All talk but no code...

makes lulalala a bluff boy

Posts match “ activemerchant ” tag:

ActiveMerchant / offsite_payments gem needs to improve

| Comments

ActiveMerchant is a very useful library for connecting to payment gateways. However it is also quite dated, with many flaws, and lack of proper documentation in one part (offsite-payment). In my experience, I feel it can be improved in the following ways:

The name "integration" in confusing, and makes it diffcult to search online. The gem should be split into two, one for on-site payment (gateway/billing module), and one for off-site payment (integration/Billing::Integration module). This is because the two are very different ways of paying. It can be confusing when you search for solutions but it turns out to be not what you want. Seems Shopify is alreadying doing that, splitting the offsite-payment module into its own gem. Good move!

The semantic of common fields in form helper need to be defined. Otherwise implementors will choose different names for the same concept, greatly reducing the interchangeability between gateways. Some consistency issues should also be fixed. For example in Paypal we pass our order id as the "order" field, and Paypal notification will return that as item_id attribute. This mismatch is confusing.

The gross() currently does not specify a return type. Paypal returns a string. Base class says it should "the money amount we received in X.2 decimal". Though there is a amount() method for returning a money object, the gross() method should still specify the return type to avoid inconsistencies when switching gateways.

The base framework code should be separated from gateway implementations. Users usually just want two or three gateways out of the 50 implementations. Having a separate repository per gateway also makes it easier to document gateway specific changes and settings in separate readme files.

There should be a check() method in the notification. It acts as the central method to check if the notification is valid. Currently there are many which implemented the acknowledge() function. However not all providers provide an API to verify the notification. With the generalized check() method it can call acknowledge() if it is implemented.

Adding hooks for form helper would be helpful. Many gateways require post-processing such as adding a checksum field. A hook would allow the interface to automatically call these post-processing instead of the developer having to remember calling them in view.

歐付寶有 < 跟 & 就會認證失敗

| Comments

歐付寶有個機制檢查 POST 內容是否可信,先是把表單所有的資料串起來,然後以 url encode 以後,再用 MD5 跟一組共同秘密加密起來。要是你產生的值跟他伺服器產生的一樣,就算認證通過。

最近發現如果表單有值是 & 或是 < 的話,認證就會失敗。

因為之前也有發生括號符號我們有轉成 %28 但是他們那端沒有轉,導致認證失敗的錯誤。所以我自己也測試了兩種情況:把 & 轉成 %26 或是不轉。兩種情況都認證失敗。

所以就寫信問客服並附了以下的 form 當參考:

<input id="TradeDesc" name="TradeDesc" type="hidden" value="&lt;&amp;" />
<input id="CheckMacValue" name="CheckMacValue" type="hidden" value="4A573F3F559226072079E3758B3D8E1A" />

結果來回了幾封信確認後,客服給了我以下答覆:

<input id="TradeDesc" name="TradeDesc" type="hidden" value="&lt;&amp;" />
一般來說POST資料時不會post到html編碼
請勿使用html encode,
另外,TradeDesc 及 ItemName 請避免使用特殊符號等字元以及html tag 等符號
請您再試試
THX.

當下就有點怒的回信,因為 html 裡面把 & 都轉成 &amp; 是基本知識了,瀏覽器 POST 資料出去時應該會自動轉回 & ,金流端不會接收到 &amp; 這種 escape 字串。而沒有對 < 作 escape 的話,瀏覽器能不能運作都是問題呢。

API 文件並沒有標明不能特別限制特殊符號,經過測試其他特殊符號都可以使用。但是就只有 <& 不行。是說這兩個符號也沒有特殊到哪裡去,要是英文商店用個 & 字元也是很正常的吧。

所以就回了信,說明 &amp; 這 html encode 不會對你們公司 server 收到的資料有所影響,並附上我產生認證碼的每個步驟,希望對方工程師能發現是哪個步驟開始相異。

結果對方客服就給我一個跳針回應:

TradeDesc 及 ItemName 請避免使用特殊符號等字元
THX.

明明是可以解決的問題(只修改我方程式),但是卻直接用這種方式迴避。到底客服有沒有把我的提報轉給工程師呢,或者工程師因為什麼原因不想研究這個問題呢?我原本只是想改善開源的 active_merchant_allpay 串接介面,但是這樣的回應~還是不要熱臉貼冷屁股好了。