I am consuming an internal service which returns a paypal url, it looks like this:
https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=xxxxxxx
Currently, I am redirecting the page to this url in order to complete the payment workflow, it is working right. Business requirement does not want full redirection.
I've tried to execute it in an iframe but PayPal makes full page redirection due to security implications.
I would like to keep my ui simple, I would like to avoid other implementations which puts logic in the ui EG. client side express checkout. Because I would like to maintain the current logic in the internal service.
Eventually, I could use only the token and change the original ui approach, eg. creating the classic PayPal button. Any option to use an iframe?
I would like to keep my ui simple, I would like to avoid other implementations which puts logic in the ui EG. client side express checkout. Because I would like to maintain the current logic in the internal service.
Using PayPal's checkout.js is the only way you're able to do a same-page checkout. You can use your existing token from the paypal url you're generating, with checkout.js -- you don't need to change much to get it to work.
See this demo: https://developer.paypal.com/demo/checkout/#/pattern/server
You just need to return the token in the payment() function, in place of the id.
Related
I have two web application sharing one firebase (auth, db etc), it all works well, but i when users want to do a reset password, the email i can see in the Password reset template allows me to change it but i don't want to be hard specific on the url, given the password request might come from either application, is there a way to let firebase know which link to use or possibly set it from the code ?
It is not possible to change it to a fully customized URL(like mywebapp1.com), the reason for that is that it won't be possible to check if the modified URL is a valid one.
You have 2 options:
You can get a custom domain like authApp.com and follow these steps on the documentation so you can have a more personalized experience for both apps.
You can create dedicated emails based on the app (the URL will stay the same) using action links , this will show a nice layer of customization to your emails based on the specific web app being used.
Need help to understand standard flow for handling additional-information-required scenario.
Context: We have a number of product implementations, all integrated with a central single sign-on server. A registered customer can opt to start using new products on-demand. But some of the products require the customer to carry out some one-off setup steps before they use the product - these steps are only needed the very first time of using the product.
Consider a customer is on the page https://product-abc.ourdomain.com. And now clicks on a link within that product something like 'do something (note, this will redirect you to product-xyz)'. At this point the customer is redirected to https://product-xyz.ourdomain.com. Here we want to detect whether the customer is using the product for the first time and if yes, redirect the user to a setup page wherein we can prompt them to supply the product-specific additional information. On the other hand, if the customer is already configured for the product, they will just navigate into the product page and continue using it.
I wanted to know if there is something similar to the 401 Unauthorized flow to handle this. With authentication flow,
A client tries accessing a protected resource.
The server checks the caller has requisite authentication and if not, returns 401 Unauthorized status code with additional details in the WWW-Authenticate header.
The client carries out authentication - say by integrating with the central single sign-on server - and then reattempts the original request, this time succeeding.
I'm wondering if there is a similar flow like,
A client tries accessing a protected resource.
The server checks whether the client is OK to use it. In our case, if its the first time a customer is accessing the product, this check will determine additional setup is required. For example, the client has to supply us with their correspondence address so that we can set up a data tenancy for the specific customer. Here I would like to return a HTTP status code, say, 4xx Setup Required with additional information in a header, say, WWW-SetupInfo.
Once the initial-setup flow is completed, the customer will be redirected to the main product and carry on using it.
The nearest status code that seems to match my usecase is 402 Payment Required, but product-xyz doesn't need any specific subscription or payment. We just need some product-specific additional information to do the initial configuration.
I can handle it by doing custom implementation using 3xx redirect but I was wondering if there is a better way of handling it.
Thanks for any pointers.
Unless you are using basic-authentication, you don't want to use a 401 Unauthorized" status code with a WWW-Authenticate` header. This built in mechanism in browsers has very limited functionality:
Always prompts for user name and password, with no mechanism to customize the process either with look and feel, or custom workflows. You say you want to use single-sign-on. 401 Unauthorized is not compatible with that.
Has no log-out mechanism
Has no session timeout mechanism
As a result, almost all websites use logins based on forms and cookies. If somebody isn't logged in, you should use a 302 Temporary redirect to the login page.
Similarly, if somebody doesn't have their initial setup completed to use a particular page, you would not use a special HTTP status. You would either present them with the a 200 OK page with the form asking for the data you need, or use a 302 Temporary redirect to take them to that form on another URL.
I am trying to integrate a product offered by a 3rd party into my web site. This 3rd party does not have the resources to make code changes for a single sign-on type of setup so I am looking for a way to provide a similar user experience through some possible shortcuts. One that I am considering is to use an HTML POST to post the login credentials directly to the form on the login page which would hopefully bypass the page all together and direct the user directly to the home page fully authenticated. Does anyone know if this is possible, and if so how would I go about it?
i don't think it's possible. i believe that most well made authentication will have some sort of nonce in its form, which is essentially to ensure that unless you use their form to submit, the submission will be rejected.
and even if currently they don't have nonce, in the future they might have
On some websites, when you want to login, you need to enter a captcha as well. If I want to provide support for an user to enter a captcha into my application ( which will then log into the website ), how would I do this?
My problem is that the link to the captcha image is like this: example.com/captcha , and it serves a different image each time it's accesed.
My approach is like this:
request page
download image
show image to user
user inputs login information
application logs in
The thing is, if you download the image in order to show it to the user, you're actually receiving a different image than the one generated when the page was loaded, right? How can I get to the image that was generated when the page was loaded, so that when I show it to the user, it's the correct one?
The question is language agnostic.
I think your problem is about sessions, the session your app downloading the image and the session your app submiting the login form may not be the same session, then your captcha will never be correct, you should maitain the session between requests, normally is some cookie set by the website.
By design, most captcha will always give you a different image. No way to work around that fact.
The first thing to do, is to open up fiddler. That way you can see what the browser is doing so that it can autenticate & remain autenticated.
It usually comes down to a cookie being sent. So what you need to do is to hold the cookie on your client app, and have all the requests sent with that cookie. Different platforms provide features to do so, but I'm sure a quick search will show you how.
Remember to pay attention to all being exchanged in fiddler, you need to make sure your apps triggers the same. Besides cookies, pay attention to any hidden field a js might set on the form.
It sounds like you're trying to invent a captcha solution yourself. Have you considered using reCAPTCHA? It's free.
Can you be a bit more specific about your situation? From what you've said, I'm assuming the following:
You have a "client GUI app" that logs in to a third-party site. Is this a web-app, or a desktop/standalone application? In what language is it written?
Your app contacts the third party site and downloads the Captcha image. This image is then shown to the user.
The user enters the captcha phrase and submits it to your app. Your app then submits this phrase to the site for validation. This is where sessions come in. Assuming the remote site uses cookie-based session tracking, you will need to send the same cookie to the third-party server with this submission as you do when the image was downloaded (in the step above). This allows the server to match your submission to the correct image it sent. Precisely how you do this depends on what language you've written your app in and the precise structure of it all. Without more information, a more specific solution is impossible.
The image that's generated is also the image served to the user. Your 'main' html page doesn't/shouldn't generate the image, it only embeds it using the image tag.
You could pass a token of some kind with the captcha image, perhaps appended to the filename such as captcha-0ad719bef61bc6a0.jpg and the appended data could link into a temporary table in a database server side that has the correct answer. This would allow you to check things were ok without passing both the image and answer across to your application.
I'm not sure if I entirely understand this question, but wouldn't you simply store the captcha locally after requesting it from the server, and then embed the local image from the client application, while storing any necessary session captcha data that will allow the captcha to be validated on post, assuming the user input is correct?
If the problem is that the captcha changes everytime you request it, just request it only once.
Can you offer any more clarification if this wouldn't apply to you?
It depends from capcha to another captcha. Maybe you need to use sessions or cookies or some captcha image filename. Show the page with that captcha.
I have a scenario where i need to have a user checkout through PayPal and then once we receive the payment then we create a membership record in our membership site. The PayPal requires a "return" field when you submit the form button that will take the user back to our page once the order has been successfully processed. On that page is where we actually track the sale and fire a chunk of javascript to track the sale.
So my question is this, how can i make sure that the return page comes from PayPal and is not spoofed by a user in the system. I know there is a way to use the notify_url to have PayPal post back to our system, but in this case i have to run a chunk of javascript. Is there an easy way to do this, or would i have to write some looping/timeout function that checks to see if the notify post has come through?
Im using .net to do the posting to paypal
You need to have PayPal call a script on your site in order to prevent spoofing. Anything that goes through the client/browser is open to the user for modification, so only things that come directly to your server from PayPal are secure.