Payment Module Dev: Generic Code For Storing Pending Payment Information

[Max]

It would be nice if there were generic methods in the base Gateway class for storing information about pending payments in the database, complete with garbage collection of old information about payments that never completed. (default ttl should be large, like 2 weeks, as some payment service providers support bank transfers done offline).

 

Looking at the current implementation of non-merchant gateways such as Paypal in Blesta it seems you are using the "custom" field to pass internal information like the invoices being paid to Paypal, and expect to receive that information back when Paypal does a payment notification back to the site.

That does work for Paypal as it allows 256 bytes of custom information to be passed along, but other gateways are less generous, and only pass along 32 bytes of custom data. This may not be sufficient in all cases, therefore the need to store more information in the database.

[Cody]

Gateways can create their own database tables, if they find it necessary, and execute queries on there. They may do so during execution of the install method on the gateway.

I don't know that a general solution is warranted here as almost all nonmerchant gateways return data regarding invoices that were submitted as included.

 

As far as pending transactions go, a transaction is only pending if the nonmerchant gateway notified Blesta of the transaction and the transaction has not yet been fully processed by the gateway. In all these cases the gateway submits a new request once the transaction has been processed and Blesta updates the status of the transaction. I don't think deleting those transactions in these cases is a good idea, as the payment must either have failed (error/decline/etc.) or  succeeded. In either cases Blesta should have been notified, and if it wasn't then it's important that manual action be taken from a staff member to identify what went wrong.

[Max]

I don't know that a general solution is warranted here as almost all nonmerchant gateways return data regarding invoices that were submitted as included.

 

 

 

Problem however is that some gateways do return custom data, but have a character limit.

Can be a problem if a larger number of invoices is being paid.

 

 

Another potential issue is that not all gateways offer protection against the user tampering with the custom data returned, when the user is redirected back to the site.

E.g. I recall that 2checkout does prevent tampering with the amount paid (md5 hash over amount + transaction id + shared secret), but does not include the custom data in the hash.

Does Blesta have built-in protection against replay attacks, e.g. does it check if the transaction id number returned by the gateway has been processed before?

Otherwise a user might be able to use a single $ 100 payment to pay multiple $ 100 invoices, by performing the redirect back to the site multiple times and changing the invoice number in the custom data field each time.

[Cody]

Problem however is that some gateways do return custom data, but have a character limit.

Can be a problem if a larger number of invoices is being paid.

Another potential issue is that not all gateways offer protection against the user tampering with the custom data returned, when the user is redirected back to the site.

E.g. I recall that 2checkout does prevent tampering with the amount paid (md5 hash over amount + transaction id + shared secret), but does not include the custom data in the hash.

Does Blesta have built-in protection against replay attacks, e.g. does it check if the transaction id number returned by the gateway has been processed before?

Otherwise a user might be able to use a single $ 100 payment to pay multiple $ 100 invoices, by performing the redirect back to the site multiple times and changing the invoice number in the custom data field each time.

 

Yes.