I have developed a mobile application which required to integrate with paypal, my back end server is RESTfull java server. So in order to integrate with paypal, i obtain "deviceReferenceTokenWithAppId" from client end calls a servlet at back end server along with other details (cartId..etc), When the request comes to servlet i do some back end operations and calls paypal to get the specific "SetExpressCheckout" token required for mobile payment.
StringBuilder postData = new StringBuilder();
postData.append(USER).append("=").append(Constants.PAYPAL_MERCHANT_USER);
postData.append("&").append(PASSWORD).append("=").append(Constants.PAYPAL_MERCHANT_PASSWORD);
postData.append("&").append(SIGNATURE).append("=").append(Constants.PAYPAL_MERCHANT_SIGNATURE);
postData.append("&").append(METHOD).append("=").append("SetExpressCheckout");
postData.append("&").append(VERSION).append("=").append("88");
postData.append("&").append(AMOUNT).append("=").append(amount.toString());
postData.append("&").append(CANCEL_URL).append("=").append(Constants.PAYPAL_MERCHANT_CANCEL_URL);
postData.append("&").append(RETURN_URL).append("=").append(Constants.PAYPAL_MERCHANT_RETURN_URL);
byte[] postDataArr = postData.toString().getBytes(UTF-8);
// Hit the the URL.
URL url = new URL("https://api-3t.sandbox.paypal.com/nvp");
HttpsURLConnection.setDefaultHostnameVerifier(new CustomizedHostnameVerifier());
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
conn.setRequestProperty("Content-Length", Integer.toString(postDataArr.length));
DataOutputStream output = new DataOutputStream( conn.getOutputStream());
output.write( postDataArr );
output.flush();
output.close ();
rc = conn.getResponseCode();
My problem is if i call the paypal nvp, i dont get a valid token as the response, instead i get following error,
Key - TIMESTAMP - value : 2012-06-11T18:16:02Z
Key - CORRELATIONID - value : 207108cab758a
Key - ACK - value : Failure
Key - VERSION - value : 88
Key - BUILD - value : 2975009
Key - L_ERRORCODE0 - value : 10002
Key - L_SHORTMESSAGE0 - value : Security error
Key - L_LONGMESSAGE0 - value : Security header is not valid
Key - L_SEVERITYCODE0 - value : Error
Can somebody tell me why do i get this error? have i missed anything here?
If i can successfully get the TOKEN, next i have to redirect my servlet response to following Url to get mobile checkout view to mobile application.
https://www.sandbox.paypal.com/webscr?cmd=_express-checkout-mobile&drt="+<deviceReferenceTokenWithAppId>+"&token="+<TOKEN from payal nvp>
Appreciate if someone can guide me to a correct path if i have done a mistake here..
It means your API credentials are incorrect for the endpoint you're accessing.
Try replacing "PASSWORD" by "PWD"; authentication is done with a 'USER', 'PWD' and 'SIGNATURE' with PayPal.
Related
import os
from twilio.rest import Client
account_sid = 'my_account_sid'
auth_token = 'my_auth_token'
client = Client(account_sid, auth_token)
def send_sms(user_code , phone_number):
message = client.messages.create(
body= f'Hi your verification code is {user_code}',
from_ = '+14158557747',
to = f'{phone_number}')
# phone_number goes in with international format something like this +9779845000001
I get following error log while running server..
Request Method: GET
Request URL: http://127.0.0.1:8000/verify/
Django Version: 3.1.6
Exception Type: TwilioRestException
Exception Value:
[31m[49mHTTP Error[0m [37m[49mYour request was:[0m
[36m[49mPOST /Accounts/AC3c6c0502535317b9bb95efd43c6296d1/Messages.json[0m
[37m[49mTwilio returned the following information:[0m
[34m[49mUnable to create record: Authenticate[0m
[37m[49mMore information may be available here:[0m
[34m[49mhttps://www.twilio.com/docs/errors/20003[0m
Any Help would be appreciable.
Just see and type the Account Sid from Twilio console. While copy and paste this account sid will change. You can copy and paste token.
Make sure that 'to' number is verified if it is a trail account.
I want to integrate SalesForce with Facebook Messenger. For this I've retrieved access token, app id , app secret. When I hit a HTTP request in developer console to send a message then there is an error.
In the given code it is not accepting messages as parameter throwing error but working without messages.
ref: https://developers.facebook.com/docs/messenger-platform/send-messages/?translation#sending_text
Httprequest req = new httpRequest();
req.setEndPoint('https://graph.facebook.com/v5.0/1798927698340/messages?access_token={PUT-ACCESS-TOKEN-HERE}');
String body = '{'+
'"recipient": {'+
'"id": "100042977199143"'+
'},'+
'"message": {'+
'"text": "hello, world!"' +
'}' +
'}';
req.setMethod('POST');
req.setHeader('Content-Type','application/json');
Http h = new Http();
HttpResponse res = h.send(req);
system.debug(res.getBody());
error message :
16:55:58:127 USER_DEBUG [16]|DEBUG|{"error":{"message":"Unsupported
post request. Object with ID 'me' does not exist, cannot be loaded due
to missing permissions, or does not support this operation. Please
read the Graph API documentation at
https://developers.facebook.com/docs/graph-api","type":"GraphMethodException","code":100,"error_subcode":33,"fbtrace_id":"AcqDT5M6mGXSOCr4mOd3kDf"}}
actual response : success = true
This problem arises sometimes when we use invalid access token or user access token instead of page access token.
I'm trying to download the file by it's unique id (GUID) and in 99% it's working fine, but there some cases where I'm getting http not found - 404. But I know that file is exists and I know it's unique id, from the metadata I got from the document library.
How file can't be found if I have it's metadata in hands ?
I'm doing the next (Java):
//itemID is taken from the library listing (using web service) as uniqueid (guid)
String requestUrl = site + "/_api/web/GetFileById('" + itemID.substring(1, itemID.lastIndexOf('}')) + "')/$value"; //Remove {} from the unique id
HttpGet request = new HttpGet(requestUrl);
// setting auth credentials to the request.
RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout(60000).build();
request.setConfig(requestConfig);
request.addHeader("accept", "application/json; odata=verbose");
HttpResponse result = httpClient.execute(request);
int iRet = result.getStatusLine().getStatusCode(); //Here iRet = 404, sometimes.
Thanks
From previous experience I would look for a lock by concurrent connections. I see you have a 60 s timeout (setConnectTimeout(60000)) in your code. For instance, have you tried if having a single query returns a valid result, and after (say 120s) you try twice within the 60s timeout, it returns the 404?
How to add a parameters to the Google OAuth 2.0 redirect_uri?
Just like this:
redirect_uri=http://www.example.com/redirect.html?a=b
The b of a=b is random.
Anyone can help ?
You cannot add anything to the redirect uri, redirect uri is constant as set
in the app settings of Oauth.
eg :http://www.example.com/redirect.html
To pass several parameters to your redirect uri, have them stored in state
parameter before calling Oauth url, the url after authorization will send the same parameters to your redirect uri as
state=THE_STATE_PARAMETERS
So for your case,do this:
/1. create a json string of your parameters ->
{ "a" : "b" , "c" : 1 }
/2. do a base64UrlEncode , to make it URL safe ->
stateString = base64UrlEncode('{ "a" : "b" , "c" : 1 }');
This is a PHP example of base64UrlEncoding & decoding (http://en.wikipedia.org/wiki/Base64#URL_applications) :
function base64UrlEncode($inputStr)
{
return strtr(base64_encode($inputStr), '+/=', '-_,');
}
function base64UrlDecode($inputStr)
{
return base64_decode(strtr($inputStr, '-_,', '+/='));
}
So now state would be something like: stateString -> asawerwerwfgsg,
Pass this state in OAuth authorization URL:
https://accounts.google.com/o/oauth2/auth?
client_id=21302922996.apps.googleusercontent.com&
redirect_uri=https://www.example.com/back&
scope=https://www.google.com/m8/feeds/&
response_type=token&
state=asdafwswdwefwsdg,
For server side flow it will come along with token :
http://www.example.com/redirect.html?token=sdfwerwqerqwer&state=asdafwswdwefwsdg,
For client side flow it will come in the hash along with access token:
http://www.example.com/redirect.html#access_token=portyefghsdfgdfgsdgd&state=asdafwswdwefwsdg,
Retrieve the state, base64UrlDecode it, json_decode it, and you have your data.
See more about google OAuth 2 here:
http://code.google.com/apis/accounts/docs/OAuth2.html
Since the accepted answer does expose the actual data and misuses the state parameter instead of sticking to a nonce to protect against CSRF, I'll try to show a proper method. Rather than passing (read exposing) data it should be kept local. Hydrate it before the request and re-hydrate it after a validated request. "Validated" here means that the state-nonce of request and response match.
You need some kind of temporary client side storage. E.g. for SPA or general websites keep it in state or use the browser's localStorage, a session (or a signed cookie). For mobile apps they should use memory or any other local storage.
Before sending the request generate a nonce (see below) that will be used as state parameter for the request. Store the nonce together with the custom state (e.g. a json) in local storage.
For example, the nonce could be ih4f984hf and the custom state {"role": "customer"}. Then you could store data for re-hydration for that request like this:
"ih4f984hf": {
"role": "customer"
}
Then use only the nonce as value for the state parameter of the request. (If you absolutely want to combine the nonce and data into the state value be sure to encrypt it and be aware that the length of the value is limited!)
When receiving a response you get the value of the state parameter back. Look it up and if it matches the value in the local storage you may process the data using the stored state. If the nonces do not match the request is potentially from an attacker and should not be processed.
Generating the nonce
Remember that the nature of a nonce is that it is used once only and must be unpredictable! Unpredictable here means ideally random, but practically pseudo-random is ok if the entropry is high enough - in web apps you might want to check Web API Crypto which is supported pretty well.
For further readings this might be helpful:
http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html
https://datatracker.ietf.org/doc/html/draft-bradley-oauth-jwt-encoded-state-00
https://auth0.com/docs/protocols/state-parameters#set-and-compare-state-parameter-values
If you are in .NET you could save the parameters in the Session
HttpContext.Current.Session[{varname}]
and redirect to the authorization page without parameters
Response.Redirect(your_uri_approved_with_no_querystring_parameters);
In Javascript (Node), you could set the state property to an object of key value pairs.
const oAuth2Client = await new google.auth.OAuth2(
clientId: <clientId>,
clientSecret: <clientSecret>,
redirectUrl: <redirectUrl>,
);
return await oAuth2Client.generateAuthUrl({
access_type: "offline",
scope: <scopes>,
state: JSON.stringify({ a: "y", b: "z" }),
});
On google authorization complete, it returns of the state, code etc from ulr,
const params = JSON.parse(state); // { a: "y", b: "z" }
You can redirect parameter with url as below,
When you get response from google than you can pass parameter with url,
See below php code for same,
if (isset($_GET['code'])) {
$client->authenticate();
$_SESSION['token'] = $client->getAccessToken();
$redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL) . '?r=page/view');
}
In above example r=page/view is parameter on which i want the response with parameter
I am trying IPN callback, using servlet. The code I am using is provided by paypal for verifying the ipn data. But every time i getting a INVALID response.
Here is the code:
Enumeration en = req.getParameterNames();
String str = "cmd=_notify-validate";
while (en.hasMoreElements()) {
String paramName = (String) en.nextElement();
String paramValue = req.getParameter(paramName);
//str = str + "&" + paramName + "=" + URLEncoder.encode(paramValue,"UTF-8"); // for UTF-8 i set the encode format in my account as UTF-8
//str = str + "&" + paramName + "=" + URLEncoder.encode(paramValue,"ISO-8859-1");// for ISO-8859-1 i set the encode format in my account as ISO-8859-1
str = str + "&" + paramName + "=" + URLEncoder.encode(paramValue); //default as provided by paypal
}
URL u = new URL("http://www.sandbox.paypal.com/cgi-bin/webscr");
URLConnection uc = u.openConnection();
uc.setDoOutput(true);
uc.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
PrintWriter pw = new PrintWriter(uc.getOutputStream());
pw.println(str);
pw.close();
BufferedReader in = new BufferedReader(new InputStreamReader(uc.getInputStream()));
String res = in.readLine();
in.close();
if (res.equals("VERIFIED") || !res.equals("VERIFIED")) {
//Update database...
} else if (res.equals("INVALID")) {
//INVALID
}
I have checked all three possibilities provided by paypal in case paypal return INVALID as follow:
1) Missing Parameters - As I am send all the parameters no issue of missing parameters
2) Invalid URL. - I am using sandbox so URL is : http://www.sandbox.paypal.com/cgi-bin/webscr
3) Character encoding. - Tried with character encoding same as paypal account setting parameter encoding.
the request I am sending back to paypal using following parameters:
cmd=_notify-validate&last_name=User&test_ipn=1&address_name=Test+User&txn_type=web_accept&receiver_email=sellr1_1252495907_biz%40gmail.com&residence_country=US&address_city=San+Jose&payment_gross=&payment_date=01%3A55%3A04+Sep+26%2C+2009+PDT&address_zip=95131&payment_status=Completed&address_street=1+Main+St&first_name=Test&payer_email=buyer1_1252495751_per%40gmail.com&protection_eligibility=Eligible&payer_id=BXBKS22JQCUWL&verify_sign=AOMkeg7ofCL7FJfioyWA19uCxD4XAgZirsjiGh8cUy1fd2YAqBwOkkst&payment_type=instant&business=sellr1_1252495907_biz%40gmail.com&address_country_code=US&mc_fee=0.64&address_status=confirmed&transaction_subject=True+Up&quantity=1¬ify_version=2.8&mc_currency=EUR&custom=&address_state=CA&payment_fee=&handling_amount=0.00&payer_status=verified&shipping=0.00&item_name=True+Up&tax=0.00&username=hannonj&charset=windows-1252&item_number=567&mc_gross=10.00&txn_id=7F456350BS7942738&receiver_id=MASSU6BSR9SC2&address_country=United+States
Please , can any one direct me to proper direction? I am not getting what is wrong the code or the URL or anything else. I tried all the possibilities. Please help me.
An “INVALID” message is due to the following reasons:
Check that your are posting your response to the correct URL, which is https://www.sandbox.paypal.com/cgi-bin/webscr or https://www.paypal.com/cgi-bin/webscr, depending on whether you are testing in the Sandbox or you are live, respectively.
Verify that your response to the test IPN message contains exactly the same variables and values as the test message and that they are in the same order as in the test message. Finally, verify that the original variables are preceded by a cmd=_notify-validate variable.
Ensure that you are encoding your response string and are using the same character encoding as used by the test IPN message. (for example, I can see that he is using letters with umlaut and other symbols like “/”, etc).
With regard to the last point, the merchant can try to change the encoding language in use in his PayPal account, following the steps below:
Login on you PayPal account
Click on Profile
Click on “My Selling Preferences” tab
Click on “PayPal Button Language Encoding” (at the end of the page)
Click on "Other Options"
Select from the drop down menu: UTF-8
Choose the same charset also for the second option, which is related to IPN
Click “Save”
If the issue persists, we recommend to review the script in use, PayPal has some IPN code samples available at: https://github.com/paypal/ipn-code-samples
For additional information I include the link: https://developer.paypal.com/webapps/developer/docs/classic/ipn/integration-guide/IPNTesting/#id091GFE00WY4
I'm pretty sure the URL to send to is just "www.sandbox.paypal.com", see chapter 4 of Sandbox User Guide, and well, this is what I put for my own code (incidentally, for live, it is also just "www.paypal.com", for their sample code)
Thank you guys for your reply.
ohhh I solved it at last.
Actually in notify URL I also added a username parameter. Paypal want the parameter values for IPN same as it return to the servlet.(You can get it as req.getParameterNames()). As I have username parameter extra, which is not known to paypal. Paypal was returning INVALID.
Remember paypal's sandbox has completely different credentials. You must have development account and be logged into development panel to use sandbox.
If you're testing Paypal IPN over SSL, you will have to use ssl://www.sandbox.paypal.com on the port 443
I ran into multiple problems layered on top of each other before I could get Paypal IPN working - it kept returning INVALID but was not specific about which part I was getting wrong, unfortunately.
Things I got wrong:
Sandbox - if you use the Sandbox you need to use the entire Sandbox environment. It requires creating a new, separate account on the Paypal Sandbox website. The Sandbox API credentials it sets up under your regular account are not enough. You then use that separate Paypal account to file fake transactions on the Paypal Sandbox website, and watch them come across IPN on the Sandbox endpoint. The need for this second account is not obvious or clear at all in setting up API access. Also, switching between Sandbox and Live requires more than switching the URL, you need to switch the credentials. So a simple compile flag alternating a string isn't going to cut it.
Live - if you use the Live environment a number of things will get in your way. For us, it took a long time for Paypal to open up "Business" access to us. It wouldn't provide us anything over the API until that was enabled. When we initially applied we were flatly denied with no explanation or timeline to resolve it. A month later ish of taking payments (with no API to keep us up to date with those payments) it seemed to just magically start working.
Code example - the code example provided by Paypal is outdated, and has some clear issues. Here's an example that uses modern TPL/async:
// Send the verification back to Paypal in the format Paypal requested
var verif = (HttpWebRequest)WebRequest.Create(ipnVerifyUrl);
verif.Method = "POST";
verif.ContentType = "application/x-www-form-urlencoded";
var param = req.BinaryRead(req.TotalBytes);
var sRequest = Encoding.ASCII.GetString(param);
sRequest = "cmd=_notify-validate&" + sRequest;
verif.ContentLength = sRequest.Length;
using (var streamOut = new StreamWriter(verif.GetRequestStream(), Encoding.ASCII))
{
await streamOut.WriteAsync(sRequest);
}
// Send it
using (var re = await verif.GetResponseAsync())
{
var s = await HttpWebRequestAsync.GetFullResponseStringAsync((HttpWebResponse)re);
// Log the response (s)
}
Besides this code actually working (This is exactly what we have in Production, with some of our logging library calls stripped out), this code won't freeze a thread while waiting on network.
The awaits allow the thread to step away while the network does its thing, both in writing the verification request to Paypal, and in receiving the response back, both of which could be a long time.