jazzband / django-payments

Universal payment handling for Django.
https://django-payments.readthedocs.io

DotPay Access Denied 403- CSRF token missing or incorrect. #160

Closed maltitco closed 6 years ago

maltitco commented 6 years ago

After making the payment and returning from the DotPay website to the store, I get an Access Denied 403 - CSRF token missing or incorrect.

In console:

WARNING django.security.csrf Forbidden (CSRF token missing or incorrect.): /order/d02ef4b9-498c-4095-91cc-7e322e590b87/create-password/ [PID:50728:Thread-132]

maltitco commented 6 years ago

I am looking for what may be the reason for the error and I determined that the return address should be from https, but after fixing the return address I have:

Referer checking failed - https://ssl.dotpay.pl/test_payment/result/M9633-7016/f08c161fd8d50e04f480ba9d188b9e5f8ea53f83c916d031d536b8b1b63cead6/ does not match any trusted origins.

OK adding CSRF_TRUSTED_ORIGINS = ['.dotpay.pl'] to settings.py repairs: Referer checking failed. But still I have: CSRF token missing or incorrect.

I have no idea where to look for the cause of the error.

szymi- commented 6 years ago

Hi, I have the same problem, and I found a sort of a solution.

The parameter is called csrfmiddlewaretoken in Django. If Dotpay uses an equivalent parameter, you'd have to configure django-payments to use a different parameter name with the token. But that would require changes in django-payments, as at the moment this parameter is not configurable from what I saw. And anyway, I did not find such a parameter in the documentation provided by Dotpay, so this route is closed for now.

So my quick and potentially insecure solution was to decorate the checkout_success view in Saleor with @csrf_exempt from django.views.decorators.csrf. This decorator is used in several places by django-payments anyway, so from a security point of view it does not make things much worse.
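The two errors reported above (the Referer rejection, then the token rejection that remains after adding `CSRF_TRUSTED_ORIGINS`) follow from the order in which Django's CSRF middleware checks a POST over HTTPS. The block below is an added example, not Django's or django-payments' code: it is a simplified, stand-alone model of that decision (the `FakeRequest` class, the `shop.example` host and the constructed DotPay return URL are assumptions for the demonstration). It reproduces the thread's diagnosis: once `.dotpay.pl` is trusted, the Referer check passes, but the gateway's POST carries no `csrfmiddlewaretoken`, so the token check still fails.

```python
"""Simplified model of Django's CsrfViewMiddleware decision for a POST over HTTPS.

Added example, not Django's code and not part of django-payments. It mirrors
the order of checks Django applies to a secure request: the Referer is
validated first (against the request host and CSRF_TRUSTED_ORIGINS), and only
then is the csrfmiddlewaretoken compared with the CSRF cookie. Request objects
and the DotPay return URL below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


@dataclass
class FakeRequest:
    """Only the pieces of a Django request the CSRF check looks at (assumed shape)."""
    method: str
    host: str
    is_secure: bool
    referer: Optional[str] = None
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def is_same_domain(host: str, pattern: str) -> bool:
    """Django-style domain match: a leading dot makes the pattern match subdomains."""
    if not pattern:
        return False
    pattern, host = pattern.lower(), host.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def csrf_reject_reason(request: FakeRequest, trusted_origins=()) -> Optional[str]:
    """Return the rejection reason Django would log, or None if the POST is accepted."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None
    if request.is_secure:
        # Referer is checked only on HTTPS, where browsers reliably send it.
        if not request.referer:
            return REASON_NO_REFERER
        parsed = urlparse(request.referer)
        if parsed.scheme != "https" or not parsed.netloc:
            return REASON_BAD_REFERER % request.referer
        good_hosts = [request.host, *trusted_origins]
        if not any(is_same_domain(parsed.netloc, h) for h in good_hosts):
            return REASON_BAD_REFERER % request.referer
    # Token check: the form field must match the CSRF cookie of the session.
    cookie_token = request.cookies.get("csrftoken")
    form_token = request.post.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token or form_token != cookie_token:
        return REASON_BAD_TOKEN
    return None


def reproduce_issue():
    """Walk through the three states described in the thread; returns the reasons."""
    # Browser returning from the gateway: cross-site POST, no Django token in the body.
    gateway_return = FakeRequest(
        method="POST", host="shop.example", is_secure=True,
        referer="https://ssl.dotpay.pl/test_payment/result/",  # constructed
        cookies={"csrftoken": "abc123"},
        post={"status": "OK"},
    )
    before = csrf_reject_reason(gateway_return, trusted_origins=[])
    after_origins = csrf_reject_reason(gateway_return, trusted_origins=[".dotpay.pl"])
    # Ordinary same-site form POST rendered with {% csrf_token %}: accepted.
    same_site = FakeRequest(
        method="POST", host="shop.example", is_secure=True,
        referer="https://shop.example/checkout/",
        cookies={"csrftoken": "abc123"},
        post={"csrfmiddlewaretoken": "abc123"},
    )
    return before, after_origins, csrf_reject_reason(same_site)


if __name__ == "__main__":
    for label, reason in zip(("no trusted origins", "with .dotpay.pl", "same-site form"), reproduce_issue()):
        print(f"{label}: {reason or 'accepted'}")
```

Two caveats for anyone applying the fix from this thread: a view decorated with `@csrf_exempt` accepts any cross-site POST, so it should only display or redirect and must not mark an order as paid from the body of that request; the payment result belongs to the gateway's server-to-server notification, which django-payments handles on its own callback URL. Also, the `'.dotpay.pl'` hostname form of `CSRF_TRUSTED_ORIGINS` is the Django 1.x/2.x/3.x syntax; from Django 4.0 the entries need a scheme, e.g. `https://*.dotpay.pl`.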

maltitco commented 6 years ago

Hi @szymi- did you test @csrf_exempt from django.views.decorators.csrf?

szymi- commented 6 years ago

Yes, it works with dotpay's test environment.

maltitco commented 6 years ago

@szymi- How do you set the "type" parameter, and which API version do you use for the dotpay store configuration: dev or legacy?

If you can, fire up the Gitter chat ;)

szymi- commented 6 years ago

For that, I had to modify django-payments. I also added the possibility to specify channel_groups. I will push that to my fork when I get a chance and create a PR to django-payments.

maltitco commented 6 years ago

I was more concerned with the parameters you set, not how you did it. I will look at your fork and compare it with what I have. As far as I know, the DotPay API has changed a bit since the release of django-payments.

NyanKiyoshi commented 6 years ago

Was this fixed?

maltitco commented 6 years ago

Yes, after the corrections made by @szymi-, the error no longer appears.