This is an payment gateway for the Cybersource HOP Offsite payment solution. This is a break away from the Cybersource module as there is no correlating functionality other than they both come from Cybersource. Currently basic functionality is included to perform either test or production credit card processing for sales or auth transactions.

Sandbox URL: http://drupal.org/sandbox/megensel/1613584
Git repository: git clone --recursive --branch 7.x-1.x git.drupal.org:sandbox/megensel/1613584.git commerce_cybersource_hop
Drupal Version: 7

CommentFileSizeAuthor
#1 drupalcs-result.txt8.25 KBklausi

Comments

klausi’s picture

StatusFileSize
new8.25 KB

Welcome!

you have not listed any reviews of other project applications in your issue summary as strongly recommended in the application documentation.

Review of the 7.x-1.x branch:

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.

greggles’s picture

Status: Needs review » Needs work

On line 115 you could watchdog an error if the file's not found.

 126   array_walk($_POST, 'check_plain');

What's the purpose of the blanket check_plain? The standard is to filter on output http://drupal.org/node/263002 - Doing a check_plain isn't magic and may even unintentionally break things. For example, the content on line 145 is getting check_plained by the use of t(@) and has already been check_plained so it might get double encoded. Ditto on line 155.

Not sure if it's a micro-optimization, but the array in commerce_cybersource_hop_reason_code could be stored in a static if there's a chance it gets called multiple times.

On line 128 I suggest watchdogging the signature failure and perhaps even adding flood control. As it is this callback could potentially be used to brute-force the site's key.

Everett Zufelt’s picture

Taking a look at the project I see that:

You will need to download the HOP.php from the cybersource business center.
Under "Tools & Settings" and "Hosted Order Page" click on "Security". Then under
the "Generate Security Script" heading sleect "php" then click "Submit". The
file that is downloaded will need to be placed inside of the includes folder
in this module. Then you will need to open it up and add the following line
underneath "<?php": "namespace HOP;" then save the file.

It is generally not good practice toa configuration file like this to be added to the contributed module folder. Is it possible to place this file in sites/*/libraries/?

megensel’s picture

I have pushed a new commit addressing the check_plains, the watchdogs and the flood control. As for the reason_code function it only gets called once per transaction which only happens when the user comes back from the redirect. Please let me know if this addresses your concerns.

Thanks!

Everett Zufelt’s picture

Status: Needs work » Needs review

@megensel

Were you able to move the hop.php out of the module dir?

megensel’s picture

@Everett

I finished the edit and just need to run a couple of test transactions to make sure it all still works. I added in a function that searches through an array of directories then caches and returns either the found path or FALSE. I'll try to have it tested tomorrow morning and push it then.

megensel’s picture

@Everett

The updates are tested and pushed for the move of the HOP.php file.

greggles’s picture

Status: Needs review » Needs work

#7 looks like a good improvement. To be super-paranoid you could watchdog and fail out if the require_once ever fails.

There are some code review issues that should ideally be fixed and should hopefully be quick - http://ventral.org/pareview/httpgitdrupalorgsandboxmegensel1613584git-7x-1x

megensel’s picture

I have some more changes tested and pushed. Couldn't really get rid of all of the warnings/errors but got it down to a reasonable few. (http://ventral.org/pareview/httpgitdrupalorgsandboxmegensel1613584git-7x-1x)

Working on creating the failure when the file is not found right now. Trying to figure out how exactly I want to do it though... Any suggestions would be welcome.

timfernihough’s picture

Hi megensel,

I am working with @Everett and @Greggles on the same project. We are trying to determine what POST-back URL to use inside the Cybersource Business Centre in order to ensure that it posts back to Drupal Commerce properly. Are you able to confirm? Is it something like domain.com/cart/checkout/complete? We have only the ability to specify a URL without tokens and for that reason I'm unsure how we can post back. The default implementation of the hosted order page just shows a link to click that takes you to your success page and of course that means that a POST isn't actually happening. The $_POST variable ends up being empty (as it should be) and therefore the desired outcome doesn't actually occur.

Thanks in advance for your thoughts.

Everett Zufelt’s picture

Initially you can use http://api.drupal.org/api/drupal/modules!system!system.api.php/function/... to forece the presence of the file, but that doesn't cover the use-case of it being removed / moved post-install.

megensel’s picture

@timfernihough

I have been using the root site address. i.e http://www.site.com. The actual post back URL will be sent in the initial POST from the module and is created programmatically. The problem is that if you don't set it in the cybersource settings it will not be used from the POST. So basically it becomes a place holder for the url sent in by POST. Hope this helps.

timfernihough’s picture

@megansel,

Thanks for your response. I've found you're correct in that the actual post-back URL is sent in the initial POST from the module and is created programmatically, but I've found that I actually don't have to specify any URL in the Cyberseource Business Centre after all. It seems to be posting to that programmatically created POST back URL no matter what (which is good) but we've run into the access problem that @greggles is discussing with you on IRC.

megensel’s picture

Any more input to polish this code up?

klausi’s picture

You need to set the status to "needs review" if you want to get a review.

megensel’s picture

Status: Needs work » Needs review
timfernihough’s picture

We had to write a menu hook in order to expose a path that Cybersource could use to post back data. We would like to contribute back some code but we are just awaiting IP clearance from our client. You'll certainly hear back from us soon. =)

megensel’s picture

@ timfernihough - You shouldn't have to do that. I ran into the same issue where it seemed to not take the post pack url I was sending it and it turned out that the settings on the cybersource side needed to be set with a placeholder url. I have also had the same problem with the client we built this module for and putting the place holder url in worked for them.

finlaycm’s picture

Subscribe

megensel’s picture

Still waiting on review finalization. If there are more changes to be make please let me know or could we please promote this? It has been almost 3 months now.

klausi’s picture

We are currently quite busy with all the project applications and I can only review projects with a review bonus. Please help me reviewing and I'll take a look at your project right away :-)

patrickd’s picture

I'm sorry for the delay!
There are about 100 other applications waiting for review and only a hand full of active reviewers.
We do really need more hands in the application queue and highly recommend to get a review bonus so we can come back to your application sooner.

// oops, too late ;D

megensel’s picture

Priority: Normal » Critical
recrit’s picture

Only a few minor issues after reviewing:

  • Fix misspelling in flood event name - should be 'failed_transaction_signature'
  • Add a check for product reference when building line item params in commerce_cybersource_hop_order_form(). This will ensure that you are exporting product line items.

Suggestions:

  • Change setting for 'cybersource_hop_send_line_items' to have options of [0, 1] to make boolean checks easier
  • Create a common utility function to resolve first and last names from an address field array. Then it could use to clean up commerce_cybersource_hop_order_form() for setting billing and shipping address
megensel’s picture

Status: Needs review » Needs work

I'll get on those and update when done, thanks!

megensel’s picture

Priority: Critical » Normal
megensel’s picture

Status: Needs work » Needs review

@recrit: Changes have been implemented on commit a4d8657

recrit’s picture

Status: Needs review » Reviewed & tested by the community

looks good

druderman’s picture

At what point will this move under drupal.org/project?
This module worked fine for me.

druderman’s picture

Category: task » feature

Cybersource added a new return field to the HOP in early September.
There is now a new "orderPage_environment" field returned back to tell whether the transaction came from a production or testing merchant gateway.
Without this someone presumably can spoof a payment by capturing the data going to the HOP and sending it through the test HOP which if enabled and configured the same way would tell the store to push through the transaction.

Here are the details from:
http://apps.cybersource.com/library/documentation/dev_guides/HOP_UG/html...

orderPage_environment

Indicator of which environment the transaction was processed on. Contact CyberSource Support to disable this field.
This field contains one of these values and prevents fraudulent users from obtaining approval for purchases that would otherwise be rejected:

PRODUCTION—The transaction was submitted to the production environment.

TEST—The transaction was submitted to the test environment.

damien tournoud’s picture

Status: Reviewed & tested by the community » Fixed

I gave @megensel the "Git vetted user" role and asked him to help review two or three other pending applications.

klausi’s picture

Thanks for your contribution, megensel!

Damien updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Forgot to add the url for the clone.