progressivetech / net.ourpowerbase.remoteform

Remoteform allows you to easily create CiviCRM forms on a remote web site using a few lines of javascript code.

Donation Hanging on Contribution Page with Drupal 10 #52

Closed graceolivia closed 5 months ago

graceolivia commented 6 months ago

First of all, thank you so much for this extension! It's filling a really important need. Much appreciated.

Environment:

Drupal Version: 10
Payment Processor: Stripe

Description

I have successfully processed Stripe transactions using both the Test-drive and Live links on a Contribution Page created in CiviCRM. However, when attempting transactions through a remote form, the process hangs and returns a "Bad Request" error from Stripe.

Steps To Reproduce

  1. Set up Stripe payment processor with correct test and live keys
  2. Create Contribution page and allow Contribution amounts, set Stripe as payment processor
  3. Check that payments go through on both Test-drive and Live links on CiviCRM website
  4. Enable remote form and put on remote website (Drupal 10)
  5. Put in valid credit card info
  6. Receive "Bad Request" at handleServerResponse at remoteform.stripe.js. The loading wheel spins continuously without resolution.

Issue



The Bad Request error from Stripe apparently often indicates missing fields according to Stripe's documentation. I’m a little stumped, though, because this gives so little information. On the Stripe log side after the failed/hanging Remote Form submission, only a payment_methods post request is registered and no payment_intent is created. The payment_methods contains the card information. By contrast, successful transactions made with the Contribution Page directly on CiviCRM create a payment_intent request that includes the amount.

I’m a little stumped here. The error from Stripe is not very descriptive. When I check the logs, the actual payment amount (and also payment intent) is not getting transmitted to Stripe, and the "Bad Request" seems to hint at a field being missing. But what field would be missing?

Thank you so much!

jmcclelland commented 6 months ago

Hi @graceolivia - If you right click on the page that you inserted the remote form javascript code, and then click "Inspect" - you should get a window to open (assuming you are using either Firefox or Chrome). Then, if you click the "console" tab in that window, you will see some debugging information. If you can repeat the steps that caused the error and then watch the console, you may get additional information about what went wrong. Feel free to follow up with the information that is displayed in the console.

graceolivia commented 6 months ago

Hi @jmcclelland, sure, thanks for taking a look! Here's the complete log of the errors that happen after submission:

 remoteform.stripe.js:47 handleServerResponse 
{is_error: 1, error_message: 'Bad Request'}
 remoteform.stripe.js:50 Error:  
{is_error: 1, error_message: 'Bad Request'}
remoteform.js:710 XHR finished loading: POST "myurlhere"

And just for good measure here's a screenshot with key and urls blacked out:

[Screenshot: 043024 Remote Forms Error Log]

I wasn't able to find a lot of leads in these error logs. The only clue is the fact that no payment intent is being created on the Stripe side, and that 'Bad Request' apparently often corresponds to missing fields - so perhaps no payment amount is being transmitted?

jmcclelland commented 6 months ago

I'm sorry I can't really tell what's going wrong either. Have you checked the CiviCRM ConfigAndLog file? There might be a clue there?

jitendrapurohit commented 6 months ago

Got the same error, it seems to be due to https://lab.civicrm.org/extensions/firewall/-/issues/35

jmcclelland commented 5 months ago

I'm not able to replicate it, but I suspect that's because I'm not using Drupal 10 (yet).

To ensure we have a matching session_id, the remote form asks for the session id used to create the CSRF Token, and then sends its response along with the session id when submitting the data. Then, remote form uses that session id to initiate the session.

So, the session ids should always match, right? But, maybe in Drupal 10 the session is started before the Remote Form code can initialize the session? That's my best theory.

The whole session id business is my fault to begin with. A CSRF token, by definition, should include a session id, hence that MR. But, since we are submitting the credit card donation to CiviCRM as an anonymous user, we really don't need a CSRF token.

Maybe the Firewall extension should only include the session id in the token if it detects someone is logged in?
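
A simplified model of the session-bound token check discussed in the comment above, added here as an illustration; it is not code from Remoteform or the Firewall extension. The HMAC token layout, the `submit` handler and the rule that an already-started session overrides the submitted id are assumptions that mirror the theory in the comment.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value for this sketch


def _mac(expiry, bound_sid):
    msg = f"{expiry}|{bound_sid}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, logged_in=True, now=None, ttl=600):
    """Sign expiry + session id; anonymous tokens bind an empty id
    (the change proposed in the comment)."""
    expiry = int(time.time() if now is None else now) + ttl
    bound = session_id if logged_in else ""
    return f"{expiry}.{_mac(expiry, bound)}"


def verify_token(token, active_sid, logged_in=True, now=None):
    """Return 'ok', 'expired', 'malformed' or 'invalid'."""
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return "malformed"
    if (time.time() if now is None else now) > expiry:
        return "expired"
    bound = active_sid if logged_in else ""
    # A token bound to another session fails exactly like a forged one.
    ok = hmac.compare_digest(mac, _mac(expiry, bound))
    return "ok" if ok else "invalid"


def submit(token, sent_sid, preexisting_sid=None, logged_in=True, now=None):
    """Hypothetical submit handler: a session the framework already
    started wins over the id the remote form sent back."""
    active = preexisting_sid or sent_sid
    return verify_token(token, active, logged_in, now)
```

When the token is bound to `sid-A` but the request is handled under a different, already-started session, verification returns `invalid` even though the client sent the right id; the anonymous variant is unaffected because no session id is signed.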

jmcclelland commented 5 months ago

I created a d10 environment and was able to replicate it. I just patched the Firewall extension and it seems to fix this problem. Please re-open if that patch does not fix it for you.

graceolivia commented 5 months ago

@jmcclelland Thank you so much for taking the time to make the patch, it worked!

jmcclelland commented 5 months ago

Oh good @graceolivia, thanks for letting us know!