Cartalyst Stripe package implementation to laravel - php

I am implementing Cartalyst Stripe in my Laravel app.
https://cartalyst.com/manual/stripe/2.0#installation
This is my controller code in the index method:
// At the top of the controller file:
// use Cartalyst\Stripe\Stripe;
// use Illuminate\Support\Facades\Auth;
// use Illuminate\Support\Facades\Session;

$stripe = new Stripe(env('STRIPE_API_KEY'));

// Create a Stripe customer for the logged-in user
$customer = $stripe->customers()->create([
    'email' => Auth::user()->email,
    'name'  => Auth::user()->name,
]);

// Tokenise the card details (Stripe test card number)
$token = $stripe->tokens()->create([
    'card' => [
        'number'    => '4242424242424242',
        'exp_month' => 6,
        'exp_year'  => 2022,
        'cvc'       => 314,
    ],
]);

// Attach the tokenised card to the customer
$card = $stripe->cards()->create($customer['id'], $token['id']);

// Charge the customer; currency and amount come from the session
$charge = $stripe->charges()->create([
    'customer'             => $customer['id'],
    'currency'             => Session::get('appcurrency'),
    'amount'               => Session::get('total_payment'),
    'statement_descriptor' => 'Descriptor.com',
]);
I will use this Bootstrap form to collect user info, so I'll pass all the user's input through $request later (month and year for the expiration will be separated later, but it's not important for now):
<form action="{{ \LaravelLocalization::localizeURL('/order-final') }}" method="post">
    @csrf
    @method('post')
    <div class="section">
        <div class="container mt-5">
            <div class="row">
                <div class="col-lg-3"></div>
                <div class="col-lg-6"><label>Card number:</label><input type="text" class="form-control" name="card_number" placeholder="Card number" value=""></div>
            </div>
            <div class="row">
                <div class="col-sm-3"></div>
                <div class="col-sm-3 mt-5"><label>Expiration:</label><input type="text" class="form-control" name="expiration_date" placeholder="Expiration"></div>
                <div class="col-sm-3 mt-5"><label>CVC:</label><input type="text" class="form-control" name="cvc" placeholder=" CVC"></div>
                <div class="col-sm-2"></div>
            </div>
            <div class="row">
                <div class="col-lg-5"></div>
                <div class="col-lg-4 mt-5"><button type="submit" class="btn btn-primary" id="card-button">Pay</button></div>
                <div class="col-lg-4"></div>
            </div>
        </div>
    </div>
</form>
So, once I make this test charge, everything works very well, so the implementation is successful.
I am just trying to figure out how to handle cards where 3D Secure is required, because I want to make 3D Secure required for all payments, especially from SCA countries.
I tried to do that with PaymentIntent and SetupIntent, but I have no idea.
I want to let customers fill out card details, then they should be redirected to the Stripe 3D Secure page and then redirected back to some URL.
The PaymentIntent has a return_url parameter, but I have no idea how to set it up.
I never did Stripe before.
I can use Stripe without 3D Secure now, which is okay, but I want to use 3D Secure.
I tried to use Stripe's form with Stripe.js:
<div id="card-element">
But it always messes up my Bootstrap 5 code, so a redirect will be fine.
I also thought about the Stripe Billing portal option and redirecting customers to the Stripe billing portal directly.
Also, I want to use the customer's card in Stripe, which works as well; I'm just having that 3D Secure issue.
So I just somehow need to trigger the Stripe SCA redirection for authentication.
Can you help me, please?
Thanks a lot

You may need to reach out to Cartalyst for more detailed support, but at a high level it appears to largely act as a thin wrapper around the underlying stripe-php package (github).
You need to read about migrating to Payment Intents from Charges in order to support SCA/3D Secure properly, or the Accept a Payment guide.
While you can use the return_url for manual 3DS redirect handling, this is not recommended. Using the Stripe.js client-side helper confirmCardPayment (guide step) is likely to lead to a better integration experience.
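To show the PaymentIntent flow the answer recommends, here is an added example (not code from the question, Cartalyst or Stripe) of a Laravel controller that creates the intent server-side with stripe-php and leaves the 3DS challenge to Stripe.js, so the raw card number never reaches the application. The route names, the checkout.confirm view, the stripe_customer_id column and the services.stripe.secret config key are assumptions.

```php
<?php
// Added example: server side of a Stripe.js + PaymentIntent checkout in Laravel.
// Assumes stripe-php (composer require stripe/stripe-php); view, route and column names are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;
use Stripe\StripeClient;

class CheckoutController extends Controller
{
    // Step 1: create the PaymentIntent. Amount and currency come from the server-side
    // session, never from the form, so the browser cannot alter the price.
    public function createIntent(Request $request)
    {
        $stripe = new StripeClient(config('services.stripe.secret')); // config(), not env(), outside config files

        $intent = $stripe->paymentIntents->create([
            'amount'   => (int) Session::get('total_payment'),   // smallest currency unit, e.g. cents
            'currency' => Session::get('appcurrency'),
            'customer' => Auth::user()->stripe_customer_id,      // hypothetical column holding the Stripe customer id
            'payment_method_types' => ['card'],
            'payment_method_options' => [
                // Request a 3DS challenge for every card, not only when the issuer or SCA rules demand one.
                'card' => ['request_three_d_secure' => 'any'],
            ],
            'statement_descriptor' => 'Descriptor.com',
            'metadata' => ['user_id' => (string) Auth::id()],
        ]);

        // The view mounts a Stripe.js card Element and calls
        //   stripe.confirmCardPayment(clientSecret, { payment_method: { card: cardElement } })
        // Stripe.js runs the 3DS challenge itself (modal or redirect); only the client_secret is exposed.
        return view('checkout.confirm', ['clientSecret' => $intent->client_secret]);
    }

    // Step 2: the page posts the intent id back (or Stripe appends ?payment_intent=... on a
    // return_url redirect). Re-read the status from Stripe; never trust a "succeeded" flag from the browser.
    public function finish(Request $request)
    {
        $stripe = new StripeClient(config('services.stripe.secret'));
        $intent = $stripe->paymentIntents->retrieve($request->input('payment_intent'));

        if ($intent->status !== 'succeeded' || $intent->metadata->user_id !== (string) Auth::id()) {
            abort(403, 'Payment not confirmed for this user');
        }

        return redirect()->route('order.complete');
    }
}
```

For production, fulfil the order from the payment_intent.succeeded webhook as well, since the customer may close the browser before the redirect back.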

Laravel form without Collective

I'm learning Laravel. The current stable version is, as far as I'm aware, 5.8. I'm following tutorials and really liking the framework, but it gets a bit troublesome when these tutorials get to the point where they introduce how forms are incorporated. All of those tutorials use LaravelCollective forms, which is no longer working as of 5.8 and it is an abandoned project so I'd prefer not to use it anyway.
But this leaves me confused as to what the best practices are for using forms with Laravel. I've had some goes at creating forms, but... most of it is just HTML with hardly any Laravel "in there", if that makes sense. The only Laravel bit here is the form action, where it points to the store function in the TodosController. See below, for a file called create.blade.php.
@extends('layouts.app')
@section('content')
    <h1>Create Todo</h1>
    <form action="{{ action('TodosController@store') }}" method="post">
        @csrf
        <div class="form-group">
            <label for="text">Text</label>
            <input type="text" name="text" id="text" class="form-control" placeholder="Enter title"/>
        </div>
        <div class="form-group">
            <label for="body">Body</label>
            <textarea class="form-control" name="body" id="body" rows="10" placeholder="Enter details"></textarea>
        </div>
        <div class="form-group">
            <label for="due">Due date</label>
            <input type="text" name="due" id="due" class="form-control" placeholder="Enter due date"/>
        </div>
        <input type="submit" value="Submit" class="btn btn-primary">
    </form>
@endsection
This works fine, but I just feel like I'm not utilising blade properly here at all. Any pointers would be greatly appreciated.
Actually, you're using more Laravel there than just the form action. The @csrf stands for Cross-site request forgery and it's the Laravel way to protect you against that, as said in the docs:
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application.
Anytime you define a HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request. You may use the @csrf Blade directive to generate the token field:
When you have a PUT, PATCH or DELETE form you should use the Blade directive @method to inform which action Laravel should use:
HTML forms do not support PUT, PATCH or DELETE actions. So, when defining PUT, PATCH or DELETE routes that are called from an HTML form, you will need to add a hidden _method field to the form. The value sent with the _method field will be used as the HTTP request method:
You can achieve that, simply using:
<form action="/foo/bar" method="POST">
    @method('PUT')
    @csrf
</form>
Besides that, I think you're using Laravel/Blade just fine. Make sure you read the docs for more info.
Good luck!
What you have is a good point to start from, however another good place to take a look at is the boilerplate registration form (this is not from the official Laravel project page because the boilerplates are optionally introduced and are not in the official repo by default).
There are a few improvements you can do based on this:
<div class="form-group">
    <label for="text">{{ __('Text') }}</label>
    <input type="text" name="text" id="text" class="form-control{{ $errors->has('text') ? ' is-invalid' : '' }}" value="{{ old('text') }}" placeholder="Enter title"/>
</div>
The extras:
__('Text') will automatically translate Text based on the selected locale and available language assets.
{{ $errors->has('text') ? ' is-invalid' : '' }} will "decorate" the field with the Bootstrap 4 error style if server-side validation failed (and therefore passed the $errors variable to the view).
{{ old('text') }} will pre-fill the input with the value that was previously filled in case the form failed validation and the user was redirected back to the same page.
This will help improve the user experience, however keep in mind these are all server-side tools (because Laravel is a server-side framework) so it's probably a better user experience to also add client-side checks and validation.
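The controller side that makes old() and $errors in the form above work, as an added example (not code from the question or the answers). It assumes a Todo model with text, body and due columns and a route named todos.index; both are hypothetical.

```php
<?php
// Added example: the store action behind the create.blade.php form.
// Assumes App\Todo with $fillable = ['text', 'body', 'due'] and a 'todos.index' route (hypothetical).

namespace App\Http\Controllers;

use App\Todo;
use Illuminate\Http\Request;

class TodosController extends Controller
{
    public function create()
    {
        return view('todos.create');
    }

    public function store(Request $request)
    {
        // The @csrf token has already been checked by the VerifyCsrfToken middleware
        // before this method runs; a mismatch ends in a 419 response, not here.

        // Server-side validation is the authoritative check; any client-side checks
        // added for user experience only duplicate it.
        $data = $request->validate([
            'text' => 'required|string|max:255',
            'body' => 'nullable|string',
            'due'  => 'required|date|after_or_equal:today',
        ]);

        // If validate() fails, Laravel redirects back to the form automatically:
        // the messages land in $errors (so $errors->has('text') turns on is-invalid)
        // and the submitted values are flashed to the session for old('text').

        // Only the validated fields reach the model, so extra form fields cannot
        // mass-assign columns the form was never meant to set.
        Todo::create($data);

        return redirect()->route('todos.index')->with('status', __('Todo created'));
    }
}
```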

google map api no display laravel 5.4

Why doesn't my Google map display anything? I've tried other techniques but it still won't show up.
The API key was already applied.
// Runs after the Google Maps JS library has loaded
var map = new google.maps.Map(document.getElementById('map-canvas'), {
    center: {
        lat: 10.2969,
        lng: 123.8887
    },
    zoom: 15
});
This is the HTML file:
<div class="col-md-6">
    <div class="form-group">
        <label class="control-label">Address:</label>
        <input type="text" name="address" id="searchmap" autocomplete="off">
    </div>
    <div class="form-group">
        <label class="control-label">lat:</label>
        <input type="text" name="lat" id="lat" autocomplete="off">
    </div>
    <div class="form-group">
        <label class="control-label">lng:</label>
        <input type="text" name="lng" id="lng" autocomplete="off">
    </div>
    <div class="form-group">
        <div id="map-canvas">
        </div>
    </div>
</div>
Please make sure the Google Maps JS is included properly before you call it in JavaScript.
The Google map is there but it's not visible; please add height and width:
<div id="map-canvas" style="width:300%;height:300px;"></div>
To specify the size of the div element that includes the map, set the map height explicitly at all times:
#map { height: 100px; width: 50%; }
After further investigation, it was discovered that Google modified their business model on June 22, 2018. Since each API has its own unique billing, each API must be activated separately. The following APIs must be enabled in order for geocoding on Google Maps to function properly.
JavaScript API for maps
Directional Assistance
Service for Geocoding
Service for Distance Matrix
Access Service
Locations Library
Unfortunately, it doesn't appear that the Google Console API Manager is functioning properly. They won't appear when you search for an API other than the Maps JavaScript API.
To access them, you need to:
Access the project dashboard.
Then, select "Go to APIS overview."
Toggle "ENABLE APIS AND SERVICES" on.
You may now view the API options.
Do a Google Maps JavaScript API search (under Google Maps APIs). Clicking on it will reveal an Enable button; click it to activate the API.
Read more on: Blog about google map errors

The request to obtain paykey PAYPAL

I have my API credentials:
API username
API password
and the app fingerprint
I need to get the PayPal PayKey.
This is my form:
<div class="container secretPaypal">
    <div class="row">
        <form action="https://www.sandbox.paypal.com/webapps/adaptivepayment/flow/pay" target="PPDGFrame" class="standard">
            <div class="form-group">
                <label for="buy">Buy Now:</label>
                <input type="image" id="submitBtn" value="Pay with PayPal"
                       src="https://www.paypalobjects.com/en_US/i/btn/btn_paynowCC_LG.gif">
            </div>
            <input id="type" type="hidden" name="expType" value="light">
            <input id="paykey" type="hidden" name="paykey" value="insert_pay_key">
        </form>
    </div>
</div>
In the PayPal documentation:
Step 3: Insert a Pay Key into the HTML Form
For the payKey input value, replace insert_pay_key with a payKey value that you recently obtained using a Pay call, and save the HTML file.
Documentation is confusing me and I don't know the request URL or the request params in order to obtain the needed paykey.
Any help please
You would need to run your API to request the paykey from the Pay operation; this is part of your initial call. In the document, see steps 1-5 under "Make your first call" - Adaptive Payments - Developer Guide
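The Pay call the answer refers to, as an added example (not code from the question or from PayPal's documentation): a server-side function that asks the sandbox Adaptive Payments endpoint for a payKey, which is then written into the hidden paykey field of the form above. The API credentials stay on the server in the three X-PAYPAL-SECURITY headers; the credential values, the application id and the receiver address are placeholders.

```php
<?php
// Added example: obtain a payKey from the Adaptive Payments Pay operation (sandbox).
// $creds holds placeholders for the API username, password, signature and application id.
function paypalPayKey(array $creds, string $receiverEmail, string $amount, string $returnUrl, string $cancelUrl): string
{
    // Name-value (NV) request fields of the Pay operation
    $fields = [
        'actionType'                      => 'PAY',
        'currencyCode'                    => 'USD',
        'receiverList.receiver(0).email'  => $receiverEmail,
        'receiverList.receiver(0).amount' => $amount,
        'returnUrl'                       => $returnUrl,   // where PayPal sends the buyer after approval
        'cancelUrl'                       => $cancelUrl,
        'requestEnvelope.errorLanguage'   => 'en_US',
    ];

    $ch = curl_init('https://svcs.sandbox.paypal.com/AdaptivePayments/Pay');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // credentials travel in headers: keep TLS verification on
        CURLOPT_HTTPHEADER     => [
            'X-PAYPAL-SECURITY-USERID: '    . $creds['username'],
            'X-PAYPAL-SECURITY-PASSWORD: '  . $creds['password'],
            'X-PAYPAL-SECURITY-SIGNATURE: ' . $creds['signature'],   // the "app fingerprint" from the question
            'X-PAYPAL-APPLICATION-ID: '     . $creds['app_id'],
            'X-PAYPAL-REQUEST-DATA-FORMAT: NV',
            'X-PAYPAL-RESPONSE-DATA-FORMAT: NV',
        ],
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('Pay call failed: ' . $err);
    }
    curl_close($ch);

    // Parse the NV response by hand: parse_str() would rewrite 'responseEnvelope.ack' as 'responseEnvelope_ack'.
    $resp = [];
    foreach (explode('&', $raw) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $resp[urldecode($k)] = urldecode($v);
    }
    if (($resp['responseEnvelope.ack'] ?? '') !== 'Success') {
        throw new RuntimeException('Pay call rejected: ' . ($resp['error(0).message'] ?? $raw));
    }
    return $resp['payKey'];   // goes into <input name="paykey" value="..."> on the server-rendered page
}
```

Only the resulting payKey belongs in the HTML; the request itself, and the credentials, never leave the server.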

Laravel CRUD And API webservice

I am a beginner PHP developer; I was implementing CRUD with the Laravel 5.4 framework, and all works fine so far.
But I was then trying to make this code functional on the website and mobile as well, so I got to know web services and their protocols like REST and SOAP. I successfully managed to work with them and build small-size scripts for self-learning, and things got better.
When I try to apply what I have learned to my CRUD I get stuck: there are no links to structure my code over just routes and the api.php and web.php files. I don't know where to build my server or client scripts and how to link them in Laravel, even though I managed to implement this in native PHP; things are a little bit confusing for me in Laravel. I surfed the internet and found nothing useful for me, actually.
I will provide a sample of my CRUD code (the Create New User function), and I wish someone could help me or put me on track to start using this technique with different projects.
My Controller
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\User;   // class names are case-sensitive on Linux: App\user would not autoload

class AddController extends Controller
{
    public function create() // create new user page
    {
        return view('add.create');
    }

    public function store() // store the new user added by a client
    {
        $this->validate(request(), [ // validation for request records
            'name'                  => 'required',
            'email'                 => 'required',
            'password'              => 'required|min:8',
            'password_confirmation' => 'required|same:password',
        ]);

        $user = User::create([ // create new user with the request records
            'name'     => request('name'),
            'email'    => request('email'),
            'password' => bcrypt(request('password')),
        ]);

        session()->flash('message', 'Changes have been applied'); // flash a success message

        return redirect()->home(); // redirect to home after submitting the new user
    }
}
My Route (not a resource route, just a native route)
// add new user routes
// note: only the GET route is behind the middleware; the POST route is reachable without it
Route::get('add', 'AddController@create')->middleware('authenticated');
Route::post('add', 'AddController@store');
My Model
is the built-in User.php model provided by Laravel.
My View add.create.blade.php
<!-- this is the view of the add new user tab, extending the master layout and its components -->
@extends('layouts.master')
@section('content')
    <div class="col-md-8">
        <h3>Enter the Values of the new User</h3>
        <form method="POST" action="add">
            {{ csrf_field() }}
            <div class="form-group">
                <label for="name">*Name:</label>
                <input type="text" class="form-control" id="name" name="name">
            </div>
            <div class="form-group">
                <label for="email">*Email Address:</label>
                <input type="email" class="form-control" id="email" name="email">
            </div>
            <div class="form-group">
                <label for="password">*Password:</label>
                <input type="password" class="form-control" id="password" name="password">
            </div>
            <div class="form-group">
                <label for="password_confirmation">*Confirm Password:</label>
                <input type="password" class="form-control" id="password_confirmation" name="password_confirmation">
            </div>
            <br>
            <div class="form-group">
                <button type="submit" class="btn btn-primary">Add User</button>
            </div>
            @include('layouts.errors')
        </form>
    </div>
@endsection
That's what I have reached so far, and I wish someone could tell me how to apply an API to this code to make it function on mobile as well. I really appreciate any help in advance.
Right now your controller returns a view file - an HTML template with some PHP variables. Your API doesn't need that HTML code, so first of all, you should get rid of it.
Your API route (in the API case a route is called an 'endpoint') should return information in a structured format - if you are using a REST API, you should return data in JSON format (http://jsonapi.org/examples/ - example of JSON responses); if you are using SOAP, the response should be in XML (for the first time I would recommend you to use REST, as it's much simpler to build a REST API).
A good practice would be to use Transformers while building your response (take a look at https://medium.com/@haydar_ai/how-to-start-using-transformers-in-laravel-4ff0158b325f for example).
You should also create your endpoints in the api.php file - this file is specially for these needs. Don't forget that all routes in this file have a prefix of 'api'.
There is a great video series at https://laracasts.com/series/incremental-api-development, in which a simple REST API is built.
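As an added example of the answer's advice (not code from the question or the answer), the same create-user action exposed as a JSON endpoint in routes/api.php, written for Laravel 5.4 as in the question. The Api\UserController class name is an assumption; the explicit array stands in for the transformer the answer mentions.

```php
<?php
// Added example: the create-user action as a REST endpoint (Laravel 5.4).

// routes/api.php  -- every route here is served under /api and already runs through
// the 'api' middleware group (throttle:60,1 by default), so this becomes POST /api/users
Route::post('users', 'Api\UserController@store');

// app/Http/Controllers/Api/UserController.php
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    public function store(Request $request)
    {
        // Same rules as the web controller. Mobile clients cannot follow a redirect back
        // to a form, so they must send "Accept: application/json": with that header,
        // $this->validate() in 5.4 answers a failed validation with a 422 JSON body
        // of field => messages instead of the redirect used for browsers.
        $this->validate($request, [
            'name'     => 'required|string|max:255',
            'email'    => 'required|email|unique:users,email',
            'password' => 'required|min:8|confirmed',   // expects a matching password_confirmation field
        ]);

        $user = User::create([
            'name'     => $request->input('name'),
            'email'    => $request->input('email'),
            'password' => bcrypt($request->input('password')),
        ]);

        // Build the response explicitly rather than returning the model: what the API
        // exposes should not depend on the model's $hidden list keeping the password hash out.
        return response()->json([
            'data' => [
                'id'    => $user->id,
                'name'  => $user->name,
                'email' => $user->email,
            ],
        ], 201);
    }
}
```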

Acunetix scan of Laravel login page

I have an application written using Laravel 5.1 framework. Recently, one of my clients ran an Acunetix security scan on the application and found HTML form with no apparent CSRF protection on my login page.
However, the login form DOES have CSRF protection. The name of the element with the CSRF token is "_token". The scan result says "Discovered by: Crawler".
So my questions are:
Why is acunetix showing this result?
Is "_token" not a recognized name for a CSRF token element? Should I add another hidden element into the form with the same value using a more recognizable name?
What does it mean "Discovered by: Crawler"? Does this mean the scan only checks the form HTML and nothing else?
Below is the snippet of the HTML form blade template:
@section('content')
    <form id="loginForm" class="form-signin" role="form" method="POST" action="{{ url('/auth/login') }}">
        <h2 class="form-signin-heading"><img src="/images/J10_Logo_330x194.jpg" alt="{{ trans('content.image_alt.j10_logo') }}"></h2>
        {{-- value left blank on purpose; it is filled in by JavaScript (see below) --}}
        <input type="hidden" name="_token" value="">
        <label for="username" class="">{{ trans('auth.login.username') }}</label>
        <input type="text" class="form-control" id="username" name="username" value="{{ old('username') }}">
        <label for="inputPassword" class="">{{ trans('auth.login.password') }}</label>
        <input type="password" class="form-control" id="inputPassword" name="password" autocomplete="off">
        <div class="forgot-password"><input type="checkbox" name="remember"> {{ trans('auth.login.remember_me') }}</div>
        <div class="forgot-password">{{ trans('auth.login.forgot_password') }}</div>
        <button type="submit" class="btn btn-lg btn-primary btn-block">{{ trans('auth.login.login') }}</button>
        @if (count($errors) > 0)
            <p class="text-danger">
                @foreach ($errors->all() as $error)
                    {{ $error }}<br />
                @endforeach
            </p>
        @endif
    </form>
@endsection
You may notice that in the above snippet, the "_token" element value is blank. This is intentional since I am basically trying to "circumvent" acunetix's detection by only setting its value using javascript since everything I have tried so far does not seem to work.
The alert provided most probably indicates that this may be a false positive. CSRF alerts more often than not require human intervention to verify whether:
There actually is an anti-CSRF token
If the form (or rather, input) requires any anti-CSRF
If you are already making use of the anti-CSRF token, then you can go ahead and mark that alert as a false positive. That will omit it from any future scans on the affected item (e.g. userinfo.php, being considered an item).
Certain alerts, such as the one you specified, are discovered by the crawler module. Since Acunetix Vulnerability Scanner adopts a black-box methodology, it has no prior knowledge of the application it is scanning.
Thus, it first starts by dynamically mapping out the application's site structure using the crawler module and at the same time discovering particular alerts (Medium or Low alerts generally). Once the crawl is complete, the actual scanner module starts, which proceeds to run every security test (script) on all the items discovered by the crawler.
Regarding one of your comments - "I am assuming that the acunetix crawler does not run javascript and would not populate the _token element."
The crawler per se does not execute and analyze JavaScript; however, the DeepScan (read more here) technology does, which occurs during the crawling stage. Thus the scanner is still able to understand client-side heavy applications such as SPAs making use of frameworks like AngularJS, ReactJS etc.
