@russian-dima @MMVeiga … thank you both for your help on this (you both ultimately gave me the same solution)!
Now that the script is working, I have one other concern, and it’s not a minor one … whether I’ve created a security vulnerability …
Here’s my completed pay.jsw
```javascript
import wixPay from 'wix-pay-backend';
import wixData from 'wix-data';

// Web module function: called from page code with the arguments the page supplies.
export async function createMyPayment(productId, nameOfCollection) {
    // productId is not used; the first item of the named collection is sold.
    return wixData.query(nameOfCollection)
        .find()
        .then((product) => {
            let paymentInfo = {
                items: [{
                    // The serial key and password are embedded in the item name.
                    name: product.items[0].title + '<br> Serial Key:<br> ' + product.items[0].serialKey + '<br>Password:<br>' + product.items[0].password,
                    price: product.items[0].price
                }],
                amount: product.items[0].price
            };
            return wixPay.createPayment(paymentInfo);
        });
}
```
As you can see, the serial key and password for the product (a piece of proprietary software) are sent to the user through the confirmation email; nothing is encrypted. It is my understanding that since this is taking place in a backend file it is secure; am I correct in that assumption?
My front end code looks like this (and this is what has me more worried)
```javascript
import wixData from 'wix-data';
import wixPay from 'wix-pay';
import wixLocation from 'wix-location'; // needed for wixLocation.query below
import { createMyPayment } from 'backend/pay';

$w.onReady(function () {
    // Filter the dataset by the "product" URL query parameter.
    let queryValue = wixLocation.query;
    $w('#dataset2').setFilter(wixData.filter().contains('title', queryValue.product));
    let queryValue2 = wixLocation.query;
    $w('#dataset2').setFilter(wixData.filter().contains('title', queryValue2.product));
    $w('#text17').hide();

    $w("#button1").onClick((event) => {
        let productId; // never assigned, so it is passed as undefined
        let $item = $w.at(event.context);
        // The collection name is read from the hidden text element on the page.
        let nameOfCollection = $item("#text17").text;
        createMyPayment(productId, nameOfCollection)
            .then((payment) => {
                wixPay.startPayment(payment.id, {
                        "showThankYouPage": false,
                    })
                    .then((result) => {
                        if (result.status === "Successful") {
                            // Remove the sold item from the collection, from page code.
                            wixData.query(nameOfCollection)
                                .find()
                                .then((product) => {
                                    wixData.remove(nameOfCollection, product.items[0]._id)
                                        .then((removeItem) => {
                                            let item = removeItem;
                                        })
                                        .catch((err) => {
                                            let errorMsg = err;
                                        });
                                });
                            console.log('successful payment')
                            //wixWindow.openLightbox("#lightbox1");
                        } else if (result.status === "Pending") {
                            console.log('payment failure')
                            //wixWindow.openLightbox("Pending Box");
                        }
                    });
            });
    });
});
```
As you can see, after a successful transaction, I delete the item in the collection that contains the serial key and password that was sent to the purchaser. I am worried that this is creating a vulnerability since it is happening on a front end page …
Is this creating a vulnerability? Should I move this process to the pay.jsw page?
Can I use the info on the other backend page (event.js) to send the email instead? (though I truthfully kind of like sending it as part of the receipt, it’s “tidy”)
```javascript
export function wixPay_onPaymentUpdate(event) {
    let paymentId = event.payment.id;
    let newTransactionStatus = event.status;
    let userInfo = event.userInfo;
}
```
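One way to keep the collection choice, the serial key and the deletion on the server, as an added example that is not the poster's code or Wix's own. The Wix modules are passed in as parameters so the logic runs offline; the product slugs, collection names, `sendKey` mailer and in-memory `reserved` map are assumptions, and the `'Successful'` status string is taken from the front-end check in the post.

```javascript
// Added example, not the poster's code. `data` stands in for wix-data and `pay`
// for wix-pay-backend; they are injected so the logic also runs offline with stubs.

// Assumption: hypothetical map from a public product slug to its key collection.
const KEY_COLLECTIONS = { 'editor-pro': 'EditorProKeys', 'editor-lite': 'EditorLiteKeys' };
// paymentId -> { collection, itemId }. In-memory stand-in for persistent storage.
const reserved = new Map();

// The browser sends a slug; only names from the allow-list ever reach a query.
function resolveCollection(slug) {
  const known = Object.prototype.hasOwnProperty.call(KEY_COLLECTIONS, slug);
  if (!known) throw new Error('unknown product');
  return KEY_COLLECTIONS[slug];
}

// The payment goes back to the browser, so it carries no serialKey or password.
function buildPaymentInfo(product) {
  return { items: [{ name: product.title, price: product.price }], amount: product.price };
}

async function createMyPayment(data, pay, slug) {
  const collection = resolveCollection(slug);
  const held = new Set([...reserved.values()].map((h) => h.itemId));
  const found = await data.query(collection).find();
  const product = found.items.find((item) => !held.has(item._id));
  if (!product) throw new Error('out of stock');
  const payment = await pay.createPayment(buildPaymentInfo(product));
  reserved.set(payment.id, { collection, itemId: product._id });
  return { id: payment.id }; // the only field the page's startPayment call uses
}

// Called from the backend payment event: the key is released and its row removed
// only when the server-side status says the payment succeeded.
async function onPaymentUpdate(data, event, sendKey) {
  const hold = reserved.get(event.payment.id);
  if (!hold || event.status !== 'Successful') return false;
  reserved.delete(event.payment.id);
  const item = await data.get(hold.collection, hold.itemId);
  await sendKey(event.userInfo, item.serialKey, item.password); // hypothetical mailer
  await data.remove(hold.collection, hold.itemId);
  return true;
}
```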