I have tweaked the code I found in this tutorial (https://support.wix.com/en/article/velo-tutorial-processing-payments) to send a unique serial key and password in the confirmation email sent to the purchaser …
In the backend pay.jsw file, I use the first item from the collection to append a serial key and password to the name of the product, which then appears in the confirmation email the user gets after their purchase is complete:
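    import wixData from 'wix-data';
    import wixPay from 'wix-pay-backend';

    export async function createMyPayment(productId, nameOfCollection) {
        // Takes the first item in the collection (productId is not used by the query).
        return wixData.query(nameOfCollection)
            .find()
            .then((product) => {
                // Append the serial key and password to the product name so
                // they appear in the confirmation email.
                const paymentInfo = {
                    items: [{
                        name: product.items[0].title + '<br> Serial Key:<br> ' + product.items[0].serialKey + '<br>Password:<br>' + product.items[0].password,
                        price: product.items[0].price
                    }],
                    amount: product.items[0].price
                };
                return wixPay.createPayment(paymentInfo);
            });
    }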
Since that query takes place in the backend, I’m less concerned about it creating a vulnerability by which a hacker might steal serial keys and passwords …
In the frontend file, I then delete the item in the collection that contained the serial key and password that was appended to the product name:
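    // Page code; needs `import wixData from 'wix-data';` at the top of the file.
    if (result.status === "Successful") {
        // Query the collection again and remove its first item.
        wixData.query("SoftwareUniqueCodes")
            .find()
            .then((product) => {
                wixData.remove("SoftwareUniqueCodes", product.items[0]._id)
                    .then((removeItem) => {
                        let item = removeItem; // the item that was removed
                    })
                    .catch((err) => {
                        let errorMsg = err;
                    });
            });
    }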
This is where I’m most concerned that there is a potential security vulnerability. Should I be worried?
Should I have the whole process taking place somewhere else?
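
A model of the two permission setups this question is weighing, added here as an illustration and not code from the post or from Wix: page code runs as the site visitor, so the frontend query-and-remove only works if visitors are allowed to read and remove rows in SoftwareUniqueCodes. The collection object, `fulfilOrder`, `visitorCanRead` and the sample rows are constructed stand-ins, not the wix-data API.

```javascript
// Added example. In-memory stand-in for a collection with per-role permissions;
// NOT the wix-data API. All names and sample rows here are constructed.
function makeCollection(rows, perms) {
  const allow = (op, role) => {
    if (!perms[op].includes(role)) throw new Error(`${role} may not ${op}`);
  };
  return {
    find(role) { allow('read', role); return rows.map((r) => ({ ...r })); },
    remove(role, id) {
      allow('remove', role);
      const i = rows.findIndex((r) => r._id === id);
      return i === -1 ? null : rows.splice(i, 1)[0];
    },
    count: () => rows.length,
  };
}

const sampleRows = () => [
  { _id: 'a1', serialKey: 'SAMPLE-KEY-1', password: 'sample-pw-1' },
  { _id: 'b2', serialKey: 'SAMPLE-KEY-2', password: 'sample-pw-2' },
];

// Permissions the page-code version needs: visitors must read and remove.
const openCodes = () => makeCollection(sampleRows(),
  { read: ['visitor', 'backend'], remove: ['visitor', 'backend'] });

// Permissions that are enough when the whole flow runs in backend code.
const lockedCodes = () => makeCollection(sampleRows(),
  { read: ['backend'], remove: ['backend'] });

// Backend-only fulfilment. paymentStatus is assumed to come from a trusted
// server-side source, not from the browser. Takes and removes one code, so
// page code never touches the collection.
function fulfilOrder(codes, paymentStatus) {
  if (paymentStatus !== 'Successful') return null;
  const [first] = codes.find('backend');
  return first ? codes.remove('backend', first._id) : null;
}

// How many rows page code (role "visitor") can read under a given setup.
function visitorCanRead(codes) {
  try { return codes.find('visitor').length; } catch (e) { return 0; }
}
```

With the locked-down permissions the visitor role reads nothing and cannot remove rows, while the backend flow still hands out exactly one code per successful payment.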