Arcadier / Developer-Community-Support

Share new ideas with us and report bugs/problems here

Issue on Headers received #30

Closed Arcadier-Support closed 3 years ago

Arcadier-Support commented 3 years ago

Hi guys, we are having some problems with the headers that reach a plugin we have created for Arcadier. We have the following scenario:

I created an endpoint in PHP in a plugin that's installed on our marketplace (https://shieldmedical.sandbox.arcadier.io/) which finishes the payment process and updates the invoice record according to whether the transaction payment succeeded or not. When Gravity Payments finishes processing a payment, it sends a POST request (that POST request doesn't require/use the Arcadier Bearer Auth) to that endpoint with a JSON response as body content, as well as the following headers: {

"Content-Type": "application/json",

"xxx": "xxx"

}

Specifically, we need the xxx header in order to validate the source of the POST request before continuing the process of updating the invoice as paid/failed. The headers we receive at our endpoint do not seem to be the ones we expected, or seem to be overridden in some way by Arcadier when they reach the endpoint: {\"Content-Type\":\"text/plain; charset=utf-8\",\"Content-Length\":\"723\",\"xxx\":\"xxx\",\"xxx\":\"xxx\",\"Host\":\"php.local\",\"Expect\":\"100-continue\",\"Cookie\":\"marketplace=shieldmedical.sandbox.arcadier.io; protocol=https\"}

As a final note, we are fetching all headers using the PHP function getallheaders().

We would like to know what we can do about it, since our client wants to implement this validation for security reasons.

tanoojoy commented 3 years ago

Could I have the ZIP file of your PHP endpoint and some instructions on how to use it?

The purpose is to try to replicate your issue; only then can I know how to help you.

MAcostaTowa commented 3 years ago

Steps to reproduce the error (e.g. with Postman).

Zip File: xxx

Custom Fields and Custom tables required, setup: xxx

URL: xxx

With your marketplace could be: xxx

This endpoint is triggered by a third party (Gravity Payments) when a successful payment occurs, sending the payment information (JSON content) as well as some headers. The endpoint then verifies the source of the request: it checks the header sent by the requester against the one the endpoint has, and if those strings match, it updates the invoice as Paid/Failed.

Method: POST

Only one header is required: xxx. Value for HMAC-Signature: this one, xxx, or any string for test purposes.

Body content to send:

{
    "accountCardType": "VS",
    "accountEntryMethod": "Keyed",
    "accountExpiryDate": "0421",
    "amount": "15.00",
    "amountBalance": "",
    "amountProcessed": "15.00",
    "amountTipped": "0.00",
    "approvalNumberResult": "025583",
    "avsResponseCode": "Y",
    "avsResponseText": "Address: Match & 5 Digit Zip: Match",
    "batchNumber": "1",
    "billingName": "",
    "cashier": "",
    "cvvResponseCode": "N",
    "cvvResponseText": "No Match",
    "externalTransactionId": "xxx",
    "isPartialApproval": false,
    "maskedAccount": "************9016",
    "resultMessage": "Approved",
    "resultStatus": "true",
    "transactionReference": "xxx",
    "transactionType": "CreditSale",
    "uniqueTransId": "xxx"
}

If you want to send this to your marketplace, make sure that transactionReference matches an OrderId you have created.


Response: since we have currently turned off the header verifier in this endpoint (subPostBackGravityTransaction_service.php), the response will, because of the issue, always update the invoice as paid/failed; that response can be skipped for now. In order to see which headers came with the transaction, this endpoint also logs the header list from the last transaction made in a Custom Field called PostbackResponse, allocated in the marketplace CFs, which can be displayed using the Arcadier API https://shieldmedical.sandbox.arcadier.io/api/v2/marketplaces

As you can see in this response:

{
"Code": "xxx",
"Name": "PostbackResponse",
"DataFieldType": "string",
"Values": [
"{\"headers\":{\"Content-Type\":\"text/plain; charset=utf-8\",\"Content-Length\":\"886\",\"X-Newrelic-Transaction\":\"PxRTAgVUXFAFUwBXDwkEVFwBFB8EBw8RVU4aBltbA1ZQUA4ABFkLUVYOB0NKQVwFVVcAUwAIFTs=\",\"X-Newrelic-Id\":\"VwYCUVNWARAIVFVSDggCVlM=\",\"Host\":\"php.local\",\"Expect\":\"100-continue\",\"Cookie\":\"marketplace=shieldmedical.sandbox.arcadier.io; protocol=https\"},\"jsonBody\":{\"accountCardType\":\"VS\",\"accountEntryMethod\":\"Keyed\",\"accountExpiryDate\":\"0421\",\"amount\":\"15.00\",\"amountBalance\":\"\",\"amountProcessed\":\"15.00\",\"amountTipped\":\"0.00\",\"approvalNumberResult\":\"025583\",\"avsResponseCode\":\"Y\",\"avsResponseText\":\"Address: Match & 5 Digit Zip: Match\",\"batchNumber\":\"1\",\"billingName\":\"\",\"cashier\":\"\",\"cvvResponseCode\":\"N\",\"cvvResponseText\":\"No Match\",\"externalTransactionId\":\"9B0EB890-928A-41FD-9EA9-D37B0D278819\",\"isPartialApproval\":false,\"maskedAccount\":\"************9016\",\"resultMessage\":\"Approved\",\"resultStatus\":\"true\",\"transactionReference\":\"680d8c73-3adc-4db1-9b31-4fc72d8f462f\",\"transactionType\":\"CreditSale\",\"uniqueTransId\":\"3a518c9a21b54111b6ef4e0de859ba8b-3928d9faed59457da9308389e7c2ac5c\"},\"ackResponse\":\"{\"intStatusCode\":200}\",\"arcadierTransactionResponse\":\"{\"result\":\"Order cart successfully cleaned, Order updated successfully, Invoice updated successfully for invoice: SHIELDM161369615469XX\"}\"}"
],
"IsComparable": false
}

Those headers are not the same ones that were sent with Postman.

This is the way we verify the headers we sent. Everything else works fine; it updates the invoice correctly as long as we leave the verifier off, otherwise it always rejects the request because the HMAC-Signature header is not found.
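
The two posts above describe the same check: the endpoint reads the request headers with getallheaders() and rejects the postback unless an HMAC-Signature header matches what it expects. Below is an added example of that verification, written for this thread and not taken from the plugin or from Arcadier. It assumes (hypothetically, none of this is stated in the thread) that the gateway signs the exact raw POST body with HMAC-SHA256 under a shared secret and sends the hex digest in HMAC-Signature, and that the secret is supplied in an environment variable named GRAVITY_WEBHOOK_SECRET. Two details matter for the failure seen here: a missing header must fail closed rather than fall through to the invoice update, and the header names that actually arrived should be logged, since the logged request (Host: php.local, Content-Type rewritten to text/plain, Expect: 100-continue) looks like a request re-issued by an intermediary rather than the original one from the gateway. Comparing a fixed string, as the plugin's check is described, only proves knowledge of the secret and does not bind the body; an HMAC over the raw body also rejects a captured header replayed with a different payload.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code. Assumptions (hypothetical, not from the thread):
// the gateway signs the exact raw POST body with HMAC-SHA256 using a shared secret and sends
// the hex digest in an "HMAC-Signature" header; the secret lives in GRAVITY_WEBHOOK_SECRET.

/** Request headers with lower-cased names; falls back to $_SERVER where getallheaders() is unavailable. */
function requestHeaders(): array
{
    $headers = function_exists('getallheaders') ? (getallheaders() ?: []) : [];
    if ($headers === []) {
        foreach ($_SERVER as $key => $value) {
            if (strncmp($key, 'HTTP_', 5) === 0) {
                $headers[str_replace('_', '-', substr($key, 5))] = $value;
            }
        }
    }
    // Header names are case-insensitive, so normalise before lookup.
    return array_change_key_case($headers, CASE_LOWER);
}

/** True only if the header is present and equals HMAC-SHA256(secret, rawBody). A missing header fails closed. */
function verifySignature(string $rawBody, array $headers, string $secret): bool
{
    $sent = $headers['hmac-signature'] ?? null;
    if (!is_string($sent) || $sent === '' || $secret === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, strtolower(trim($sent)));   // constant-time comparison
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with a constructed body, secret and header sets (not real gateway data).
    $check = function (bool $ok, string $what): void {
        if (!$ok) { throw new RuntimeException("self-check failed: $what"); }
    };
    $secret   = 'test-secret';
    $body     = '{"transactionReference":"order-1","resultStatus":"true","amount":"15.00"}';
    $good     = array_change_key_case(['HMAC-Signature' => hash_hmac('sha256', $body, $secret)], CASE_LOWER);
    $stripped = array_change_key_case(['Content-Type' => 'text/plain; charset=utf-8', 'Host' => 'php.local'], CASE_LOWER);
    $check(verifySignature($body, $good, $secret) === true, 'valid signature accepted');
    $check(verifySignature($body, $stripped, $secret) === false, 'missing header rejected');
    $check(verifySignature($body . ' ', $good, $secret) === false, 'modified body rejected');
    echo "self-check passed\n";
    exit;
}

$rawBody = file_get_contents('php://input') ?: '';
$headers = requestHeaders();
header('Content-Type: application/json');

if (!verifySignature($rawBody, $headers, getenv('GRAVITY_WEBHOOK_SECRET') ?: '')) {
    // Log the header names that arrived (never the secret or signature values) so a proxy
    // dropping or rewriting headers shows up in the log instead of as a silent invoice update.
    error_log('postback rejected; header names: ' . implode(',', array_keys($headers)));
    http_response_code(401);
    echo json_encode(['intStatusCode' => 401]);
    exit;
}

$payload = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
// The invoice update for $payload['transactionReference'] / $payload['resultStatus'] goes here.
http_response_code(200);
echo json_encode(['intStatusCode' => 200]);
```

Run it from the command line (`php verify.php`) to exercise the three constructed cases without a web server; under a web SAPI it verifies the real request. Note that the body is parsed with json_decode regardless of the Content-Type that arrives, since the logged request shows that header being rewritten to text/plain on the way in.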

tanoojoy commented 3 years ago

Solution given on Slack. Will be closing this for now.