Add support for Drop-in UI for PCI SAQ A Compliance

Thanks for the heads up. By the way, there is also a lot of work going on with Commerce Stripe that looks very promising (iframe solution). See #2433257: Add Stripe Checkout (iFrame) support.

Happy to help review this as well.

Patch seems fine. Thanks !

I am not able to test it anymore, so if someone want to test it, I'll merge it when it is RTBC.

I really apologize for not providing a review at this time (between having a sick baby and some work deadlines, I've been slammed). That said, if this goes through and does offer card on file support, it'll be added to the PCI white paper as a recommend SAQ A gateway. Tracking here => https://github.com/rickmanelius/drupalpcicompliance/issues/39

Hi,

@andyg5000 thanks for adding card on file support, the UX is cool. It works very well when logged in as an admin but when I attempt a recurring payment as a normal authenticated user I see the error below:

Notice: Undefined index: firstName in commerce_braintree_dropin_create_cardonfile() (line 213 of /srv/bindings/43bc2c74e5bc414081797d3a93824a60/code/sites/all/modules/commerce_braintree/modules/commerce_braintree_dropin/commerce_braintree_dropin.module). Backtrace:
commerce_braintree_dropin_create_cardonfile(Object, Array, Object) commerce_braintree_dropin.module:168
commerce_braintree_dropin_submit_form_submit(Array, Array, Array, Object, Array) commerce_payment.checkout_pane.inc:261
commerce_payment_pane_checkout_form_submit(Array, Array, Array, Object) commerce_checkout.pages.inc:320
commerce_checkout_form_validate(Array, Array) form.inc:1513
form_execute_handlers('validate', Array, Array) form.inc:1453
_form_validate(Array, Array, 'commerce_checkout_form_review') form.inc:1183
drupal_validate_form('commerce_checkout_form_review', Array, Array) form.inc:889
drupal_process_form('commerce_checkout_form_review', Array, Array) form.inc:385
drupal_build_form('commerce_checkout_form_review', Array) form.inc:130
drupal_get_form('commerce_checkout_form_review', Object, Array) commerce_checkout.pages.inc:56
commerce_checkout_router(Object, Array)
call_user_func_array('commerce_checkout_router', Array) menu.inc:517
menu_execute_active_handler() index.php:21

Notice: Undefined index: lastName in commerce_braintree_dropin_create_cardonfile() (line 213 of /srv/bindings/43bc2c74e5bc414081797d3a93824a60/code/sites/all/modules/commerce_braintree/modules/commerce_braintree_dropin/commerce_braintree_dropin.module). Backtrace:
commerce_braintree_dropin_create_cardonfile(Object, Array, Object) commerce_braintree_dropin.module:168
commerce_braintree_dropin_submit_form_submit(Array, Array, Array, Object, Array) commerce_payment.checkout_pane.inc:261
commerce_payment_pane_checkout_form_submit(Array, Array, Array, Object) commerce_checkout.pages.inc:320
commerce_checkout_form_validate(Array, Array) form.inc:1513
form_execute_handlers('validate', Array, Array) form.inc:1453
_form_validate(Array, Array, 'commerce_checkout_form_review') form.inc:1183
drupal_validate_form('commerce_checkout_form_review', Array, Array) form.inc:889
drupal_process_form('commerce_checkout_form_review', Array, Array) form.inc:385
drupal_build_form('commerce_checkout_form_review', Array) form.inc:130
drupal_get_form('commerce_checkout_form_review', Object, Array) commerce_checkout.pages.inc:56
commerce_checkout_router(Object, Array)
call_user_func_array('commerce_checkout_router', Array) menu.inc:517
menu_execute_active_handler() index.php:21
Should the form collect the user's name?

Best wishes

Hi @andyg5000,

thanks for getting back to me- much appreciated!

Are particular permissions required for authenticated users to use the braintree card on file feature? At the moment when i checkout as an admin for a recurring product (Commerce Recurring Framework), the card is successfully charged when the recurring order time lapses. When i checkout the same recurring product as an authenticated user, the card is declined when the recurring order time passes.

The card is always successfully charged for an admin but there's always a 'hard decline' for an authenticated user. When I check the orders I noticed that the recurring order for the admin shows a 'Commerce Card on File Test Payment' but the recurring order for the authenticated user doesn't have a payment attached. Any ideas?

Thanks again for the module!

Best wishes

Evey

Just attaching a screenshot. Any help at all is appreciated.

Hi Andy,

I've committed all your patches and I can confirm that a token is being saved in the commerce_cardonfile table for users. The transaction for the initial amount is showing on both the site and on braintree. The recurring order charge however is still a 'hard decline' on the site and doesn't appear at all on braintree. There's nothing in the site error logs either. There's just no payment raised against the recurring order.

May i know if you had to fiddle with any rules or card on file to get it working on your site?

Thanks again for your help.

Evey

Hi @andyg5000,

just wondering if this is this the BT Chargeback patch you used to get it all working https://www.drupal.org/node/2162917?

Hope you're well

Hi,

in case anyone stumbles upon my issue, these additional patches resolved it.

Not triggering paid in full: https://www.drupal.org/node/2359267#comment-9439361
Bug in code that checks Braintree hashed value: https://www.drupal.org/node/1886950#comment-7664993

Thank you for creating the Drop-in UI Andy!

Best wishes

Evey

after putting details about full name, address, etc,.. the next page is error? anybody?

You probably got your API keys wrong. Check the log for an error message. It looked like this when I got it:

Braintree_Exception_Authentication: in Braintree_Util::throwStatusCodeException() (line 53 of /sites/all/modules/commerce_braintree/braintree_php/lib/Braintree/Util.php).

Shouldn't we display a message instead of a WSOD?

it only displays WSOD after the submission... instead in the page where i can see the Dropin

- my API works fine if i use "Braintree Transparent Redirect" but in "Braintree Drop-in UI" there goes the error

how about this error?

Braintree_Exception_SSLCertificate: in Braintree_Http::_doUrlRequest() (line 94 of D:\xampp\htdocs\sites\all\modules\commerce_braintree\braintree_php\lib\Braintree\Http.php).

update -
the Dropin UI shows in Chrome but not in Mozilla, anybody?

I've been playing around with this for some time an looks good so far. Can we get this and the patches this depends on committed? Is there something missing?

I re-rolled the the patch in #1900494: Multi currency support against 7.x-2.x and also added support for the Drop-in UI. I'll post a patch once it gets committed.

There is one small coding standard issue (double space):

+++ b/modules/commerce_braintree_dropin/commerce_braintree_dropin.module
@@ -0,0 +1,238 @@
+  $cardonfile->card_type =  $attributes['creditCard']['cardType'];

I looked over the patch and tested it quite a lot the past few days. Looks good so far. Just one thing came up: The processing of the transaction takes very long. But I guess this is a issue on Braintree's side. If not, lets create a follow-up for this.

If the coding standrad issues is fixed, this is RTBC.

On my point of views, this seems OK.

The really small coding standard issues should not be a blocker (I don't want to block anything for a double space ...), and we can still fix it later.

Still fixing this small coding standards issue. Please RTBC again and I'll commit it.

Hi Everyone. Unfortunately as @verper stated in #17, there is an issue with Firefox/Mozilla. Specifically, you cannot access http://js.braintreegateway.com/v2/braintree.js directly without getting a 403 error. Chrome makes allowances and redirects to the HTTPS version, but Firefox does not.

Attached in a small patch I used to get around this. However, there may be other implications as a result of this. That said it was necessary for me to do this to continue my testing (which I'm in the process of right now). I realize this patch needs to be merged into #22, but I wanted to surface this issue immediately before this issue gets closed/committed.

HTTP/HTTPS issue aside (see #23), I can verify this does work and is compatible with card on file. AWESOME! Once we resolve that this should be RBTC and committed.

It's worth noting that I haven't reviewed the codebase from a security perspective. It might be worth creating a ticket just for that prior to an official stable release (see #2483675: [meta] 7.x-2.0 stable release).

I couldn't reproduce the bug in Firefox. The redirect to HTTPS worked for me. But since the Braintree documentation instruct to include the JS file over HTTPS let's do it this way: https://developers.braintreepayments.com/javascript+php/start/hello-client

The attached patch merges the patch in #22 with #23.

Forgot the patch...

Given that the patch exactly matches the one change I introduced to also get this working (which was a verification from previous successful reviews in #20, #21, etc), I think we're safe to set this as RBTC :)

Thanks everyone!

.

.