oauth2 works and are not afraid of the implementation of the client side, it seems straightforward (and many projects exist to facilitate its implementation).
On the contrary, for the server side, we will have to create an authorization server and it scares us a bit because we don't know how to do it. Implementing the whole thing by ourselves seems to be a fairly substantial and difficult job (and we didn't find any example using Play Java), we're scared to make a mistake that would create a security hole and don't want to reinvent the wheel. We've found some tools like Apache Oltu or Spring Security (that I've used in another project) but we're not sure if they're suitable for what we want to do.
5 - Questions
Is Oauth2 really a suitable choice for our needs?
If we choose Oauth2, what should we do about implementation? Trying to do it by ourselves? Using a tool like Apache Oltu or Spring Security?
Thank you in advance for your answers!

Desire2learn - pulling out big data from university database

We are working on the analysis of big data to help develop an e-learning platform for our university and are looking for some info from you. Please help us by clarifying the following.
We need to get the below big data information from my university's database: the enrolled student list, course materials, grades and related university info stored in the database. I have seen the Valence REST APIs of D2L and so am thinking of using them to get the information from the database. Is it possible to get the university's data? If so, please guide me how I could do that or any docs to refer to?
Note:[My university uses Desire2learn to share the course materials, assignments, grades and so we hope we could get the necessary authorization to access its data base information]
Do I need to have the university back-end web server address? How can I pull up the required info? (I am not sure where the data is stored exactly as I couldn't find any database info or data models on the Valence website.)
If 2 is true => Is it the correct resource to follow to use apis in our application?
http://docs.valence.desire2learn.com/basic/apicall.html
Lastly, where can I learn about the database structure/organization/models? Is the data stored in the form of logs or files in the database and can it be pulled out as a file/log?
Please let us know. Any additional information / help is appreciated!
Thanks,
Desire2Learn User
In order to make use of the Valence Learning Framework APIs you will need:
A set of Application credentials (an Application ID/Key pair) that is limited to the domain (or LMSID) of the LMS you're going to use it with: your LMS admin can tell you what the LMSID of your LMS actually is, but you must provide it exactly (case-sensitive) when applying for your Application ID/Key credentials.
An LMS user account. The Valence Learning Framework APIs do authentication by providing you with an ID/Key pair bound to your particular App ID/Key and to a known authenticated, LMS user.
Note! The access you will have to your LMS' functionality and data is strictly limited to the privileges afforded to your LMS user account. That is, if you have a student user account with minimal privileges, you will have minimal access to LMS functionality or data. In general, the Learning Framework API functionality mirrors what a user can do through the Web UI, so use that as a rough guide -- you will not be able to do things that your user account cannot do through the Web UI.
All the resources you need to get started are on the Valence project website. The steps for getting started are clearly listed on the front page, and available in more detail on the Getting started with Valence topic page.
Please make sure that you have read and understood the Core concepts topics that describe all the foundational concepts for the platform, and the conventions we use in the project documentation.
The API reference topics all describe the various REST-like routes that act as the API functions available through the Learning Framework API. The reference topics also describe all the JSON structures that you will receive from the LMS in calls, and are expected to provide to the LMS in calls.
To get started, I would recommend that you first read all the getting started/concepts topics, then choose a client library to work with, and try to get the Getting Started sample up and running. If, after that point, you have specific questions about how to use the Learning Framework API, you can ask them here, tagged with desire2learn and the community can try to answer your specific questions.
If you have an existing business relationship with D2L (and thus an account manager, or a customer support account), then you can also seek support through their customer support desk.

How to integrate payment processing with GWT / GAE based app?

I have a GWT based app, which is deployed on Google App Engine for Java. The app uses Google Accounts based authentication. I'm maintaining basic user information such as email id (from Google Accounts), last login date etc. in the GAE datastore. The access to the website is free. Anyone can use it using his/her Google Account.
Going forward, I would like to make it a paid service. However, I have zero experience with setting up and operating an e-commerce website. So my question may be a bit vague. I need some guidance on how to go about it.
Here are some of my requirements (but I'm flexible on the exact implementation):
Offer 2 different types of account - free and premium.
I do not want to maintain any credit card related information in my system. I would also prefer to not maintain an elaborate user database.
When a user first logs in, he/she automatically gets a free account.
User has to "upgrade" to a premium account to access all features of the application.
User has to pay a one-time fee to upgrade.
Given this information, I have the following questions:
Is GAE suited for my requirements?
Which payment gateway (Paypal, Google Checkout etc.) would be most suitable for my requirements?
What level of integration is required between my app and the Payment gateway? I would like to maintain minimal user information in my app. I want to focus on my application development and want to spend minimal effort on user administration.
Would I need to implement a custom authentication mechanism or continue to use Google Accounts or another OpenID based authentication?
What other things do I need to consider?
I'll appreciate any help on this. Thanks.
Generally speaking, there's absolutely no reason why you wouldn't be able to keep the current application and its account management. You can extend your user account with an account type field that stores whether the user is a paying customer or not. If you need to send invoices, also store the user's contact information (Paypal will send this to you together with payment receipts).
As far as specific payment providers is concerned. I only have practical hands-on experience with PayPal. I would not use them again for a few reasons:
Their APIs are not very well documented and some of the documentation is wrong (or out-of-date).
If you're a small player, support is mostly via the forums. So basically this means you're on your own.
Some of the APIs have serious gaping holes and missing functionality (for instance, you can create subscriptions, but not cancel them if you're using the standard payments APIs).
Outside of the US and a few lucky countries, the advanced APIs are not available. So you're stuck with implementing an IPN listener servlet, while it would be much more preferable to pull the information when needed.
All existing PayPal Java libraries I have found use the Pro features that are not available to most of the users. Because I couldn't find it anywhere else, I have created and open sourced my own IPN servlet but it is very unfinished. If there is a demand for it, I'd be willing to improve it, just let me know.
What this IPN servlet does is listen to incoming PayPal messages. For instance, if a user subscribes, you'll get a message. If a user is billed (for instance on a monthly cycle), you'll get a message. If a user cancels his subscription you'll get a message. Those messages allow you to maintain the account type of the user.
If I'd do it again, I would probably use a more advanced and higher level subscription API, such as Spreedly. I've heard some good things about the API and they are pretty affordable. I have no actual experience with Spreedly, so this is not an endorsement.
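The IPN listener described above has one property that matters more than the rest: anyone can POST a message that looks like PayPal's, so the listener must confirm each message with PayPal before flipping anyone's account type. PayPal's documented check is to post the received body back, prefixed with `cmd=_notify-validate`, and act only on a `VERIFIED` reply. The following is an added Go example (not the answerer's servlet, and not PayPal's code). It assumes the `ipnpb.paypal.com` verification endpoint, the subscription `txn_type` values `subscr_signup`, `subscr_payment`, `subscr_cancel` and `subscr_eot` from the IPN reference (check them against the current documentation), and an in-memory map standing in for the datastore.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// paypalVerifyURL is PayPal's IPN postback endpoint (assumed for this example).
const paypalVerifyURL = "https://ipnpb.paypal.com/cgi-bin/webscr"

// Listener verifies incoming IPN messages and maintains account types.
type Listener struct {
	VerifyURL     string
	Client        *http.Client
	ReceiverEmail string // our own PayPal account; messages for anyone else are rejected

	mu       sync.Mutex
	seenTxn  map[string]bool   // replay protection on txn_id
	accounts map[string]string // payer email -> "free" | "premium" (stands in for the datastore)
}

func NewListener(verifyURL string, client *http.Client, receiver string) *Listener {
	return &Listener{VerifyURL: verifyURL, Client: client, ReceiverEmail: receiver,
		seenTxn: map[string]bool{}, accounts: map[string]string{}}
}

// AccountType returns the current account type for a payer ("free" if unknown).
func (l *Listener) AccountType(email string) string {
	l.mu.Lock()
	defer l.mu.Unlock()
	if t, ok := l.accounts[email]; ok {
		return t
	}
	return "free"
}

// postback echoes the raw body to PayPal and accepts only a VERIFIED answer.
func (l *Listener) postback(raw []byte) error {
	body := "cmd=_notify-validate&" + string(raw)
	resp, err := l.Client.Post(l.VerifyURL, "application/x-www-form-urlencoded", strings.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	ans, err := io.ReadAll(io.LimitReader(resp.Body, 64))
	if err != nil {
		return err
	}
	if strings.TrimSpace(string(ans)) != "VERIFIED" {
		return errors.New("IPN not verified: " + string(ans))
	}
	return nil
}

// apply updates the account type from an already verified message.
func (l *Listener) apply(v url.Values) (string, error) {
	if v.Get("receiver_email") != l.ReceiverEmail {
		return "", errors.New("message is for a different receiver")
	}
	payer, txn := v.Get("payer_email"), v.Get("txn_id")
	l.mu.Lock()
	defer l.mu.Unlock()
	if txn != "" && l.seenTxn[txn] {
		return "", errors.New("duplicate txn_id")
	}
	switch v.Get("txn_type") {
	case "subscr_payment":
		if v.Get("payment_status") != "Completed" {
			return "", errors.New("payment not completed")
		}
		l.accounts[payer] = "premium"
	case "subscr_signup":
		l.accounts[payer] = "premium"
	case "subscr_cancel", "subscr_eot":
		l.accounts[payer] = "free"
	default:
		return "", errors.New("unhandled txn_type " + v.Get("txn_type"))
	}
	if txn != "" {
		l.seenTxn[txn] = true
	}
	return l.accounts[payer], nil
}

// ServeHTTP is the URL registered as the IPN notification endpoint.
func (l *Listener) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	raw, err := io.ReadAll(io.LimitReader(r.Body, 64<<10))
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	// Verify before parsing or acting on anything in the body.
	if err := l.postback(raw); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	v, err := url.ParseQuery(string(raw))
	if err != nil {
		http.Error(w, "bad form body", http.StatusBadRequest)
		return
	}
	if _, err := l.apply(v); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.ListenAndServe(":8080", NewListener(paypalVerifyURL, http.DefaultClient, "seller@example.com"))
}
```

For one-time upgrades rather than subscriptions the same shape applies with `txn_type=web_accept`; in that case also compare `mc_gross` and `mc_currency` against the price you expect, since a verified message only proves PayPal sent it, not that the buyer paid the right amount.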
GAE supports this kind of application without any particular problem; if your language of choice is Java, I would pick Paypal with this toolkit because the Google Checkout Java API does not seem to work very well on GAE.
You would need an authorization mechanism to check what your users are allowed to do based on their permissions.
Basically you would need the following things:
A membership status flag that indicates if a user is Premium or not; this should be set after the payment notification
An authorization system to check, reading the membership flag value, if a given Web Handler can be consumed by the current user
Have a look at this great Spring Security tutorial; it covers:
Authentication using Google Accounts.
Setup of access-control restrictions based on the roles assigned to users.
If you need subscription based billing with free trials, coupons, plan upgrades/downgrades, Dunning management and a whole lot more then take a look at Recurly.
You can choose to have customers maintain their billing information on pages hosted by Recurly, or use their Transparent POST API to post billing info to their servers from a page in your GAE app - both solutions avoid passing sensitive credit card data through your servers, which makes PCI compliance easy.
The Java API is not fully developed but it's easy to build out for your specific requirements using JAXB. I do not have my code wrapped into an open source project but would be willing to share snippets.
