[PW-3178] New 3DS1 same site cookie policy fix (#852)

* Revert the previous fix

* Same site cookie changes

* Fix sonal cloud recommendation

* Add close element html

* rename to adyen_transparent_payment_redirect.xml

* Rename the layout, correct the redirect url to transparent url

* Update comments

* filter the 3ds1 post paramaters

* filter the 3ds1 post paramaters using php library

* Apply suggestions from code review
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

* Apply suggestions from code review
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

* Apply suggestions from code review
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

* Apply suggestions from code review
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

* Remove empty line

* Add session checker

* Use the Url instead of UrlInterface

* Remove unused fields, align code

* Add UrlInterface instead Url class

* Update Plugin/TransparentSessionChecker.php
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

* Update Plugin/TransparentSessionChecker.php
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>
Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

Block/Redirect/Redirect.php

@@ -474,11 +474,7 @@ class Redirect extends \Magento\Payment\Block\Form
      */
     public function getTermUrl()
     {
-        if ($termUrl = $this->getPayment()->getAdditionalInformation('termUrl')) {
-            return $termUrl;
-        }
-
-        throw new AdyenException("No termUrl is provided.");
+        return $this->getUrl('adyen/transparent/redirect', ['_secure' => $this->_getRequest()->isSecure()]);
     }
 
     /**

Block/Transparent/Redirect.php

+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+
+namespace Adyen\Payment\Block\Transparent;
+
+use Adyen\Service\Validator\DataArrayValidator;
+use Magento\Framework\View\Element\Template;
+
+class Redirect extends Template
+{
+    /**
+     * @var \Magento\Framework\UrlInterface
+     */
+    private $url;
+    /**
+     * @var \Adyen\Payment\Logger\AdyenLogger
+     */
+    protected $adyenLogger;
+    /**
+     * Redirect constructor.
+     * @param Template\Context $context
+     * @param \Magento\Framework\UrlInterface $url
+     * @param array $data
+     */
+    public function __construct(
+        Template\Context $context,
+        \Magento\Framework\UrlInterface $url,
+        \Adyen\Payment\Logger\AdyenLogger $adyenLogger,
+        array $data = []
+    ) {
+        $this->url = $url;
+        $this->adyenLogger = $adyenLogger;
+        parent::__construct($context, $data);
+    }
+
+    /**
+     * Returns url for redirect.
+     * @return string|null
+     */
+    public function getRedirectUrl()
+    {
+        return $this->url->getUrl("adyen/process/redirect"); //TODO this will be replaced by getOrigin() for PWA integrations
+    }
+
+    /**
+     * Returns params to be redirected.
+     * @return array
+     */
+    public function getPostParams()
+    {
+        $postParams = (array)$this->_request->getPostValue();
+        $allowedPostParams = array('MD', 'PaRes');
+        $postParams = DataArrayValidator::getArrayOnlyWithApprovedKeys($postParams, $allowedPostParams);
+        $this->adyenLogger->addAdyenDebug(
+            'Adyen 3DS1 PostParams forwarded to process redirect endpoint'
+        );
+        return $postParams;
+    }
+}

Controller/Process/Redirect.php

@@ -155,16 +155,10 @@ class Redirect extends \Magento\Framework\App\Action\Action
         if ($active && $success != true) {
             $this->_adyenLogger->addAdyenResult("3D secure is active");
 
-            // check if the GET request contains the required 3DS params
-            if ($this->getRequest()->getParam('PaRes') && $this->getRequest()->getParam('MD')) {
+            // check if  it is already processed
+            if ($this->getRequest()->isPost()) {
                 $this->_adyenLogger->addAdyenResult("Process 3D secure payment");
-                $requestMD = $this->getRequest()->getParam('MD');
-                $requestPaRes = $this->getRequest()->getParam('PaRes');
-
-                //Reset the payment's additional info to the new MD and PaRes
-                $order->getPayment()->setAdditionalInformation('md', $requestMD);
-                $order->getPayment()->setAdditionalInformation('paRequest', $requestPaRes);
-
+                $requestPaRes = $this->getRequest()->getPost('PaRes');
                 $order->getPayment()->setAdditionalInformation('paResponse', $requestPaRes);
 
                 try {
@@ -219,7 +213,6 @@ class Redirect extends \Magento\Framework\App\Action\Action
                             $this->_adyenLogger->error((string)$e->getMessage());
                         }
                     }
-
                     $this->_orderRepository->save($order);
 
                     $this->_redirect('checkout/onepage/success', ['_query' => ['utm_nooverride' => '1']]);
@@ -232,7 +225,7 @@ class Redirect extends \Magento\Framework\App\Action\Action
                     */
                     $order->addStatusHistoryComment(
                         __(
-                            '3D-secure validation was unsuccessful. This order will be cancelled when the related 
+                            '3D-secure validation was unsuccessful. This order will be cancelled when the related
                                 notification has been processed.'
                         )
                     )->save();
@@ -251,12 +244,12 @@ class Redirect extends \Magento\Framework\App\Action\Action
                 $this->_adyenLogger->addAdyenResult("Customer was redirected to bank for 3D-secure validation.");
                 $order->addStatusHistoryComment(
                     __(
-                        'Customer was redirected to bank for 3D-secure validation. Once the shopper authenticated, 
-                        the order status will be updated accordingly. 
-                        <br />Make sure that your notifications are being processed! 
-                        <br />If the order is stuck on this status, the shopper abandoned the session. 
-                        The payment can be seen as unsuccessful. 
-                        <br />The order can be automatically cancelled based on the OFFER_CLOSED notification. 
+                        'Customer was redirected to bank for 3D-secure validation. Once the shopper authenticated,
+                        the order status will be updated accordingly.
+                        <br />Make sure that your notifications are being processed!
+                        <br />If the order is stuck on this status, the shopper abandoned the session.
+                        The payment can be seen as unsuccessful.
+                        <br />The order can be automatically cancelled based on the OFFER_CLOSED notification.
                         Please contact Adyen Support to enable this.'
                     )
                 )->save();

Controller/Transparent/Redirect.php

+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+
+namespace Adyen\Payment\Controller\Transparent;
+use Magento\Framework\App\Action\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\View\Result\LayoutFactory;
+use Magento\Framework\App\Action\Context;
+
+class Redirect extends Action implements CsrfAwareActionInterface, HttpPostActionInterface
+{
+    /**
+     * @var \Adyen\Payment\Logger\AdyenLogger
+     */
+    protected $adyenLogger;
+
+    /**
+     * @var LayoutFactory
+     */
+    private $resultLayoutFactory;
+
+    /**
+     * Redirect constructor.
+     * @param \Adyen\Payment\Logger\AdyenLogger $_adyenLogger
+     * @param LayoutFactory $resultLayoutFactory
+     */
+    public function __construct(
+        Context $context,
+        \Adyen\Payment\Logger\AdyenLogger $adyenLogger,
+        LayoutFactory $resultLayoutFactory)
+    {
+        $this->adyenLogger = $adyenLogger;
+        $this->resultLayoutFactory = $resultLayoutFactory;
+        parent::__construct($context);
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
+    {
+        return null;
+    }
+
+    /**
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    public function execute()
+    {
+        $gatewayResponse = $this->getRequest()->getPostValue();
+        $this->adyenLogger->addAdyenDebug(
+            'Adyen 3DS1 redirect response'
+        );
+
+        $resultLayout = $this->resultLayoutFactory->create();
+        $resultLayout->getLayout()->getUpdate()->load(['adyen_transparent_redirect']);
+
+        return $resultLayout;
+    }
+}

Gateway/Validator/CheckoutResponseValidator.php

@@ -151,12 +151,10 @@ class CheckoutResponseValidator extends AbstractValidator
                     // If the redirect data is there then the payment is a card payment with 3d secure
                     if (
                         isset($response['redirect']['data']['PaReq']) &&
-                        isset($response['redirect']['data']['MD']) &&
-                        isset($response['redirect']['data']['TermUrl'])
+                        isset($response['redirect']['data']['MD'])
                     ) {
                         $paReq = null;
                         $md = null;
-                        $termUrl = null;
 
                         $payment->setAdditionalInformation('3dActive', true);
 
@@ -168,16 +166,11 @@ class CheckoutResponseValidator extends AbstractValidator
                             $md = $response['redirect']['data']['MD'];
                         }
 
-                        if (!empty($response['redirect']['data']['TermUrl'])) {
-                            $termUrl = $response['redirect']['data']['TermUrl'];
-                        }
-
-                        if ($paReq && $md && $termUrl && $redirectUrl && $paymentData && $redirectMethod) {
+                        if ($paReq && $md && $redirectUrl && $paymentData && $redirectMethod) {
                             $payment->setAdditionalInformation('redirectUrl', $redirectUrl);
                             $payment->setAdditionalInformation('redirectMethod', $redirectMethod);
                             $payment->setAdditionalInformation('paRequest', $paReq);
                             $payment->setAdditionalInformation('md', $md);
-                            $payment->setAdditionalInformation('termUrl', $termUrl);
                             $payment->setAdditionalInformation('paymentData', $paymentData);
                         } else {
                             $isValid = false;

Helper/Requests.php

@@ -360,6 +360,7 @@ class Requests extends AbstractHelper
     /**
      * @param array $request
      * @return array
+     * @deprecated
      */
     public function buildRedirectData($storeId, $request = [])
     {

Plugin/TransparentSessionChecker.php

+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+
+namespace Adyen\Payment\Plugin;
+use Magento\Framework\App\Request\Http;
+use Magento\Framework\Session\SessionStartChecker;
+
+
+class TransparentSessionChecker
+{
+    const TRANSPARENT_REDIRECT_PATH = 'adyen/transparent/redirect';
+
+    /**
+     * @var Http
+     */
+    private $request;
+
+    /**
+     * @param Http $request
+     */
+    public function __construct(
+        Http $request
+    ) {
+        $this->request = $request;
+    }
+
+    /**
+     * Prevents session starting while instantiating Adyen transparent redirect controller.
+     *
+     * @param SessionStartChecker $subject
+     * @param bool $result
+     * @return bool
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterCheck(SessionStartChecker $subject, bool $result): bool
+    {
+        if ($result === false) {
+            return false;
+        }
+
+        return strpos((string)$this->request->getPathInfo(), self::TRANSPARENT_REDIRECT_PATH) === false;
+    }
+}

etc/di.xml

@@ -560,7 +560,6 @@
                 <item name="transaction" xsi:type="string">Adyen\Payment\Gateway\Request\CcAuthorizationDataBuilder</item>
                 <item name="vault" xsi:type="string">Adyen\Payment\Gateway\Request\VaultDataBuilder</item>
                 <item name="threeds2" xsi:type="string">Adyen\Payment\Gateway\Request\ThreeDS2DataBuilder</item>
-                <item name="redirect" xsi:type="string">Adyen\Payment\Gateway\Request\RedirectDataBuilder</item>
             </argument>
         </arguments>
     </virtualType>
@@ -1036,7 +1035,9 @@
         <plugin name="GuestAdyenPaymentInformationResetOrderId" type="Adyen\Payment\Plugin\GuestPaymentInformationResetOrderId"
                 sortOrder="10"/>
     </type>
-
+    <type name="Magento\Framework\Session\SessionStartChecker">
+        <plugin name="AdyenTransparentSessionChecker" type="Adyen\Payment\Plugin\TransparentSessionChecker" sortOrder="10"/>
+    </type>
     <!--Notifications overview-->
     <type name="Magento\Framework\View\Element\UiComponent\DataProvider\CollectionFactory">
         <arguments>

view/frontend/layout/adyen_process_redirect.xml

@@ -24,6 +24,7 @@
 -->
 <layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/layout_generic.xsd">
     <container name="root">
-        <block class="Adyen\Payment\Block\Redirect\Redirect" name="adyen-redirect-form" template="redirect/redirect.phtml" cacheable="false"/>
+        <block class="Adyen\Payment\Block\Redirect\Redirect" name="adyen-redirect-form"
+               template="redirect/redirect.phtml" cacheable="false"/>
     </container>
-</layout>
\ No newline at end of file
+</layout>

view/frontend/layout/adyen_transparent_redirect.xml

+<?xml version="1.0"?>
+<!--
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+-->
+<layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/layout_generic.xsd">
+    <container name="root" label="Root">
+        <block class="Adyen\Payment\Block\Transparent\Redirect" name="adyen_transparent_redirect"
+               template="transparent/redirect.phtml" cacheable="false">
+        </block>
+    </container>
+</layout>

view/frontend/templates/redirect/redirect.phtml

@@ -20,7 +20,7 @@
  *
  * Author: Adyen <magento@adyen.com>
  */
-
+/** @var Adyen\Payment\Block\Redirect\Redirect $block */
 ?>
 
 <?php
@@ -49,4 +49,4 @@ if ($block->getRedirectMethod() == "GET") { ?>
     </form>
     </body>
     <?php
-} ?>
\ No newline at end of file
+} ?>

view/frontend/templates/transparent/redirect.phtml

+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+
+/** @var Adyen\Payment\Block\Transparent\Redirect $block */
+$params = $block->getPostParams();
+$redirectUrl = $block->getRedirectUrl();
+?>
+<!DOCTYPE html>
+<html lang="en" xml:lang="en">
+<head><title></title></head>
+<body onload="document.forms['proxy_form'].submit()">
+<form id="proxy_form" action="<?= $block->escapeUrl($redirectUrl) ?>"
+      method="POST" >
+    <?php foreach ($params as $name => $value):?>
+        <input value="<?= $block->escapeHtmlAttr($value) ?>" name="<?= $block->escapeHtmlAttr($name) ?>" type="hidden"/>
+    <?php endforeach?>
+</body>
+</html>