  • dio5
    Community Member
    501 Posts

    PayPalPayment->AuthorisationCode

    I'm trying to get the trunk Payment module working on Paypal, with trunk e-commerce.

    However there seems to be an issue with the AuthorisationCode, I cannot find anything in the code that sets this.

    On the PayPalForm it's put as:

    $inputs['custom'] = $this->ID . '-' . $this->AuthorisationCode;

    which is always like '5-'.

    Paypal returns this, but in the 'complete' method of the handler this is checked:

    if(isset($_REQUEST['custom']) && $custom = $_REQUEST['custom']) {
             $params = explode('-', $custom);
             if(count($params) == 2) {
                if($payment = DataObject::get_by_id('PayPalPayment', $params[0])) {
                   if($payment->AuthorisationCode == $params[1]) {
    ...

    But, as $params[1] is never set, nothing of this ever happens and I get errors.

    Anything I'm missing here?

    Someone on IRC apparently had this problem as well and changed the code, set the AuthorisationCode on the form as the order uid:

    $this->AuthorisationCode = $order->UID;
    $this->write();

    However, what is the real purpose of AuthorisationCode? I cannot see it working as currently implemented in trunk?

  • Pigeon
    Community Member
    243 Posts

    Re: PayPalPayment->AuthorisationCode

    Hi Dio5,

    Now I remember, that was an issue that I had. I just generated my own authorisation code if I remember correctly, or I removed it from the code. It didn't seem to serve any purpose whatsoever.

    EDIT:
    Lol, I just read all of your post and realised that you had seen I made up my own! I have no idea of its point!

  • Nicolaas
    Forum Moderator
    213 Posts

    Re: PayPalPayment->AuthorisationCode

    As the author of most of the PP code, let me start with an apology for it not working...

    From memory, the authorisation code is there to prevent people from faking a payment. That is, you can go all the way to the checkout, then you get forwarded to PP; at this stage, you don't pay, but fake the return variables from PP. Doing so can make it look like you have paid. The idea of the authorisation code was to save some sort of code that is checked against your return variables, thereby making it more secure (i.e. the code must match the payment ID). Well, that was the theory.

    I just had a look at the code, and it is indeed a mess. Does anyone want to write a patch? I don't really have time this week or next week to fix it, unfortunately.

    Sorry

    Nicolaas

  • michaelmitchell
    Community Member
    3 Posts

    Re: PayPalPayment->AuthorisationCode

    **Removed**

    Read the post about potential security bugs and decided to remove this post.

  • Normann
    Forum Moderator
    12 Posts

    Re: PayPalPayment->AuthorisationCode

    Yes, that bit of code was originally designed for using IPN, but lost its functionality during a version merge and introduced bugs. For now, you could simply add this piece of code to the PayPalPayment class to solve the problem:

       function populateDefaults() {
          parent::populateDefaults();
          $this->AuthorisationCode = md5(uniqid(rand(), true));
       }

    I picked this piece of code up from the last version, where the db field AuthorisationCode was moved from the Payment class to the PayPalPayment class but its population was simply dropped from the Payment class.

    The solution is not added to solve the security problem until somebody can submit a patch for IPN, though I am not convinced that IPN is fully secure, i.e. what happens if somebody fakes IPNs?
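
Added example (not part of the original thread and not the module's code): drawing the code from the OS CSPRNG rather than md5(uniqid(rand(), true)), and checking the returned custom value strictly so that a value such as '5-' can never match an empty stored code. newAuthorisationCode and checkCustom are hypothetical names, the $codes array stands in for the database lookup, and PHP 7.1+ is assumed. Because custom is sent through the buyer's browser, a match ties the return to a payment record but does not prove that money was received.

```php
<?php
// Added example, not the module's code. Function names are hypothetical.

// 128 bits from the OS CSPRNG, hex-encoded so the code never contains '-'.
function newAuthorisationCode(): string
{
    return bin2hex(random_bytes(16));
}

// Returns the payment ID when $custom is "<id>-<code>" and the code matches
// the one stored for that ID; returns null otherwise.
// $storedCodes maps payment ID => stored code (stands in for the DB lookup).
function checkCustom(string $custom, array $storedCodes): ?int
{
    // Exact shape only: decimal ID, one dash, 32 lowercase hex characters.
    // This rejects "5-", "5" and "5-abc-def" before any lookup happens.
    if (!preg_match('/\A([1-9][0-9]*)-([0-9a-f]{32})\z/', $custom, $m)) {
        return null;
    }
    $id = (int) $m[1];
    $stored = $storedCodes[$id] ?? '';
    // A missing or empty stored code must never match anything.
    if (!is_string($stored) || $stored === '') {
        return null;
    }
    // hash_equals compares in constant time and does no type juggling.
    return hash_equals($stored, $m[2]) ? $id : null;
}

// Constructed sample data: payment 5 has a code, payment 6 was saved without one.
$codes = [5 => newAuthorisationCode(), 6 => ''];

var_dump(checkCustom('5-' . $codes[5], $codes));           // correct code for payment 5
var_dump(checkCustom('5-', $codes));                       // empty code, as in the first post
var_dump(checkCustom('6-', $codes));                       // payment stored without a code
var_dump(checkCustom('5-' . str_repeat('0', 32), $codes)); // well-formed but wrong code
```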

  • dio5
    Community Member
    501 Posts

    Re: PayPalPayment->AuthorisationCode

    I had a feeling something odd was going on with this, and even with authorisationcode implemented it would be obviously insecure.

    Still fail to understand how so few people had this problem, unless nobody's using this Paypal class?

  • michaelmitchell
    Community Member
    3 Posts

    Re: PayPalPayment->AuthorisationCode

    Hey Normann,

    I've implemented IPN in a new PayPalPayment class, however I need to tidy it up and remove some extra crap I put in there for what I was using it for, and then it's free for all to use.

    In regards to the security of IPN, it is just as secure as any other type of commercial Credit Card/Payment processing method and would be very hard to fake. IPN works by a request being made from the server to PayPal and the response of the IPN being the body of that request, therefore unless someone could somehow modify the PHP code itself to use a different IPN address or use a "man in the middle" type attack to change where the IPN address really points (which would work on all types of Credit Card/Payment processing methods and points to a larger security concern) it is perfectly secure and accurate to use.

    I've used it in several successful sites that require instant access to purchased and am happy to share what I've got after I tidy it up.
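
Added example (not part of the original thread and not michaelmitchell's class): the IPN exchange described above, followed by the checks a shop still has to make on a verified message, which is what decides the "what if somebody fakes IPNs" case. handleIpn, the $postback callable and the sample order are assumptions; the postback is a stub so the script runs offline, and PHP 7.4+ is assumed.

```php
<?php
// Added example, not the module's code; handleIpn and $postback are hypothetical names.
// $rawBody:  IPN POST body exactly as received (e.g. read from php://input).
// $postback: sends a body to PayPal and returns the reply; in production a
//            TLS-verified POST to https://ipnpb.paypal.com/cgi-bin/webscr.
// $order:    what the shop expects; $seenTxn: transaction IDs already honoured.
function handleIpn(string $rawBody, callable $postback, array $order, array &$seenTxn): string
{
    // 1. Send the message back unchanged, prefixed with cmd=_notify-validate.
    if (trim($postback('cmd=_notify-validate&' . $rawBody)) !== 'VERIFIED') {
        return 'rejected: not verified by PayPal';
    }
    // 2. The fields are now known to come from PayPal; compare them with the order.
    parse_str($rawBody, $ipn);
    $get = fn(string $k): string => is_string($ipn[$k] ?? null) ? $ipn[$k] : '';
    if ($get('payment_status') !== 'Completed') {
        return 'ignored: payment not completed';
    }
    if (strcasecmp($get('receiver_email'), $order['receiver_email']) !== 0
        || $get('mc_gross') !== $order['amount']
        || $get('mc_currency') !== $order['currency']
        || !hash_equals($order['custom'], $get('custom'))) {
        return 'rejected: does not match order';
    }
    // 3. Honour each transaction ID once, so a replayed IPN changes nothing.
    $txn = $get('txn_id');
    if ($txn === '' || isset($seenTxn[$txn])) {
        return 'ignored: duplicate or missing txn_id';
    }
    $seenTxn[$txn] = true;
    return 'paid';
}

// Constructed sample data.
$order = ['receiver_email' => 'shop@example.com', 'amount' => '25.00',
          'currency' => 'NZD', 'custom' => '5-0123456789abcdef0123456789abcdef'];
$body = http_build_query(['payment_status' => 'Completed', 'txn_id' => 'TXN-CONSTRUCTED-1',
          'receiver_email' => 'shop@example.com', 'mc_gross' => '25.00',
          'mc_currency' => 'NZD', 'custom' => $order['custom']]);
// Stub standing in for PayPal: answers VERIFIED only for the message it "sent".
$paypal = fn(string $b): string => $b === 'cmd=_notify-validate&' . $body ? 'VERIFIED' : 'INVALID';
$seen = [];
echo handleIpn($body, $paypal, $order, $seen), "\n";                               // genuine IPN
echo handleIpn($body, $paypal, $order, $seen), "\n";                               // same IPN replayed
echo handleIpn(str_replace('25.00', '0.01', $body), $paypal, $order, $seen), "\n"; // altered copy
```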

  • dio5
    Community Member
    501 Posts

    Re: PayPalPayment->AuthorisationCode

    Hey Michael,

    any idea when you can share the code with IPN?

    I'd have a throw it at myself but no use going into the trouble if you're happy to share

    Cheerz,

    Dieter
