Setting browser cookies after triggering a stripe webhook handler - next.js

I have no backend experience and I wanted to know if it's possible to set the browser cookies of the customer after he/she completes a payment and Stripe triggers the checkout session completed event. I'm using the Next.js framework and I implemented an API webhook endpoint to listen for that event for some other tasks. Would really appreciate your help.
I've used the Stripe CLI to simulate a checkout being made and installed the cookies npm module to set browser cookies in the backend, but that's totally not the way to go since I'm only just testing the webhook endpoint via the Stripe commands (trigger, listen).

Not really, since a webhook has nothing to do with the customer and their browser. A webhook is an HTTP request sent by Stripe's server to yours to let you update your backend systems. So if you were to respond to it with Set-Cookie headers or so on, you're just attempting to set cookies on Stripe's server-side HTTP client (which won't do anything).
If you want to set cookies on the customer, you might do that for example when they visit the success_url page on your server, which you provided to the CheckoutSession. Note that anyone can visit that URL, so you shouldn't grant access or ship a product based only on that. What you might do is set a cookie identifying the customer, and then when they try to access your product or whatever it is they've paid for, you can check your database to see if you've updated it from the Stripe webhook to indicate they've paid.
https://stripe.com/docs/payments/checkout/custom-success-page
https://stripe.com/docs/payments/checkout/fulfill-orders

Related

How should I implement an Auth handler that takes effect on response?

I wish to implement an Auth handler for requests that handles authentication with an OAuth Authorization server to allow the following:
import requests
requests.get(url, auth=KeycloakAuth())
What I've done so far is to apply a response hook when KeycloakAuth is called, so that when the client redirects the caller to Keycloak, the hook will see the Keycloak login page, post the credentials to Keycloak and get redirected back to the client.
However, this does not work for a POST, as requests makes a POST to Keycloak's login page instead of a GET due to the redirect. Keycloak doesn't return the login form in response to a POST and this fails.
I considered checking for the redirect in the response hook so that I can modify the redirect to do a GET to Keycloak instead, but it seems like requests' implementation of redirects bypasses all the hooks.
After poking into this a bit more, I believe this may be the wrong question to ask.
I was seeking a solution where, regardless of the original HTTP method used on the client (GET, POST, HEAD, etc.), the library would automatically log in to Keycloak, and then "replay" the original request to the client and make it effectively transparent to the user of the library.
However, this can't possibly work with OAuth 2.0 without further state management on either the part of the library or the client, due to the redirecting.
Suppose the original request was a POST, with some data. After finding that the user is not logged in, the User-Agent will be redirected to the Authorization Server for authentication.
This means that the original request's POST data will be lost, removing the opportunity for any replay, upon the User-Agent being redirected back to the client after authentication.
With some state management, the POST data could be stored for replay - it doesn't make sense to store the data on the server side since the data could be arbitrarily large, which leaves us with the user of the library to do the state management.
However, that amount of state management should probably not belong in a library, since the library will have to handle lots of cases to guarantee only-once delivery of the request, for example, which would be expected by the user of the requests library.
As such, this Auth handler is probably not something we can implement in a library.

Fortumo Web SDK processing

I am setting up Fortumo Web SDK payment for my website.
I am putting the URL in "To which URL will your payment requests be forwarded to?"
I am using some DB-related code here so that it would insert the code in the DB and I could check it afterwards,
but when I test the payment it doesn't touch the GET URL and doesn't send any request to this URL.
Need support,
thanks
Finally, I am able to solve the issue. Actually the main problem is that Fortumo Web SDK works only with HTTPS links and sends the payment response as a GET request to the link specified in the Fortumo configuration.
So now my link starts with https://multanwebtech.com/.......php

How to intercept UI routes in Angular for user session management?

We have an Angular application with Node as the back end. We have an authentication server where session management is done. There is an HTTP interceptor that we are using in order to check whether a session is live before executing the HTTP request. If the session has expired we navigate to the Login page. This works for most of the pages, as we have one HTTP request or another in ngOnInit and hence they work fine. But I want to know how to intercept when there are no HTTP requests on load. How do I handle this? Should I use canActivate? Any suggestions would be helpful.
Thanks
Yes, you can use the canActivate hook of the Angular Router for doing this. You don't want to repeat the login check code in every component; canActivate can be reused in other parts of the application in the router config declaration. You can also check if the user has permissions to see this page.
What you can also do is make the request and wait for the response; if the response is 403, the HTTP interceptor routes back to the Login page.
If you don't want to check every time, you can use local storage to save the session start date and check if that has expired.

TLS 1.2 Upgrade

I'm using a custom form to send to PayPal and take payment. At present I am using the following URLs where the user is directed to make payment: https://www.sandbox.paypal.com/cgi-bin/webscr for sandbox and https://www.paypal.com/cgi-bin/webscr for live payments.
I have IPN enabled along with a thank-you URL set.
I collect the order info from my ASP.NET site and when they're ready I send the transaction to the relevant PayPal URL (sandbox or live). The PayPal site is reached, users can make a payment and are returned back to my site.
If I visit https://tlstest.paypal.com/ in a browser from the server where my site is hosted I see PayPal_Connection_OK, so this means to me the server is set up, but I don't know if any further coding/configuration is required when the form leaves my site to go to PayPal to take payments?
I then look in Fiddler and I'm seeing TLS 1.2 listed on the tunnel to the PayPal record.
Do I need to make any further changes to ensure all is set up for TLS 1.2?

Handle HTTP cookies to simulate browser like behaviour

There is a site which accepts logins from the same user until the browser is restarted. I try to simulate this in JMeter with HTTP Cookie Manager. I defined cookies and use those in all the logins, but seemingly it doesn't use them. After a successful login the site allows only the same user to log in until the browser is closed, but I can log in with other users too in the same JMeter test execution. I use the standard Cookie Policy.
You don't need to define cookies manually; JMeter's Cookie Manager manages cookies automatically.
As per the documentation:
The Cookie Manager element has two functions:
First, it stores and sends cookies just like a web browser. If you have an HTTP Request and the response contains a cookie, the Cookie Manager automatically stores that cookie and will use it for all future requests to that particular web site. Each JMeter thread has its own "cookie storage area". So, if you are testing a web site that uses a cookie for storing session information, each JMeter thread will have its own session. Note that such cookies do not appear on the Cookie Manager display, but they can be seen using the View Results Tree Listener.
If you need to mimic "Logout" you can tick the Clear Cookies each Iteration box, and each Thread Group loop (iteration) will simulate a "clean" login.
See HTTP Cookie Manager Advanced Usage - A Guide for more information on HTTP Cookie Manager use and troubleshooting.
It is possible that the web site is not using cookies at all for the purpose of tracking logins, and instead uses "browser session storage". (See https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) And it is possible that the cookies that you see are added by other parties / sources, for example google analytics etc.