craftcms / commerce-paypal-checkout

PayPal Checkout gateway for Craft Commerce.
https://plugins.craftcms.com/commerce-paypal-checkout
MIT License

CSRF Protection? #53

Closed clowerweb closed 2 years ago

clowerweb commented 2 years ago

Description: The plugin works if I disable CSRF validation on the site; otherwise, I get a 400 and an alert "Unable to verify your data submission."

To Reproduce (how, and what happened?):

  1. Enable CSRF protection on a site.
  2. Try to checkout using PayPal.

Expected behavior: The plugin should pass the CSRF token into the request to /index.php/actions/commerce/payments/pay.

Additional info

Additional context: (screenshots)

Also generates the following in the console ("Expected an order id to be passed"): (screenshot)

Gateway settings: (screenshots)

Nellyaa commented 2 years ago

I have the same problem with Craft 4 (4.0.0.1) and the PayPal Checkout (2.0.0).

nfourtythree commented 2 years ago

Hi Both

Is this just with the example templates too?

Thanks!

Nellyaa commented 2 years ago

I'm using the following twig code to display the PayPal buttons: {{ craft.commerce.gateways.getGatewayByHandle('paypal').getPaymentFormHtml({})|raw }}

nfourtythree commented 2 years ago

Hi @Nellyaa

You mentioned you are on Craft and Commerce 4.

Can I just check, are you namespacing the form as mentioned in the upgrade guide?

Thanks!

Nellyaa commented 2 years ago

> Hi @Nellyaa
>
> You mentioned you are on Craft and Commerce 4.
>
> Can I just check, are you namespacing the form as mentioned in the upgrade guide?
>
> Thanks!

I tried with and without, with the same outcome.

nfourtythree commented 2 years ago

Hi @Nellyaa

Would it be possible to send your composer.json, lock file and relevant templates across to support@craftcms.com?

That would give us the ability to look into this further.

Thanks!

Nellyaa commented 2 years ago

> Hi @Nellyaa
>
> Would it be possible to send your composer.json, lock file and relevant templates across to support@craftcms.com?
>
> That would give us the ability to look into this further.
>
> Thanks!

I just did so. Thank you for looking into this issue!

nfourtythree commented 2 years ago

Contact has been made through support and the initial outlook seems that it might have been a templating issue.

This issue will be closed for now, but if further information comes through to suggest this is a bug the issue will be reopened.

Thanks.

ghost commented 1 year ago

For anyone who gets this error in the future:

When I printed the form I just used this: {{ cart.gateway.getPaymentFormHtml({ currency: cart.paymentCurrency, orderNumber: cart.number, orderID: cart.number, smartWalletOrderID: cart.number })|raw }}

What fixed it was placing it inside A FORM TAG: <form id="paypal-form"> {{ csrfInput() }} {{ actionInput('commerce/payments/pay') }} {{ redirectInput("success?order=" ~ cart.number) }} {{ hiddenInput('cancelUrl', "checkout/payment"|hash) }} {{ cart.gateway.getPaymentFormHtml({ currency: cart.paymentCurrency, orderNumber: cart.number, orderID: cart.number, smartWalletOrderID: cart.number })|raw }} </form>

I thought that this function "getPaymentFormHtml" was going to print the whole thing; apparently not.