ITISFoundation / osparc-simcore

🐼 osparc-simcore simulation framework
https://osparc.io
MIT License

Not able to pay with credit card in incognito mode #6348

Open matusdrobuliak66 opened 2 months ago

matusdrobuliak66 commented 2 months ago

Is there an existing issue for this?

Which deploy/s?

No response

Current Behavior

Image

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response

matusdrobuliak66 commented 1 month ago

Something I found: https://stackoverflow.com/questions/52583886/post-request-in-laravel-error-419-sorry-your-session-419-your-page-has-exp?page=2&tab=scoredesc#tab-top

matusdrobuliak66 commented 1 month ago

After some manual testing with @odeimaiz we observed that it works in incognito mode for the "primary" product, but it doesn't work for the "secondary" lite one. Somehow the issue might also be connected with the different stripe "URL"?

matusdrobuliak66 commented 1 month ago

Issue was also reported here: https://z43.fogbugz.com/f/cases/206619 (we do not know whether he used incognito mode, but it was done on the secondary lite product and there is also 419 status code error reported)

matusdrobuliak66 commented 1 month ago

It's probably a CORS-related issue: https://http.dev/419

Observation:

In incognito it works for

both are using the same pay address

GitHK commented 1 month ago

It's probably a CORS-related issue: https://http.dev/419

Observation:

In incognito it works for

  • ✔️ pay address/payment-methods:create FROM tip.science
  • 📛 it doesn't work for pay address/payment-methods:create FROM tip-lite.science

It is expected that the second one will not work. You are doing a cross-domain attack from its point of view.

There should also be a pay address that points to the same server where foo.science is exposed. Could we maybe try and add this domain to that machine?

Then we also need to generate an appropriate url from osparc backend based on the product. This should then work as expected, unless there is more hidden logic inside the payment gateway, but at least it will solve the CORS issue.

pcrespov commented 1 month ago

It's probably a CORS-related issue: https://http.dev/419

Observation:

In incognito it works for

  • ✔️ pay address/payment-methods:create FROM foo.science
  • 📛 it doesn't work for pay address/payment-methods:create FROM foo-lite.science

both are using the same pay address

The takeaway of the article is what we concluded: The 419 Page Expired status code is a Laravel-specific client error sent to indicate that the CSRF validation has failed.
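As an added illustration of GitHK's proposal (a per-product pay address on the same site) and of the takeaway above, not code from osparc-simcore or the payment gateway: a small Python model of a Laravel-style CSRF check, in which a cross-site request that arrives without the gateway's session cookie gets 419, while a pay address that shares the product's site passes. The host names, the product map and the rule that the browser withholds the gateway's cookie on cross-site requests are constructed assumptions for the example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

HTTP_419_PAGE_EXPIRED = 419  # Laravel's status for a failed CSRF check (see thread)

# Hypothetical product -> pay address map (constructed, not osparc configuration).
# Each product gets a pay address on its own site, as proposed in the thread.
PAY_ADDRESS_BY_PRODUCT = {
    "primary": "https://pay.foo.science",
    "secondary-lite": "https://pay.foo-lite.science",
}


def registrable_domain(url: str) -> str:
    """Site of a URL as its last two host labels, e.g. 'foo-lite.science'.
    Simplified: no public-suffix handling, which is enough for these hosts."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def pay_url_for_product(product: str, path: str = "/payment-methods:create") -> str:
    """Backend-side choice of the pay address that is same-site with the product."""
    return PAY_ADDRESS_BY_PRODUCT[product].rstrip("/") + path


def gateway_csrf_check(session_cookie: Optional[str], form_token: str,
                       sessions: Dict[str, str]) -> int:
    """Laravel-style check: the submitted _token must equal the token stored in the
    session named by the cookie. No cookie, unknown session or mismatch -> 419."""
    expected = sessions.get(session_cookie) if session_cookie else None
    if expected is None or form_token != expected:
        return HTTP_419_PAGE_EXPIRED
    return 200


def simulate_create_payment_method(page_origin: str, pay_url: str,
                                   block_third_party_cookies: bool = True) -> int:
    """Model the browser on `page_origin` posting to `pay_url`. The gateway issued
    session 'sess1' with CSRF token 'tok1' and rendered that token into the form.
    Assumption: the gateway's cookie is only sent when the pay address is same-site
    with the page, or when third-party cookies are allowed (not blocked)."""
    sessions = {"sess1": "tok1"}  # constructed gateway session store
    cross_site = registrable_domain(page_origin) != registrable_domain(pay_url)
    cookie = None if (cross_site and block_third_party_cookies) else "sess1"
    return gateway_csrf_check(cookie, "tok1", sessions)
```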