I have been trying to validate that when the silent post comes into my application it is validated that it is indeed from Paypal. I have tried both in the following link.
PayPal Payments Advanced -- Validate Parameters Sent to Confirm and Cancel Pages
Neither seems to work. When i try to pass a token it just does not send. If I do it manually it works but it seems the regular params sent with Paypal "override it".
I tried using NVP/SOAP and Rest API and neither of them work either.
I JUST need a simple way that will WORK to know that the silent post I am receiving is Paypal and a valid transaction 100%. A secure token would seem to work great but no cigar so far.
Application is in Ruby on Rails.
If this is still not working for you, you might want to check on the URL from which you receive the silent post
URL: notify.paypal.com (Payflow Silent Post)
IP address: 173.0.81.65
Here is a pro module documentation from broadleafcommerce.com
http://www.broadleafcommerce.com/docs/paypal-payflowpro/current/paypal-payflow-pro-environment-setup
Found something similar here
How do you verify that the notification to the Silent Post URL is indeed from PayPal Payflow and not a hacker?
Related
Last week, seemingly out of nowhere, we started getting an error when we try to use the VPP api to assign licenses or anything else.
{“errorNumber”:9601,“status”:-1,“errorMessage”:“Login required”}
Does anyone know what this error means? The documentation mentions it, but doesn't explain why you would get it. Our customers upload their tokens to us that they download from apple's VPP portal and that enables VPP management for them. Recently, new and existing VPP accounts are failing with the error mentioned above. Thank you for your time.
Update:
We call an endpoint apple provides to know what url's to use for the various api requests we can do. Supposedly they can change without notice so you are supposed to rely on the url's they give you back from this un-authenticated call:
https://vpp.itunes.apple.com/WebObjects/MZFinance.woa/wa/VPPServiceConfigSrv
The url's it's returning do not match what are in the documentation. If you send your parameters as querystring params to the url's that come back from that call, everything works. If you send the params as json like the documentation says you should and use those url's, you get the "Login required" error. If you send your params as json in the post body to the url's in the documentation, everything works. Querystring also works. Something has changed on their end and the support guy I talked to couldn't see it and wasn't willing to dig deeper. I'm working on talking to someone else. Here's the documentation for VPP for reference:
https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf
I'm working with the PayPal API and am trying to create an account as shown here.
The request is made to https://svcs.sandbox.paypal.com/AdaptiveAccounts/CreateAccount.
I'm able to send a valid request and get a response indicating success back but the redirect URL that's also returned as part of the response payload (which according to their docs is supposed to take the user to a PayPal sign up/registration page) is directing them to the following:
I've been unable to find anything on Stackoverflow or Google regarding this. Has anyone encountered this before? I'm assuming that even though it's a sandbox environment it should allow me to simulate the workflow somehow. I've tried with both the default sandbox credentials as well as for my own environment.
Looks like the issue was due to the IP address header in the request. The default configuration is:
-H "X-PAYPAL-DEVICE-IPADDRESS: 192.0.2.0"
While testing on localhost, I changed it to:
-H "X-PAYPAL-DEVICE-IPADDRESS: 127.0.0.1"
Also had to ensure that the email address didn't already have an account registered to it - in which case it would lead to a login page instead of the registration page (which is a little poorly designed in my opinion since you can't really test without making new accounts each time).
Has anyone had success using Stripe connect with an iOS app. I have a few questions:
I'm following the guidelines here: https://stripe.com/docs/connect/getting-started
Registering an Application: easy, no problem here
Then a little further down:
Send your users to Stripe: again, easy no problem here, I just have a button that opens up the link in a UIWebView. I assume having the client_id in the URL is fine? A lot of my uncertainty is what IDs/keys I should hard-code into the app
Then a little further down:
After the user connects or creates a Stripe account, we'll redirect them back to the redirect_uri you set in yourapplication settings with a code parameter or an error.
What I'm doing here is using the UIWebview's webView:shouldStartLoadWithReqest:navigationType delegate method to check for the string "code=" in the URL. If it finds that, then I'm able to grab the "code" parameter. So in reality, the redirect_uri is completely unnecessary for me. Is this the right way to handle this? Should I be doing this within my app or on my server?
After receiving the code, we are supposed to make a POST call to receive an access_token. Again, should this be done within the app or on the Server? It requires the use of a secret_key, so I'm guessing server? And how do I send credit card information along with this token if the token needs to be sent to the server? I know how to obtain the card number, exp date, and CVV. But in terms of passing it to the server (with or without the token) is something I'm not sure of.
Then when it comes to actually writing PHP, Ruby, or Python code on the server, I'm at a total loss.
Any help would be greatly appreciated.
You should setup a small web app to create stripe charges and storing you customers Authorization Code. Configure two routes in your web app for redirect_uri and webhook_uri and add the url in your Stripe Apps settings. The charges should be created from a server side app because it requires the secret_key / authorization_code which should not be stored in an iPad app. Otherwise they may lead to a security leak. I'm trying to describe the concept below:
Provide the stripe connect button in your app and set the link to open in Safari (not in an web view). You should add a state parameter to the url with an id which is unique to your users.
On tapping the button your user will be redirected to Stripe where s/he will be asked to authorize your application. Upon authorization stripe will hit your redirect_uri with a authorization_code and the state you previously provided. Do a post call according to Stripe Documentation with the authorization_code to get an access_token. Store the access_token mapped with the state in a database.
Define a custom url scheme in your app. Invoke the custom url from your web app. The user supposed to open the url in mobile safari. So invoking the custom url will reopen your application. You can pass an additional parameter to indicate failure / success. In your app update the view based on this parameter.
Now you are all set to create a charge on your server on behalf of the iPad user. Use stripe iOS sdk to generate a card_token from the card information. It'll require your stripe publishable_key. Then define an api in your web app which takes 3 parameters: card_token, user_id and amount. Call this api from your iPad app whenever you want to create a charge. You can also encrypt this information with a key if you're worried about security using any standard encryption method. You can easily decrypt the info in your web app as you know the key.
When this api is called from the iPad app you'll receive the user_id (which you saved as state previously), card_token and amount. Retrieve the access_token mapped to the user_id (or state). You can then made a charge on behalf of the user using the access_token, card_token and amount.
You can use ruby / php / python / node in the server as Stripe provides sdk for them. I assume other languages can be used as well as there is a REST interface.
Please note that this is just a concept. It should work like it but I haven't implemented it yet. I'll update this answer with sample code when I'm done.
You can use UIWebView. You will still need to use redirect urls and monitor the redirect using the delegate "webView:shouldStartLoadWithRequest:navigationType:"
I'm developing a grails app using http://grails.org/plugin/paypal plugin.
I've followed all instructions, configured my app to work with a dyndns (no-ip).
I can access my app from outside my network.
All the payment is correct, if I click on the "back to test's store" link it returns to my site.
The problem is that no IPN are sent to my IPN handler.
In the IPN history I can see all transactions in error state, but no http response code is shown.
It retries 8 times each message.
Notification URL is correct.
What else can I try?
I answer myself,
looks like paypal does not send IPN posts to URL with ports other than 80 or 443
Take a look at the troubleshooting steps I posted here. These may help.
I'm trying to implement Soundcloud connect and having a weird issue.
First thing I do is send my users to
https://soundcloud.com/connect?client_id=MY_CLIENT_ID&redirect_uri=http://myredirecturl.example.com&state=RANDOM_STRING&display=page&response_type=code&scope=email
When users connect they get redirected to
http://myredirecturl.example.com?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.&state=RANDOM_STRING
The same happens if I use scope=*.
However, if I use scope=non-expiring it lets me go through, but I need the users email and that type of scope doesn't have enough grants.
I thought it had something to do with my app being in development mode, but Osman at Soundcloud said it doesn't.
Thanks.
The 'email' scope is not available to all integrations. It's used for a few custom integrations that have provided us with accepted terms of service / privacy policies. There is no way to get a user's email address using the SoundCloud API.
You should however be able to use the '*' scope to get an expiring access token. I'll check with our app team to see why this is giving you an error. I'll edit my answer once I have more information there.
For your purposes, I would stay with the 'non-expiring' scope and simply prompt a user for their email address (providing them with a way to agree to your terms of use / privacy information).
Using scope=* sometimes doesn't work because the url is not properly encoded. If you are getting this error while using the * wildcard, try properly encoding the url, using a function like urlencode() (for PHP).