From 2160b5c7538c26043c7cf85328c438bb6dbff8f0 Mon Sep 17 00:00:00 2001 From: Jason Judge Date: Wed, 19 Dec 2018 17:44:06 +0000 Subject: [PATCH 1/2] SOme clarification comments. --- composer.json | 4 ++++ src/Message/Form/CompleteAuthorizeRequest.php | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/composer.json b/composer.json index 1f95e3d..40ebdeb 100644 --- a/composer.json +++ b/composer.json @@ -19,6 +19,10 @@ "name": "Adrian Macneil", "email": "adrian@adrianmacneil.com" }, + { + "name": "Jason Judge", + "email": "jason.judge@academe.co.uk" + }, { "name": "Omnipay Contributors", "homepage": "https://github.com/thephpleague/omnipay-sagepay/contributors" diff --git a/src/Message/Form/CompleteAuthorizeRequest.php b/src/Message/Form/CompleteAuthorizeRequest.php index 39e177a..6251e48 100644 --- a/src/Message/Form/CompleteAuthorizeRequest.php +++ b/src/Message/Form/CompleteAuthorizeRequest.php @@ -33,7 +33,7 @@ public function getTxType() public function getData() { // The application has the option of passing the query parameter - // in, perhaps using its own middleware, or allowing Omnipay t0 + // in, perhaps using its own middleware, or allowing Omnipay to // provide it. $crypt = $this->getCrypt() ?: $this->httpRequest->query->get('crypt'); @@ -45,7 +45,7 @@ public function getData() } // Remove the leading '@' and decrypt the remainder into a query string. - // And E_WARNING error will be issued if the crypt parameter data is not + // An InvalidResponseException is thrown if the crypt parameter data is not // a hexadecimal string. $hexString = substr($crypt, 1); @@ -64,6 +64,9 @@ public function getData() parse_str($queryString, $data); + // The result will be ASCII data only, being a very restricted set of + // IDs and flags, so can be treated as UTF-8 without any conversion. + return($data); } From 24210c204464ec1e0d5f75aae915863c48e01678 Mon Sep 17 00:00:00 2001 
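Review bot: The rewritten comment above `$hexString = substr($crypt, 1);` promises an InvalidResponseException for non-hexadecimal input, but the check that would throw it is not visible in this hunk, so the claim cannot be confirmed from here. `substr($crypt, 1)` drops the first character whatever it is; presumably the `if` block that closes just before the comment verifies the leading `@`, which is worth confirming. If so, the comment could say where each check lives, for example `// The leading '@' is verified above; the remainder is hex-validated below and rejected with InvalidResponseException.` getData() starts and ends outside this hunk.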
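Review bot: The comment added before `return($data);` states that the decrypted result is ASCII-only, but nothing in this hunk checks that, and the value originates from the `crypt` query parameter carried back by the user's browser. `parse_str()` also URL-decodes values and turns keys containing `[` into nested arrays, so a later reader could take the comment as a guarantee the code does not make. I would word it as an expectation, for example `// Expected (not enforced here) to be ASCII-only IDs and flags; callers must still compare the returned transaction ID with the one they stored.`, which is consistent with the README advice in the second patch of this series. As a style point, `return($data);` reads better as `return $data;`. getData() starts and ends outside this hunk.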
From: Jason Judge Date: Wed, 27 Mar 2019 19:21:02 +0000 Subject: [PATCH 2/2] Issue #130 Expand documentation to make `completeAuthorize` a little clearer. --- .travis.yml | 1 + README.md | 26 +++++++++++++++++++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index c351604..a446e59 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,6 +5,7 @@ php: - 7.0 - 7.1 - 7.2 + - 7.3 before_script: - composer install -n --dev --prefer-source diff --git a/README.md b/README.md index eaea2d2..6116573 100644 --- a/README.md +++ b/README.md @@ -34,8 +34,9 @@ Table of Contents * [Server Notification Handler](#server-notification-handler) * [Sage Pay Form Methods](#sage-pay-form-methods) * [Form Authorize](#form-authorize) + * [Form completeAuthorise](#form-completeauthorise) * [Form Purchase](#form-purchase) - * [Sage Pay Shared Methods (Direct and Server)](#sage-pay-shared-methods-for-both-direct-and-server) + * [Sage Pay Shared Methods (Direct and Server)](#sage-pay-shared-methods-direct-and-server) * [Repeat Authorize/Purchase](#repeat-authorizepurchase) * [Capture](#capture) * [Delete Card](#delete-card) @@ -681,7 +682,10 @@ At the gateway, the user will authenticate or authorise their credit card, perform any 3D Secure actions that may be requested, then will return to the merchant site. -To get the result details, the transaction is "completed" on return: +### Form completeAuthorise + +To get the result details, the transaction is "completed" on the +user's return. This wil be at your `returnUrl` endpoint: ```php // The result will be read and decrypted from the return URL (or failure URL) 
@@ -696,7 +700,7 @@ $result->getTransactionReference(); If you already have the encrypted response string, then it can be passed in. However, you would normally leave it for the driver to read it for you from -the current server request: +the current server request, so the following would not normally be necessary: $crypt = $_GET['crypt']; // or supplied by your framework $result = $gateway->completeAuthorize(['crypt' => $crypt])->send(); @@ -704,6 +708,22 @@ the current server request: This is handy for testing or if the current page query parameters are not available in a particular architecture. +It is important to make sure this result is what was expected by your +merchant site. +Your transaction ID will be returned in the result and can be inspected: + + $result->getTransactionId() + +You *must* make sure this transaction ID matches the one you sent +the user off with in the first place (store it in your session). +If they do no match, then you cannot trust the result, as the user +could be running two checkout flows at the same time, possibly +for wildly different amounts. + +In a future release, the `completeAuthorize()` method will expect the +`transactionId` to be supplied and it must match before it will +return a success status. + Like `Server` and `Direct`, you can use either the `DEFERRED` or the `AUTHENTICATE` method to reserve the amount.