As the title indicates - is the transaction confirmation check client-side (JavaScript in the browser) or server-side (Node.js/PHP/etc.)?
It currently looks to me that the library is purely client-side, but I might be gravely mistaken (please correct me in that case) - and the main problem with this is that an attacker can simply modify the quantity via the console / in the browser.
The only two secure options I see are the following:

1. Have a central organization (like PayPal) which does the processing and IS sufficiently secure; it can then act as an intermediary to confirm transactions. In this case the client-side approach will work, because the post-transaction step will be handled by your central organization (e.g. calling a PHP page with a specific one-time ID number, etc.).
2. Have a 'confirmation server' installed with the package (most probably a Node.js or PHP server, and maybe Python) which does nothing but receive requests from the client JavaScript to order 10 of XYZ with memo ABC. It then waits until the payment is verified and, when verified, replies to the client with the post-transaction details (such as a generated software key, etc.).

If the post-transaction details are stored in the JavaScript, or the quantity is coded into the JavaScript, it will always be vulnerable.
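
One way the 'confirmation server' option in the comment above could look, as an added Node.js example that is not part of the original issue or the library's code. The catalog, the class, the `lookupPayment` hook and the in-memory ledger are assumptions; the hook stands in for whatever server-side query the payment network offers, and here the server (not the browser) issues the one-time memo.

```javascript
// Added example; every name here is hypothetical, not the library's API.
const rng = globalThis.crypto ?? require('node:crypto'); // both expose randomUUID()
// Server-side price list (constructed): the client never supplies a price or total.
const CATALOG = new Map([['XYZ', { unitPrice: 5 }]]);

class ConfirmationServer {
  // lookupPayment(memo) is an assumed hook: the server itself asks the payment
  // network what arrived for this memo and gets { amount } or null.
  constructor(lookupPayment) {
    this.lookupPayment = lookupPayment;
    this.orders = new Map();
  }

  // Step 1: the browser asks for `quantity` of `item`; the amount is computed here.
  createOrder(item, quantity) {
    const product = CATALOG.get(item);
    if (!product || !Number.isInteger(quantity) || quantity < 1) {
      throw new Error('invalid order');
    }
    const memo = rng.randomUUID(); // one-time ID the payer attaches to the payment
    const amountDue = product.unitPrice * quantity;
    this.orders.set(memo, { amountDue, fulfilled: false });
    return { memo, amountDue };
  }

  // Step 2: the browser polls; the key is released only after server-side verification.
  confirm(memo) {
    const order = this.orders.get(memo);
    if (!order) return { status: 'unknown' };
    if (order.fulfilled) return { status: 'already-fulfilled' };
    const payment = this.lookupPayment(memo);
    if (!payment || payment.amount < order.amountDue) return { status: 'pending' };
    order.fulfilled = true; // each memo unlocks exactly one delivery
    return { status: 'paid', licenseKey: rng.randomUUID() };
  }
}

// Constructed run: an in-memory Map stands in for the payment network.
function demo() {
  const ledger = new Map();
  const server = new ConfirmationServer((memo) => ledger.get(memo) ?? null);
  const { memo, amountDue } = server.createOrder('XYZ', 10);
  const before = server.confirm(memo).status;
  ledger.set(memo, { amount: 5 }); // payer sent the price of 1 unit, not 10
  const underpaid = server.confirm(memo).status;
  ledger.set(memo, { amount: amountDue });
  const paid = server.confirm(memo);
  return { amountDue, before, underpaid, paid, replay: server.confirm(memo).status };
}
```

Because the amount due and the key generation both live on the server, editing the quantity in the browser console only changes what the client displays, not what the server will accept as paid.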