Struggles with PayPal Integration

So, if you’ve ever purchased anything on eBay, I’m sure you are familiar with their wonderful brainchild called PayPal. A completely digital way of exchanging money, no banks involved. A perfect dream, right? More like a security nightmare, as history has proved. But I will give them credit for getting on the ball in recent days.

Regardless, if you operate a business with an online presence, PayPal has a number of unique features which the average business owner will find useful. As we all know, processing credit cards is something that is almost required for any organization operating in the 21st century. You can’t get by without it. So, when my fraternity came to me to inquire about coming up with an online way to make payments – PayPal was my recommendation. Little did I know that integration with PayPal is a little harder than the sticker price.

This past January, I assumed the role of Website Chair within my fraternity, and deployed a custom-written Rails application that allows us to track attendance and fees, and other stuff like that. The website doesn’t serve as the “official record” – but it does allow brothers to get some idea of their standing within the fraternity by simply logging into their account. As I mentioned, fees are one thing that appears on a brother’s information readout.

For a while, we simply allowed PayPal and the website to be separate entities, but I decided that there were probably some other options that could produce a much more professional result. After doing some research, I came across PayPal’s documentation of Instant Payment Notification (IPN).

IPN is a protocol defined by PayPal that is designed to make it easy for web developers to have automated actions when there is a payment event. The workflow goes as follows:

  1. Someone clicks a Buy Now button from your page and goes to PayPal to make their payment.
  2. Their payment is completed.
  3. PayPal sends an HTTP POST request to the IPN URL that you specify when you created the Buy Now button that the user used.
  4. Your script receives the request, and then generates its own HTTP POST request back to PayPal with all the same parameters in order to verify that it is a legit payment.
  5. PayPal either responds “VALID” or “INVALID”.
  6. If it responds VALID, you do whatever your program needs to do for a valid payment. If it responds INVALID, then it is recommended that you log the error. My program just does nothing for now.

Seems simple enough. I have successfully gotten it partially working in development however, and I’m pleased with that. The one hiccup I’ve hit is getting it to correctly contact PayPal’s server.

In the course of PayPal’s mission to prevent Joe Hacker from getting at your data, they have required that all communications with their servers take place over HTTPS, also known as HTTP over SSL. For those who don’t know, HTTPS is merely an extra level of encryption to keep your data safe. The obstacle I’ve been hitting is getting Ruby on Rails (the framework on which my fraternity’s site is built) to talk to PayPal over HTTPS. I keep getting “Error 301 Moved Permanently” messages whenever I try to hit the server, and I’m not really sure what’s going on.
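As an added illustration of steps 4 through 6 of the workflow above and of the HTTPS postback this paragraph is wrestling with, here is a small Ruby verifier. It is example code written for this post, not the fraternity site’s own code and not a PayPal library. It assumes the validation endpoint URL shown in the constant (take the live or sandbox address from PayPal’s IPN documentation), and it uses PayPal’s documented postback convention: the raw POST body is echoed back unchanged with `cmd=_notify-validate` prepended, and the reply body is the literal string `VERIFIED` (the post calls it “VALID”) or `INVALID`. Anything else, including a 301 or any other non-200 status, is treated as “not verified”, never as a valid payment. The `HttpsPoster` wrapper, the `IpnVerifier` class and the `accept?` field checks are all names invented here.

```ruby
require 'net/http'
require 'uri'
require 'openssl'
require 'set'

# Assumed endpoint for illustration; use the address from PayPal's IPN docs
# (live vs sandbox) in a real deployment.
PAYPAL_VERIFY_URI = URI('https://www.paypal.com/cgi-bin/webscr')

# Thin HTTPS transport so the verifier can be exercised offline with a stub.
class HttpsPoster
  # Returns [status_code_string, response_body].
  def post(uri, body)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true                           # PayPal requires HTTPS
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # actually validate the certificate
    res = http.post(uri.request_uri, body,
                    'Content-Type' => 'application/x-www-form-urlencoded')
    [res.code, res.body]
  end
end

class IpnVerifier
  VERIFIED = 'VERIFIED'.freeze  # PayPal's literal success token

  # receiver_email: the PayPal account that should be paid.
  # seen_txn_ids: in production this would be a persistent store, not an in-memory Set.
  def initialize(receiver_email:, poster: HttpsPoster.new, seen_txn_ids: Set.new)
    @receiver_email = receiver_email
    @poster = poster
    @seen = seen_txn_ids
  end

  # Step 4: echo the raw body back with cmd=_notify-validate prepended.
  # Returns :verified, :invalid, or :error (could not get a clean answer).
  def postback(raw_body)
    status, body = @poster.post(PAYPAL_VERIFY_URI, "cmd=_notify-validate&#{raw_body}")
    # A redirect (301/302) or any other non-200 means the validator was never
    # reached, so the answer is unknown; fail closed rather than trusting the data.
    return :error unless status.to_s == '200'
    case body.to_s.strip
    when VERIFIED  then :verified
    when 'INVALID' then :invalid
    else :error
    end
  end

  # Steps 5 and 6 plus the checks a VERIFIED reply does not cover on its own:
  # the payment actually completed, it was paid to us, the amount is what we
  # expected, and we have not already credited this transaction.
  # Returns [accepted?, reason].
  def accept?(raw_body, expected_gross:, expected_currency:)
    result = postback(raw_body)
    return [false, "postback #{result}"] unless result == :verified

    params = URI.decode_www_form(raw_body).to_h
    return [false, 'not completed']   unless params['payment_status'] == 'Completed'
    return [false, 'wrong receiver']  unless params['receiver_email'] == @receiver_email
    return [false, 'amount mismatch'] unless params['mc_gross'] == expected_gross &&
                                             params['mc_currency'] == expected_currency
    return [false, 'missing txn_id']  if params['txn_id'].to_s.empty?
    return [false, 'duplicate txn_id'] unless @seen.add?(params['txn_id'])
    [true, 'ok']
  end
end
```

In a Rails controller the body handed to `accept?` should be `request.raw_post`, not a string rebuilt from `params`: the echo has to be byte-identical to what PayPal sent or the postback comes back `INVALID`. The post-verification field checks matter because a `VERIFIED` reply only says the message came from PayPal; it does not say the money went to your account, for the right amount, or that you have not seen this `txn_id` before.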

While there is a good chance this code will make it to production without this safeguard for a little while (since spoofed data wouldn’t be that big of a problem for us), I’m sincerely hoping I can get this working. It’s really frustrating…