I am writing a refund function for our ecommerce site and I'm getting error code 3033 : The RelatedSecurityKey is required.
I have checked and the documentation says this key should be returned when the original transaction was made. We save the details without any modifications to the database, but I can't find it. The return values for my test transaction are:
VendorTxCode=241****
&VPSTxId={EBA625AB-955E-75C8-4409-*********}
&Status=OK
&StatusDetail=0000 : The Authorisation was Successful.
&TxAuthNo=763****
&AVSCV2=SECURITY CODE MATCH ONLY
&AddressResult=NOTMATCHED
&PostCodeResult=NOTMATCHED
&CV2Result=MATCHED
&GiftAid=0
&3DSecureStatus=NOTCHECKED
&CardType=VISA
&Last4Digits=0006
&Amount=25.00
Any suggestions?
SecurityKey - Only present if Status is OK.
To register the initial transaction, you post to Sage Pay via the Transaction Registration URL (A1).
Sage Pay send a server reponse to the tranasction registration POST in the Server protocol (see A2 in Sage Pay Server Protocol). The response includes the following - VPSProtocol, Status, StatusDetail, VPSTxId, SecurityKey and NextURL.
[A Security key which Sage Pay uses to generate a MD5 Hash to sign the Notification message (step A3 from the Sage Pay Server protocol, which is the example you are providing in response to the Notification post via the Notification URL). The signature is called VPSSignature. This value is used to allow detection of tampering with notifications from the Sage Pay Server. It must be kept secret from the Customer and held in your database. Only present if Status is OK.] You need the SecurityKey incase want to refund against the transaction in future as this will become the RelatedSecurityKey.
The NextURL redirects the customer/shopper to the Sage Pay payment page.
Sage Pay then notify you via the NotificationURL with the VPSSignature. (A3)
You then acknowledge receipt of the post and the customer is redirected via the RedirectURL back to a page on your website.
Related
I'm getting 417 error when calling https://apple-pay-gateway.apple.com/paymentservices/startSession with body:
{
"merchantIdentifier": "merchant.com.***",
"displayName": "***",
"initiative": "web",
"initiativeContext": "***"
}
The response I get:
{
"statusMessage": "Payment Services Exception merchantId=2B4D7F37BB3374A2C6B9F28C1042C408F9727EFE09C21EE71297302EBC830DF0 not registered for service",
"statusCode": "417"
}
Strange thing is with the same setup approximately 1% of calls returned the correct session, but most of the time api responds with 417. I've already tried to remove whole merchant identntifier and created new with all the new certs and domain registration - didn't help, now I get 417 for all requests. Any ideas? I could not find any information on apple docs what this error actually means.
Config below:
I've already tried:
creating new apple merchant identifier, merchant certificate, payment processing certificate from scratch three times
I've added and validated domain for frontend website and api
I've tried to make a request locally from postman and from the deployed api on validated domain - in both cases I'm using mechant certificate and private key
I've also tried to cnofigure the merchant identifier I'm using as part of Apple App ID Configuration - so it's assigned to Apple Pay Payment Processing capability. I want to use apple pay web integration, so this step does not make much sense anyway.
This is my current understanding of recaptcha (using v2 invisible)
We load the api.js script onto our site
We add data attributes to the button
User clicks button
A listener somewhere in the api.js script fires because it's listening for an event on a tag with those data attributes
This is where it gets fuzzy and I start guessing:
api.js gathers browsing info from the user's cookies and information about how they interacted with the site. Based on this it determines how likely you are are to be a bot and if you are below a certain threshold it gives you a test. Whether you pass the test then gets further factored into your score and all of that gets encoded into a token, which we receive in our callback that we specified on the button's data attribute.
We pass this token to the back end with the rest of our form
From the backend, we make an API request to Google to convert the token into usable information about whether the user passed or failed.
At this point I get confused about why this wasn't just what the api.js script returned in the first place. Does this step only exist in order to give Recaptcha information to further improve it? I just don't understand why this step is here, unless I'm misunderstanding what is going on earlier in the process. Am I getting these we steps wrong? Thanks.
The whole point for captchas is that your server (instead of client in the browser) can verify that the (HTTP) request it received was generated from a real person's actions, when interacting with your application.
This is why your client sends a recaptcha token to your server and your backend consults with the captcha provider about this token and receives trusted information about the original client. In this scenario, your server does not trust the client, so it receives only a token from it. Then it communicates with the trusted captcha provider server-to-server and validates that the token it received from the client is valid and the user behind it is legitimate.
If your client sent the original response from the captcha provider to your backend server, there would be no way for your server to know whether this was a legitimate response from the captcha provider, or a fake one from the client.
I use paypal button in a spring boot web application with thymeleaf, that work fine.
In the js script of the paypal button there is an
onApprove: function(data, actions) {
return actions.order.capture().then(function(orderData) {
// Full available details
console.log('Capture result', orderData, JSON.stringify(orderData, null, 2));
// Show a success message within this page, e.g.
const element = document.getElementById('paypal-button-container');
element.innerHTML = '';
element.innerHTML = '<h3>Thank you for your payment!</h3>';
// Or go to another URL: actions.redirect('thank_you.html');
});
},
I need to know if payment was ok to activate subscription of the user.
I could use this onApprove to send value to the backend but don't think is very secure.
I checked key paypal and it seem webhook exist. Maybe it's the way to go?
Don't know if I need to check
PAYMENT.CAPTURE.COMPLETED
or
INVOICING.INVOICE.PAID
to know if the payment made by the user was ok
For regular one-time PayPal payments (not subscriptions), use a server integration. There is a full stack example in node at https://developer.paypal.com/docs/checkout/standard/ , but the server side of it can be implemented in any environment. You can use the Checkout-Java-SDK to communicate with the PayPal API from your server, or implement your own HTTPS functions for v2/checkout/orders create and capture.
On the client, the approval flow will use its JS functions to call those two routes on your server as needed: the first happens when the button is clicked, to create the order, and the second after a payer approves the payment, to capture the order. The capture route of your server in particular should check the API response received directly from PayPal and verify the totals are as expected before marking the payment as successful.
For PayPal Subscriptions (payment that recurs automatically), the webhook to listen for PAYMENT.SALE.COMPLETED.
I have integrate my paypal account with my magento ecommerce website but when trying to checkout using paypal I am getting the error "PayPal gateway has rejected request. Timeout processing request (#10001: Internal Error"
It looks like a specific payment model configuration issue. Better to contact Paypal technical team to help you on it.
We integrate with SagePay Server using ASP.Net and we seem to have a problem getting session on our NotificationUrl.
We get no information when we try to read session on the Notification page, but strangely the page we set as RedirectUrl can read all the values from session. Can you please advise if we are doing anything wrong or if we have to pass any parameter to access session information on the notification page?
Thanks,
PS: I have also posted the question on SagePay support forum
If I'm not mistaken, the request to NotificationUrl will be done from SagePay server and not customer PC, therefore request will not have customer's cookie/session id that is valid on your server. From your server point of view they (customer and request to NotificationUrl page) would be 2 different persons. Check your web server logs -- they will have different IPs and most (if not all) requests to NotificationUrl would be from the same IP (or IPs in the same subnet).
The RedirectURL is usually a page hosted on your own site which is designed to be an order complete page that we redirect the shopper's web browser to upon transaction completion.
For more information on this, please check Sage Pay Server Protocol and Integration Guidelines.