QueryString values removed from the IPN endpoint by PayPal [closed] - paypal

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 5 years ago.
We've had a simple payment integration with PayPal for 5 years that has run without issue until today. In the IPN URL (notify_url) we pass 3 values in the querystring e.g.
https://www.example.com/callback/ipn?pspId=A&secCode=MnBP%2fxOwbQhXLd%2arD5xd6g%3d%3d&isPur=false
From today PayPal strip the last 2 values and call with just the first querystring value, e.g.
https://www.example.com/callback/ipn?pspId=A
We use the secCode value as a signature that we verify on the callback to prevent any modification of the form. Why would PayPal suddenly start stripping out values from the querystring? I suspect they should be in the POST but I'm just not sure why the sudden change?

OK we have now realised that some of PayPal's servers are terminating at the first ampersand. This explains why we get the first query string value but not others.
It seems this behaviour is not just limited to the notify_url value but, as is suggested by Mike in the comments, this is happening with the CUSTOM field too. If you're pushing through a series of name value pairs with an ampersand separator you need to either switch to some other separator or URL Encode the whole value.
We're just now testing to see if URL Encoding the whole callback URL will still result in an actual callback being made.
EDIT:
Yes URL encoding the whole notify_url value resolved the issue and preserved the query string.
EDIT 2:
It seems URL encoding the whole value no longer works, so I'm assuming PayPal have reverted back to the original behaviour before we encountered these problems. Hopefully this will be consistent across all their inbound servers and will remain fixed now.
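The two defensive moves described in this post, signing the values carried in notify_url and percent-encoding the whole URL so an ampersand inside it is not treated as a separator, are shown below as an added example. It is not code from the original post or from PayPal; the HMAC-SHA256 signature, the shared secret, and the hypothetical field layout are assumptions, while the parameter names (pspId, secCode, isPur) follow the question.

```python
"""Signed IPN callback URL: build it, encode it as a form value, and verify it on callback."""
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed demo secret; a real integration keeps this out of source control.
SHARED_SECRET = b"constructed-demo-secret"
BASE_URL = "https://www.example.com/callback/ipn"


def sign(psp_id: str, is_pur: str) -> str:
    """HMAC-SHA256 over the fields the callback must not be able to alter (assumed scheme)."""
    msg = f"{psp_id}|{is_pur}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_notify_url(psp_id: str, is_pur: str) -> str:
    """The raw notify_url: three query parameters joined by '&'."""
    query = urlencode({"pspId": psp_id, "secCode": sign(psp_id, is_pur), "isPur": is_pur})
    return f"{BASE_URL}?{query}"


def encode_as_form_value(notify_url: str) -> str:
    """Percent-encode the whole URL so every '&' becomes %26 inside the form field."""
    return quote(notify_url, safe="")


def decode_form_value(encoded: str) -> str:
    """What the receiving side gets back after one round of percent-decoding."""
    return unquote(encoded)


def truncate_at_first_ampersand(url: str) -> str:
    """Simulates a server that stops reading the value at the first '&'."""
    return url.split("&", 1)[0]


def verify_callback(callback_url: str) -> bool:
    """Recompute the signature from the received parameters; reject if any are missing."""
    params = parse_qs(urlsplit(callback_url).query)
    try:
        psp_id = params["pspId"][0]
        sec_code = params["secCode"][0]
        is_pur = params["isPur"][0]
    except KeyError:
        return False  # truncated or tampered query string
    return hmac.compare_digest(sec_code, sign(psp_id, is_pur))


if __name__ == "__main__":
    url = build_notify_url("A", "false")
    print("intact    :", verify_callback(url))
    print("truncated :", verify_callback(truncate_at_first_ampersand(url)))
    print("form value:", encode_as_form_value(url))
```

A callback that arrives with only `pspId` fails verification rather than being processed with missing fields, which is the safe outcome when an intermediary drops everything after the first ampersand.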


Is there a need to expire email verification code? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 2 years ago.
I've registered a GitHub account to test their email verification process. So:
They've sent me an email with a link, containing my username and 40-chars code, like:
https://github.com/users/USERNAME/emails/120066679/confirm_verification/47889d71648523e5d99db5b969f59809c2715fb6
I have not followed the link
4 days later, they've sent me another (a reminder), that I have to verify my email, containing a link with another different 40-chars code
So, what was the purpose of changing 40-chars code? As I remember, other services used to expire verification code anyway. If there is already a username in verification link, is there really a need to do that? In case of brute force, I can just count failed attempts related to specific user and block it, right?
P.S. Also interesting, what is the purpose of emails/120066679 in link? (which is similar for both letters)
There are several reasons why quick expiration of verification codes is the best practice.
If protection with a verification code is deemed appropriate, it's safest to make it not only complex enough but also valid for a minimum amount of time. If you only make the code work for the time needed (usually really short), you diminish the risk of someone abusing it. (For example, someone could programmatically 'guess' the codes - the more time for this exercise, the higher chance for success.)
Also, it's not efficient to store data of this kind. It's used once, it doesn't contain any actual information and as soon as it's used, it's ready to be "thrown away". It's not a good practice to store anything that doesn't add value when stored.
In addition, it's fairly rare that users don't use the codes immediately/soon. For the small percentage of cases where the code expires by the time the user tries to use it, it's more efficient to generate new ones.
Well, the purpose of an email validation link is to make sure that you actually own the email. Most validation links simply contain some secret that they send out your way, only in the possession of which may you verify the email address.
The reason they changed the code is because it probably expires. In that case you could not activate the account, so they sent you another in case you'd like to continue.
What if they don't send out a secret like this then?
In that case there is nothing that prevents an attacker from "verifying" emails that they actually have no control over. They could just visit the url with the username plugged in and activate the account.
Normal users would not do this, but spammers might.
For the case of brute force:
If the secret is sufficiently random, and the keyspace is large enough, trying to guess it is a fool's errand.
We can assume this is a random 40 hex char number, which gives us:
16**40 == 1461501637330902918203684832716283019655932542976
possible values for it. It is safe to say that no one will guess this number in the near future.
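Both answers above (short-lived, single-use codes that are replaced on resend, and a keyspace large enough that guessing is hopeless) can be put together in a small token store. The following is an added example, not GitHub's implementation; the 24-hour lifetime, the SHA-256 storage of tokens and the in-memory store are assumptions, and the 40-hex-character length matches the link in the question.

```python
"""One-time email verification tokens with expiry, rotation on resend and single use."""
import hashlib
import hmac
import secrets
import time

TOKEN_HEX_CHARS = 40           # 20 random bytes, like the 40-char code in the question
TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime; the page does not state GitHub's value


class VerificationStore:
    """Keeps only a hash of each outstanding token, keyed by username, with its expiry."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested without sleeping
        self.pending = {}             # username -> (sha256 hex of token, expires_at)

    def issue(self, username: str) -> str:
        """Create a fresh token; the raw value goes into the email link and is never stored."""
        token = secrets.token_hex(TOKEN_HEX_CHARS // 2)
        self.pending[username] = (self._digest(token), self.clock() + TOKEN_TTL_SECONDS)
        return token

    def resend(self, username: str) -> str:
        """A reminder replaces the earlier code, so the old link stops working."""
        return self.issue(username)

    def confirm(self, username: str, token: str) -> bool:
        """True once, for the current unexpired token of this user; False otherwise."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[username]  # expired: throw it away, a new one must be issued
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self.pending[username]      # single use
        return True

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def keyspace_size(hex_chars: int = TOKEN_HEX_CHARS) -> int:
    """Number of possible codes of the given hex length (16**40 for the question's links)."""
    return 16 ** hex_chars
```

Storing only a digest means a leaked database copy does not hand out usable links, and deleting entries on use or expiry keeps the store from accumulating data that, as the first answer notes, has no value once consumed.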

RESTFul pattern url for enable and disable [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 5 years ago.
What's the RESTFul pattern for enabling and disabling a system user.
Example:
a DELETE request to /users/123
and PATCH/UPDATE request to /users/123
Or should I use /user/enable/123 using PUT and /user/disable/123 using DELETE?
First of all: DELETE always removes a resource. So it cannot be used to change a value. Read more about the different Http methods and how they are supposed to be used here: https://www.rfc-editor.org/rfc/rfc7231
You can solve this in three different ways. Whatever fits you best.
Update user object
Another approach would be by updating the User resource.
In this case you could send a PUT /users/123 with a body that contains the full updated user object.
Partial update of user object
If you define that you are allowed to do partial updates (partial means you only need to send the changed values which will be merged in to the existing user object) you can send a PATCH /users/123 containing a json with {enabled:true}. This is usually a bit trickier to handle on the backend.
Directly set enabled property (not recommended)
enabled is a property of a User. Therefore you can address this property directly in your URL.
You can use PUT /users/123/enabled with a body that contains true or false. To this approach, also see #Roman Vottner comment below
What's the RESTFul pattern for enabling and disabling a system user.
How would you do it with pages on a web site?
It might be that you would load a page that describes the system user, and from there navigate to a form with affordances for changing the users state; you would set the values on the form you want, and submit the form to the URL provided. The server would process the request, and either give you a status page, or redirect you back to an updated copy of the user, or whatever.
Notice: throughout the entire process, the client is following links provided by the server; no guessing URI, no guessing which http methods to use; the client follows the instructions embedded in the hypermedia
Repeat that same process in a machine readable way, and you've got a REST api.
REST, keep in mind, is about manipulating "resources" by passing messages around; the changes made to your domain model are side effects of the resource manipulation. In other words, the resources are part of your integration domain. See Jim Webber - REST: DDD in the Large
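The three update styles from the first answer (full PUT, partial PATCH, PUT on the enabled sub-resource), DELETE kept strictly for removal, and the second answer's point that the server should hand the client its next links, as an added example in the form of an in-memory request router. This is not code from either answer; the user record shape, the `_links` representation and the status codes chosen are assumptions.

```python
"""Enable/disable a user by manipulating the resource; DELETE only removes."""
import copy

REQUIRED_FIELDS = ("name", "enabled")      # a full PUT must carry all of these
PATCHABLE_FIELDS = {"name", "enabled"}     # a PATCH may carry any subset of these


class UserApi:
    def __init__(self):
        # Constructed sample data; a real service would use a database.
        self.users = {123: {"id": 123, "name": "alice", "enabled": True}}

    def handle(self, method: str, path: str, body=None):
        """Returns (status, payload) the way an HTTP handler would."""
        parts = path.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "users" or not parts[1].isdigit():
            return 404, {"error": "no such route"}
        uid = int(parts[1])
        if uid not in self.users:
            return 404, {"error": "no such user"}
        if len(parts) == 2:
            return self._user(method, uid, body)
        if len(parts) == 3 and parts[2] == "enabled":
            return self._enabled(method, uid, body)
        return 404, {"error": "no such route"}

    def _user(self, method, uid, body):
        user = self.users[uid]
        if method == "GET":
            return 200, self._represent(user)
        if method == "PUT":   # full replacement: every field must be present
            if not isinstance(body, dict) or any(f not in body for f in REQUIRED_FIELDS):
                return 400, {"error": "PUT needs the complete user"}
            if not isinstance(body["enabled"], bool):
                return 400, {"error": "enabled must be true or false"}
            self.users[uid] = {"id": uid, **{f: body[f] for f in REQUIRED_FIELDS}}
            return 200, self._represent(self.users[uid])
        if method == "PATCH":  # merge only whitelisted fields into the existing object
            if not isinstance(body, dict) or not set(body) <= PATCHABLE_FIELDS:
                return 400, {"error": "unknown field in PATCH"}
            if "enabled" in body and not isinstance(body["enabled"], bool):
                return 400, {"error": "enabled must be true or false"}
            user.update(body)
            return 200, self._represent(user)
        if method == "DELETE":  # removes the resource; never a state toggle
            del self.users[uid]
            return 204, None
        return 405, {"error": "method not allowed"}

    def _enabled(self, method, uid, body):
        user = self.users[uid]
        if method == "GET":
            return 200, user["enabled"]
        if method == "PUT":    # the sub-resource's whole state is one boolean
            if not isinstance(body, bool):
                return 400, {"error": "body must be true or false"}
            user["enabled"] = body
            return 200, user["enabled"]
        return 405, {"error": "method not allowed"}

    @staticmethod
    def _represent(user):
        """Hypermedia-style representation: the server tells the client where to go next."""
        base = f"/users/{user['id']}"
        return {**copy.deepcopy(user), "_links": {"self": base, "enabled": f"{base}/enabled"}}
```

The difference between PUT and PATCH is visible in the validation: a PUT missing `name` is rejected because PUT replaces the whole representation, while the same body is fine for PATCH because PATCH merges.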

Sage Form Integration [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 6 years ago.
I have been trying to integrate Sage Pay using their form integration but cannot get past the infamous 5080 error. I have been through 10 days of back and forth with Sage support and they have conceded that they can no longer help and are convinced it is an encryption issue. I have also trawled through the answers here and I cannot seem to get the solution. I have done many integrations using other systems before but the lack of feedback from the system is very frustrating and makes debugging almost impossible.
Things I can confirm:
- PHP Version 7.0.15, as part of Wordpress install
- passing unique VendorTxCode
- passing all required fields with live success & failure URLS
- passing VPSProtocal, TxType, VendorName and Crypt (confirmed by viewing network tool in Chrome after request fails)
- tried both test and live portal using the relevant keys and correct gateways
- had numerous showposts viewed by support and verified as correct format
- confirmed the encryption - supplied an unencrypted string to support, their escalation team encrypted the string and sent back encrypted string - used a string compare app to compare strings and they are identical
- I cannot seem to see Invalid transactions in portal as I don't have a transactions tab to view and support said they cannot even see the request attempts hitting the server.
They keep telling me it's an encryption issue. Any suggestions as how to best debug this or any unapparent solutions that helped others would be of great help - I'm not sure what is best to post here for you to see but I can as required
Many thanks
Log into My Sage Pay with your admin credentials, create a user and give that user permission to see transactions (etc - just click the lot!). Log in as that user and you will be able to see transactions. Look under Invalid, and you should see the reason.
Check you are using the correct encryption password. They are different for live / test
Failing that, post your unencrypted crypt string here - I will look at it and tell you where you are going wrong.
https://test.sagepay.com/gateway/service/vspform-register.vsp?VPSProtocol=3.00&TxType=PAYMENT&Vendor=sagepaylabs2&Crypt=#ba357b87773ffd296f15443bf65b10324d654c2177ee642055d1d112638ff4a22f1cf3656637dafcc437783ed2f091ddea0b6c6d703b2dfefc7196f85baaf6b6fdea618046b03d8b3ee3fa1594b31957e462d5fe58586ae997425f2f449f3cec21c1d82f9c025d2be1335159a552f000480909f0dba755260a5512a5d20e4b5e98b4e165c0dcaf2ecf7ec503a651ea7d8bb6cb35e9ac1f962f5876306060d188973d93a378750d72046ac2a3b34ef43d43cde9446c157b41ca9299f15ac6498996c4b5f471dd7e69df58c58a46fc567819462aaba78e51f712216bf7e1d5ae2712151144968e842c69ad3807eff0f44b1425ce5f06aa503d2469282720f5b39ec7612b3bf178341737adc8c0401247ecf12b3b5f37a5e9da23ec3a1b2db324cb4c1f4287c2c67ea1f7277b08355693f29162381b2dba77045291434f161d04d5bb07c70025eaa3f682d3701a81e8eb7d06b2485dc70df576adef9791fabb599a66f8c1fbfb84c820ff726eb64a1c721f09aa764e1cca12d05ce7ff8c9f89154c27b4aa57112a30062cbfd69bd2ae6dad591d006fce915aabd2ad9432ff75184de30a44fc50c52ced889982eeedaa1c52dcd2e86114fb8b1b914eb32cfd2e2d06f49a74f6e734cca20008d1b8f328281a

Check if value already exists while typing? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
In Meteor, what is the most efficient way to check the database to see if something exists while the user is typing?
For example, I'm trying to check if the username exists in database while the user is typing his/her desired name to register an account.
I could create a keydown event to check every time when there's a key stroke, or I could use setInterval, but I feel like that's an overkill.
Is there a built in method in Meteor to do something like this?
I didn't see anything like that, so you'll have to build it yourself.
Security
Showing which usernames are taken while typing makes it very easy to retrieve a list of existing users. This could be okay if the user list is available to public anyway (for example in a forum), but in most applications you should avoid that.
Waiting until user stops typing
Users probably type faster than the service is able to check the database. Therefore checking on every key stroke would cause a lot of unnecessary service calls. You should at least implement a delay or wait until the field loses focus.
Foreseeing next character
You should try to minimize service calls. For example if someone types "Mic", besides checking the exact name, you could add that "Mick" and "Mic1" are already taken too. Further optimization would be to predict more than one character based on common names, but that probably will never be needed.
Reusing Autocomplete Code
You could reuse some code of an autocomplete component, for example when to trigger a service call. But most of the code you can't reuse, because the user interface is very different.
You might find this smart package useful.
https://github.com/mizzao/meteor-autocomplete
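The "wait until the user stops typing" advice and the enumeration concern from the answer above, as an added example that is not part of the answer or of the linked package: a debouncer driven by an explicit millisecond clock (so it is testable without timers) in front of a service that throttles availability checks per client. The 300 ms delay, the per-client limit and the sample taken names are constructed assumptions; Meteor's client code would call the same two pieces from a key event and a `setTimeout`.

```python
"""Debounced username-availability check with a server-side per-client rate limit."""


class Debouncer:
    """Issues one check per pause in typing, or immediately when the field loses focus."""

    def __init__(self, delay_ms: int, check):
        self.delay_ms = delay_ms
        self.check = check          # callable(name, now_ms) -> result
        self.pending = None         # latest value typed, not yet checked
        self.due_at = None          # time at which the pending value may be checked
        self.calls = 0              # how many service calls actually went out

    def keystroke(self, value: str, now: int) -> None:
        """Every key press replaces the pending value and pushes the deadline back."""
        self.pending = value
        self.due_at = now + self.delay_ms

    def tick(self, now: int):
        """Called from a timer; returns the check result when one fires, else None."""
        if self.pending is None or now < self.due_at:
            return None
        value, self.pending = self.pending, None
        self.calls += 1
        return self.check(value, now)

    def blur(self, now: int):
        """Field lost focus: check the pending value right away."""
        if self.pending is None:
            return None
        self.due_at = now
        return self.tick(now)


class AvailabilityService:
    """Answers 'is this name free?' but throttles each client to slow bulk enumeration."""

    def __init__(self, taken, max_checks: int, window_ms: int):
        self.taken = {name.lower() for name in taken}   # constructed sample data
        self.max_checks = max_checks
        self.window_ms = window_ms
        self.history = {}                               # client_id -> timestamps of checks

    def is_available(self, client_id: str, name: str, now: int) -> str:
        recent = [t for t in self.history.get(client_id, []) if now - t < self.window_ms]
        if len(recent) >= self.max_checks:
            return "rate_limited"   # client learns nothing more until the window passes
        recent.append(now)
        self.history[client_id] = recent
        return "taken" if name.lower() in self.taken else "free"
```

The debouncer collapses a burst of keystrokes into a single call, and the service's window means a client scripting the endpoint gets the same limited view a typing user gets, which addresses the answer's point that a live availability check doubles as a user-list oracle.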

Email message recall does it actually work? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I was asked to recall a message I sent out to remove some personal info from it and replace it with a generic made up person as an example.
Does message recall really work?
It's my opinion because you get told a message has been recalled it just causes you to want to find out what was in the original message. All you do is find someone who had already read it.
Can exchange server be adjusted to not tell users when a message is recalled or replaced?
What about bcc, recall doesn't seem to work on these and global emails tend to be the ones you really need to recall.
EDIT Also people with smartphones which is common now don't seem to get email retrieved from their phone either
In most cases, it's too late, it just lets me know there was an email you didn't want me to read.
Only works on unopened mail, for users of MS Exchange/Outlook.
Read this blog post and comments for more information.
To add a bit of information, if the message is displayed in a preview pane, it is considered read making recalling impossible.
We did some testing just yesterday and discovered that the recall feature is pretty lame. As mentioned above it is only recalled if it is unread (or unpreviewed). In the case where it has been read, the recall only makes the message MORE obvious. Not the desired effect by far.
Only works on unopened mail, local to the server you sent it on. (as far as I know, I suppose it could work on server farms/clusters too?)
If the recipient is offline and message is not delivered to his PST by the Exchange server, then RECALL works and you get the message accordingly.
Thanks & Regards,
Ajay
Yes it is true that the Recall This Message Outlook functionality very often does not work.
WinDeveloper just released a server-side solution for Exchange 2007/2010. It works equally well for both emails addressed to local recipients and for emails sent to foreign recipients. For more details:
WinDeveloper vs Native Exchange Message Recalling
http://www.windeveloper.com/recall/recall_features.htm
Message Recalling Works! Here is how
http://www.windeveloper.com/recall/recall_howitworks.htm