1. Objective
Improve the implementation to prevent the customer entering redirect URL directly in the address bar of the browser
Jira Ticket: #511
2. Description of change
Previously, we relied on the Referer header for the Safari browser and the HTTP_SEC_FETCH_SITE header for other browsers to prevent the user from triggering the redirect URL manually. We knew Referer is not reliable, as some browsers limit access and do not allow HTTP_REFERER to be passed, but we chose it for Safari because it does not support HTTP_SEC_FETCH_SITE.

This implementation was not 100% reliable, as some payment gateways set the value of HTTP_SEC_FETCH_SITE to none instead of cross-site. This resulted in the customer being redirected to the abandoned cart page even though the transaction was legit.

With this PR, we removed the header checks. We create a random token, save it to the payment of the order and pass it as a query parameter with the return URI to the gateway. Once it is redirected back, we check whether the token in the query parameter is the same as the token saved in the payment of the concerned order. If yes, then we proceed with the transaction; else we redirect the user to the empty cart page with the message "Invalid token. Please contact our support if you have any questions."
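The token round trip described above, as an added Python example that is not the project's own code: the in-memory PAYMENTS store, its field names and the "proceed" result are assumptions, and consuming the token after one use goes beyond what the PR states.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

INVALID_TOKEN_MESSAGE = "Invalid token. Please contact our support if you have any questions."

# Constructed in-memory stand-in for the payment record stored on each order
# (the real project persists this; the field names are assumptions).
PAYMENTS = {}


def issue_return_token(order_id):
    """Create a random token and save it on the order's payment before the
    customer is sent to the gateway (32 random bytes, URL-safe encoded)."""
    token = secrets.token_urlsafe(32)
    PAYMENTS[order_id] = {"return_token": token, "status": "pending"}
    return token


def build_return_uri(base_url, order_id):
    """Return URI handed to the gateway: the order id and the token travel as
    query parameters, so the gateway echoes them back on the redirect."""
    token = issue_return_token(order_id)
    return f"{base_url}?{urlencode({'order_id': order_id, 'token': token})}"


def handle_gateway_return(uri):
    """Replaces the old Referer / HTTP_SEC_FETCH_SITE checks: proceed only when
    the token echoed in the query matches the one saved on the payment."""
    params = parse_qs(urlparse(uri).query)
    order_id = params.get("order_id", [""])[0]
    token = params.get("token", [""])[0]
    payment = PAYMENTS.get(order_id)
    # A URL typed by hand carries no valid token; an unknown order, or a payment
    # whose return trip already happened, is refused the same way.
    if payment is None or not token or payment["status"] != "pending":
        return INVALID_TOKEN_MESSAGE
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(payment["return_token"].encode(), token.encode()):
        return INVALID_TOKEN_MESSAGE
    # Assumption beyond the PR text: mark the token consumed so a replayed
    # return URL cannot re-enter the success path.
    payment["status"] = "returned"
    return "proceed"
```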
3. Quality assurance
Test the cancel and success transactions with any payment method. Examples: 3DS and internet banking.
Try entering the redirect URL in the address bar of the browser. It should redirect back to the empty cart page with the error message "Invalid token. Please contact our support if you have any questions."

Link to screencast: https://drive.google.com/file/d/1lmHnUb62TwWvZ33zpa8GRUDsxQmd9vGp/view?usp=sharing