commerce_decoupled_checkout
Security covered
The module provides REST endpoints for a decoupled Commerce experience:
- Remote order creation (along with user / profile / order items)
- Remote payment creation / initialization (and capturing if needed)
- Remote payment capturing / finalization (if it was not captured before)
REST API
1. Create a new order (with potential to submit payment as well)
POST /commerce/order/create
Payload documentation
2. Create a new payment for the order (with potential to capture it as well)
POST /commerce/payment/create/{order_id}
Payload documentation
3. Capture the existing payment (if it was not captured before).
POST /commerce/payment/capture/{order_id}/{payment_id}
No payload.
4. Void the existing payment (if it was not captured before).
POST /commerce/payment/void/{order_id}/{payment_id}
No payload.
Payment Gateway integrations
The module was tested / proven to be working with:
- PayPal Button (Express Checkout)
- Stripe
- Credit Cards through Global Payments (formerly Realex)
- Direct Debits
Known issues:
- Currently the frontend can override the order item price. A better way of allowing / disallowing this override is needed.
- Theoretically, the payment endpoints can be brute-forced, and payments can be initialized / completed on behalf of other people. Some sort of tokenization is needed to make sure that only the user who created the order can pay for it (not sure how viable this is though).
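
One way to approach the tokenization mentioned in the second known issue, as an added example that is not part of the module's code: the server issues an HMAC token bound to the order ID when the order is created, and the payment create / capture / void endpoints reject any request whose token does not verify for the {order_id} in the URL. The function names, the token format, the one-hour lifetime and the idea of returning the token in the order-create response are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; commerce_decoupled_checkout does not ship these.

/** Issue a token bound to a single order, to be returned when the order is created. */
function issue_order_token(string $secret, int $orderId, int $now, int $ttl = 3600): string {
    $expires = $now + $ttl;
    $mac = hash_hmac('sha256', "order:$orderId|exp:$expires", $secret);
    return "$expires.$mac";
}

/** Verify the token presented to a payment endpoint for the given order ID. */
function verify_order_token(string $secret, int $orderId, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false; // token lifetime has passed
    }
    // Recompute over the order ID from the URL, so a token for one order
    // cannot be replayed against a guessed or enumerated order ID.
    $expected = hash_hmac('sha256', "order:$orderId|exp:$expires", $secret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demo values: a random server-side secret and sample order IDs.
$secret = random_bytes(32);
$now = time();
$token = issue_order_token($secret, 1042, $now);

$cases = [
    'token used on its own order'  => verify_order_token($secret, 1042, $token, $now),
    'token used on another order'  => verify_order_token($secret, 1043, $token, $now),
    'token used after expiry'      => verify_order_token($secret, 1042, $token, $now + 7200),
    'malformed token'              => verify_order_token($secret, 1042, 'not-a-token', $now),
];
foreach ($cases as $label => $accepted) {
    echo str_pad($label, 30), $accepted ? 'accepted' : 'rejected', PHP_EOL;
}
```

Because the token is derived from a server-side secret rather than stored, it needs no extra database column, but rotating the secret invalidates every outstanding token.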