Authorize.Net Direct Post impending end-of-life

[rhoerr]

Moved from https://github.com/magento/magento2/issues/20230

Summary (*)

Magento 2.0-2.3.0 implements the Authorize.net Direct Post payment method, using Authorize.Net's AIM NVP (name-value pair) and DPM (direct post method) APIs.

Per Authorize.Net's published API Upgrade Guide, both AIM and DPM are deprecated, and DPM will be discontinued entirely on production as of 2019-07-01. At that point, anyone using the Authorize.net Direct Post payment method will presumably be unable to accept further payments.

https://developer.authorize.net/api/upgrade_guide/#dpm

Direct Post Method (DPM) STATUS: Deprecated. To be disabled in Sandbox 7/1/2018. Production End of Life 7/1/2019. ALTERNATIVE SOLUTION: Use Accept.js. DESCRIPTION: With the release of Accept.js, we have begun to deprecate and sunset our legacy DPM product. Going forward, we will correct bugs with DPM, but will not add any new functionality. We will end support for DPM in Sandbox on July 1, 2018, and will discontinue DPM entirely on July 1, 2019. We encourage you to upgrade your DPM solutions to use Accept.js.

Further, Authorize.Net will be disabling the MD5 hash configuration setting by 2019-02-01, at which point it won't be possible for new merchants to configure and enable the Direct Post payment method. https://developer.authorize.net/support/hash_upgrade/

Examples (*)

N/A

Proposed solution

Implement a modern Authorize.Net API.

[styzzz]

I am thinking about just switching to Paypal Payments Advanced and have Paypal handle all the credit cards on the website, to avoid all this nonsense with first data / authorize.net

the Paypal linkup seems super easy to implement, but i know they have higher fees. What do you guys think?

On Tue, Feb 26, 2019 at 12:40 PM Viktor Tymchynskyi < notifications@github.com> wrote:

@Shimon2 https://github.com/Shimon2 There have been no publicly released dates for now. Approximately It should be in March. You can apply this patch for testing #127 (comment) https://github.com/magento/community-features/issues/127#issuecomment-467263806

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-467538360, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGlovR81D1o0TJSQ7TSxokibCqCw02aks5vRXGmgaJpZM4Z-NEk .

[donovandb]

@styzzz It may be a pain, but the AuthNet Direct Post is pretty antiquated. They were bound to deprecate it. Yes, that's a separate issue from the more immediate MD5 issue, but both issues look like they are being taken care of here in one swoop. Happy to finally see some push to get this done!

[styzzz]

i dont see them being taken care of in one swoop. I have to: 1) upgrade from 2.2.1 to 2.2.8 (which is a whole cluster f---K) 2) apply patch and pray it works

thats not one easy swoop!

On Tue, Feb 26, 2019 at 1:03 PM D Brooke notifications@github.com wrote:

@styzzz https://github.com/styzzz It may be a pain, but the AuthNet Direct Post is pretty antiquated. They were bound to deprecate it. Yes, that's a separate issue from the more immediate MD5 issue, but both issues look like they are being taken care of here in one swoop. Happy to finally see some push to get this done!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-467546863, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGlonrGjHqkS5YZHio1EexYAwEvNXNYks5vRXbjgaJpZM4Z-NEk .

[styzzz]

Just to confirm Authorize.net will stop working on March 7th, unless:

1. we upgrade to Magento 2.3 (which we do not know the release date of)
2. Patch Magento 2.2.8 (with a patch we are not sure of exactly works?)

I am on Magento 2.2.1

On Tue, Feb 26, 2019 at 1:09 PM Stergios sterg17@gmail.com wrote:

i dont see them being taken care of in one swoop. I have to: 1) upgrade from 2.2.1 to 2.2.8 (which is a whole cluster f---K) 2) apply patch and pray it works

thats not one easy swoop!

On Tue, Feb 26, 2019 at 1:03 PM D Brooke notifications@github.com wrote:

@styzzz https://github.com/styzzz It may be a pain, but the AuthNet Direct Post is pretty antiquated. They were bound to deprecate it. Yes, that's a separate issue from the more immediate MD5 issue, but both issues look like they are being taken care of here in one swoop. Happy to finally see some push to get this done!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-467546863, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGlonrGjHqkS5YZHio1EexYAwEvNXNYks5vRXbjgaJpZM4Z-NEk .

[rhoerr]

March 14th is the production cutoff. The March 7th cutoff is sandbox (dev accounts) only.

[ArthurSCD]

@ArthurSCD you can try to apply the patch with the fix for 2.2.8 Auth.net.md5.patch.zip

Appreciated, I'm sure that will at least help someone. Would I be correct this patch won't work for 2.3?

Personally, I have a few stores that were built starting at 2.3. I have been surprised there hasn't been more panic towards this issue. Just wanted to provide a little context where I am coming from.

[viktym]

@Shimon2 @ArthurSCD This patch based on 2.2.8 release branch. But you can try to apply it for 2.2.2 and 2.3.0 since this module is not updated frequently.

[Shimon2]

Authorize.net has told me that the Payment Extension on the marketplace ( Extension ) Uses Accept.js which is not affected by MD5. From what I can understand it uses a Signature Key. I am not clear if this is SHA512 .

Has anyone used this? Is this better or worse than the Payment method in M 2.3.1 ( and the patch version of it).

[robolmos]

Authorize.net has told me that the Payment Extension on the marketplace ( Extension ) Uses Accept.js which is not affected by MD5. From what I can understand it uses a Signature Key. I am not clear if this is SHA512 .

I was going to check but I'm unable to install it because composer can't find the package after downloading it from the Marketplace.

[Shimon2]

There is a comment on the Modules page that seems to be similar. There is no support for this module and it is not possible to install in using composer

They answered:

This is not accurate information. The installation with composer is possible. Additionally, support is available, all you have to do is click on "Contact Seller".

So perhaps they have experienced this problem and can help you.

I am hoping that you succeed, so that you can share your experience.

Thanks

[styzzz]

I am switching over to Braintree until this mess is sorted out. . . going to run braintree, until I can upgrade my sites to 2.3.1.....which will be a whole nother mess :(

On Wed, Feb 27, 2019 at 6:32 AM Shimon2 notifications@github.com wrote:

There is a comment on the Modules page that seems to be similar. There is no support for this module and it is not possible to install in using composer

They answered:

This is not accurate information. The installation with composer is possible. Additionally, support is available, all you have to do is click on "Contact Seller".

So perhaps they have experienced this problem and can help you.

I am hoping that you succeed, so that you can share your experience.

Thanks

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-467828025, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGlouHL1b3LLyM6EvSR4_bM3iy0Vj-Tks5vRmyvgaJpZM4Z-NEk .

[nathanjosiah]

@Shimon2 I'm not sure what they mean. Accept.js doesn't affect the hashing algorithm. The new core Magento module uses accept.js and it supports both hashes. As long as their module supports the signature key you should be fine at, least with that issue. Their official SDKs ignore the new hashing algorithm so I would definitely verify they actually support it before switching over for security reasons.

[Shimon2]

@nathanjosiah When I spoke with the gentleman from Authorize.net his answers were a bit hazy. He is a nice guy but not very technical. I read their user manual. It has a wizard that will communicate with their server to fill in all the information by its self. They explain that you need the "Webhooks Signature Key" which "Signature Key verifies the integrity of Webhooks messages.".

Does this mean that it is using the new hashing algorithm ?

[nathanjosiah]

@Shimon2 They are inconsistent with the naming. The docs call it Signature Key, the tech guide and implementation says SHA512 hash, and the API calls it transHashSha2. As long as it supports one of those instead of the old MD5 hash it should be fine at least with that feature.

[robolmos]

@viktym @joni-jones I'm a bit confused on the patch. It's an official patch but I'm not seeing it on the M2 github, nor an issue or PR for it and the 2.2.8 milestone seems to be completed.

I'm guessing it's internal-only at this point?

[joni-jones]

@robolmos, we are still working on the process of how this patch should be published for the community. 2.2.8 branch already contains the fix and this branch is not available for the public community.

You can use the patch https://github.com/magento/community-features/files/2903457/Auth.net.md5.patch.zip for testing now and see if it applies for your Magento instance.

UPD: also, I've attached the composer version. Auth.net.md5.composer.patch.zip

[joni-jones]

The patches are ready for download https://support.magento.com/hc/en-us/articles/360024368392-Update-Authorize-Net-Direct-Post-from-MD5-to-SHA-512

[nohart]

I updated the patch and I entered my security key and saved it successfully. I then went to make a purchase and when I select "Place Order" at the end all that happens is that the page flashes. I don't get any errors. I dont know whats wrong. I contacted Authorize.net and they said to contact Magento. In Magento's backend it shows the sale and labels it "Pending Payment". But the sale won't go through for some reason.

I am already using "Authorize.net" Do I have to do anything? I am not using "Autorize.net Direct Post" in Magento’s backend. Can I just disable "Authorize.net Direct Post" and keep using "Authorize.net"?

[robolmos]

@nohart Which version of Magento? Are you using a third-party extension?

[nohart]

I am on v1.9.3.10 and not using any extension for this. Its under System -> Configuration - > Payment Methods There is one called Authorize.net which I have had set up since 2009 and one called Authorize.net Direct Post. I read that this patch is only for Authorize.net Direct Post. So if you are using it you have 2 choices update it with this patch or switch to Authorize.net. In my case I am already using Authorize.net so I don't think I have anything to worry about. The patch is misleading in my opinion and it makes me think that I have to switch over to Authorize.net Direct Post. I am just trying to find clarification on this.

[robolmos]

@nohart IIRC the Authorize.Net method uses AIM, which the hash isn't really necessary since HTTPS handles all that security good stuff.

The DPM version does need to verify the hash because Auth.Net makes a new connection to the server to update the transaction result, which a malicious actor could also do.

Reviewing the patch and blog language, the changes are only applying to DPM so it doesn't seem like the patch is needed if DPM isn't used.

[nohart]

Awesome Rob thanks for the clarification! Too bad Magento did not include language like this in their update. I got totally mislead. Thanks again!

[smadasam]

The patches are ready for download https://support.magento.com/hc/en-us/articles/360024368392-Update-Authorize-Net-Direct-Post-from-MD5-to-SHA-512

The steps to download the patch for CE are missing. If you click the access my account, it doesn't work, presumably because it would go to the non-CE page which I don't have.

"Magento Commerce and Magento Open Source For Magento Commerce, follow these steps to download and install the patch:

Access My Account."

[smadasam]

@robolmos, we are still working on the process of how this patch should be published for the community. 2.2.8 branch already contains the fix and this branch is not available for the public community.

You can use the patch https://github.com/magento/community-features/files/2903457/Auth.net.md5.patch.zip for testing now and see if it applies for your Magento instance.

UPD: also, I've attached the composer version. Auth.net.md5.composer.patch.zip

It seems like this patch is for 2.2.*?

On my 2.3 install, the files are in different places. ex: ./vendor/magento/module-authorizenet/Model/Directpost.php

vs error: code/Magento/Authorizenet/Model/Directpost.php: No such file or directory

[robolmos]

@smadasam There's two different patches based on how Magento was installed.

The file path for your error sounds like you have a composer-based install but are trying to apply the github (non-composer) patch. Can you verify please?

The option for the patch is in the "select your format" drop down on the Downloads page.

[JoshTheDerf]

Like @smadasam, I'm attempting to apply this to an open source version of Magento (1.9.4 CE) but cannot find the location of the patch for Magento 1.x. The linked "Downloads" page is a blank white screen for me.

Additionally, the relevant link on the knowledgebase page seems to be broken: https://support.magento.com/hc/en-us/360024368392

Any additional details?

[Jeevachezhiyan]

Hi @smadasam ,

Is the patch available for 2.1 version? As like @Tribex said I am getting an empty page after clicking "Downloads" Page.

In Magento official page am getting patch only for 2.2 version only? Where I can get patch for 2.1 version?

[nivens016]

So do these patches work for both Magento 1 and 2?

[jarhody]

Worked like a charm for me. Version 2.2.7 composer install.

For anyone using the composer version this may help. Of course always test in your dev environment first and back up before going live.

-Navigate to the vendor directory via FTP -Upload the patch file -On the command line run - git apply [patch file name] (i.e. - git apply Auth.net.md5.composer-2019-02-27-11-51-12.patch) -Run set-up upgrade command and flush cache -Navigate to M2 Admin panel config setting for auth.net. You should now have the option to add the Signature Key -Save and refresh cache

Run a test transaction and check either sysytem.log or payment.log and you should now see the SHA2_Hash being passed to auth.

Note: The MD5 key field is still in the M2 admin area and the MD5 hash is still being passed. I have not removed my MD5 key so hopefully everything will be good to go on March 15th.

Cheers!

[nivens016]

Jarhody how do i know which version to use?

[jarhody]

@nivens016

Jarhody how do i know which version to use?

I assume your are asking which patch version. Most production environments should be using the composer install I believe. It is my understanding that if your core modules are located in vendor/magento directory then you should use the composer patch version. If your core module files are in app/code/ then you should use the github patch version.

You may want to double check this info as it is only my "best guess" from what I could find out.

[robolmos]

Like @smadasam, I'm attempting to apply this to an open source version of Magento (1.9.4 CE) but cannot find the location of the patch for Magento 1.x. The linked "Downloads" page is a blank white screen for me.

@Tribex Unfortunately the official download instructions are still incorrect.

I downloaded the M1 patch from the release archive page: https://magento.com/tech-resources/download#download2280

[robolmos]

@Jeevachezhiyan

The official Magento notice says "Magento Open Source 2.X.X" so I'm thinking the patch will still work for 2.1. I can't imagine the DPM module changed much or at all between 2.1 and 2.2 but I'm not sure.

Applying a patch is pretty straight forward so best bet is to try and apply the patch and see if it does so cleanly. Then run a transaction test after setting up a signature key and all that good stuff.

[robolmos]

@jarhody FYI the deadline was bumped to March 28th: https://community.magento.com/t5/Magento-DevBlog/Authorize-Net-Direct-Post-Patch-for-M2-and-M1/bc-p/123666/highlight/true#M414

I'd also suggest testing against the sandbox after March 7th to be on the safe side. At least now we have more than a week to test/resolve if there are any issues.

[dikomo]

Has anyone that downloaded M1 patch had it working successfully with sandbox account? I am getting "Response hash validation failed. Transaction declined." even though the transaction was approved.

[robolmos]

For composer-based projects that did not commit vendor directory (the preferred approach I believe), I recommend tracking the patch via composer: https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-installation-from-a-GitHub-commit

This is what my composer.json "extra" key has:

"extra": { "magento-force": "override", "composer-exit-on-patch-failure": true, "patches": { "magento/module-authorizenet": { "MAGETWO-AuthNetDPM: Authorize.Net Direct Post Method SHA2 verification.": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch" } } }

Patch file was modified to remove references to "vendor/magento/module-authorizenet/" and saved in patches/composer directory.

Here's a gist of the modified patch file for reference: https://gist.github.com/robolmos/7a3bf336516b18f8e0bd48a13d93e1ef

Patch applied fine for me on a fresh M2.2.7 project despite odd output messages.

[Jeevachezhiyan]

I have installed this patch in Magento 2.1.15 and I made one order using sandbox credentials. I got the response but the order is canceled.

This error I got in magento2 admin order page Please enter a transaction ID to authorize this payment.

Please check the debug log file,

main.DEBUG: array ( 'request' => array ( 'x_version' => '3.1', 'x_delim_data' => 'FALSE', 'x_relay_response' => 'TRUE', 'x_test_request' => 'FALSE', 'x_login' => '****', 'x_method' => 'CC', 'x_relay_url' => 'https://xxx.com/authorizenet/directpost_payment/response', 'x_type' => 'AUTH_CAPTURE', 'x_fp_sequence' => '83792', 'x_invoice_num' => '000025268', 'x_amount' => 13.0, 'x_currency_code' => 'USD', 'x_tax' => '0.00', 'x_freight' => '4.50', 'x_first_name' => 'Jeeva', 'x_last_name' => 'xxxx', 'x_company' => 'xxxx', 'x_address' => '1701 E Woodfield Rd, Suite 710', 'x_city' => 'Schaumburg', 'x_state' => 'Illinois', 'x_zip' => '60173', 'x_country' => 'US', 'x_phone' => '847-305-4565', 'x_fax' => '', 'x_cust_id' => '', 'x_customer_ip' => '202.168.157.66', 'x_customer_tax_id' => '', 'x_email' => 'jeeva.xx@gmail.com', 'x_email_customer' => '1', 'x_merchant_email' => 'jeevachezhiyan@gmail.com', 'x_ship_to_first_name' => 'Jeeva', 'x_ship_to_last_name' => 'xxxx', 'x_ship_to_company' => 'xxxx', 'x_ship_to_address' => '1701 E Woodfield Rd, Suite 710', 'x_ship_to_city' => 'Schaumburg', 'x_ship_to_state' => 'Illinois', 'x_ship_to_zip' => '60173', 'x_ship_to_country' => 'US', 'x_po_num' => '', 'x_fp_timestamp' => 1551778671, 'x_fp_hash' => 'BF462D0A748CEBB633B1186B2DC0A095F484176CAC79555DF3D2B12B768219B2B4A4DB5A7B2E46F7015FF634A34B51B693B900C97DC8EC8DA5B168F1B9825CFF', ), ) {"is_exception":false} [] [2019-03-05 09:37:53] main.DEBUG: array ( 'response' => array ( 'x_response_code' => '1', 'x_response_reason_code' => '1', 'x_response_reason_text' => '(TESTMODE) This transaction has been approved.', 'x_avs_code' => 'P', 'x_auth_code' => '000000', 'x_trans_id' => '0', 'x_method' => 'CC', 'x_card_type' => 'Visa', 'x_account_number' => 'XXXX1111', 'x_first_name' => 'Jeeva', 'x_last_name' => 'xxx', 'x_company' => 'xxxx', 'x_address' => '1701 E Woodfield Rd, Suite 710', 'x_city' => 'Schaumburg', 'x_state' => 'Illinois', 'x_zip' => '60173', 'x_country' => 'US', 'x_phone' => '847-305-4565', 'x_fax' => '', 'x_email' => 'jeeva.xxx@gmail.com', 'x_invoice_num' => '000025268', 'x_description' => '', 'x_type' => 'auth_capture', 'x_cust_id' => '', 'x_ship_to_first_name' => 'Jeeva', 'x_ship_to_last_name' => 'xxx', 'x_ship_to_company' => 'xxx', 'x_ship_to_address' => '1701 E Woodfield Rd, Suite 710', 'x_ship_to_city' => 'Schaumburg', 'x_ship_to_state' => 'Illinois', 'x_ship_to_zip' => '60173', 'x_ship_to_country' => 'US', 'x_amount' => '13.00', 'x_tax' => '0.00', 'x_duty' => '0.00', 'x_freight' => '4.50', 'x_tax_exempt' => 'FALSE', 'x_po_num' => '', 'x_MD5_Hash' => 'C0BFC900A5244DC9284706A619D8F46A', 'x_SHA2_Hash' => '8C5E185A20832B4A9E05B236F319C181D2DE5D8FFE3F8BE8DE3B008180AD8BFF361D0B40E6CB42B01160A7E239C56C02B5CD069E46BC1875E01241F765C27419', 'x_cvv2_resp_code' => '', 'x_cavv_response' => '', 'x_test_request' => 'true', 'controller_action_name' => 'directpost_payment', 'is_secure' => '1', ), )

Transaction ID is set as "0" in sandbox mode that's the reason order is cancelled.

Can I do live transaction to get successful order? If anybody made order in sandbox mode?

[meticulosity]

@nohart IIRC the Authorize.Net method uses AIM, which the hash isn't really necessary since HTTPS handles all that security good stuff.

The DPM version does need to verify the hash because Auth.Net makes a new connection to the server to update the transaction result, which a malicious actor could also do.

Reviewing the patch and blog language, the changes are only applying to DPM so it doesn't seem like the patch is needed if DPM isn't used.

@robolmos Is this true though? It seems like if you use either you need to upgrade. To quote "Magento implements the Authorize.Net Direct Post payment method, using Authorize.Net's AIM (Advanced Integration Method) and DPM (Direct Post method) APIs, which use MD5 based hash.

Authorize.net will stop supporting MD5 based hash usage on March 14, 2019. Starting from this date, Magento Open Source, Magento Commerce and Magento Cloud merchants will not be able to process payments using Authorize.Net Direct Post payment method. To be able to continue successfully process payments using these methods, merchants need to apply the patch provided by Magento and replace the existing MD5 hash with a Signature Key in the Magento Admin configuration settings."

They are mentioning AIM and DP and using a plural for when saying payment methods.

[nohart]

Authorize.net emailed me and confirmed this patch is for "Authorize.net Direct Post". I told them that it's not really their fault but the language that is used in the patch is ambiguous and misleading. It is making people think they have to switch to and or if using currently patch "Authorize.net Direct Post" but from what I understand if you are already using" Authorize.net" you don't have to switch. So that leaves you with 2 choices. If you are using "Authorize.net Direct Post" you either have to patch it or switch to "Authorize.net". If you are currently using "Authorize.net" you don't have to do anything. If they email with anything different I will post the reply.

[Shimon2]

We installed the Authorize.net payment extension on a development subdomain. It did not work. We are trying to debug it now. The support for the extension has not responded to our queries. If anyone knows a good consultant with experience with the extension who wants a project, please let me know.

[gisjohn]

Anyone else getting this in Magento 1 (in various 1.x versions)?

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

After the patch is applied in checkout, even when Authorize.net Direct Post is NOT enabled?

I'm now at 5 sites and counting that I've applied the patch to and immediate had to revert.

[styzzz]

I don't remember whether I installed Magento manually or whether I used composer? I also had one installation that I installed manually but then use composer to update? Is there a way to check which patch you should be using?

On Tue, Mar 5, 2019, 8:30 PM John Winningham notifications@github.com wrote:

Anyone else getting:

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

After the patch is applied in checkout, even when Authorize.net Direct Post is NOT enabled?

I'm now at 5 sites and counting that I've applied the patch to and immediate had to revert.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-469929121, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGloulX1s94fzbY3o7PX433LRBGddnGks5vTxoqgaJpZM4Z-NEk .

[styzzz]

So we have till March 28th right? And authorize.net will work the old way up until March 28th ???

On Tue, Mar 5, 2019, 9:43 PM Stergios sterg17@gmail.com wrote:

I don't remember whether I installed Magento manually or whether I used composer? I also had one installation that I installed manually but then use composer to update? Is there a way to check which patch you should be using?

On Tue, Mar 5, 2019, 8:30 PM John Winningham notifications@github.com wrote:

Anyone else getting:

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

After the patch is applied in checkout, even when Authorize.net Direct Post is NOT enabled?

I'm now at 5 sites and counting that I've applied the patch to and immediate had to revert.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-469929121, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGloulX1s94fzbY3o7PX433LRBGddnGks5vTxoqgaJpZM4Z-NEk .

[psych360]

I haven't been able to fully test the patch on 2.2.6 yet, but for anyone who was having trouble locating the Downloads tab (for me it wasn't there on my Account page), I found the link at https://magento.com/tech-resources/download and was able to download.

[styzzz]

Is there a way to rollback the patch in case it fails? Or will I have to do a whole website restore??

On Wed, Mar 6, 2019 at 1:47 PM psych360 notifications@github.com wrote:

I haven't been able to fully test the patch on 2.2.6 yet, but for anyone who was having trouble locating the Downloads tab (for me it wasn't there on my Account page), I found the link at https://magento.com/tech-resources/download and was able to download.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/magento/community-features/issues/127#issuecomment-470227400, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGlovaXnDiFUW9jUh4C10bN9u5vrWptks5vUA0ogaJpZM4Z-NEk .

[FS-FIT]

Hi, I used a bitnami installation of Magento Commerce 2.2.7. has one of you access to the Magento Commerce 2.x patch?

[psych360]

You could always try git apply -R <patch> to revert the patch. Then the usual upgrade and cache clearing.

But I'd backup your Magento instance before you try applying the patch especially if you aren't testing on a dev server.

Is there a way to rollback the patch in case it fails? Or will I have to do a whole website restore?? … On Wed, Mar 6, 2019 at 1:47 PM psych360 @.***> wrote: I haven't been able to fully test the patch on 2.2.6 yet, but for anyone who was having trouble locating the Downloads tab (for me it wasn't there on my Account page), I found the link at https://magento.com/tech-resources/download and was able to download. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#127 (comment)>, or mute the thread https://github.com/notifications/unsubscribe-auth/AdGlovaXnDiFUW9jUh4C10bN9u5vrWptks5vUA0ogaJpZM4Z-NEk .

[adriancr]

Anyone else getting this in Magento 1 (in various 1.x versions)?

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

After the patch is applied in checkout, even when Authorize.net Direct Post is NOT enabled?

I'm now at 5 sites and counting that I've applied the patch to and immediate had to revert.

I got the same error. 2 different sites running Magento 1.9.3.10. Gotta say that this Auth.net Direct Post situation is pretty freaking frustrating... I was hoping to find an answer here... I'll try to debug it and see if it can be easily fixed.

[adriancr]

Anyone else getting this in Magento 1 (in various 1.x versions)?

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

After the patch is applied in checkout, even when Authorize.net Direct Post is NOT enabled?

I'm now at 5 sites and counting that I've applied the patch to and immediate had to revert.

Hey man, the fix is pretty simple. Copy paste that file into app/code/local/Mage/Authorizenet/Model/Directpost.php. Then open that file and go to line 392, you'll see this code: $hashConfigKey = !empty($response->getData('x_SHA2_Hash')) ? 'signature_key' : 'trans_md5';

Just change that to $responseKey = $response->getData('x_SHA2_Hash'); $hashConfigKey = !empty($responseKey) ? 'signature_key' : 'trans_md5';

Not really sure why this file is been used since we DO NOT have direct post enabled. Furthermore, this error is thrown when loading the checkout page, not when making the actual purchase/payment, which makes it even more weird...

Given the fact that this file is executed for something, I will thoroughly test with real transactions, you should the same too.

It would be great if somebody from the Magento team clarifies why is this file used even when Direct Post is not enabled.

[ray-moncada]

I am running Magento 2.2.5 CE. PHP 7.0.33

I load the git patch to "mage_root/app" make patch +x and change owner to www-data I run the command below as root

git apply Auth.net.md5-2019-02-27-11-48-58.patch

I get the following error (This is ok, I do not care about the test file) error: patch failed: code/Magento/Authorizenet/Test/Unit/Model/Directpost/ResponseTest.php:13 error: code/Magento/Authorizenet/Test/Unit/Model/Directpost/ResponseTest.php: patch does not apply

Next, I run php bin/magento setup:upgrade

I open the updated files but the patch seems to not take place.

Not sure what is going on.

Any suggestions.