Plugin to manage a credit system

I was wondering while watching grav-plugin-thumb-ratings if it would be possible to create a Grav plugin to allow users to buy credits and see them in their profile, and let them be stored in an external database. It would have to interact with grav-login, and be secure enough to interact with a payment system. Is this feasible to do with Grav / Grav plugins? If so, is there a plugin other than thumb-ratings that could point me in the right direction?

I imagine the GravCart-plugin could do something of the sort.

If you use Stripe or PayPal, they often have simple JavaScript code blocks that you can include, or even buy buttons, that can allow you to sell products easily with Grav with a minimal amount of effort.

The question was a bit more focused on the relationship between users and credits, rather than the “buying” part. I suppose a Credits Plugin, where after the user buys a pack through one of the methods you mentioned they could be shown in their profile or similar, would be necessary to make this work. It’s my first time using Grav’s plugin system so it’s a bit difficult for me to visualize the entire process.

There was a recent discussion on a similar process. To rephrase my suggested process from there:

  1. Customer A pays for something.
  2. A proof of purchase is returned via the vendor (PayPal, Stripe, carrier pigeon) to the server, which stores it, and it identifies the purchase as being done by Customer A.
  3. When needed, the purchase can be verified against this data, for instance for any benefits/credits the user has.

Really, you just need to think of what data you want to store upon successful purchases. At minimum, this would include normal payment details and customer details, so it can be used to identify value.

If you want to store the data externally, a simple request (REST, PDO, other API) to a server will allow this. The only security-flaw would be if external requests are not protected, stored data is public, or your server does not withstand attack-vectors against Grav’s admin. Naturally you’d want the site in its entirety to run with SSL, as all sites with some commerce do (and should anyways).

In my opinion, and I’ve gone through such setups a few times before, most of your concerns are addressed by normal masking and protection of the login and using a service like CloudFlare. Any payment-service already has enterprise-level security, most hosting providers have the good sense to redundantly protect their servers, and unless you attract a lot of attention the likelihood of being hacked is low.
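
Steps 2 and 3 of the process above in PHP, as an added example that is not part of any post in this thread and is not Grav's or any payment vendor's code. It assumes the vendor signs each notification body with HMAC-SHA256 under a shared secret; the secret, field names, table and function names are hypothetical, and the sample event is constructed.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not Grav's or a payment vendor's API.

const WEBHOOK_SECRET = 'constructed-test-secret'; // assumption: secret shared with the vendor

function openLedger(): PDO
{
    $db = new PDO('sqlite::memory:'); // stands in for the external database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // event_id is the primary key, so a replayed notification cannot credit twice.
    $db->exec('CREATE TABLE purchases (event_id TEXT PRIMARY KEY, username TEXT NOT NULL, credits INTEGER NOT NULL)');
    return $db;
}

// Step 2: store the proof of purchase only if the vendor's signature verifies.
function recordPurchase(PDO $db, string $rawBody, string $signatureHex): string
{
    // Sign the raw bytes as received and compare in constant time.
    if (!hash_equals(hash_hmac('sha256', $rawBody, WEBHOOK_SECRET), $signatureHex)) {
        return 'rejected';
    }
    $e = json_decode($rawBody, true);
    if (!is_array($e) || !is_string($e['id'] ?? null) || !is_string($e['user'] ?? null)
        || !is_int($e['credits'] ?? null) || $e['credits'] <= 0) {
        return 'rejected';
    }
    $stmt = $db->prepare('INSERT OR IGNORE INTO purchases (event_id, username, credits) VALUES (?, ?, ?)');
    $stmt->execute([$e['id'], $e['user'], $e['credits']]);
    return $stmt->rowCount() === 1 ? 'stored' : 'duplicate';
}

// Step 3: the balance is derived from stored, verified purchases, never from client input.
function creditBalance(PDO $db, string $username): int
{
    $stmt = $db->prepare('SELECT COALESCE(SUM(credits), 0) FROM purchases WHERE username = ?');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample: one genuine notification, its replay, and an altered copy.
$db = openLedger();
$body = '{"id":"evt_constructed_1","user":"customer_a","credits":50}';
$sig = hash_hmac('sha256', $body, WEBHOOK_SECRET);
echo recordPurchase($db, $body, $sig), "\n";
echo recordPurchase($db, $body, $sig), "\n";
echo recordPurchase($db, str_replace('50', '5000', $body), $sig), "\n";
echo creditBalance($db, 'customer_a'), "\n";
```

A profile page would call `creditBalance()` with the logged-in username, so the displayed credits always trace back to a verified purchase record.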

Thank you very much for the thorough reply, I’ll try my hand at it and see how it goes!