Skip to content

Base Pay backend confirmation#825

Merged
youssefea merged 3 commits intomasterfrom
base-pay-backend-confirmation
Jan 16, 2026
Merged

Base Pay backend confirmation#825
youssefea merged 3 commits intomasterfrom
base-pay-backend-confirmation

Conversation

@youssefea
Copy link
Contributor

@youssefea youssefea commented Jan 15, 2026

What changed? Why?

Following some feedback from the community, adding more details to the Base Pay guide to improve backend verification and replay attack protection

@cb-heimdall
Copy link
Collaborator

cb-heimdall commented Jan 15, 2026
edited
Loading

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

montycheese
montycheese reviewed Jan 15, 2026
View reviewed changes
docs/base-account/guides/accept-payments.mdx
}>(); // In production, use a persistent database

export async function verifyAndFulfillPayment(
txId: string,
Copy link
Contributor

@montycheese montycheese Jan 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typically the developer would call this type of endpoint with some user auth token of the payer (whether its the SIWE payload, or a JWT from an auth management platform). I would suggest passing a field like payerAddress to this function, and then do a validation that the sender that you get from getPaymentStatus matches the expected payerAddress, so a malicious caller does not try to send someone else's payment to fulfill their order.

Copy link
Contributor

@spencerstock spencerstock Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good callout - I think our solve for this right now is the dataCallback context - where the orderID passes to the wallet and then directly to the backend service with the payment ID now associated with the orderID.

@youssefea youssefea requested a review from montycheese January 16, 2026 17:14
montycheese
montycheese approved these changes Jan 16, 2026
View reviewed changes
Copy link
Contributor

@montycheese montycheese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@youssefea youssefea merged commit 05ba46d into master Jan 16, 2026
8 checks passed
@youssefea youssefea deleted the base-pay-backend-confirmation branch January 16, 2026 21:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@montycheese montycheese montycheese approved these changes

@spencerstock spencerstock Awaiting requested review from spencerstock

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@youssefea @cb-heimdall @montycheese @spencerstock

Comments