PAYONE-GmbH / magento-2

PAYONE Payment Extension for Magento 2

Error 1380 because HTTP_X_FORWARDED_FOR is not handled correctly #551

Closed mfickers closed 2 days ago

mfickers commented 1 month ago

Since upgrade to v3.11.0 on Magento 2.4.6-p6 it is no longer possible to place an order using Payone payment methods in our production environment. Clicking the "place order" button results in an error of type 1380 ("Parameter {ip} faulty or missing") every time. This does not occur on our staging environment.

I've compared the body of Payone authorization requests between both environments and noticed that the IP address looks different: Staging: "" Live: "<client_ip, 127.0.0.1"

There is an additional load balancing proxy in the live environment that is missing in the staging environment.

I believe this bug was introduced in this commit: https://github.com/PAYONE-GmbH/magento-2/commit/18990d43ed10960922b7350f0062fad4cfd95bfa

The Payone module now uses \Magento\Framework\HTTP\PhpEnvironment\Request::getClientIp to get the client IP address. In our case the client IP address is available inside the HTTP_X_FORWARDED_FOR header.

While the correct header is loaded, the HTTP_X_FORWARDED_FOR header contains not just the client IP, but the whole proxy chain's addresses like this:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

As the Payone API expects a single IP address, sending the raw value from this header will result in the error.

FatchipRobert commented 1 week ago

I added a fix to handle those comma separated IP lists by returning the first IP from that list instead of the full string.

I can't test it though since I don't have a proxy setup.
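Added example, not code from the PAYONE module or Magento: one way to reduce an `X-Forwarded-For` chain like the one in this issue to the single address the API parameter needs. It goes beyond the first-entry approach discussed above by walking the chain from the right and skipping known proxy hops, because entries to the left of the first untrusted hop are supplied by the client. The function name `resolveClientIp`, the trusted-proxy list and all sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Reduce an X-Forwarded-For value to one IP address.
 * Hypothetical helper for illustration; not part of the PAYONE module or Magento.
 *
 * @param string   $headerValue    raw header value, e.g. "client, proxy1, proxy2"
 * @param string[] $trustedProxies exact IPs of proxies we operate
 *                                 (assumption: exact string match, no CIDR ranges)
 * @param string   $remoteAddr     address of the direct TCP peer (REMOTE_ADDR)
 */
function resolveClientIp(string $headerValue, array $trustedProxies, string $remoteAddr): string
{
    // REMOTE_ADDR is the only address not taken from a header. If the direct
    // peer is not one of our proxies, the header is untrusted: ignore it.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    // Split the comma-separated chain and drop empty entries.
    $chain = array_filter(array_map('trim', explode(',', $headerValue)), 'strlen');

    // Each proxy appends the peer it saw, so the rightmost entries are our own hops.
    foreach (array_reverse($chain) as $candidate) {
        if (in_array($candidate, $trustedProxies, true)) {
            continue; // one of our own proxies, keep walking left
        }
        // First hop that is not ours: accept it only if it is a syntactically
        // valid IPv4/IPv6 address, otherwise fall back to the direct peer.
        return filter_var($candidate, FILTER_VALIDATE_IP) !== false
            ? $candidate
            : $remoteAddr;
    }

    return $remoteAddr; // header empty or made up of our own proxies only
}

// Constructed sample values (documentation ranges from RFC 5737).
$trusted = ['127.0.0.1', '198.51.100.7'];

// Chain shaped like the one in the issue: client first, proxies after it.
echo resolveClientIp('203.0.113.9, 127.0.0.1', $trusted, '127.0.0.1'), PHP_EOL;

// The client sent its own X-Forwarded-For entry; it ends up leftmost in the chain.
echo resolveClientIp('192.0.2.1, 203.0.113.9, 198.51.100.7', $trusted, '127.0.0.1'), PHP_EOL;

// Direct peer is not a known proxy, so the header is not consulted at all.
echo resolveClientIp('192.0.2.1', $trusted, '203.0.113.50'), PHP_EOL;
```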