I'm trying to use sellix.io API to create a payment in PHP, everything works fine in local until I upload the code to the webhost, there I get
{"status":400,"data":null,"message":null,"log":null,"error":"Transaction flagged as potential fraud (xxxxxxxxxxx).","env":"production"}
It says my request is flagged as a potential fraud. Asking around I got told that "sending a payment request from a server which can be considered a VPN or a RDP with no useragent nor fingerprint of that device may be flagged"
How can I send the request with a proper useragent? or fingerprint?
this is the code I've been using:
<?php
$mail = $_GET["mail"];
$url = "https://dev.sellix.io/v1/payments";
$data = json_encode(array(
"title" => "MyProduct",
"product_id" => "xxxxxxxxxxx",
"gateway" => "PAYPAL",
"value" => 20,
"currency" => "EUR",
"quantity" => 1,
"email" => $mail,
"white_label" => false,
"return_url" => "https://dev.sellix.io/v1/return" //not sure what this is supposed to do...
));
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
// "Content-type: application/x-www-form-urlencoded\r\n" .
'Authorization: Bearer ' . 'xxxxxxxxxxxxxxxx(API KEY)xxxxxxxxxxxxxxxx'
));
echo $response = curl_exec($curl);
curl_close($curl);
$finalUrl = strval(json_decode($response)->data->url);
header("Location: $finalUrl"); //redirects the current page to the payment page.
?>
This is a guess based on the lack of information related to your question on their help page and API documentation. I have listed some tips in the order I would try to debug this:
1: Sending user agent header
Try adding the user-agent header of your client. this will be available in $_SERVER['HTTP_USER_AGENT']
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
"User-agent: ".$_SERVER['HTTP_USER_AGENT']."\r\n" .
'Authorization: Bearer ' . 'xxxxxxxxxxxxxxxx(API KEY)xxxxxxxxxxxxxxxx'
));`
Caveat: If you are doing some custom ajax you may not get the header. You can also provide a static value, but essentially avoiding fraud is in your best interest.
2: Adding a fingerprint header/cookie
Fingerprinting is (apparently) sending information to identify the browser. according to this OWASP article it could be stored in a cookie called __Secure-Fgp which you would have to add to the request.
This SO answer goes some way to show one method of calculating the firngerprint client side.
Disclaimer: I have not tried this myself. and I would query their support if there is a header this would fit into.
3: Debugging with another product
According to their help page you can set the "max_risk_level" to 100 on a POST /products call, in order to turn off their fraud engine DO NOT DO THIS IN PRODUCTION fraud prevention mechanics are there to prevent you from being cheated as well. But it may help you to find out what is going wrong and getting a proof of concept up and running.
Related
I've just ran into a situation where i want to POST some data to a remote URL. Apart from POSTing the data, with some header information, i also want the user to be redirected to that POST url.
Let me explain the scenario here, I'm integrating a third-party Payment Gateway in my web app. I'm Using Laravel. After a chain of API calls, the app is submitting payment details to the API. The API result does have a third-party url (of the respective bank) to which, i need to take the user to complete the authentication process. I have a couple of data and a header info to take along with it. I have tried Laravel Guzzle, but like cURL when we submit the POST data, we'll actually get the response back in our side. But not getting redirected.
If i have to go with a standard html form, how can i post the header information there. Using jQuery ajax could possibly pose the same issue too, that i can't redirect the user.
I have done some re-search and tried something,
With guzzle, i'm actually able to show the HTML content back to the user using the getBody method, but the HTML is not getting parsed the right way, the images are broken (because of the relative path they using in there web pages) and the links and buttons are not taking me to the desired locations.
$response = $client->request('POST', $transactionResponse['redirectForm']['actionUrl'], [
'headers' => $transactionResponse['redirectForm']['headers'],
'form_params' => $transactionResponse['redirectForm']['content']
]);
echo $response->getBody();
I have tried cURL as well with the CURLOPT_FOLLOWLOCATION directive, but it too returns the response, not redirecting the user.
$post = [
'username' => 'user1',
'password' => 'passuser1',
'gender' => 1,
];
$ch = curl_init('http://localhost/laravel/arax_v1/paytm/callback');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'location: http://localhost/laravel/arax_v1/paytm/callback'
));
// execute!
$response = curl_exec($ch);
// close the connection, release resources used
curl_close($ch);
Could anyone have any better idea to work this out ?
I'm sitting here working on making a post request in a rest api in php using curl. For this purpose I have the api key and an auth key, which I am currently including as post values in the request. But I keep getting HTML back in my response instead of JSON data (which its supposed to be) giving me a 401 unauthorized error.
I've noticed often you need to make custom headers to authorize yourself in these cases (I'm guessing I need to use my auth key for that, in the header somehow).
This is my code:
$post = [
'apikey' => $apiKey,
'authkey' => $authKey,
'name' => $reknr,
'description' => $opgave,
'clientId' => $clientId,
'orderTypeId' => $typeId,
'contactAddressId' => $addressId,
'theirref' => $ref,
'reqno' => $reknr
];
// Set api link
$ch = curl_init('https://app.minuba.dk/api/1/Order');
// Set return value to true
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Configure header
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
'Authorization: Basic '.$authKey,
'Content-Type: application/json')
);
// Add post fields
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
// execute!
$response = curl_exec($ch);
// close the connection, release resources used
curl_close($ch);
The API docs doesn't say anything about how you authorize yourself when making post request, during get requests its fairly easy you just include the apikey and authkey as normal parameters and it works fine.
My question is, how do I know how to configure my header so the API authorizes me? The docs say nothing about it or offers any explanation as to how except mentioning you need both the apikey and authkey to gain access.
I admit my understand of the http headers are limited, but how do I know how to configure it for this particular api?
UPDATE:
Found out the header response gives me this line:
WWW-Authenticate: Basic realm="Minuba REST API"
This tells me that the method I'm using to authenticate should be correct right? So why am I still getting a 401?
I'm trying to build a spotify web player using the spotify web API.
I registered my Application on spotify and whitelist the callback URL.
Then the authorization process works fine. I receive the token for make others requests.
But when I try to make a simple currently-playing request,
https://developer.spotify.com/web-api/get-the-users-currently-playing-track/
I receive
Array ( [error] => Array ( [status] => 401 [message] => Permissions missing ) )
the PHP code is:
session_start();
$req = $_SESSION['token_type'] . " " . $_SESSION['token'];
$headers_after_token = array(
"Accept: */*",
"Authorization: " . $req);
$url="https://api.spotify.com/v1/me/player/currently-playing";
echo "<br>REQ-currently-playing: ".$req."<br>";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers_after_token);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = json_decode(curl_exec($ch), true);
curl_close($ch);
echo "<br><br>";
print_r($response);
the $_SESSION['token_type'] contains "Bearer" as mentioned in the API endpoint-reference
https://developer.spotify.com/web-api/endpoint-reference/
the $_SESSION['token'] contains the token retrieved after the authentication process.
Both are well formed thanks to the echo "<br>REQ-currently-playing: ".$req."<br>"; I can see that the 2 variables are set.
I'm using XAMPP v3.2.2 for deploy php pages.
To be able to fetch the current playing, you need to add the scope user-read-currently-playing and/or user-read-playback-state when you authorize a user.
With this kind of authorization, a user needs to agree what your app can do on their behalf. Some things are included by default, but some things (just like this) needs extra permissions from the user.
If you see in the documentation that it says that a function needs "this and that" scope, you need to add it to the authorization.
We are trying to post from PHP to a Facebook, we are using HybridAuth but the question is not related to it.
What works:
-posting to user profile, works fine,including when using picture and link
-posting to page works including image(but not with link)
What does not work
-posting to page when we set a link(the url is not the issue since it works posting it to user profile )
The error is a generic error, that is not helping at all,thank you Facebook developers for giving us the trouble of guessing what is wrong
{"error":{"message":"An unknown error has occurred.","type":"OAuthException","code":1}}
I also made a simple script using curl to test this without involving the HybridAuth code and I get same error
<?
$access_token = "xxxxxx";
$page_id="352300454896456";
$msg = "test message ".time();
$title = "test title";
$uri = "http://www.example.com";
$desc = "test description";
//$pic = "http://ploscariu.com/simion/programming/kudani/kudani.png";
$attachment = array(
'access_token' => $access_token,
'message' => $msg,
'name' => $title,
'link' => $uri,
'description' => $desc//,
//'picture'=>$pic,
//'actions' => json_encode(array('name' => $action_name,'link' => $action_link))
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://graph.facebook.com/'.$page_id.'/feed');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $attachment);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); //to suppress the curl output
$result = curl_exec($ch);
print_r($result);
curl_close($ch);
?>
My question is, what is special about this "link" parameter and page posting? do we need some undocumented permission ? or is just some graph API bug I am wondering if we need sme different token for posting links ,but usually permission issue get back a good error message
in the image is the debug tool results on the access_token I get from the HybridAuth call, I tested using a short access token I get using JS API and posting with that works, but short access token are not a solution
Is the information in the image, about the token that it never expires true? How can I get such a token using the http API and curl(no SDKs)
I found the issue, it was the access_token, I know it makes no sense that it worked without the link parameter but with the link parameter did not worked, but this is the truth. So you need to make sure you get the page access_token, you get that from me/accounts or with your SDK.
The conclusion is that the Facebook developers are doing a bad job, wrong error messages, and allowing to post with wrong token.
I have to implement the oAuth2 bearer access token method for a twitter feed. I followed correctly the details on the twitter developper website but i keep getting "Unable to verify your credentials twitter"...
If i copy my credentials over to my dev server (5.3.10 machine) i can actually login, get the token, retrieve the tweets, but on another client's server (5.2.17 machine) i can't get it to work with the exact same code.
Anything strikes you in the code below about the PHP differences? I believe it must have to be something to do with the file_get_content https stream wrapper options, but i can't find anything in the doc about it. (Openssl support is installed on the client server)
$twitter_bearer_access_token = get_option('twitter_bearer_access_token', null);
if($twitter_bearer_access_token == null)
{
//Request a bearer access token
$encodedAccessToken = base64_encode(TWITTER_CONSUMER_KEY.':'.TWITTER_CONSUMER_SECRET);
//Setup the stream context options and create the stream to POST to twitter
$options = array(
'http' => array(
'method' => 'POST',
'header' => 'Authorization: Basic '.$encodedAccessToken,
'content' => 'grant_type=client_credentials',
),
);
$context = stream_context_create($options);
$result = json_decode(#file_get_contents('https://api.twitter.com/oauth2/token', false, $context));
if(isset($result->token_type) && $result->token_type == 'bearer')
{
$twitter_bearer_access_token = $result->access_token;
update_option('twitter_bearer_access_token', $twitter_bearer_access_token);
}
else
{
$twitter_bearer_access_token = false;
}
}
Edit #1
I confirm in advance that all variables are the same on both servers, i've outputted and compared them. Only the file_get_contents return a different result.
Also, I tried copying the bearer access token gotten on the 5.3 server to the 5.2 server and the values still match but i keep getting errors about invalid authentication...
Edit #2
More info, it doesn't seem to have anything to do with the headers i send, i added practically all headers except the ones that don't pertain to me such as proxy header. It doesn't have anything to do with PHP being 5.2 or 5.3, tested on our staging server host and switch to 5.2 and still works...
Seems that using cURL works fine. Considering we want to limit our dependencies, we'll just have to resort to having two versions of the code (or eventually use a swapable component to retrieve the distant data)
//Init curl
$request = curl_init();
curl_setopt($request, CURLOPT_SSLVERSION, 3);
curl_setopt($request, CURLOPT_URL, 'https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name='.TWITTER_ACCOUNT.'&count=100');
curl_setopt($request, CURLOPT_HTTPHEADER, array('Authorization: Bearer '.$twitter_bearer_access_token));
curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
$result = json_decode($content = curl_exec($request));
curl_close($request);
Thats it folks
PS: There still isn't any reason for this to fail, this is just a fallback!