Pulling Checkout Response violates security #145

@ChrisCoder123

Hi,

I am doing a successful checkout over the API and the Solo device successfully displays the amount given in the checkout.
Afterwards I am polling the status, but then I am getting a security violation when polling the status,
which is weird, because I have done the checkout successfully.
Why should I not be able to poll the status of my checkout?
Code used for calling and polling:

```python
import asyncio
import logging

# CreateReaderCheckoutBody, CreateReaderCheckoutBodyTotalAmount and APIError come
# from the SumUp Python SDK (version 0.0.15); their import lines were not part of
# the snippet. `client` is an initialised SDK client, `solo` the reader object.


async def checkout_and_poll(client, merchant_code, solo):
    try:
        # 1. Create the checkout on the Solo reader
        checkout = await client.readers.create_checkout(
            merchant_code,
            solo.id,
            CreateReaderCheckoutBody(
                total_amount=CreateReaderCheckoutBodyTotalAmount(currency="EUR", value=100, minor_unit=2),
            ),
        )
        logging.info(f"DEBUG: Empfangenes Checkout-Objekt: {checkout}")

        client_tx_id = checkout.data.client_transaction_id
        logging.info(f"Checkout gestartet. Client Transaction ID: {client_tx_id}")

        # 2. Poll the payment status
        logging.info("Warte auf Zahlungsstatus (Polling)...")
        for _ in range(30):  # wait at most 60 seconds
            await asyncio.sleep(2)  # wait 2 seconds between queries
            transaction = await client.transactions.get(client_tx_id)
            logging.info(f"Polling-Status für Transaktion {client_tx_id}: {transaction.status}")
            if transaction.status == "SUCCESSFUL":
                logging.info(f"✅ Zahlung {client_tx_id} erfolgreich!")
                return
            if transaction.status in ["FAILED", "CANCELLED"]:
                logging.warning(f"❌ Zahlung {client_tx_id} fehlgeschlagen oder wurde abgebrochen.")
                return

        # If the loop ends without a result
        logging.warning(f"⌛ Timeout bei der Abfrage des Zahlungsstatus für {client_tx_id}.")
    except APIError as e:
        logging.error(f"Fehler bei der Kommunikation mit der SumUp API: {e.message}")
        logging.error(f"   HTTP Status Code: {e.status}")
        logging.error(f"   Antwort vom Server (Body): {e.body}")
    except Exception as e:
        logging.error(f"Ein unerwarteter Fehler ist aufgetreten: {e}")
```

Doing this results in an error.

```
2025-12-18 10:10:40,642 [INFO] - Warte auf Zahlungsstatus (Polling)...
2025-12-18 10:10:42,713 [INFO] - HTTP Request: GET https://api.sumup.com/v2.1/merchants/1297a595-a703-446f-84f1-002d43543f34/transactions "HTTP/1.1 403 Forbidden"
2025-12-18 10:10:42,715 [ERROR] - Fehler bei der Kommunikation mit der SumUp API: Unexpected response
2025-12-18 10:10:42,715 [ERROR] -    HTTP Status Code: 403
2025-12-18 10:10:42,715 [ERROR] -    Antwort vom Server (Body): {"type":"https://developer.sumup.com/problem/forbidden","detail":"Not allowed, subject \"user:b026ff1e...........\" doesn't have permission \"merchant_read\" for object \"merchant:1297a595-a........\".","instance":"3b890...........","status":403,"title":"Forbidden"}
```

By the way, it would be easier if you extended your Python examples a little bit on GitHub.
SumUp version used: 0.0.15
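The 403 body quoted in the issue is an RFC 7807 problem document: it names the subject (a `user:` token), the permission it lacks (`merchant_read`) and the object the check was made against. For a poller that is a deterministic authorization failure, not a state worth waiting on, so the loop should stop on it and surface the scope gap instead of burning the remaining attempts. The block below is an added example, not code from the issue or from the SumUp SDK: it uses only the Python standard library, assumes the `detail` wording matches the one quoted above, and uses constructed placeholder ids in place of the real user, merchant and instance values.

```python
import json
import re
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample body with the same shape as the 403 quoted in the issue;
# the user, merchant and instance ids are placeholders, not real values.
SAMPLE_403_BODY = (
    '{"type":"https://developer.sumup.com/problem/forbidden",'
    '"detail":"Not allowed, subject \\"user:USER-ID-PLACEHOLDER\\" doesn\'t have '
    'permission \\"merchant_read\\" for object \\"merchant:MERCHANT-ID-PLACEHOLDER\\".",'
    '"instance":"INSTANCE-PLACEHOLDER","status":403,"title":"Forbidden"}'
)

# Matches the detail sentence as quoted in the issue (assumption: the wording is stable).
_DETAIL_RE = re.compile(
    r'subject "(?P<subject>[^"]+)" doesn\'t have permission "(?P<permission>[^"]+)"'
    r' for object "(?P<object>[^"]+)"'
)


@dataclass
class ErrorDecision:
    status: int
    retry: bool                       # True only if polling again could change the outcome
    reason: str                       # short explanation suitable for a log line
    subject: Optional[str] = None     # e.g. "user:..." from the problem detail
    permission: Optional[str] = None  # e.g. "merchant_read"
    obj: Optional[str] = None         # e.g. "merchant:..."


def parse_json_object(body: str) -> dict:
    """Parse a JSON object body (problem+json or a normal payload); {} on junk."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def classify_api_error(status: int, body: str) -> ErrorDecision:
    """Turn a non-2xx response into a retry decision, extracting the scope gap if present."""
    detail = str(parse_json_object(body).get("detail", ""))
    m = _DETAIL_RE.search(detail)
    subject = m.group("subject") if m else None
    permission = m.group("permission") if m else None
    obj = m.group("object") if m else None
    if status in (401, 403):
        # Authorization is deterministic: the same token will be refused again,
        # so retrying only burns requests and hides the real problem (token scope).
        reason = (f"token {subject} lacks permission {permission} on {obj}"
                  if m else "request not authorized")
        return ErrorDecision(status, False, reason, subject, permission, obj)
    if status == 429 or 500 <= status <= 599:
        return ErrorDecision(status, True, "rate limited or server error; back off and retry")
    return ErrorDecision(status, False, f"unexpected HTTP {status}; not retrying")


def backoff_seconds(attempt: int, base: float = 2.0, cap: float = 30.0) -> float:
    """Capped exponential backoff: 2, 4, 8, 16, 30, 30, ... seconds."""
    return min(cap, base * (2 ** attempt))


def poll_transaction(
    fetch: Callable[[], Tuple[int, str]],
    max_attempts: int = 30,
    sleep: Callable[[float], None] = time.sleep,
):
    """Poll until the transaction is final, an unrecoverable error occurs, or attempts run out.

    fetch() performs one GET and returns (http_status, body_text); it is injected so
    the loop can be exercised offline. Returns (outcome, detail) where outcome is one
    of "successful", "failed", "error" or "timeout".
    """
    for attempt in range(max_attempts):
        status, body = fetch()
        if 200 <= status < 300:
            payload = parse_json_object(body)
            tx_status = payload.get("status")
            if tx_status == "SUCCESSFUL":
                return "successful", payload
            if tx_status in ("FAILED", "CANCELLED"):
                return "failed", payload
            # PENDING or unknown status: keep polling
        else:
            decision = classify_api_error(status, body)
            if not decision.retry:
                return "error", decision
        sleep(backoff_seconds(attempt))
    return "timeout", None


if __name__ == "__main__":
    print(classify_api_error(403, SAMPLE_403_BODY))
```

`fetch` and `sleep` are injected so the loop is testable without network access; in a real integration `fetch` would wrap the SDK call and return the HTTP status and body from the caught `APIError`. The extracted `subject`, `permission` and `obj` fields are what you want in the log line, because they tell you which credential needs which scope on which merchant rather than just "403".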
