search

magento / magento2

Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
http://www.magento.com
Open Software License 3.0
11.53k stars 9.31k forks source link

Vault/Stored Payment Methods are not saved per store #34253

Closed lilbumblebear closed 1 year ago

lilbumblebear commented 3 years ago

Preconditions (*)

  1. Magento 2.4.3
  2. Braintree Payment Method (with Stored Cards)

Steps to reproduce (*)

  1. Create 2 websites (ex: A and B)
  2. Stores - Configuration - Customers - Customer Configuration - Share customer accounts --> global
  3. Reindex and cache clear
  4. Admin - Stores - Configuration - Sales - Payment Methods - Scope - Default Scope - Configure Braintree with Sandbox account credentials and Save
  5. Change scope to other Store view - Configure Braintree with different Sandbox account credentials and save (Different payment credentials for each website (testing with braintree, with 2 different sandbox accounts)
  6. Reindex and clear cache
  7. Create 1 customer
  8. (on Admin) Create an order on website A for customer 1 and store card info
  9. (on Admin) Start creating an order on website B for customer 1 and the stored card from website A appears
  10. Front end - Login to Website B using same customer - Checkout page - Stored card payment method is displayed however payment is not working.

    Expected result (*)

  11. Card information should be saved per store, not globally for the customer
  12. I should not be able to see stored cards unless I am checking out in the same store in which they were saved.

Actual result (*)

  1. I am able to see the stored card from website A when I choose payment information for website B
  2. If I try to process the order, there is an error (expected, because the processor credentials are different)

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

m2-assistant[bot] commented 3 years ago

Hi @lilbumblebear. Thank you for your report. To help us process this issue please make sure that you provided the following information:

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

m2-assistant[bot] commented 3 years ago

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

lilbumblebear commented 3 years ago

any updates on this? seems like there is a security issue here with stored payments being shown on stores without the same processor credentials

hostep commented 3 years ago

@lilbumblebear: I fail to see how this is an issue when the customer account is shared across multiple websites? If it would happen when the "Customers > Customer Configuration > Account Sharing Options" setting is set to "Per Website", then this would be a valid issue. But that's not the case here if I understand you correctly? The creditcard info belongs to the customer, not to the payment method, right?

lilbumblebear commented 3 years ago

@hostep I understand your point, however, a vault payment token should technically be tied to the customer AND store in which it was used.

Sharing customer accounts across websites does not mean the websites share payment processor information.

Ex: Braintree credentials are saved at the store_view level. Let's say a store owner has 2 brands, each brand has its own website. Most processors require different accounts for each of these websites in order to display the correct brand in the transaction description. The customers can order from either website, with a shared account, but cannot use the same vault tokens because they are different processor accounts.

hostep commented 3 years ago

Hmm okay, this is pretty complex apparently and far beyond my knowledge 😄

@nathanjosiah: since this could be a potential security related issue, I'm including you here, but if you're not the right person, feel free to include people in here that know more about this functionality.

nathanjosiah commented 2 years ago

I don't think there are any security issues here. Based on the description of the problem it does look like a valid bug but I expect the only unexpected/bad behavior with this would be an error message if a token was used for a different payment account than what it was created for.

CC @vkublytskyi

m2-assistant[bot] commented 2 years ago

Hi @engcom-November. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

engcom-November commented 2 years ago

Verified the issue on Magento 2.4-develop branch and the issue is reproducible. Admin: image

Front end - Stored card info is displayed however payment is not working. Page not loading. image

github-jira-sync-bot commented 2 years ago

:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-2016 is successfully created for this GitHub issue.

m2-assistant[bot] commented 2 years ago

:white_check_mark: Confirmed by @engcom-November. Thank you for verifying the issue.
Issue Available: @engcom-November, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

fredden commented 2 years ago

@nathanjosiah I think there is a security issue here.

Consider a case where the payment gateway gives weak / colliding tokens. This is fine, because the token means nothing to us, and the association with actual payment happens at the payment gateway side. Let's say (for ease of discussion here) that the payment gateway gives sequential numeric identifiers per account as its tokens.

With the above, let's follow the flow of two users in Magento using the Vault.

  1. Alice creates an account in Store1 (configured with Sandbox1 payment gateway account).
  2. Alice goes through checkout in Store1 and saves their card, getting a token of Vault1 from the payment gateway.
  3. Bob creates an account in Store2 (configured with Sandbox2 payment gateway account).
  4. Bob goes through checkout in Store2 and saves their card, getting a token of Vault1 from the payment gateway.
  5. Alice goes through checkout in Store1 using their saved card. The payment gateway sees Vault1 for Sandbox1 and takes payment. All is well.
  6. Bob goes through checkout in Store2 using their saved card. The payment gateway sees Vault1 for Sandbox2 and takes payment. All is well.
  7. Alice goes through checkout in Store2 using their saved card. The payment gateway sees Vault1 for Sandbox2 and takes payment from the wrong person. Magento thinks all is well, as the payment gateway reports that it has successfully transferred funds.

Another similar problem could exist if the website administrator changes the payment gateway account credentials. For example (following on from above):

  1. The website administrator changes the payment details for Store1 to use payment gateway account Production1.
  2. Charlie goes through checkout and saves their card, getting a token of Vault1 from the payment gateway.
  3. Alice goes through checkout in Store1 using their saved card. The payment gateway sees Vault1 for Production1 and takes payment from the wrong person. Magento thinks all is well, as the payment gateway reports that it has successfully transferred funds.

From what's being described here, no collisions have been detected so far. (This is most likely because payment gateways are likely producing globally unique tokens.) When there's no collision, the payment gateway is rejecting the token and the user gets an error.

Yes, the token belongs to the user, but also to the payment method / gateway account. When these match what's on the store being visited, the Vault payment methods / options should show. When either is not applicable, the Vault payment methods should not be displayed.

github-jira-sync-bot commented 2 years ago

:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-2901 is successfully created for this GitHub issue.

m2-assistant[bot] commented 2 years ago

:white_check_mark: Confirmed by @sidolov. Thank you for verifying the issue.
Issue Available: @sidolov, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

fredden commented 1 year ago

@sidolov why was this closed? The labels suggest that this has been 'done', but I don't see any details here about what has been changed in order to fix this.

engcom-Bravo commented 1 year ago

Hello,

As I can see this issue got fixed in the scope of the internal Jira ticket AC-2901 by the internal team Related commits: https://github.com/search?q=repo%3Amagento%2Fmagento2+AC-2901&type=commits

Based on the Jira ticket, the target version is 2.4.7-beta2.

Thanks