Overview

Login and Pay with Amazon provides buyers with a secure, trusted, and convenient way to log in and pay for their purchases on your site, by using their Amazon credentials.

This module implements the "Pay with Amazon" PHP library through the Libraries module:
https://github.com/amzn/login-and-pay-with-amazon-sdk-php

Features


Users can log in with Amazon, get a checkout pane with Amazon widgets, and complete the checkout process on site. Their orders are created with Drupal Commerce and, when an IPN is received, transactions are added to the order. It's a full payment and checkout system. There are no other modules that add this functionality. It uses the default Amazon library without any changes to it, and implements everything seen here: https://payments.amazon.com/developer/documentation/lpwa/201909340

Impediments

There is one other module, https://www.drupal.org/project/pay_with_amazon, but it only adds a button for payment and works for the India market (or something, I couldn't make it useful for anything in UK/US) and there is not much there to use. This module works for USA/EU Amazon and has been used on a bigger worldwide e-commerce live site for 6 months now.

Config and dependencies

All configuration is done with Rules and on the Amazon Seller Central website.

Dependencies
-commerce
-libraries
-rules
-jquery_update

Git Instructions

git clone --branch 7.x-1.x https://git.drupal.org/sandbox/MarkoBx/2662436.git commerce_pay_with_amazon
cd commerce_pay_with_amazon

Comments

PA robot’s picture

Issue summary: View changes

Fixed the git clone URL in the issue summary for non-maintainer users.

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

arulan_pari’s picture

Hi Marko,

Automated Review
http://pareview.sh/pareview/httpsgitdrupalorgsandboxmarkobx2662436git

Manual Review

Individual user account
Yes: Follows the guidelines for individual user accounts.

No duplication
No: Causes module duplication and/or fragmentation.

Master Branch
Yes: Follows the guidelines for the master branch.

Licensing
Yes: Follows the licensing requirements.

3rd party assets/code
Yes: Follows the guidelines for 3rd party assets/code.

README.txt/README.md
No: Follows the guidelines for in-project documentation and/or the README Template.
Please refer to this link https://www.drupal.org/node/2181737 for README Template

Code long/complex enough for review
Yes: Follows the guidelines for project length and complexity.

Secure code
No: Meets the security requirements.

Coding style & Drupal API usage
Nothing.

Thanks,
Arulan Pari

Marko B’s picture

Readme is added.

Marko B’s picture

About security I don't believe this is the way to review modules. Not stating any details about what is wrong and how was this determined.
The same thing about duplication. I explained what is my module doing and there is nothing like that on drupal.org

visabhishek’s picture

Title: Commerce Pay With Amazon » [D7] Commerce Pay With Amazon

@Marko B: I think you forgot to change the status. See the workflow https://www.drupal.org/node/532400

Please fix the issue reported on http://pareview.sh/pareview/httpsgitdrupalorgsandboxmarkobx2662436git

visabhishek’s picture

Status: Active » Needs work
Issue tags: +PAreview: security

Found menu callback with 'access callback' => TRUE. Give proper permission for menu callbacks in hook_menu().

  // Add a menu callback for Pay with Amazon's notification on operation processing.
  $items['commerce_pwa/getdetails'] = array(
    'page callback' => 'commerce_pwa_getdetails',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
    'file' => 'includes/commerce_pwa.getdetails.inc',
  );

  // Add a menu callback for Pay with Amazon's notification on operation processing.
  $items['commerce_pwa/ipn'] = array(
    'page callback' => 'commerce_pwa_ipn',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
    'file' => 'includes/commerce_pwa.ipn.inc',
  );

Regarding security you can check following posts :
https://www.drupal.org/node/28984
https://www.drupal.org/node/178896

klausi’s picture

Status: Needs work » Needs review
Issue tags: -PAreview: security

Open page callbacks are standard in payment modules. Could you describe how you are able to exploit a vulnerability there?

visabhishek’s picture

@klausi: I tried with several ways but I am not able to exploit.

I added in my learnings doc. I will take care in future.

Thanks.

Marko B’s picture

Thanx for the reviews guys. Yeah this is standard way of making IPNs, they should be accessible by anonymous.

I added some commits and improvements, but I see so many formatting problems, hmm it will take some time to address them all.
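
Added example, not part of the thread or of the sandbox module: because a route with 'access callback' => TRUE is reachable by anyone, the page callback itself has to authenticate the notification before it touches an order. The sketch assumes the IPN arrives as an Amazon SNS "Notification" JSON body and runs inside Drupal 7; all example_* names are hypothetical.

```php
<?php
// Added example; example_* names are hypothetical. Assumes an Amazon SNS "Notification" JSON body.

// Builds the canonical string SNS signs for a Notification (fixed key order).
function example_sns_string_to_sign(array $msg) {
  $out = '';
  foreach (array('Message', 'MessageId', 'Subject', 'Timestamp', 'TopicArn', 'Type') as $key) {
    if (isset($msg[$key])) {
      $out .= $key . "\n" . $msg[$key] . "\n";
    }
  }
  return $out;
}

// Accepts only HTTPS .pem URLs on an SNS host, so a sender cannot supply its own cert.
function example_sns_cert_url_ok($url) {
  $p = is_string($url) ? parse_url($url) : FALSE;
  return is_array($p) && isset($p['scheme'], $p['host'], $p['path'])
    && $p['scheme'] === 'https' && substr($p['path'], -4) === '.pem'
    && preg_match('/^sns\.[a-z0-9-]+\.amazonaws\.com$/', $p['host']) === 1;
}

// Returns the decoded message when the signature verifies, FALSE otherwise.
function example_ipn_authenticate($raw_body, $fetch_cert) {
  $msg = json_decode($raw_body, TRUE);
  if (!is_array($msg) || !isset($msg['Type'], $msg['Signature'], $msg['SigningCertURL'])
    || $msg['Type'] !== 'Notification' || !is_string($msg['Signature'])
    || !example_sns_cert_url_ok($msg['SigningCertURL'])) {
    return FALSE;
  }
  $pem = call_user_func($fetch_cert, $msg['SigningCertURL']);
  $key = is_string($pem) ? openssl_pkey_get_public($pem) : FALSE;
  $sig = base64_decode($msg['Signature'], TRUE);
  $v2 = isset($msg['SignatureVersion']) && $msg['SignatureVersion'] === '2';
  if ($key === FALSE || $sig === FALSE) {
    return FALSE;
  }
  $algo = $v2 ? OPENSSL_ALGO_SHA256 : OPENSSL_ALGO_SHA1;
  return openssl_verify(example_sns_string_to_sign($msg), $sig, $key, $algo) === 1 ? $msg : FALSE;
}

// Page callback for a route registered with 'access callback' => TRUE.
function example_ipn_page_callback() {
  $fetch = function ($url) { $r = drupal_http_request($url); return $r->code == 200 ? $r->data : FALSE; };
  if (example_ipn_authenticate(file_get_contents('php://input'), $fetch) === FALSE) {
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_exit();
  }
  // Only past this point may the notification add a transaction to an order.
}
```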

smccabe’s picture

Status: Needs review » Needs work

Went to review as part of my required bonus reviews, but it seems this is waiting on a number of formatting problems, setting to "needs work" to reflect that.

PA robot’s picture

Status: Needs work » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.