Validating Popup Storefront Orders

Last modified March 7, 2016

For publishers who want to grant immediate access to content or services based on the results of a Popup Storefront transaction - e.g. taking action on the page immediately following the "popup closed" event - it is important to note that relying on webhooks such as the order.completed browser webhook to obtain data about a completed purchase is not recommended in the interest of security.

Because these webhooks are happening in the browser, there is the potential that a malicious user skilled in JavaScript could modify or fake these types of results, in order to gain access to content or services without actually paying.

For this reason, it is recommended that you use the FastSpring API to validate orders placed via your Popup Storefront, before granting access to content or services.

Here is the recommended process:

  1. Wait for the order ID to be passed to the callback function.
  2. Once the order ID has been obtained, make an AJAX request to the server which, in turn, makes a backend-to-backend call to the FastSpring API (/orders endpoint) with the order ID obtained from the popup store.
  3. Act upon the order based on the response from FastSpring's backend, which can be trusted.