Is my custom purchase feature creating a security vulnerability?

I have tweaked the code I found in this tutorial (https://support.wix.com/en/article/velo-tutorial-processing-payments) to send a unique serial key and password in the confirmation email sent to the purchaser …

In the backend pay.jsw file, I use the first item from the collection to append a serial key and password to the name of the product, which then appears in the confirmation email the user gets after their purchase is complete:

import wixData from 'wix-data';
import wixPay from 'wix-pay-backend';

export async function createMyPayment(productId, nameOfCollection) {
    // Query the whole collection and take its first item; the serial key and
    // password are appended to the product name so they show up in the
    // confirmation email.
    return wixData.query(nameOfCollection)
        .find()
        .then((product) => {
            let paymentInfo = {
                items: [{
                    name: product.items[0].title + '<br>  Serial Key:<br> ' + product.items[0].serialKey + '<br>Password:<br>' + product.items[0].password,
                    price: product.items[0].price
                }],
                amount: product.items[0].price
            };
            return wixPay.createPayment(paymentInfo);
        });
}

Since that query takes place in the backend, I’m less concerned about it creating a vulnerability by which a hacker might steal serial keys and passwords …

In the frontend file, I then delete the item in the collection that contained the serial key and password that was appended to the product name:

import wixData from 'wix-data';

// Runs in the page code, inside the callback that receives `result` from wixPay.startPayment()
if (result.status === "Successful") {
    wixData.query("SoftwareUniqueCodes")
        .find()
        .then((product) => {
            // Remove the first item, whose serial key and password were just emailed
            wixData.remove("SoftwareUniqueCodes", product.items[0]._id)
                .then((removeItem) => {
                    let item = removeItem; // see item below
                })
                .catch((err) => {
                    let errorMsg = err;
                });
        });
}

This is where I’m most concerned that there is a potential security vulnerability, should I be worried?

Should I have the whole process taking place somewhere else?

@certified-code , you helped me get this code to work in the first place, do you think my process keeps the data secure enough?

Hey so here is my input

If your frontend can read and write on your softwareUniqueCodes collection it means that anyone can query the whole database, downloading all of your unique codes (it would literally take minutes to pull that off).

Your collection should be private.
You should only read / update the collection from the backend using {suppressAuth:true} flag

The technique to keep everything private is

  1. create a transaction with createPayment;

  2. save that transaction id in the item (so the item is marked as reserved)

  3. return the transaction

  4. add your payment handler https://www.wix.com/velo/reference/wix-pay-backend/events/onpaymentupdate . The payment handler should look up in your database the item with the current transaction Id (the one that was reserved) (only if the payment is successful). Once you get the item, you can send the item by email inside the payment handler.

This ensures that your private data remains private and that customers only have access to info on the item they purchased.

I would recommend not deleting the item but instead using an isSold (boolean) or soldOn (date) and/or soldTo (reference to contactId/member) flag so you can always roll back if something goes wrong.

PS: you’ll also need an endpoint to remove the transaction Id if the user cancels the payment (only possible to know that from the frontend payment result) so that it liberates the locked item.

Does that help?
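The reserve-then-fulfil flow from the four steps and the PS above, written out as an added example (not code from this thread or from Wix). The wix-data, wix-pay-backend and email calls are replaced by an injected `deps` object with a constructed in-memory stand-in so it runs offline; the field names reservedBy, isSold, soldOn and soldTo, and the shape of the payment-update event, are assumptions.

```javascript
// Constructed in-memory stand-ins for wix-data, wix-pay-backend and the mailer
// (assumption: in Velo these would be the real modules, called with suppressAuth).
function makeFakeDeps(rows) {
  const store = rows.map((r) => ({ ...r }));
  const sent = [];
  let next = 1;
  return {
    store, sent, now: () => "2024-01-01T00:00:00Z",
    db: {
      queryFree: async () => store.filter((r) => !r.isSold && !r.reservedBy),
      findByReservation: async (id) => store.find((r) => r.reservedBy === id) || null,
      update: async (item) => Object.assign(store.find((r) => r._id === item._id), item),
    },
    pay: { createPayment: async (info) => ({ id: `txn-${next++}`, ...info }) },
    mail: { send: async (to, body) => sent.push({ to, body }) },
  };
}
// Steps 1-3: create the payment, stamp the first free item with the transaction
// id (reserved) and return only the transaction. The key never leaves the backend.
async function createReservedPayment(deps) {
  const free = await deps.db.queryFree();
  if (free.length === 0) throw new Error("no unsold codes left");
  const item = free[0];
  const payment = await deps.pay.createPayment({
    items: [{ name: item.title, price: item.price }], // public fields only
    amount: item.price,
  });
  await deps.db.update({ ...item, reservedBy: payment.id });
  return payment;
}
// Step 4: payment-update handler. Fulfil only on Successful, only for the item this
// transaction reserved, and only once (isSold guards against repeated events).
async function onPaymentUpdate(deps, event) {
  if (event.status !== "Successful") return null;
  const item = await deps.db.findByReservation(event.transactionId);
  if (!item || item.isSold) return null;
  const sold = { ...item, isSold: true, soldOn: deps.now(), soldTo: event.buyerEmail };
  await deps.db.update(sold);
  await deps.mail.send(event.buyerEmail, `Serial Key: ${item.serialKey}\nPassword: ${item.password}`);
  return sold;
}
// PS from the answer: when the buyer cancels at checkout, free the reserved item
// so it can be sold again. An item that is already sold is never released.
async function releaseReservation(deps, transactionId) {
  const item = await deps.db.findByReservation(transactionId);
  if (!item || item.isSold) return false;
  await deps.db.update({ ...item, reservedBy: null });
  return true;
}
```

Between the free-item query and the stamping update, two concurrent checkouts can still pick the same item; in a real deployment re-read the item and abort if reservedBy is already set, or make the reserve step a single atomic write on the database side.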

It answers a lot of questions and creates a few more … I’ve messaged you …