Tying up the callback ("Gateway Response") data to a transaction - authorize.net

I am setting up an Authorize.Net DPM (Direct Post Method) payment gateway for a site. There is something I am fundamentally not understanding, and can't tie up the pieces.
The basic operation of DPM is that the merchant site - my site - provides a credit card form. That form is posted directly to Authorize.Net. After the CC and other posted details are authorized, Authorize.Net will POST the results back to my site. I'll refer to this as the callback post. Now here is where things don't quite tie up for me.
The callback POST comes directly from Authorize.Net and does not share a session with the user, so the POST handler only has the posted information to hand. The amount (x_amount) and the Authorize.Net generated transaction ID (x_trans_id) are hashed with a pre-agreed secret and the Authorize.Net account login ID. This can be used to check the authenticity of the system providing that callback. From what I can tell, it is really just checking that the sender knows the pre-agreed secret.
So the only data I can trust in the callback is the amount and the gateway generated transaction ID (and this is the first point at which that ID is available to my site, so its value is meaningless).
What I cannot see is how to tie the results of the authorisation back to the transaction that the end user is paying. There is no other data in the POST that can be trusted not to have been changed, and it does not pass on the merchant-generated ID anyway (a combination of x_fp_sequence and x_timestamp).
What I am expecting to be able to do in the callback is to take the result of the card authorisation, be sure that the result can be trusted, tie it back to the pending transaction stored in the database before the user posted the form to Authorize.Net, so that the transaction can be confidently marked as complete. But how?
I have worked with the SagePay Server gateway, and that also has a callback. However, the callback contains all the fields needed to tie the result back to the transaction being processed (it includes the merchant-generated transaction ID) and importantly it provides a hash of ALL the POSTed fields that need to be trusted so they can be checked.
So what am I overlooking? I can provide sample data if that helps to explain the issue. I'm using OmniPay and am extending the driver for this gateway.
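The trust boundary the question describes, as an added example written for this page (not OmniPay code and not Authorize.Net's SDK): the DPM relay-response hash binds only x_trans_id and x_amount, so a field such as x_invoice_num can be altered in transit without the check failing, whereas a SagePay-style hash over every field catches the same change. The concatenation order in expected_dpm_hash follows the legacy MD5 scheme and is an assumption to confirm against your account, which may now use the SHA-512 signature key instead; the secrets, the sign_all_fields format and the sample POST are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed secrets for the example; real values come from the merchant interface.
MD5_HASH_VALUE = "example-md5-hash-value"   # the "MD5 Hash Value" set in the account
API_LOGIN_ID = "exampleLogin"
FULL_SIGNING_KEY = b"example-full-callback-signing-key"  # for the SagePay-style variant


def expected_dpm_hash(secret, login_id, trans_id, amount):
    """Legacy SIM/DPM response hash: MD5 of the MD5 Hash Value, API Login ID,
    x_trans_id and x_amount concatenated in that order, as uppercase hex.
    (Assumed from the legacy MD5 scheme; Authorize.Net has since replaced it
    with a SHA-512 signature key, so check which one your account uses.)"""
    raw = f"{secret}{login_id}{trans_id}{amount}".encode()
    return hashlib.md5(raw).hexdigest().upper()


def trusted_fields(post, secret, login_id):
    """Return only the fields the hash binds, or None when the hash fails.
    Every other field in the relay POST (x_invoice_num, x_cust_id, merchant-
    defined fields) is echoed back unsigned and must be treated as untrusted."""
    expected = expected_dpm_hash(secret, login_id,
                                 post.get("x_trans_id", ""), post.get("x_amount", ""))
    if not hmac.compare_digest(post.get("x_MD5_Hash", "").upper(), expected):
        return None
    return {"x_trans_id": post["x_trans_id"], "x_amount": post["x_amount"]}


def sign_all_fields(fields, key):
    """SagePay-style alternative: an HMAC over every field that must be trusted,
    in a canonical (sorted, URL-encoded) order, carried in a 'sig' field.
    Hypothetical format for the example, not any gateway's real one."""
    canonical = urlencode(sorted((k, v) for k, v in fields.items() if k != "sig")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_all_fields(fields, key):
    return hmac.compare_digest(fields.get("sig", ""), sign_all_fields(fields, key))


def build_callback(trans_id, amount, invoice):
    """Constructed relay-response POST in the shape Authorize.Net sends."""
    post = {"x_response_code": "1", "x_trans_id": trans_id,
            "x_amount": amount, "x_invoice_num": invoice}
    post["x_MD5_Hash"] = expected_dpm_hash(MD5_HASH_VALUE, API_LOGIN_ID, trans_id, amount)
    return post


def demo():
    genuine = build_callback("2147490000", "49.99", "INV-1001")

    # Tampering with an unsigned field goes unnoticed by the DPM hash ...
    swapped_invoice = dict(genuine, x_invoice_num="INV-9999")
    # ... while tampering with a signed field is caught.
    swapped_amount = dict(genuine, x_amount="0.01")

    # With a hash over all fields the invoice swap is caught too.
    signed = dict(genuine)
    signed["sig"] = sign_all_fields(signed, FULL_SIGNING_KEY)
    signed_swapped = dict(signed, x_invoice_num="INV-9999")

    return {
        "genuine": trusted_fields(genuine, MD5_HASH_VALUE, API_LOGIN_ID),
        "invoice_swap_passes_dpm": trusted_fields(swapped_invoice, MD5_HASH_VALUE, API_LOGIN_ID) is not None,
        "amount_swap_passes_dpm": trusted_fields(swapped_amount, MD5_HASH_VALUE, API_LOGIN_ID) is not None,
        "full_hash_genuine": verify_all_fields(signed, FULL_SIGNING_KEY),
        "full_hash_invoice_swap": verify_all_fields(signed_swapped, FULL_SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence is the one the question arrives at: after the hash check, the handler may act on x_trans_id and x_amount, but anything it uses to locate the pending transaction must be re-validated against the database record (at minimum, the stored amount must equal the signed x_amount) rather than taken from the unsigned part of the POST.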

Related

Prevent Replay attacks when client side NONCES aren't an option

I'm searching for an alternative to NONCES to prevent replay attacks.
My scenario:
I have implemented a ticket shop where you can buy tickets, and to prevent two people from trying to buy the same ticket, I added a reservation system. So when you select the seats, a request to a reservation service is sent which stores the reservation for 10 minutes. Now my problem: how can I prevent a potential attacker from sniffing the reservation requests and replaying them over and over again? This blocks the seats (and in the worst case ALL seats) indefinitely.
As the ticket shop is open source, the code is available if necessary! Thanks in advance!
If someone else is facing the same kind of issue, here's what I did to solve the problem:
I added an optional (admins of the ticket shop can enable it) integration of reCAPTCHA. Once a seat is selected (and therefore needs to be reserved) the invisible captcha is executed and a client-side token is generated. This token is available for 2 minutes and sent to the back-end server, where it will be verified using the Google API. When the token has already been used or timed out, the server sends an error to the client, which will generate a new reCAPTCHA token and retry the request. Potential exploiters would need to generate such tokens on their own, which is - according to Google - not possible.
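The replay check that answer relies on, as an added example (written for this page, not code from the ticket shop): a reservation is only honoured when its token verifies, the verifier accepts a token once and only within its lifetime, and the legitimate client recovers from a rejected token by fetching a fresh one. TokenVerifier stands in for the siteverify round trip (production code POSTs `secret` and `response` to https://www.google.com/recaptcha/api/siteverify and reads `success` and `error-codes` from the reply); its error strings mirror Google's `timeout-or-duplicate` and `invalid-input-response`, while FakeClock, the class names and the TTL constants are the example's own.

```python
import time
import uuid

TOKEN_TTL = 120          # the answer's 2-minute token lifetime
RESERVATION_TTL = 600    # the question's 10-minute seat hold


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


class TokenVerifier:
    """In-process stand-in for the siteverify call. It keeps the two
    properties that defeat replay: a token is honoured once, and only
    within TOKEN_TTL seconds of being issued."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.issued = {}    # token -> issue time
        self.used = set()

    def issue(self):
        """What the invisible widget does in the browser (constructed here)."""
        token = uuid.uuid4().hex
        self.issued[token] = self.clock()
        return token

    def verify(self, token):
        issued_at = self.issued.get(token)
        if issued_at is None:
            return False, "invalid-input-response"
        if token in self.used or self.clock() - issued_at > TOKEN_TTL:
            return False, "timeout-or-duplicate"
        self.used.add(token)
        return True, None


class ReservationService:
    def __init__(self, verifier, clock=time.time):
        self.verifier = verifier
        self.clock = clock
        self.holds = {}     # seat -> hold expiry

    def reserve(self, seat, token):
        # Verify the token before touching any state, so a replayed request
        # can neither create a hold nor refresh an existing one.
        ok, error = self.verifier.verify(token)
        if not ok:
            return {"ok": False, "error": error}
        now = self.clock()
        if self.holds.get(seat, 0) > now:
            return {"ok": False, "error": "seat-held"}
        self.holds[seat] = now + RESERVATION_TTL
        return {"ok": True, "expires_at": self.holds[seat]}


def client_reserve(service, verifier, seat, token=None):
    """Browser-side behaviour from the answer: on a used or expired token,
    obtain a fresh one and retry exactly once."""
    token = token or verifier.issue()
    result = service.reserve(seat, token)
    if not result["ok"] and result["error"] == "timeout-or-duplicate":
        result = service.reserve(seat, verifier.issue())
    return result


if __name__ == "__main__":
    clock = FakeClock()
    verifier = TokenVerifier(clock)
    service = ReservationService(verifier, clock)
    token = verifier.issue()
    print(service.reserve("A1", token))   # honoured
    print(service.reserve("A1", token))   # replay of the sniffed request: rejected
```

The ordering inside reserve is the security-relevant part: the token is consumed before the seat map is read or written, so a captured request can be replayed any number of times without changing a hold's expiry.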

Authorize.Net: How do I verify a hosted payment was successful once the user is redirected back to my site?

I am using the hosted form payment approach to accepting payments from users on my site. I don't see any examples of how to go about verifying the payment once the user is redirected back to my site. Here is how I'm trying to approach it:
1. Generate a token/form based on the cart
2. Post to the form URL and send the user away
3. User returns to a verifying page
4. I have set up a webhook for all payment notifications
5. I receive the notification
6. ?????
7. Verify the payment status and price are correct
8. Navigate the user away from the verifying screen to the next page
In step 6 all I have is the token that was generated for the transaction, and the webhook doesn't provide that token back to me. How do I say "this transaction belongs to this user who is waiting to be verified"?
You can use the getTransactionDetailsRequest in their Transaction Reporting API to get the transaction details. The best place to put this information is in the refTransId field which is a value you can pass in as part of your transaction.

How to get payment response from paypal as boolean in django?

I am using the PayPal API for my Django website. I am able to make payment but don't know how to get the payment response from the PayPal server as either True or False.
Without knowing what you are currently doing, I can only share the best solution.
Create two routes, one for 'Create Order' and one for 'Capture Order', documented here. These routes should return/output only JSON data (no HTML or text).
Pair those two routes with the following approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server
In the Capture Order route, before returning the JSON, examine the response for a PayPal transaction ID in the payments object and store this information in your database. If there is a new transaction ID, its status should be 'COMPLETED' or 'PENDING'. In the latter case, flag it for manual review in PayPal.com
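The check the answer describes in the Capture Order route, as an added example (written for this page, not from the Django project or PayPal's SDK): walk `purchase_units[].payments.captures[]` in the capture response, store any capture id not seen before, treat COMPLETED as paid and PENDING as needing manual review, and answer the True/False the question asks for only when completed captures add up to the order total in the expected currency. The response shape follows the Orders v2 API; the sample response, the order record and the dict standing in for the Django model are constructed, and the view is a plain function so it runs without Django.

```python
from decimal import Decimal

# Capture statuses from PayPal's Orders v2 API that the route reasons about.
GOOD, WAIT = "COMPLETED", "PENDING"


def evaluate_capture(capture_response, expected_value, expected_currency):
    """Reduce a Capture Order response to what the route needs: whether the
    order is paid in full, whether anything needs manual review, and the
    capture records to persist. Returns (paid, needs_review, captures)."""
    captures = []
    completed_total = Decimal("0")
    needs_review = False
    failed = False
    for unit in capture_response.get("purchase_units", []):
        for cap in unit.get("payments", {}).get("captures", []):
            amount = cap["amount"]
            captures.append({"id": cap["id"], "status": cap["status"],
                             "value": amount["value"], "currency": amount["currency_code"]})
            if amount["currency_code"] != expected_currency:
                failed = True            # never total across currencies
            elif cap["status"] == GOOD:
                completed_total += Decimal(amount["value"])
            elif cap["status"] == WAIT:
                needs_review = True      # flag for manual review on PayPal.com
            else:                        # DECLINED, FAILED, REFUNDED, ...
                failed = True
    paid = not failed and not needs_review and completed_total == Decimal(expected_value)
    return paid, needs_review, captures


def record_captures(db, order_ref, captures):
    """Persist only capture ids not seen before: the route can be retried by
    the browser, so the same capture may arrive twice. `db` is a dict standing
    in for the Django model. Returns the ids that were new."""
    new = []
    for cap in captures:
        if cap["id"] not in db:
            db[cap["id"]] = dict(cap, order_ref=order_ref)
            new.append(cap["id"])
    return new


def capture_order_view(capture_response, order, db):
    """The JSON the Capture Order route returns, as a plain dict.
    `order` is the site's own record: {"ref": ..., "total": ..., "currency": ...}."""
    paid, needs_review, captures = evaluate_capture(
        capture_response, order["total"], order["currency"])
    record_captures(db, order["ref"], captures)
    return {"success": paid, "review": needs_review,
            "transactions": [c["id"] for c in captures]}


def sample_response(capture_status="COMPLETED", value="100.00", currency="USD"):
    """Constructed Capture Order response in the shape of the Orders v2 API."""
    return {"id": "5O190127TN364715T", "status": "COMPLETED",
            "purchase_units": [{"reference_id": "default", "payments": {"captures": [
                {"id": "3C679366HH908993F", "status": capture_status,
                 "amount": {"currency_code": currency, "value": value}}]}}]}


if __name__ == "__main__":
    store = {}
    order = {"ref": "order-42", "total": "100.00", "currency": "USD"}
    print(capture_order_view(sample_response(), order, store))
    print(capture_order_view(sample_response("PENDING"), order, store))
```

Comparing the captured total against the site's own stored total, rather than trusting the amount echoed in the response alone, is what stops a client that tampered with the Create Order step from being marked paid for less than the cart is worth.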

Authorize.Net hosted form: how to verify payment succeeded after redirect

I'm using the hosted payment form with getHostedPaymentPageRequest.
After successful payment the browser opens the success URL correctly.
However, I don't know how to verify that the payment was actually completed. I have the token from getHostedPaymentPageRequest, but I can't find an API to call to get the result of that transaction.
I can see that when using an IFrame we can use the IFrameCommunicator, but we would prefer not to use that.
How can I verify the transaction succeeded after the redirect back from the hosted payment page?
If you don't use the iframe you won't get the results of the transaction in real time. Your best option then is to use a webhook to receive a notification of the successful payment. You can then get the transaction info using the transaction ID provided by the webhook. But that would mean the user won't know the status of their payment when they arrive back at your site. For that to happen you'd have to build a mechanism that does the above and have your receipt page poll your backend until it has the results of the transaction and then can display them to the user.

Recording Google Analytics Goal by API

Is it possible to use userID and the API to record a user having done an event (i.e. reached a goal) by API?
For example, if I set up my GA installation to record userID for logged in users, but the Goal I want to record is something that happens when the user is offline.
Can I use an API somehow to tell Google "User 001 completed Goal X"?
Or, alternatively, can I pull a unique identifier from a user's cookie, store it on my server side linked to the user id, and fake a js call back to Google once the goal is reached, as if the user were viewing a success page?
You can fetch the client id from the cookie. Google recommends using their get function:
ga(function(tracker) {
var clientId = tracker.get('clientId');
});
as "developers should not directly access the cookie analytics.js sets as the cookie format might change without warning."
You can then send an event or virtual url using the measurement protocol and set up a goal based on that url or event (btw. there is nothing "fake" about it, this is exactly the thing the measurement protocol is supposed to cover).
The caveat is that the data will probably end up in a new session, so the original source might get lost (that's an issue if you do advertising).
Another approach, if your users are usually logged in, would be the User-ID feature (despite its name it does not ID individual users, but it allows you to collect user data across devices as long as a unique ID is sent per user from each device. The ID is not exposed in the interface).
You would again use the measurement protocol, but this time send along the user id (you still need to send a client id, but it will be overwritten by the user id). If you enable session unification, the logged-in visits of the users (and your measurement protocol calls) will be stitched together into user-level reporting (this requires a special data view which will include only data from visits that have a User ID set). Unlike the client id, which is generated by the Google Analytics JavaScript code, the User ID is generated on your server and passed in to GA.
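The server side of both approaches in the answer, as an added example written for this page (not the answerer's code): the client id sent up from the browser is validated before being linked to the account, and the offline goal is recorded by building a Measurement Protocol event hit that carries `cid` and, for the User-ID flow, `uid`. The parameter names (`v`, `tid`, `cid`, `uid`, `t`, `ec`, `ea`, `el`) and the collect endpoint are those of the Universal Analytics Measurement Protocol, which stopped processing hits when Universal Analytics was retired in 2023 (2024 for 360 properties); the client id pattern, the tracking id and the dict standing in for the user table are the example's own.

```python
import re
from urllib.parse import parse_qs, urlencode

# analytics.js client ids look like "1234567890.1234567890"; a UUID form also exists.
# The pattern is the example's assumption about acceptable input, not Google's spec.
CLIENT_ID_RE = re.compile(
    r"^(\d{1,20}\.\d{1,20}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

# Universal Analytics collect endpoint (no longer processing hits since UA's retirement).
MP_ENDPOINT = "https://www.google-analytics.com/collect"


def store_client_id(db, user_id, client_id):
    """First approach: the cid arrives from the browser and is untrusted, so
    validate it before linking it to the account. Returns True when stored."""
    if not isinstance(client_id, str) or not CLIENT_ID_RE.match(client_id):
        return False
    db[user_id] = client_id
    return True


def goal_hit(tracking_id, client_id, action, category="offline", user_id=None, label=None):
    """Body of the POST to MP_ENDPOINT that records the event the goal is
    built on; passing user_id adds `uid` and switches on the User-ID flow
    from the second approach (a cid is still required alongside it)."""
    params = {"v": "1", "tid": tracking_id, "cid": client_id,
              "t": "event", "ec": category, "ea": action}
    if user_id is not None:
        params["uid"] = str(user_id)
    if label is not None:
        params["el"] = label
    return urlencode(params)


def record_goal(db, tracking_id, user_id, action):
    """Look up the cid captured for this user and produce the hit, or None
    if no cid was ever captured (then there is nothing to stitch the hit to)."""
    client_id = db.get(user_id)
    if client_id is None:
        return None
    return goal_hit(tracking_id, client_id, action, user_id=user_id)


if __name__ == "__main__":
    users = {}
    store_client_id(users, "001", "1234567890.1234567890")
    body = record_goal(users, "UA-12345-1", "001", "goal-x")
    print(body)
    print(parse_qs(body))
```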