Open Fifciu opened 2 years ago
Hi @Fifciu,
Just to be sure that we are on the same page are you talking about the following scenario?
If so, is there any particular reason why you wouldn't use the GraphQl request to get the payment methods?
Thanks, Jean Adyen
Hi here,
I'm working with a framework who use the same web-service call and I got the same blocking issue.
At this time the framework don't use directly the GQL call.
Stéphane.
Hi @AIMAR-S,
Thank you for confirming the issue, your feedback is highly appreciated.
@Fifciu, could you please let us know whether you are indeed logging in via GraphQl and not using a GraphQl request to retrieve the payment methods? If this is indeed the case, could you please elaborate on the reason you are not using the GraphQl request for the call?
Thank you in advance,
Kind regards, Rok, Adyen
Hi @RokPopov . Yes, I confirm that. So I am connecting to the integration created by a totally different team. My integration based on Rest API since the beginning and rewriting it to the GQL is too big for now.
Hi @Fifciu,
Just to check, are you also including the Access Token
mentioned in point 2(c) here when attempting the retrieve-adyen-payment-methods
call?
Thanks, Jean Adyen
Hi @Fifciu,
Just to check, are you also including the
Access Token
mentioned in point 2(c) here when attempting theretrieve-adyen-payment-methods
call?Thanks, Jean Adyen
Only in "My temporary solution" (check section in the main post). I've expected user to be able to access own payment just with own customerToken
it seems like we have the same problem as well. I'm a bit surprise that we can't access this API as a customer.
Just to check, are you also including the Access Token mentioned in point 2(c) here when attempting the retrieve-adyen-payment-methods call?
the documentation is not super clear there. @Morerice By Access Token, you mean this one:
That does not look to work with an integration that grant access access to all resources.
Hi @dpobel,
Apologies for the delay. Yes that is the access token that we're referring to. However if you don't want to use the OAuth-based Authentication that Magento recommends, you will also need to run that console command to restore using the access token as a bearer token.
Regards, Jean Adyen
Hi,
Just to add more context. Up to version 7.x, the endpoint /V1/carts/mine/retrieve-adyen-payment-methods
required the self
resource (i.e. the Bearer token needed to authenticate this resource was the user's session token). That was OK and in line with all other Magento endpoint that has /mine/
as part of their URL and are used to request logged-in users info.
However, in version 8.0 the resource for this endpoint was changed to Adyen_Payment::paymentMethods
, which is a breaking change, since any existing app now needs to send an Admin Magento token as Bearer token, instead of the user's token.
Not sure what was the rationale for that change, but in my opinion it was wrong since it has modified the API contract and broken pre-existing apps that used this endpoint (which was our case, so we have created a patch to patch it back to self
)
Today I had to work on a fix (well a workaround) for a headless checkout we are working on due to this bizarre architectural decision.
Looking at this definition:
<route url="/V1/carts/mine/retrieve-adyen-payment-methods" method="POST">
<service class="Adyen\Payment\Api\AdyenPaymentMethodManagementInterface" method="getPaymentMethods"/>
<resources>
<resource ref="Adyen_Payment::paymentMethods"/>
</resources>
<data>
<parameter name="cartId" force="true">%cart_id%</parameter>
</data>
</route>
Why is the role for this Adyen_Payment::paymentMethods
and not self
? The role it is currently configured with is an admin/integration specific role. I'm curious if this endpoint actually works because the %cart_id%
param is set to force="true"
meaning there will never be a cartId
passed to this method because admin/integration roles don't have a cartId
available to them. On top of that shouldn't this be a GET
request as we are getting the payment methods and not saving anything.
Then we looked at using this one. It's got the anonymous role so will work with %cart_id%
, it's still a POST
when it really should be a GET
, however looking at the method signature it requires a form key? Why!?!
<route url="/V1/internal/carts/mine/retrieve-adyen-payment-methods" method="POST">
<service class="Adyen\Payment\Api\Internal\InternalAdyenPaymentMethodManagementInterface" method="handleInternalRequest"/>
<resources>
<resource ref="anonymous"/>
</resources>
<data>
<parameter name="cartId" force="true">%cart_id%</parameter>
</data>
</route>
I feel these endpoints have been massively overcomplicated by requiring a user to follow this guide instead of simply using Magento's core functionality that will handle the current cart in the session for you.
Hi guys,
Based on your feedback we will be reviewing the access rights of these endpoints. However these changes may only be added on our next major release which for now is scheduled for Q1 2023. They cannot be done on the current v8, since they would be breaking for any merchants that have followed our suggestion and implemented an oath integration.
Thanks, Jean Adyen
Hey guys,
We're currently considering to implement the following resources and permissions. Do you have any feedback about this?
/V1/guest-carts/:maskedCartId/retrieve-adyen-payment-methods
- anonymous/V1/carts/mine/retrieve-adyen-payment-methods
- self/V1/adyen/guest-carts/:maskedCartId/payment-details
- anonymous/V1/adyen/carts/mine/payment-details
- self/V1/adyen/guest-carts/:maskedCartId/donations
- anonymous/V1/adyen/carts/mine/donations
- self/V1/adyen/guest-carts/:maskedCartId/payment-status
- anonymous/V1/adyen/carts/mine/payment-status
- self/V1/adyen/guest-carts/:maskedCartId/state-data
- anonymous/V1/adyen/carts/mine/state-data
- self/V1/adyen/initiate-terminal
- anonymousRegards, Jean Adyen
Updated proposal:
Resource | Permission | Additional info |
---|---|---|
/V1/guest-carts/:maskedCartId/retrieve-adyen-payment-methods | anonymous | |
/V1/carts/mine/retrieve-adyen-payment-methods | self | |
/V1/adyen/guest-carts/:maskedCartId/payment-details | anonymous | |
/V1/adyen/carts/mine/payment-details | self | |
/V1/adyen/guest-carts/:maskedCartId/state-data | anonymous | |
/V1/adyen/carts/mine/state-data | self |
Resource | Permission | Additional info |
---|---|---|
/V1/adyen/orders/carts/:maskedCartId/donations | anonymous | Require the order to be in specific states |
/V1/adyen/orders/carts/:maskedCartId/payment-status | anonymous | Require the order to be in specific states |
Resource | Permission | Additional info |
---|---|---|
/V1/adyen/initiate-terminal | anonymous |
It makes sense to me. Also, it's worth emphasizing breaking changes in docs because I see:
/V1/adyen/paymentDetails
path has been modified from camelCase to kebab-case,/V1/adyen/paymentDetails
separated into two endpoints based on whether it's a customer or a guest.Thanks for your feedback @Fifciu. Yes, this will be emphasized on the respective PR, on the release notes and also on our adyen docs once it's released.
Regards, Jean Adyen
@Morerice Thanks for reaching out for community feedback. I haven't had time to look into this yet (Will review when I get a moment 🙂 ) but I have shared it with the dev team at work as we use Adyen on a number of clients with varying levels of custom checkout integration.
Describe the bug It is impossible to fetch available payment methods as a customer via Rest API if the customer signed in via GQL.
To Reproduce Steps to reproduce the behavior:
/V1/carts/mine/retrieve-adyen-payment-methods
Expected behavior Resource should be
anonymous
or maybe(?)self
. Here. The customer is able to use native endpoints likeGET /V1/customers/me
orGET /V1/carts/mine
with GQL token so they should be able to usePOST /V1/carts/mine/retrieve-adyen-payment-methods
too.Magento version 2.4.3
Plugin version 8.2.5
Additional context I am conscious there is GQL approach for Adyen M2 integration but I don't want to be one of their early adapters.
My temporary solution I am sending cartId (as hash) and customerToken from the frontend to my middleware. There I compare if the customer is owner of the cart if so - I am fetching unmasked cart ID and sending it to the endpoint but I am using newly generated integration token instead of customer token. Is it fine in your opinion?