Getting an "Invalid serial number" response from Checkout servers due to inserted CLRF

[GoogleCodeExporter]

I am following the Custom Order Processing tutorial at
http://code.google.com/intl/de-DE/apis/checkout/developer/Google_Checkout_Custom
_Processing_How_To.html

The new-order-notification works fine and I am able to store the order serial 
number in the Google datastore. However subsequent callbacks (such as 
authorization-amount-notification) generate an "Invalid serial number" response 
from the Checkout servers. I guess the problem is due to a Carriage Line Return 
Feed (
) being appended to the serial number during the notification 
details request. However, I am unable to find the source of the issue in the 
code.

I am using SDK version 2.5.1 on GAE and the sandbox environment.

Please see attached stackstrace.txt for a formatted version of what follows:

--------------------------------------
/checkoutcallback
com.google.checkout.sdk.util.HttpUrlException: Response Code:   400
With Url:   [ 
https://sandbox.google.com/checkout/api/checkout/v2/reports/Merchant/91036504264
5016 ]
Request:    [ <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<notification-history-request xmlns="http://checkout.google.com/schema/2">
    <serial-number>745775074453986-00005-6 
</serial-number>
</notification-history-request>

 ]
Response:   [ <?xml version="1.0" encoding="UTF-8"?> 
<error xmlns="http://checkout.google.com/schema/2" 
serial-number="b4afc660-7809-48d6-a878-fb0d29966b12"> 
  <error-message>Invalid serial number: 745775074453986-00005-6&#xD; 
</error-message> 
</error> 

 ]
    at com.google.checkout.sdk.util.Utils.makeUrlException(Utils.java:243)
    at com.google.checkout.sdk.util.Utils.postJAXB(Utils.java:149)
    at com.google.checkout.sdk.commands.ApiContext.postCommand(ApiContext.java:228)
    at com.google.checkout.sdk.commands.ReportsRequester.postRequest(ReportsRequester.java:83)
    at com.google.checkout.sdk.commands.ReportsRequester.requestNotification(ReportsRequester.java:59)
    at com.google.checkout.sdk.notifications.NotificationHandler.getNotificationFromRequest(NotificationHandler.java:127)
    at com.google.checkout.sdk.notifications.NotificationHandler.handleNotification(NotificationHandler.java:73)
    at com.google.checkout.sdk.commands.ApiContext.handleNotification(ApiContext.java:165)
    at com.appspot.cirrusmanager.server.payment.CheckoutCallback.doPost(CheckoutCallback.java:43)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    at com.google.apphosting.utils.servlet.ParseBlobUploadFilter.doFilter(ParseBlobUploadFilter.java:97)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.apphosting.runtime.jetty.SaveSessionFilter.doFilter(SaveSessionFilter.java:35)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at com.google.apphosting.runtime.jetty.AppVersionHandlerMap.handle(AppVersionHandlerMap.java:238)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
    at com.google.apphosting.runtime.jetty.RpcRequestParser.parseAvailable(RpcRequestParser.java:76)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at com.google.apphosting.runtime.jetty.JettyServletEngineAdapter.serviceRequest(JettyServletEngineAdapter.java:135)
    at com.google.apphosting.runtime.JavaRuntime.handleRequest(JavaRuntime.java:261)
    at com.google.apphosting.base.RuntimePb$EvaluationRuntime$6.handleBlockingRequest(RuntimePb.java:8486)
    at com.google.apphosting.base.RuntimePb$EvaluationRuntime$6.handleBlockingRequest(RuntimePb.java:8484)
    at com.google.net.rpc.impl.BlockingApplicationHandler.handleRequest(BlockingApplicationHandler.java:24)
    at com.google.net.rpc.impl.RpcUtil.runRpcInApplication(RpcUtil.java:418)
    at com.google.net.rpc.impl.Server$RpcTask.runInContext(Server.java:572)
    at com.google.tracing.TraceContext$TraceContextRunnable$1.run(TraceContext.java:448)
    at com.google.tracing.TraceContext.runInContext(TraceContext.java:688)
    at com.google.tracing.TraceContext$AbstractTraceContextCallback.runInInheritedContextNoUnref(TraceContext.java:326)
    at com.google.tracing.TraceContext$AbstractTraceContextCallback.runInInheritedContext(TraceContext.java:318)
    at com.google.tracing.TraceContext$TraceContextRunnable.run(TraceContext.java:446)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:636)

Original issue reported on code.google.com by d.wisskirchen on 11 Nov 2010 at 12:28

Attachments:

• stacktrace.txt

[GoogleCodeExporter]

Original comment by mihai.io...@gmail.com on 28 Mar 2011 at 11:47

• Changed state: Accepted

[GoogleCodeExporter]

bump...

I've added:

m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, false);

in com.google.checkout.sdk.util.Util.toXML(JAXBElement<?> jaxbElement, 
OutputStream os)

but it seems as if the AppEngine implementation of JAXB ignores this property.

Here's the full function...

public static void toXML(JAXBElement<?> jaxbElement, OutputStream os) {
  //JAXB.marshal(jaxbElement, os);
  try {
     JAXBContext context = JAXBContext.newInstance(jaxbElement.getDeclaredType());
     Marshaller m = context.createMarshaller();
     m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, false);
     m.marshal(jaxbElement, toResult(os));
  } catch (JAXBException e) {
     throw new DataBindingException(e);
  } catch (IOException e) {
     throw new DataBindingException(e);
  }  
}

Original comment by cirrusl...@gmail.com on 14 Jun 2011 at 8:18

[GoogleCodeExporter]

Is anybody looking into this issue? I am getting the same "Invalid serial 
number" error everyday on some of my orders.

Original comment by Lind...@gmail.com on 1 Mar 2012 at 9:13

[GoogleCodeExporter]

I have not been able to reproduce this error in my development environment 
however. Does anyone knows what causes the problem with some 
notification-history-requests and not others?

Original comment by Lind...@gmail.com on 1 Mar 2012 at 9:17

[GoogleCodeExporter]

I am getting this bug too, using the Play Framework and the GoogleCheckout 
module. Simply send an order to the checkout and log the serial number you get 
back:

10:41:33,627 INFO  ~ Request: POST /google-checkout-callback
10:41:33,627 INFO  ~ Response: play.mvc.Http$Response@637a7476
10:41:33,627 INFO  ~ Serial Number :[909671410457277-00001-7]
10:41:33,628 INFO  ~ Serial Number Length:23
10:41:33,628 INFO  ~ Delegated dispatcher created in GoogleCheckout.java
10:41:34,483 INFO  ~ .. startTransaction called.
10:41:34,483 INFO  ~ .. alreadyHandled called on :909671410457277-00001-7
10:41:34,487 INFO  ~ .... serial has not been handled :909671410457277-00001-7
10:41:34,487 INFO  ~ .. all called.
10:41:34,487 INFO  ~ .. newOrder called.
10:41:34,487 INFO  ~ .. rememberSerialNumber called :909671410457277-00001-7
10:41:34,500 INFO  ~ .... serial number stored :909671410457277-00001-7
10:41:34,500 INFO  ~ .. commitTransaction called.
10:41:34,500 INFO  ~ ....charge ammount :GBP0.0
10:41:34,500 INFO  ~ ....no avs response.
10:41:34,500 INFO  ~ ....no cvn response.
10:45:36,066 INFO  ~ Callback received by GoogleCheckout.java, processing...
...

10:45:36,067 INFO  ~ Request: POST /google-checkout-callback
10:45:36,067 INFO  ~ Response: play.mvc.Http$Response@57c40e95
10:45:36,067 INFO  ~ Serial Number :[909671410457277-00005-6
]
10:45:36,067 INFO  ~ Serial Number Length:25
10:45:36,067 INFO  ~ Delegated dispatcher created in GoogleCheckout.java

Note that halfway through the process there is a <cr> appended and the logging 
jumps  a line.

It is also evident in the xml response sent from the checkout:

10:45:36,067 INFO  ~ Params: 
{body=_type=authorization-amount-notification&authorization-amount.currency=GBP&
authorization-amount=1000.0&authorization-expiration-date=2012-03-19
T11%3A27%3A07.000Z&avs-response=Y&cvn-response=M×tamp=2012-03-12T11%3A31%3A10.1
18Z&google-order-number=909671410457277&order-summary.total-chargeback-amount.cu
rrency=GBP&or
der-summary.total-chargeback-amount=0.0&order-summary.google-order-number=909671
410457277&order-summary.total-charge-amount=0.0&order-summary.total-charge-amoun
t.currency=GBP&or
der-summary.total-refund-amount.currency=GBP&order-summary.total-refund-amount=0
.0&order-summary.risk-information.ip-address=46.208.131.199&order-summary.risk-i
nformation.billin
g-address.email=<snip>&order-summary.risk-information.billing-address.contact-na
me=<snip>&order-summary.risk-information.billing-address.company-name=&order-s
ummary.risk-information.billing-address.address1=somwhere&order-summary.risk-inf
ormation.billing-address.address2=&order-summary.risk-information.billing-addres
s.phone=070+5018+
6186&order-summary.risk-information.billing-address.fax=&order-summary.risk-info
rmation.billing-address.country-code=GB&order-summary.risk-information.billing-a
ddress.city=here&
order-summary.risk-information.billing-address.region=ESSEX&order-summary.risk-i
nformation.billing-address.postal-code=EC1Y+8SY&order-summary.risk-information.a
vs-response=Y&ord
er-summary.risk-information.cvn-response=M&order-summary.risk-information.eligib
le-for-protection=true&order-summary.risk-information.partial-cc-number=1414&ord
er-summary.risk-i
nformation.buyer-account-age=12&order-summary.authorization.authorization-amount
=1000.0&order-summary.authorization.authorization-amount.currency=GBP&order-summ
ary.authorization
.authorization-expiration-date=2012-03-19T11%3A27%3A07.000Z&order-summary.purcha
se-date=2012-03-12T11%3A27%3A07.000Z&order-summary.archived=false&order-summary.
shopping-cart.ite
ms.item-1.item-name=Gold+Package&order-summary.shopping-cart.items.item-1.item-d
escription=The+complete+set+of+policies+and+templates+including+processing+the+C
QC+application+fo
rm&order-summary.shopping-cart.items.item-1.unit-price.currency=GBP&order-summar
y.shopping-cart.items.item-1.unit-price=1000.0&order-summary.shopping-cart.items
.item-1.quantity=1&order-summary.shopping-cart.items=order-summary.shopping-cart
.items.item-1&order-summary.order-adjustment.total-tax=0.0&order-summary.order-a
djustment.total-tax.currency=GBP&order-summary.order-adjustment.adjustment-total
.currency=GBP&order-summary.order-adjustment.adjustment-total=0.0&order-summary.
buyer-id=<snip>&order-summary.buyer-shipping-address.email=mrceej%40gmail.com&or
der-summary.buyer-shipping-address.contact-name=<snip>&order-summary.buyer-shipp
ing-address.company-name=&order-summary.buyer-shipping-address.address1=somwhere
&order-summary.buyer-shipping-address.address2=&order-summary.buyer-shipping-add
ress.phone=<snip>&order-summary.buyer-shipping-address.fax=&order-summary.buyer-
shipping-address.structured-name.first-name=<snip>&order-summary.buyer-shipping-
address.structured-name.last-name=Tongue&order-summary.buyer-shipping-address.co
untry-code=GB&order-summary.buyer-shipping-address.city=here&order-summary.buyer
-shipping-address.region=ESSEX&order-summary.buyer-shipping-address.postal-code=
EC1Y+8SY&order-summary.buyer-marketing-preferences.email-allowed=true&order-summ
ary.order-total=1000.0&order-summary.order-total.currency=GBP&order-summary.fulf
illment-order-state=NEW&order-summary.financial-order-state=CHARGEABLE&serial-nu
mber=909671410457277-00005-6
, order-summary.risk-information.partial-cc-number=1414, 
order-summary.buyer-shipping-address.contact-name=Mr C J Tongue, 
order-summary.shopping-cart.items.item-1.unit-price.currency=GBP, 
authorization-amount=1000.0, _type=authorization-amount-notification, 
order-summary.buyer-shipping-address.company-name=, 
order-summary.total-refund-amount=0.0, 
order-summary.risk-information.billing-address.fax=, 
order-summary.order-total=1000.0, 
order-summary.risk-information.buyer-account-age=12, 
order-summary.risk-information.avs-response=Y, 
order-summary.order-total.currency=GBP, 
authorization-expiration-date=2012-03-19T11:27:07.000Z, 
order-summary.archived=false, order-summary.total-refund-amount.currency=GBP, 
order-summary.buyer-shipping-address.email=mrceej@gmail.com, cvn-response=M, 
order-summary.risk-information.billing-address.country-code=GB, 
google-order-number=<snip>, 
order-summary.risk-information.billing-address.address1=somwhere, 
order-summary.risk-information.billing-address.address2=, 
order-summary.buyer-shipping-address.structured-name.last-name=<snip>, 
order-summary.authorization.authorization-amount=1000.0, 
order-summary.order-adjustment.total-tax.currency=GBP, 
order-summary.shopping-cart.items.item-1.item-description=The complete set of 
policies and templates including processing the CQC application form, 
order-summary.shopping-cart.items.item-1.item-name=Gold Package, 
order-summary.order-adjustment.adjustment-total=0.0, 
order-summary.financial-order-state=CHARGEABLE, 
order-summary.risk-information.billing-address.postal-code=EC1Y 8SY, 
order-summary.risk-information.billing-address.region=ESSEX, 
order-summary.risk-information.billing-address.phone=<snip>, 
order-summary.buyer-shipping-address.city=here, 
order-summary.risk-information.billing-address.company-name=, 
order-summary.risk-information.billing-address.email<snip>, 
order-summary.buyer-marketing-preferences.email-allowed=true, avs-response=Y, 
order-summary.risk-information.cvn-response=M, 
timestamp=2012-03-12T11:31:10.118Z, authorization-amount.currency=GBP, 
order-summary.fulfillment-order-state=NEW, 
order-summary.order-adjustment.total-tax=0.0, 
order-summary.risk-information.eligible-for-protection=true, 
serial-number=909671410457277-00005-6
, order-summary.risk-information.billing-address.city=here, 
order-summary.buyer-id=<snip>, 
order-summary.risk-information.ip-address=46.208.131.199, 
order-summary.authorization.authorization-expiration-date=2012-03-19T11:27:07.00
0Z, order-summary.authorization.authorization-amount.currency=GBP, 
order-summary.total-chargeback-amount.currency=GBP, 
order-summary.buyer-shipping-address.address1=somwhere, 
order-summary.purchase-date=2012-03-12T11:27:07.000Z, 
order-summary.total-chargeback-amount=0.0, 
order-summary.shopping-cart.items.item-1.unit-price=1000.0, 
order-summary.buyer-shipping-address.address2=, 
order-summary.order-adjustment.adjustment-total.currency=GBP, 
order-summary.google-order-number=909671410457277, 
order-summary.buyer-shipping-address.structured-name.first-name=<snip>, 
order-summary.shopping-cart.items=order-summary.shopping-cart.items.item-1, 
order-summary.risk-information.billing-address.contact-name=Mr C J Tongue, 
order-summary.buyer-shipping-address.country-code=GB, 
order-summary.buyer-shipping-address.region=ESSEX, 
order-summary.shopping-cart.items.item-1.quantity=1, 
order-summary.total-charge-amount=0.0, 
order-summary.buyer-shipping-address.phone=<snip>, 
order-summary.buyer-shipping-address.fax=, 
order-summary.total-charge-amount.currency=GBP, 
order-summary.buyer-shipping-address.postal-code=EC1Y 8SY}

Original comment by merchant...@tactix4.com on 12 Mar 2012 at 11:40

[GoogleCodeExporter]

Spurious Carriage Line Return Feed (
) being appended to the serial number ... 
wtf? Is my nginx breaking this or is the API/SDK at fault?

Original comment by robd...@gmail.com on 12 Mar 2012 at 11:43

[GoogleCodeExporter]

Sorry I forgot to add I was using the sandbox checkout, obviously these issues 
are delaying the move to UAT and release, so if the issue is ´only in sandbox 
mode´ that is no help to us as without the checkout working properly in 
sandbox mode there is no way we can take it live.

It seems from the above posts that the issue is present in the live version 
(although possibly intermittently).

I would have thought a defect that prevents people checking out from what is 
ostensibly a checkout service to be slightly higher than ´medium´ priority, 
however I have not exhausted all possibilities so it could be that I have 
misconfigured something and it is more of a documentation / undocumentation 
error than an actual code issue.

Original comment by merchant...@tactix4.com on 12 Mar 2012 at 11:51