Webhook sending Purchase Details to handling Purchases from a Third Party Service Secure?

I’m developing a mobile application for a client that sells digital courses on a service called Teachable, which hosts their website and handles the purchase process for them. My client wants to keep using this service for the purchase process, and when a user has bought a course, they should have access to it in my app.

Now I did some research on Teachable. To my knowledge, it does not provide an API or any sort of OAuth provider. However, it does offer webhooks.

I thought about a way to implement this behaviour, but I have some concerns about my idea, so I would like to hear opinions from more experienced developers in the security field. My idea goes like this:

  1. Let’s assume Alice buys a course called “Awesome Course 1”.
  2. The Teachable webhook sends my server a JSON object that includes the following properties: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  3. Now in my database, I create a random Id and add this JSON object to it. So I have something like this: RandomKey987: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  4. I send Alice a mail that contains the Id RandomKey987.
  5. Alice goes to my app, creates an account/logs into her account (which is completely independent of the Teachable mail/account she used to buy the course) and enters the Id RandomKey987 in a form to unlock her course in my app.
  6. On my server, I create a database entry under Alice’s field to mark that she bought the course associated with the database entry RandomKey987, which in this case is the course “Awesome Course 1”.
  7. I delete the database entry RandomKey987, so no one can unlock this course a second time.

Now my concerns are:

  1. An adversary could just send a JSON object similar to the one in step 2 that doesn’t come from Teachable. The attacker would need to know the HTTP endpoint of my webhook and a valid courseId, and I’m not sure I can keep these private. Teachable does not provide an API where I could make a request to validate that the JSON object indeed refers to a valid purchase. Would a conceivable solution be to just keep the HTTP endpoint and the courseIds private?

  2. It won’t be possible to guess the Id for a purchase in my database, but could there be another way to get the key I send via email? Assuming no other person than Alice can read this email, this should not be a problem, right?

What’s your opinion on this? Did I overlook an important security aspect? Is there a better way to handle this problem?
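The single-use unlock-code flow from steps 2 to 7, written out as an added Python example; it is not part of the question and not Teachable’s or the app’s own code. It assumes two things the question does not state: the server keeps a catalogue of the course ids it actually sells (so a forged payload with an unknown courseId is rejected), and the webhook URL contains an unguessable path segment that the handler compares in constant time. Codes are minted with a CSPRNG, stored only as a SHA-256 digest (a database leak then does not expose redeemable codes), and consumed in one pop so each code binds a course to exactly one app account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample catalogue: course ids the app really sells (assumption).
KNOWN_COURSES = {123: "Awesome Course 1", 456: "Awesome Course 2"}


@dataclass
class Store:
    """In-memory stand-in for the app database (assumption; a real deployment
    would use an atomic delete-returning query for the redeem step)."""
    # pending unlock codes, keyed by SHA-256(code) -> purchase record
    pending: dict = field(default_factory=dict)
    # app user id -> set of unlocked course ids
    entitlements: dict = field(default_factory=dict)


def _digest(code: str) -> str:
    # Only the digest is persisted; the plaintext code goes out by e-mail.
    return hashlib.sha256(code.encode()).hexdigest()


def handle_webhook(store: Store, payload: dict, path_secret: str,
                   expected_path_secret: str):
    """Steps 2 and 3: accept a purchase notification and mint a one-time code.

    Returns the plaintext code to e-mail to the buyer (step 4), or None when
    the call is rejected.
    """
    # Hypothetical deployment choice: the webhook URL carries a secret segment.
    # compare_digest avoids leaking the secret through timing differences.
    if not hmac.compare_digest(path_secret, expected_path_secret):
        return None
    course_id = payload.get("courseId")
    email = payload.get("email")
    # Reject forged payloads that name a course the app does not sell, and
    # malformed ones that lack a buyer address to send the code to.
    if not isinstance(course_id, int) or course_id not in KNOWN_COURSES:
        return None
    if not isinstance(email, str) or not email:
        return None
    code = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    store.pending[_digest(code)] = {"email": email, "courseId": course_id}
    return code


def redeem(store: Store, user_id: str, code: str):
    """Steps 5 to 7: bind the course to the app account and burn the code.

    Returns the unlocked course id, or None if the code is unknown or was
    already used. pop() removes the record in the same operation that reads
    it, so a second redemption of the same code finds nothing.
    """
    record = store.pending.pop(_digest(code), None)
    if record is None:
        return None
    store.entitlements.setdefault(user_id, set()).add(record["courseId"])
    return record["courseId"]


if __name__ == "__main__":
    db = Store()
    # Constructed payload shaped like the one in step 2.
    mail_code = handle_webhook(
        db, {"email": "Alice@gmail.com", "courseName": "Awesome Course 1",
             "courseId": 123}, "path-secret", "path-secret")
    print("unlocked:", redeem(db, "alice-app-account", mail_code))
    print("replay:", redeem(db, "someone-else", mail_code))
```

The second concern in the question (someone else obtaining the e-mailed key) is narrowed rather than solved by this design: the code is worthless after the first redemption, and because only its digest is stored, an attacker who reads the database still cannot redeem anything.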

Easy Digital Downloads Purchase Link not working

I am using the Easy Digital Downloads plugin to sell some digital products. However, I am facing an issue when I use the Purchase Link with AJAX. If I use an AJAX filter and filter the products, then the Purchase Link throws an error:

Uncaught TypeError: Cannot read property 'total' of null
    at Object.success (edd-ajax.js?ver=2.9.16:229)
    at i (jquery.js?ver=1.12.4-wp:2)
    at Object.fireWith [as resolveWith] (jquery.js?ver=1.12.4-wp:2)
    at x (jquery.js?ver=1.12.4-wp:4)
    at XMLHttpRequest.c (jquery.js?ver=1.12.4-wp:4)

However, the Purchase Link works fine on page load but throws the above error after I filter the products. There is a nonce value when I inspect the purchase button, but when I try to alert or console it, the value comes back blank and hence the nonce check fails. This leads to the above error – http://prntscr.com/qcvbm8

This is the code for purchase link –

echo edd_get_purchase_link( array( 'download_id' => 1111 ) ); 

Any help would be much appreciated.

Best place to show a confirmation modal in a purchase flow

So, I’m working on an insurance ecommerce site and would like to get input on where to show a confirmation modal. Let’s say I am on the summary page, and there’s a “Change Plan” button to choose another plan. I have two options for where to show the confirmation modal:

Option 1. Once the user clicks the “Change Plan” button, s/he is redirected to the Plans Page. Right after the user clicks the “I want this plan” button to commit the change, show the modal.

Option 2. Show the modal on the Summary Page right after the user clicks the “Change Plan” button, and then redirect the user to the Plans Page.

I feel option 1 works better as the modal is shown right before committing the change, but option 2 can work as well. Any feedback is appreciated.

Prototype that shows both options https://www.figma.com/proto/nuRTOn8ZdMjGLkHrQXOZge/Untitled?node-id=6%3A38&viewport=-570%2C195%2C0.6362286806106567&scaling=min-zoom

Are dismissible banners acceptable UI for purchase confirmations?

Here’s some context:

A user on a Free account is editing a draft in our text editor. To be able to publish the draft (they get auto-saved), they need to purchase a plan.

When they click on the “Upgrade” button, they are taken to the Checkout flow. After Checkout completion, what is the best way to confirm their purchase?

  1. A screen that says “Purchase was successful” with a CTA that will take them back to the editor?

  2. Or take them back to the text editor, but append a banner notification up top that says their purchase was successful?

I would think Option 1 would be the best way to go about it. IMO, a purchase is a big deal/big decision, hence it warrants its own single page instead of just a banner?

Buying A Magic Item Downtime Activity – Opportunity to purchase later

I’m DM’ing using the downtime activity rules in Xanathar’s Guide to Everything and I was wondering if there are any rules (or suggested approaches) to allowing my players to purchase one of their discovered magic items at a later date.

For instance, one of the players rolled for a Saddle of the Cavalier but none of the party has a horse. Do the rules allow the player to track down the merchant at a later date to buy the item? Or is this more of a DM’s discretionary decision?

Adding product attribute to purchase management extension (custom extension)

I am wanting to simply add the value of a product attribute (“supplier_code”) to an order invoice in a custom extension. The extension is designed to create purchase orders; however, there are key items missing from their extension, like comments and supplier details (i.e. codes etc.).

Here is a snippet of code from the page that I am wanting to add the attributes to. Here you can easily add things like SKU and description, as these are loaded already. And here is the code they have for custom options of the ring order.

<?php
// Template fragment from the purchase management extension (truncated in the original)
$collection = Mage::getModel("purchasemanagement/orderitem")
    ->getCollection()
    ->addFieldToFilter("purchase_id", $this->getRequest()->getParam("id"));
foreach ($collection as $order_item) {
?>
    <tbody class="<?php if ($count % 2 == 0) echo 'even'; else echo 'odd'; ?>">
        <tr class="border">
            <td>
                <div class="item-container">
                    <div class="item-text">
                        <h5 class="title">
                            <span><?php echo $order_item->getDescription(); ?></span>
                        </h5>
                        <h5>Supplier Code: <?php echo $order_item->getAttributeText("supplier_code"); ?></h5>

I am trying to show the attribute text for the supplier code, but it is just blank, with no errors.

Any suggestions as to what I am doing wrong would be great.

Can a vampire purchase multiple powers that are on the same level of a discipline?

One of my players is interested in two powers that are on the same level of a discipline, and I couldn’t tell him whether he can take both one way or another. So here is my question: Can a vampire purchase multiple powers that are on the same level of a discipline?

My guess is “Yes, but you have to get another point in this discipline to get it”, but I also see a house rule that says:

LEARNING DISCIPLINES: Vampires can learn multiple powers from the same discipline by purchasing its dot level a second time as an in-clan discipline.

So after I’d seen that house rule, I started thinking that RAW you can’t purchase same-level powers.