I have implemented Moneybookers to our site.
The request is fine, the payment goes to our Moneybookers account, the money is debited from the user's account.
The response URL is https://example.com/finance/responsemoneybookers
The problem:
-After payment, the user click Confirm, and the user is being redirected to https://example.com/finance/responsemoneybookers
Moneybookers should POST the transaction data so we can validate it, but instead of POST, it just make a standard GET request with no data. What could be the problem ?
Add
<input id="status_url" name="status_url" type="hidden" value="https://example.com/finance/responsemoneybookers" />
to your form
Related
I have been at this for sometime now and wanted to see if anyone had and idea of what I could be doing wrong. What I am trying to do is add a song to a playlist using the provided Spotify Web APIs. According to the documentation on this https://developer.spotify.com/documentation/web-api/reference/playlists/add-tracks-to-playlist/ I need to establish the scope of the user.
"adding tracks to the current user’s private playlist (including collaborative playlists) requires the playlist-modify-private scope" I have created the playlist as collaborative and I am using the login credentials of my personal account to reach this playlist I created. all this is under the same login.
What I am finding is that my scope is not getting added to my token on my call for my token causes a 403 error when I try to add the song.
Here is what that call looks like
https://accounts.spotify.com/authorize/?client_id=mynumber&response_type=code&scope=playlist-modify-private&redirect_uri=http:%2F%2Flocalhost:55141/Home/GetToken/
here are the docs on using authorization to get the correct token.
https://accounts.spotify.com/authorize/?client_id=894400c20b884591a05a8f2432cca4f0&response_type=code&scope=playlist-modify-private&redirect_uri=http:%2F%2Flocalhost:55141/Home/GetToken/
further more if I go into the dev support here
https://developer.spotify.com/documentation/web-api/reference/playlists/add-tracks-to-playlist/
and click the green try button and then request a new token it works.
Bottom line some how my request is not taking my scope request. Any Ideas?
Thanks
To get the token with a specific scope you need to go to the authorize endpoint and get the code. The code is what you want to get to be able http post to the endpoint https://accounts.spotify.com/api/token and get a token with your desired scopes. You can simply get the code by pasting a url like this in your browser...
https://accounts.spotify.com/authorize?client_id=<client_id>&response_type=code&scope=streaming%20user-read-email%20user-read-private&redirect_uri=<redirect_uri>
Only add %20 in between scopes if you have multiple ones
You will then be sent to spotify's website and they'll verify you want to do this. Once you verify it your browser will redirect you to what you set the redirect_uri to be in the url above. At the end of the url that you are sent to, you should be able to see the parameter name code with the code value assigned to it. You then get that code and put it in your http post body params to the https://accounts.spotify.com/api/token endpoint. Make sure you accurately follow the query params requirements in your post method.
An example of the post in python using the requests library:
authorization = requests.post(
"https://accounts.spotify.com/api/token",
auth=(client_id, client_secret),
data={
"grant_type": "authorization_code",
"code": <code>,
"redirect_uri": <redirect_uri>
},
)
authorization_JSON = authorization.json()
return authorization_JSON["access_token"]
In the end you should get a json that shows the scopes you set a long with a refresh the token later on to make more requests.
I know this answer is quite late but I was experiencing the same issue as well which is how I came across this question. I hope this helps anyone that sees this at a later date.
Source: https://developer.spotify.com/documentation/general/guides/authorization-guide/#client-credentials-flow
I am facing roadblock on a owasp zap form based authentication. I setup zap property as per guidance. When i run active scan then "when to attempt login it give FORBIDDEN error. CSRF token not available.
Owasp ZAP not performing authentication during active scan using "Form-Based-Authentication" ON python project.
[
My target url is:
http://example.com:84/admin/login/?next=/admin/
Post data ;
csrfmiddlewaretoken=IjYwHHavnCYgcWYMy2oL3L9Z0ldUH95s&username={%username%}&password={%password%}&next=%2Fadmin%2F
here is the html response i got:
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>
<div id="info">
<h2>Help</h2>
<p>Reason given for failure:</p>
<pre>
CSRF token missing or incorrect.
</pre>
<p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
<a
href="https://docs.djangoproject.com/en/1.8/ref/csrf/">Django's
CSRF mechanism</a> has not been used correctly. For POST forms, you need to
ensure:</p>
<ul>
<li>Your browser is accepting cookies.</li>
<li>The view function passes a <code>request</code> to the template's <code>render</code>
method.</li>
<li>In the template, there is a <code>{% csrf_token
%}</code> template tag inside each POST form that
targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
<code>csrf_protect</code> on any views that use the <code>csrf_token</code>
template tag, as well as those that accept the POST data.</li>
</ul>
<p>You're seeing the help section of this page because you have <code>DEBUG =
True</code> in your Django settings file. Change that to <code>False</code>,
and only the initial error message will be displayed. </p>
<p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>
Unfortunatley ZAP doesnt currently support the automatic regeneration of CSRF tokens when authenticating.
A way around this is to record a Zest authentication script - make sure that you start by requesting the page token that generates that token.
Recording Zest scripts is covered in this FAQ (which is otherwise unrelated): https://github.com/zaproxy/zaproxy/wiki/FAQreportFN
Feel free to hassle us about supporting ACSR toeksn when authenticating on https://groups.google.com/group/zaproxy-users :)
In jade I have two hyper links that both jump to same page, for example:
a(href='/signup')#create-account Create Student Account
a(href='/signup')#create-admin Create Teacher Account
If I want a variable send to '/signup' url and do some processing using that variable, what should I do?
Any help will be appreciated.
It depends on whether you will make your app to be RESTful or not.
Saying you would like to be Restful.
To create an admin you should make a POST to the url /admin.
Respectively to create an account you should post to the url /account.
This is if admin and account are different resources. If it is the same recourse you should post to the original recourse and with the posted data, make the decision what to save where.
jade form:
div.loginbox
form(name="login", action="/signup", method="post")
input(type="checkbox" name="admin")
input(type="text", name="user")
input(type="password", name="pass")
input(type="submit", value="login")
Checkout from Stripe has a great way to add a credit card for a transaction, by simply invoking StripeCheckout.open().
Is it possible to use .open() to edit a card? (passing in the card token)
Also, where can I download a non-minified version of checkout.js to see the .open() method signature?
There is no way to edit a card that way. What you can do though is use Stripe Checkout to ask your customer for a new card without asking him to pay anything. The idea is to avoid setting the amount or data-amount parameter.
<form action="/charge" method="POST">
<script
src="https://checkout.stripe.com/checkout.js" class="stripe-button"
data-key="pk_test_XXX"
data-name="Demo Site"
data-description="Update Card Details"
data-panel-label="Update Card Details"
data-label="Update Card Details">
</script>
</form>
You would get a new card token for that new card and you could then use the Update Customer API to save the new card on the customer.
As for your second question, there is unfortunately no unminified version of Checkout.js accessible at the moment.
Try http://unminify.com/ to see an unminified version of checkout.
I saw this done for the first time today. If you have an app where users log in, you should be able to do it with a custom Checkout integration (the above is the simple integration) found here https://stripe.com/docs/checkout#integration-custom
On the server side you would retrieve the customer via Stripe's API. From the linked custom example, you can pass the retrieved ID through to Checkout via session data so it knows which customer to update here:
$('#customButton').on('click', function(e) {
// Open Checkout with further options
handler.open({
name: 'Your Company Name',
email: customer_email,
id: customer_id,
zipCode: false,
});
I have not yet tested this, if I get a chance I'll report back.
I have a page:
<input type="hidden" name="user.id" value="123" />
<input type="text" name="user.name" value="John" />
and an action:
public static void save(User user) {
user.save();
}
Play loads the user entity from database by the user.id parameter, binds HTTP parameters to the object and the action saves it.
That is ok for trusted user like admin but not trusted user can change HTTP parameters to:
?user.id=456&user.name=John
and thus edit a different entity.
I check whether user has changed the user.id by putting user.id also to the session and then I validate its equality. This works fine since session is signed and can't be modified but how can I check easily many entities on the page – e.g. when doing a bulk update? Or just do it application wide by default?
I don't want to put 20 ids to the session and then check each id if it is equal to HTTP parameter.
One solution came to my mind. I would put a signed id as a token to each entity and check it during binding. How would you implement this?
From what I understand what you want is authentication and authorization.
Authentication tells you who the user is and you can pHk answer to do that or use the secure module
If you want to manage authorization (what the user can do, in your case what object the user can update) I would recommend looking at the security-permissions module.
It is based on the secure module but the drools based rules give you all the flexibility you need.
I'll try to clarify my solution proposed at the end of my question which would solve it generally.
Each entity will have another field – a token – which is the entity id signed by the secure key. This token does not have to be stored in database but can be computed on the fly. When a edit page is rendered it includes the signed id in e.g. __at field:
<input type="hidden" name="user.id" value="123" />
<input type="hidden" name="user.__at" value="9e01f3c8...4ccba38b9" />
<input type="hidden" name="user.address.id" value="124" />
<input type="hidden" name="user.address.__at" value="83df099...4a276fc8" />
When these entities are being bound in controller it sings again the received id and compares it to the __at field. If these signed values are not same then it indicates the user has changed the id.
I am not an encryption expert and didn't look how Play session is signed but I guess it is similar. Do you think this mechanism could work?
You can use checkAuthenticity method in a controller to check the authenticity of the form submitted.
In your server code you also have to check that the user as the rights to update theses entities. This can be done by adding a join to the user table in your jpa queries so you select not only on the object id but also on the user connected
You'll have to make sure that save can only be called by authenticated users. One way Play! allows you to do this is by using the #Before annotation. An example from the play documentation:
#Before(unless={"login", "authenticate"})
static void checkAuthenticated() {
if(!session.contains("user")) {
login();
}
}
The user session attribute would then be put in the session only when the user has authenticated. Only authenticated users will be allowed to send HTTP requests to your save() route. Note in particular the unless and only annotation parameters.
The code above comes from the OpenID example in the Play! documentation. I have used this once and so far this seems to work perfectly.