I'm implementing a cart and currently using Zuora's Direct Post.
Basically it's a form submit to Zuora and upon success Zuora will redirect back to my site. They allow for 5 field_passthroughs which are just query string parameters in the url.
I have the flow working as such:
User enters in their Card Information
On Submit, information is submitted to Zuora
On Success, Zuora redirects back to my site, which lands on an intermediate processing page
Zuora sticks a few fields on the redirectURL such as paymentMethodId, which I use to place the order on the processing page.
I want to optimize it now so that instead of landing on the intermediate processing page, it'll just land back on the user's cart with the input fields still populated.
In order to achieve this without refetching fields like name/email from my backend, Is there a way I can pass it on the redirectUrl? Would it be safe to serialize my Vuex state into a string and encode it? Then when it lands back on my cart from the redirect, I decode and deserialize and repopulate the form?
You can pass some of that information back automatically.
Any of the fields in the HOP page configuration in Zuora where the "Returned in Response" checkbox are checked will return as querystring parameters. Email, phone, and address fields can be returned this way.
Unfortunately (Cardholder) Name is not one that can be checked. That would have to be passed back through one of the field_passthroughs. I would say yes about passing it that way as it would be using https and querystring values are already encrypted.
I am not an expert on security and some fields like CC numbers should never be passed ths way.
Related
I have read about the relayState parameter in SAML SSO, and how the SP can redirect the user back to the original incoming URL by making use of relayState, but to my knowledge HTTP redirect only works for GET requests.
I am wondering if the same can be done for POST, PUT and DELETE requests, considering these requests usually come with data in the request body as well. I thought of returning a self-submitting form for POST requests, but this won't work for any other HTTP verb, and the original request must be a form based request too, unless the framework supports treating all types of parameters (query string, form field, json element) similarly. I also thought of making the frontend reconstruct the original request and sending it back to SP with AJAX, but I'm not sure if AJAX can actually update the browser's current page address.
My compromise solution in the end was to only relay URLs that result in a whole new page rendering with a GET verb only, and for any other requests, use the referrer URL for relaying instead. This means for the latter, the user will have to perform the task manually again after landing on the page he last saw before the SSO flow.
Not sure what the common practice in the industry is.
Thank you!
you would to maintain / save the POST data on the SP end and re-use them after SAML flow succeed. SAML as such does not provide any mean to achieve this.
So, There are multiple ways a client can pass values to server. Request Body, Header and/or Cookies.
On the server side these values could be retrieved by ModelBinders, ValueProviders MediaFormatters, FromBody, FromUri, Dependency Inject a component that reads it from current http Context or Read from current HTTP context directly ( I know this is the worst one for unit testing. So, never do that).
The question is how to decide which to be used for what.
What I think is for all the user input use ModelBinder. For anything else, like authentication token in header dont use the model binder but a authentication attribute. Which reads from the header or cookie.
What about the case where you have somthing like a cartId and you are updating the Items in cart, Shipping address, Payment address etc. Now, using DDD Cart must be the root object and Items, shipping address and payment must be the child and each request must receive a cart and the dependent object. But, that would be a really heavy load. So, why not to pass around only cartId and why not to store that cartId in cookie and if we do that. How should we read the value of cartId, use a ModelBinder, Dependency Inject a component that reads it from current http Context or Read from current HTTP context directly ( I know this is the worst one for unit testing. So, never do that)
So, any id that is not an auth token or a session token and is required in the action method. But it is not being passed as an input in request body or query strings. What is the best approach to read parameters like that
What about the case where you have somthing like a cartId and you are
updating the Items in cart, Shipping address, Payment address etc.
Now, using DDD Cart must be the root object and Items, shipping
address and payment must be the child and each request must receive a
cart and the dependent object.
Don't confuse DDD with HTTP/REST. DDD is for your domain. HTTP/REST is for your web resources.
Why not something like this?
add product to the cart
POST /my/carts/1/products { body/model: productId=6&quantity=2 }
update quantity
PUT /my/carts/1/products/6 {body/model: quantity=4 }
...and I have to argue with your DDD design. Shipping and billing addresses are really parts of the Order aggregate, not the Cart aggregate. But I digress...
If you organize your HTTP resources to mimic your DDD aggregates, then you don't need to pass the whole cart in with each request. You can have different user actions call different resources/method combinations to interact with the aggregate. You don't even need to send the cartId in with the body of the request, because it is already in the URL:
[POST("my/carts/{cartId:int}/products")]
public HttpResponseMessage PostProduct(int cartId, CartProductPostModel model)
{
// ensure user owns the cart (based on cookie or authentication info)
// get the cart aggregate based on the cartId,
// add the product to the cart
// tell the client you succeeded by passing back an appropriate response
// 201 Created
// Location: http://www.site.com/my/carts/1/products/6
// note the response does not send back the whole cart, it only tells you
// the new resource was created and where you can access it
}
If you design your HTTP resource URL's RESTfully, then you don't need to pass around any id's in headers, cookies, session, etc, because all of the information you need is already in the request -- either in the URL itself, or in the request body.
Update
So, in our case cartId is not an integer it is a string that actually
has some "/"s (IIS/ASP.net MVC blows up). I know weird but thats how
it is and I can't change it. So, it can't be there as part of url. It
could be part of a query-string. But, to make it inter operate with
someother clients. We are kind of forced to put it on cookie.
Yes you can put it in the URL. You just have to encode it first. So a cart ID like cart/with/slashes ends up like this in the URL:
add product to the cart
POST /my/carts/cart%2fwith%2fslashes/products
update quantity
PUT /my/carts/cart%2fwith%2fslashes/products/6
This will work just fine with either MVC or WebAPI routing without blowing up.
[POST("my/carts/{cartId}/products")]
public HttpResponseMessage PostProduct(string cartId, CartProductPostModel model)
{
// cartId will be "cart/with/slashes", decoded
}
Hi guys I need some advice please.
Our payment gateway sends back some data when an order is succesfully posted that is included in the url string.
The only problem is users are refreshing the page and sending through a bunch of cfmail commands each time they refresh the thank you page!
Which is better for our security, to setup a redirect to our home page shortly after this page is loaded, to setup a way to stop the user loading the page more than once or to strip out the order info so the user can't click refresh?
Below is a sample url that the payment gateway generates upon a succesful transaction.
http://www.ourwebsitename.com/ConfirmationPage.cfm?cartinfo=^XXXX^1&orderinfo=Customer^Name^Billing Name^Billing^Line^1^Town^Postcode^websitename^Order^Amount^&responsesitesecurity=SECUREHASHCODE&thisorderid=OURORDERID
What are people thoughts on securing this page?
The way I've addressed this in the past is to do the following
On any page that the user is shown, try not to have any of the logic that actually does anything. Display logic only on display pages
At the end of the checkout process, send the email, and then use <cflocation> to redirect to the confirmation page
Add some check-bit to the session or whatever you use to keep track of the user to flag that the email has already been sent
If you REALLY don't want users resending the email twice, use a <cflock> and confirm that the flag mentioned in #3 hasn't been flagged inside the <cflock> (to make sure it hasn't been sent by the process that locked it)
This should help reduce / remove the impact of the user refreshing. When I've had this in the past it's been due to people placing logic on the output pages that should really have been on one of the pages that the user doesn't get shown (due to them silently redirecting)
I suggest that you add a confirmation_email_sent-column to your order table in the database, and then set this flag the first time you send the email. If the users refreshes the page, you will notice that this flag is already set, and can then skip sending the email. If there are other side effects than the e-mail-sending, then these should probably be mitigated in the same way.
In my application I allow users to connect their Facebook accounts via oauth for the purpose of posting via our interface. We support both page accounts and regular accounts that simply manage pages.
We also inspect the result of the opengraph API call to get a valid URL to their profile, or page. The primary endpoint we use is https://graph.facebook.com/me (with oauth credentials). For some page-only accounts, the returned object has a 'link' value that, when entered into a web browser, 404s.
The bad URLs I have seen fall into two distinct cases:
The URL can be of the form 'www.facebook.com/{page_id}' which 404s on some pages, but not others.
The URL can be of the form 'www.facebook.com/profile.php?id={user_id}' which more often than not 404s.
The only URL format I have seen that works for all accounts is www.facebook.com/profile.php?id={page_id}. In the first case, we detect that the 'link' field isn't of the proper form (using profile.php?id=...), and construct a URL with the proper structure, and it works.
My next heuristic I'm considering adding is to see if the URL is of the proper form....but uses the {user_id} as the id argument to profile.php, and just construct the URL using the {page_id}. Obviously, this is getting ridiculous.
So, is there a good way to know if an account will give back a link that is invalid? Is this a bug in the API? What is the most reliable way to, given a User on the open graph API, to get a working link to their profile/page?
Using 'www.facebook.com/{page_id}' or 'www.facebook.com/profile.php?id={user_id}' will always work - they are both the same. The only reason you'll see a 404 is if the Page has been unpublished / deleted or if the user has deactivated their account.
i've got a site, which has a login system.
here's my scenario:
user is not logged in
fills in a form to submit data
before the create action, i check if the user is logged in.
if the user is not logged in, they are prompted to sign up and log in..
upon sign up / login the form is submitted and the form data saved without prompting the user to save it again.
In order to do this, I need to use a redirect_to, specify the controller and action, however, this requires a POST, and I don't believe you can post variables on a redirect.
any ideas of a work around, which would keep the current user flow?
Some options you might want to try:
Perform the user registration using AJAX, so you never have to leave the page and won't need a redirect
Store the form data to a 'temporary' user account, then update the account to 'real' with the user registration info. You may want to occasionally clean out old 'temporary user' data that never completed the registration.
Convert the form data to serialized form and pass it along with the redirect as a url parameter (only works for a guaranteed small amount of data)
Store the form data in the session (last resort, only use if your traffic will remain relatively low, as you may end up running into scalability issues)