[PW-3178] New 3DS1 same site cookie policy fix (#852)

* Revert the previous fix * Same site cookie changes * Fix sonal cloud recommendation * Add close element html * rename to adyen_transparent_payment_redirect.xml * Rename the layout, correct the redirect url to transparent url * Update comments * filter the 3ds1 post paramaters * filter the 3ds1 post paramaters using php library * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Remove empty line * Add session checker * Use the Url instead of UrlInterface * Remove unused fields, align code * Add UrlInterface instead Url class * Update Plugin/TransparentSessionChecker.php Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Update Plugin/TransparentSessionChecker.php Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>

[PW-3178] New 3DS1 same site cookie policy fix (#852)
* Revert the previous fix * Same site cookie changes * Fix sonal cloud recommendation * Add close element html * rename to adyen_transparent_payment_redirect.xml * Rename the layout, correct the redirect url to transparent url * Update comments * filter the 3ds1 post paramaters * filter the 3ds1 post paramaters using php library * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Remove empty line * Add session checker * Use the Url instead of UrlInterface * Remove unused fields, align code * Add UrlInterface instead Url class * Update Plugin/TransparentSessionChecker.php Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> * Update Plugin/TransparentSessionChecker.php Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com> Co-authored-by: Attila Kiss <42297201+cyattilakiss@users.noreply.github.com>
bc352c19 · Alexandros Moraitis · GitHub · 6fadad65 · bc352c19 · bc352c19
Commit bc352c19 authored Oct 22, 2020 by Alexandros Moraitis Committed by GitHub Oct 22, 2020
12 changed files
--- a/Block/Redirect/Redirect.php
+++ b/Block/Redirect/Redirect.php
@@ -474,11 +474,7 @@ class Redirect extends \Magento\Payment\Block\Form
     */
    public function getTermUrl()
    {
-        if ($termUrl = $this->getPayment()->getAdditionalInformation('termUrl')) {
+        return $this->getUrl('adyen/transparent/redirect', ['_secure' => $this->_getRequest()->isSecure()]);
-            return $termUrl;
-        }
-        throw new AdyenException("No termUrl is provided.");
    }
    /**

--- a/Block/Transparent/Redirect.php
+++ b/Block/Transparent/Redirect.php
+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+namespace Adyen\Payment\Block\Transparent;
+use Adyen\Service\Validator\DataArrayValidator;
+use Magento\Framework\View\Element\Template;
+class Redirect extends Template
+{
+    /**
+     * @var \Magento\Framework\UrlInterface
+     */
+    private $url;
+    /**
+     * @var \Adyen\Payment\Logger\AdyenLogger
+     */
+    protected $adyenLogger;
+    /**
+     * Redirect constructor.
+     * @param Template\Context $context
+     * @param \Magento\Framework\UrlInterface $url
+     * @param array $data
+     */
+    public function __construct(
+        Template\Context $context,
+        \Magento\Framework\UrlInterface $url,
+        \Adyen\Payment\Logger\AdyenLogger $adyenLogger,
+        array $data = []
+    ) {
+        $this->url = $url;
+        $this->adyenLogger = $adyenLogger;
+        parent::__construct($context, $data);
+    }
+    /**
+     * Returns url for redirect.
+     * @return string|null
+     */
+    public function getRedirectUrl()
+    {
+        return $this->url->getUrl("adyen/process/redirect"); //TODO this will be replaced by getOrigin() for PWA integrations
+    }
+    /**
+     * Returns params to be redirected.
+     * @return array
+     */
+    public function getPostParams()
+    {
+        $postParams = (array)$this->_request->getPostValue();
+        $allowedPostParams = array('MD', 'PaRes');
+        $postParams = DataArrayValidator::getArrayOnlyWithApprovedKeys($postParams, $allowedPostParams);
+        $this->adyenLogger->addAdyenDebug(
+            'Adyen 3DS1 PostParams forwarded to process redirect endpoint'
+        );
+        return $postParams;
+    }
+}
--- a/Controller/Process/Redirect.php
+++ b/Controller/Process/Redirect.php
@@ -155,16 +155,10 @@ class Redirect extends \Magento\Framework\App\Action\Action
        if ($active && $success != true) {
            $this->_adyenLogger->addAdyenResult("3D secure is active");
-            // check if the GET request contains the required 3DS params
+            // check if  it is already processed
-            if ($this->getRequest()->getParam('PaRes') && $this->getRequest()->getParam('MD')) {
+            if ($this->getRequest()->isPost()) {
                $this->_adyenLogger->addAdyenResult("Process 3D secure payment");
-                $requestMD = $this->getRequest()->getParam('MD');
+                $requestPaRes = $this->getRequest()->getPost('PaRes');
-                $requestPaRes = $this->getRequest()->getParam('PaRes');
-                //Reset the payment's additional info to the new MD and PaRes
-                $order->getPayment()->setAdditionalInformation('md', $requestMD);
-                $order->getPayment()->setAdditionalInformation('paRequest', $requestPaRes);
                $order->getPayment()->setAdditionalInformation('paResponse', $requestPaRes);
                try {
@@ -219,7 +213,6 @@ class Redirect extends \Magento\Framework\App\Action\Action
                            $this->_adyenLogger->error((string)$e->getMessage());
                        }
                    }
                    $this->_orderRepository->save($order);
                    $this->_redirect('checkout/onepage/success', ['_query' => ['utm_nooverride' => '1']]);

--- a/Controller/Transparent/Redirect.php
+++ b/Controller/Transparent/Redirect.php
+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+namespace Adyen\Payment\Controller\Transparent;
+use Magento\Framework\App\Action\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\View\Result\LayoutFactory;
+use Magento\Framework\App\Action\Context;
+class Redirect extends Action implements CsrfAwareActionInterface, HttpPostActionInterface
+{
+    /**
+     * @var \Adyen\Payment\Logger\AdyenLogger
+     */
+    protected $adyenLogger;
+    /**
+     * @var LayoutFactory
+     */
+    private $resultLayoutFactory;
+    /**
+     * Redirect constructor.
+     * @param \Adyen\Payment\Logger\AdyenLogger $_adyenLogger
+     * @param LayoutFactory $resultLayoutFactory
+     */
+    public function __construct(
+        Context $context,
+        \Adyen\Payment\Logger\AdyenLogger $adyenLogger,
+        LayoutFactory $resultLayoutFactory)
+    {
+        $this->adyenLogger = $adyenLogger;
+        $this->resultLayoutFactory = $resultLayoutFactory;
+        parent::__construct($context);
+    }
+    /**
+     * @inheritdoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+    /**
+     * @inheritdoc
+     */
+    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
+    {
+        return null;
+    }
+    /**
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    public function execute()
+    {
+        $gatewayResponse = $this->getRequest()->getPostValue();
+        $this->adyenLogger->addAdyenDebug(
+            'Adyen 3DS1 redirect response'
+        );
+        $resultLayout = $this->resultLayoutFactory->create();
+        $resultLayout->getLayout()->getUpdate()->load(['adyen_transparent_redirect']);
+        return $resultLayout;
+    }
+}
--- a/Gateway/Validator/CheckoutResponseValidator.php
+++ b/Gateway/Validator/CheckoutResponseValidator.php
@@ -151,12 +151,10 @@ class CheckoutResponseValidator extends AbstractValidator
                    // If the redirect data is there then the payment is a card payment with 3d secure
                    if (
                        isset($response['redirect']['data']['PaReq']) &&
-                        isset($response['redirect']['data']['MD']) &&
+                        isset($response['redirect']['data']['MD'])
-                        isset($response['redirect']['data']['TermUrl'])
                    ) {
                        $paReq = null;
                        $md = null;
-                        $termUrl = null;
                        $payment->setAdditionalInformation('3dActive', true);
@@ -168,16 +166,11 @@ class CheckoutResponseValidator extends AbstractValidator
                            $md = $response['redirect']['data']['MD'];
                        }
-                        if (!empty($response['redirect']['data']['TermUrl'])) {
+                        if ($paReq && $md && $redirectUrl && $paymentData && $redirectMethod) {
-                            $termUrl = $response['redirect']['data']['TermUrl'];
-                        }
-                        if ($paReq && $md && $termUrl && $redirectUrl && $paymentData && $redirectMethod) {
                            $payment->setAdditionalInformation('redirectUrl', $redirectUrl);
                            $payment->setAdditionalInformation('redirectMethod', $redirectMethod);
                            $payment->setAdditionalInformation('paRequest', $paReq);
                            $payment->setAdditionalInformation('md', $md);
-                            $payment->setAdditionalInformation('termUrl', $termUrl);
                            $payment->setAdditionalInformation('paymentData', $paymentData);
                        } else {
                            $isValid = false;

--- a/Helper/Requests.php
+++ b/Helper/Requests.php
@@ -360,6 +360,7 @@ class Requests extends AbstractHelper
    /**
     * @param array $request
     * @return array
+     * @deprecated
     */
    public function buildRedirectData($storeId, $request = [])
    {

--- a/Plugin/TransparentSessionChecker.php
+++ b/Plugin/TransparentSessionChecker.php
+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+namespace Adyen\Payment\Plugin;
+use Magento\Framework\App\Request\Http;
+use Magento\Framework\Session\SessionStartChecker;
+class TransparentSessionChecker
+{
+    const TRANSPARENT_REDIRECT_PATH = 'adyen/transparent/redirect';
+    /**
+     * @var Http
+     */
+    private $request;
+    /**
+     * @param Http $request
+     */
+    public function __construct(
+        Http $request
+    ) {
+        $this->request = $request;
+    }
+    /**
+     * Prevents session starting while instantiating Adyen transparent redirect controller.
+     *
+     * @param SessionStartChecker $subject
+     * @param bool $result
+     * @return bool
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterCheck(SessionStartChecker $subject, bool $result): bool
+    {
+        if ($result === false) {
+            return false;
+        }
+        return strpos((string)$this->request->getPathInfo(), self::TRANSPARENT_REDIRECT_PATH) === false;
+    }
+}
--- a/etc/di.xml
+++ b/etc/di.xml
@@ -560,7 +560,6 @@
                <item name="transaction" xsi:type="string">Adyen\Payment\Gateway\Request\CcAuthorizationDataBuilder</item>
                <item name="vault" xsi:type="string">Adyen\Payment\Gateway\Request\VaultDataBuilder</item>
                <item name="threeds2" xsi:type="string">Adyen\Payment\Gateway\Request\ThreeDS2DataBuilder</item>
-                <item name="redirect" xsi:type="string">Adyen\Payment\Gateway\Request\RedirectDataBuilder</item>
            </argument>
        </arguments>
    </virtualType>
@@ -1036,7 +1035,9 @@
        <plugin name="GuestAdyenPaymentInformationResetOrderId" type="Adyen\Payment\Plugin\GuestPaymentInformationResetOrderId"
                sortOrder="10"/>
    </type>
+    <type name="Magento\Framework\Session\SessionStartChecker">
+        <plugin name="AdyenTransparentSessionChecker" type="Adyen\Payment\Plugin\TransparentSessionChecker" sortOrder="10"/>
+    </type>
    <!--Notifications overview-->
    <type name="Magento\Framework\View\Element\UiComponent\DataProvider\CollectionFactory">
        <arguments>

--- a/view/frontend/layout/adyen_process_redirect.xml
+++ b/view/frontend/layout/adyen_process_redirect.xml
@@ -24,6 +24,7 @@
 -->
 <layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/layout_generic.xsd">
    <container name="root">
-        <block class="Adyen\Payment\Block\Redirect\Redirect" name="adyen-redirect-form" template="redirect/redirect.phtml" cacheable="false"/>
+        <block class="Adyen\Payment\Block\Redirect\Redirect" name="adyen-redirect-form"
+               template="redirect/redirect.phtml" cacheable="false"/>
    </container>
 </layout>
--- a/view/frontend/layout/adyen_transparent_redirect.xml
+++ b/view/frontend/layout/adyen_transparent_redirect.xml
+<?xml version="1.0"?>
+<!--
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+-->
+<layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/layout_generic.xsd">
+    <container name="root" label="Root">
+        <block class="Adyen\Payment\Block\Transparent\Redirect" name="adyen_transparent_redirect"
+               template="transparent/redirect.phtml" cacheable="false">
+        </block>
+    </container>
+</layout>
--- a/view/frontend/templates/redirect/redirect.phtml
+++ b/view/frontend/templates/redirect/redirect.phtml
@@ -20,7 +20,7 @@
 *
 * Author: Adyen <magento@adyen.com>
 */
+/** @var Adyen\Payment\Block\Redirect\Redirect $block */
 ?>
 <?php

--- a/view/frontend/templates/transparent/redirect.phtml
+++ b/view/frontend/templates/transparent/redirect.phtml
+<?php
+/**
+ *                       ######
+ *                       ######
+ * ############    ####( ######  #####. ######  ############   ############
+ * #############  #####( ######  #####. ######  #############  #############
+ *        ######  #####( ######  #####. ######  #####  ######  #####  ######
+ * ###### ######  #####( ######  #####. ######  #####  #####   #####  ######
+ * ###### ######  #####( ######  #####. ######  #####          #####  ######
+ * #############  #############  #############  #############  #####  ######
+ *  ############   ############  #############   ############  #####  ######
+ *                                      ######
+ *                               #############
+ *                               ############
+ *
+ * Adyen Payment module (https://www.adyen.com/)
+ *
+ * Copyright (c) 2020 Adyen BV (https://www.adyen.com/)
+ * See LICENSE.txt for license details.
+ *
+ * Author: Adyen <magento@adyen.com>
+ */
+/** @var Adyen\Payment\Block\Transparent\Redirect $block */
+$params = $block->getPostParams();
+$redirectUrl = $block->getRedirectUrl();
+?>
+<!DOCTYPE html>
+<html lang="en" xml:lang="en">
+<head><title></title></head>
+<body onload="document.forms['proxy_form'].submit()">
+<form id="proxy_form" action="<?= $block->escapeUrl($redirectUrl) ?>"
+      method="POST" >
+    <?php foreach ($params as $name => $value):?>
+        <input value="<?= $block->escapeHtmlAttr($value) ?>" name="<?= $block->escapeHtmlAttr($name) ?>" type="hidden"/>
+    <?php endforeach?>
+</body>
+</html>