Base Pay backend confirmation

[youssefea]

What changed? Why?

Following some feedback from the community, adding more details to the Base Pay guide to improve backend verification and replay attack protection

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1

[montycheese]

Typically the developer would call this type of endpoint with some user auth token of the payer (whether its the SIWE payload, or a JWT from an auth management platform). I would suggest passing a field like payerAddress to this function, and then do a validation that the sender that you get from getPaymentStatus matches the expected payerAddress, so a malicious caller does not try to send someone else's payment to fulfill their order.

[spencerstock]

Good callout - I think our solve for this right now is the dataCallback context - where the orderID passes to the wallet and then directly to the backend service with the payment ID now associated with the orderID.