We Keep Coding

Customizing "PayPal" button for PayPal Marketplace (API)

I am developing my app with PayPal Marketplace API for the first time.
Among other steps, I need to customize a "PayPal checkout" button. I did this by following instructions on this page.
In function "payment" (see the original code segment below), I supposed to provide a call-back url for CREATE_URL:
// payment() is called when the button is clicked
payment: function() {
// Set up a url on your server to create the payment
var CREATE_URL = '/demo/checkout/api/paypal/order/create/';
// Make a call to your server to set up the payment
return paypal.request.post(CREATE_URL)
.then(function(res) {
return res.id;
});
}
By reading this, I am puzzled why the CREATE_URL value is not a fullpath url starting with "http" or "https"? I have the similar question for EXECUTE_URL in an ensuing segment of the html file.
What type of RequestBody should my REST controller expect?
What action should my app take at the url for "CREATE_URL"? My intuition is to call the Order API to create an order (among other things in my database). Is this correct?

I can address your questions one at a time:
By reading this, I am puzzled why the CREATE_URL value is not a fullpath url starting with "http" or "https"? I have the similar question for EXECUTE_URL in an ensuing segment of the html file.
You don't have to have a full path URL (known as absolute path) because the path that you provide for CREATE_URL is on your own server. So the code where you have your button is on a page like exampleButton.html and when you click the button, it takes you to a script, such as
var CREATE_URL = '/demo/checkout/api/paypal/order/create/';
which is an index page which will run the Create Order API method with the data that you pass. Here is another example implementing a payment button with checkout.js using a server side language.
What type of RequestBody should my REST controller expect?
Your request body will receive the payment data from the JavaScript data parameter, which should be JSON format. You then pass this to the server side when you receive the POST data.
An even simpler implementation is to use the client-side integration to create the order.
What action should my app take at the url for "CREATE_URL"? My intuition is to call the Order API to create an order (among other things in my database). Is this correct?
Your app should automatically run the create order method. This script works with JavaScript promises, so will wait for a response, like getting a successful authorization (or failure) from the customer before attempting to execute the payment.

Which URL made the request to my Google Apps Script?

How can I determine the source URL of a GET or POST request sent to a Google Apps Script web application?
I am making a (PayPal IPN) listener script and would like to be able to distinguish weather the request came from a the test environment (sandbox) or from the live environment.
The origin of the request to the listener determines the response from the script. The listener has to send a response back to PayPal and depending on which environment the request came from, the response needs to go back either to the sandbox server or to the live server.
I am hoping to distinguish between requests from sandbox.paypal.com or www.paypal.com, in my Google Apps Script.
To work around this requirement, I have set it manually for now:
if (PPRunMode == 'test') {//in testmode send response to sandbox site
PPUrlBase = "https://www.sandbox.paypal.com/cgi-bin/webscr";
}
else {//url for live website
PPUrlBase = "https://www.paypal.com/cgi-bin/webscr";
}
But was wondering if this can be determined automatically.

Unfortunately, no request-source information is provided to your Google Apps Script web application, so there is no direct way to determine where a request came from.
You do have the ability to provide parameters to your web app, though, so you could have the code in the sandboxed environment use that to indicate a test condition.
For example, this URL could be used by the sandboxed code for a GET request:
https://script.google.com/macros/s/---SCRIPT-ID---/exec?test=true
^^^^^^^^^^
In the doGet(e) function, you would handle the parameter like this:
function doGet(e) {
if (e.parameter.test) { //in testmode send response to sandbox site
PPUrlBase = "https://www.sandbox.paypal.com/cgi-bin/webscr";
}
else {//url for live website
PPUrlBase = "https://www.paypal.com/cgi-bin/webscr";
}
...
}
For a POST request, the solution is similar. See URL parameters in the Web Apps and Google Sites Gadgets guide for details.

If you publish your Google App Script you get two urls :
https://script.google.com/macros/s/AKfycbxsCNyssA0dzMMmsNip3DW66hiJ62ks_F1yYUn0SDu073S2dOw/exec
https://script.google.com/macros/s/AKfycbxzpvZ9e9_vzs3d6Q0ky_RHLoYDruCl-6Xm8D6YmI4/dev
You can notice the difference, not sure if that is what you are pointing to

pass data back to facebook app after authorisation

I am authotizing my app in the following way:
// authorize app!
$('#authApp').click(function(){
var oauth_url = 'https://www.facebook.com/dialog/oauth/';
oauth_url += '?client_id=#{app.id}';
oauth_url += '&redirect_uri=' + encodeURIComponent('https://www.facebook.com/pages/null/#{fbPageId()}/?sk=app_#{app.id}');
oauth_url += '&scope=user_likes,user_photos';
oauth_url += '&app_data=7B%27game%27%3A+%27key%27%7D';
oauth_url += '&state=sbSbsbSb';
As you can see I am setting the 'state' param as part of the query string.
Now when the user authorizes the app he is redirected to the redirect url.
However the data passed in the state parameter is not posted to my app nor is it part of my app's iframe query string. I was expecting to find it as part of the signed request, but no. This is the deserialized signed request posted back after authorisation
{ algorithm: 'HMAC-SHA256',
expires: 1348927200,
issued_at: 1348921162,
oauth_token: 'AAA...',
page: { id: '490...', liked: true, admin: false },
user: { country: 'ec', locale: 'en_US', age: { min: 21 } },
user_id: '1...' }
I do see that the state is included of the parent page's query string. I need to access that parameter from my app (running inside an iframe). I believe that I cannot just access the parent page's window location because of same origin policy restrictions.
I have read through the documentation and searched online. Persisting data across an app authotization needs to be done using the state parameter. However it is nowhere stated how to retrieve that state param once redirected back to your app.
This is from the facebook doc's regarding the state param:
A unique string used to maintain application state between the request
and callback. When Facebook redirects the user back to your
redirect_uri, this parameter's value will be included in the response.
You should use this to protect against Cross-Site Request Forgery.
Am I supposed to get the state data back from the parent's page query string?
Or am I doing something wrong?
* EDIT *
I am storing the user to user request Id in the state parameter. For example A invites B to participate in the app via a facebook request. Once B authorises the app A needs to be rewarded. So I need to know that B came to the app following A's invitation. Therefore I store the requestId in the state param, so once B has authorised the app I can take appropriate action.
* EDIT 2 (SOLUTION) **
If your redirect_uri is pointing to the Page Tab URL then facebook will NOT send back the state parameter! It will only be sent back if you redirect to the Canvas URL !!!!!

The Facebook documentation you referenced is a bit confusing. The only thing you should be doing with the state parameter is making sure you are not a victim of CSRF. Facebook's server side authentication flow gives an example of this in PHP. In short, you should be storing the state value in the session and then verifying that the session value is the same as what Facebook passes back to you in the request. The key line in their PHP example is:
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
// Continue with application logic here because state matches.
// Otherwise, exit immediately because you're a victim of CSRF!
So back to your problem. From your redirect URL and the response you are getting, it's obvious your app is on a Facebook Page Tab. See the authentication flow for page tabs for how you should be doing this. Note they are not using the state parameter in step 2 and that the state parameter is never mentioned in page tab authentication flow. So even if you wanted to use the state parameter for something other than its intended use, you are out of luck.
Based on your edits, I suggest you check out the documentation on requests. Note that the user clicking on the request will be redirected to your canvas app, not the page tab. "The canvas URL will also contain an additional GET parameter request_ids, which is a comma delimited list delimited list of Request IDs that a user is trying to act upon." So there is no need for you to be trying to do this yourself.

Am I supposed to get the state data back from the parent's page query string?
No, not when authenticating within a canvas/page tab app. The only query string parameter that gets passed to your app in this scenario is the content of the app_data parameter.
But you don’t need the state parameter in this scenario – verifying the signed_request is absolutely sufficient, because it’s signed with your app secret, that only you and Facebook know. So that is enough protection against “manipulated” requests right there already.
See https://developers.facebook.com/docs/authentication/canvas/ resp. https://developers.facebook.com/docs/authentication/pagetab/ for more details. (And see how they do not mention the state parameter at all.)
Edit:
I am storing the user to user request Id in the state parameter. For example A invites B to participate in the app via a facebook request. Once B authorises the app A needs to be rewarded. So I need to know that B came to the app following A's invitation. Therefore I store the requestId in the state param, so once B has authorised the app I can take appropriate action.
That’s a misuse of the state parameter … it’s supposed to achieve something completely different (CSRF protection, as the docs say).
While this might work in your scenario – why are you not using the app_data parameter to transmit this piece of information? That’s the designated way of transferring info to canvas/page tab apps.

Credits callback script not called (error 1383046)

I have a problem getting facebook to call my credits callback script. I've setup a company and the callback url. I used the example script for it. But nonetheless I always get this error when I try to access the payment window using the JS sdk.
var obj = {
method: 'pay',
order_info: order_info,
purchase_type: 'item'
// dev_purchase_params: {'oscif': true}
};
FB.ui(obj, getCashCB);
Error:
There Was a Problem Processing Your Payment
Sorry, but we're having trouble processing your payment. You have not been charged for this transaction. Please try again.
error code from console: 1383046
meaning:
1383046 AppInvalidDecodedResponse The application return value was invalid after json_decoding the return value.
No matter if I'm in sandbox mode, set the callback url to something completely different.
The callback script is never called.
I've searched far and long for anybody else with this problem, but found nothing meaningful. There was something about the server accepting curl requests from facebook but I don't know what that means or how to test for it.

Solved! Whilst looking for the cause I noticed that this error can pop up from a lot of things. But this case is rather specific:
Because the facebook app is still in development, we hid it behind a .htaccess file. So when you visit the site, you login, and the app loads etc. BUT this doesn't work for the credits callback file. Since the request then comes from facebook, it would have to login with user:pass. I tried putting that in the callback URL, but that doesn't seem to work.
So I only need to put the callback file somewhere where you can reach it without .htaccess and Tadaaa it works!

Basically this happens when Facebook doesn't understand the response it gets from calling your payment callback URL. Thew most likely reasons are:
The callback URL is wrong
Facebook gets an error response because the server or some app-level firewall won't let it access the URL (Jon's problem)
Facebook gets an error response because the callback script runs into an exception.
The callback script's response is malformed.

facebook oauth authentication doesn't return "code" parameter

I'm trying to use facebook's oauth.
Basically facebook has to return me a "code" parameter.
But i get nothing, it just return my callback url (to the exact same url).
i'm generating this url with my app.
http://www.facebook.com/dialog/oauth?client_id=76209388873&redirect_uri=http%3A%2F%2Ffb.lous%2Fmain%2Ffacebook_callback&scope=read_stream
I used other parameters and options, just when i set response_type=token
i get parameter list for javascript (with # character instead of ?, its for client side, i'm trying to write some api bot)
So right now i can't get any parameter with someway.

I tried to solve exactly the same thing for several hours. In my case it turned out to be a stupid redirect problem. Facebook correctly redirected back to http://www.mysite.com with the code parameter, then my webapp redirected to http://www.mysite.com/users/login (because the user wasn't logged in yet). On the second redirect I lost the code parameter.