Guideline on PCI compliance

[pokemon007]

I'm trying BroadleafCommerce Authorize.net payment module and have a few questions:
1. Two phase payment
It looks like BroadleafCommerce's AuthorizeNetPaymentModule only support AuthorizeAndDebit single phase payment. The debit method (capture/settle fund) was not implemented. Based on authorize.net documentation at http://www.authorize.net/support/DirectPost_guide.pdf, two phase payment is supported by Direct Post. Is this due to resource constraint or technical limitation? Will two-phase be supported in the future?

2. Authorize.net Quick Start
I followed Authorize.net Quick Start steps at http://docs.broadleafcommerce.org/curre ... Start.html, implemented minimum a custom CheckoutController copied from the docs page as follows:

Code: Select all

@Controller
public class AuthorizeNetCheckoutController extends BroadleafAuthorizeNetController {

    //This method will build the dynamic form necessary to POST directly to Authorize.net
    @RequestMapping(value = "/checkout")
    public String checkout(HttpServletRequest request, HttpServletResponse response, Model model,
                           @ModelAttribute("shippingInfoForm") ShippingInfoForm shippingForm,
                           @ModelAttribute("billingInfoForm") BillingInfoForm billingForm) {
        return super.checkout(request, response, model);
    }

    //This is the URL that Authorize.net will call after receiving a Direct Post from a payment
    //This should match ${authorizenet.relay.response.url} in your properties file.
    @RequestMapping(value = "/process", method = RequestMethod.POST, produces = "text/html")
    public @ResponseBody String processAuthorizeNetAuthorizeAndDebit(HttpServletRequest request,     
            HttpServletResponse response, Model model, @ModelAttribute("shippingInfoForm") ShippingInfoForm shippingForm,
            @ModelAttribute("billingInfoForm") BillingInfoForm billingForm)
                    throws NoSuchAlgorithmException, UnsupportedEncodingException, PricingException, InvalidKeyException {
        return super.processAuthorizeNetAuthorizeAndDebit(request, response, model);
    }
}


I've also commented out the demo site's CheckoutController's /checkout method to avoid the ambiguity, but keep the other methods so cart's methods still work.

Code: Select all

@Controller
//@RequestMapping("/checkout")
public class CheckoutController extends BroadleafCheckoutController {

    /*
    * The Checkout page for Heat Clinic will have the shipping information pre-populated
    * with an address if the fulfillment group has an address and fulfillment option
    * associated with it. It also assumes that there is only one payment info of type
    * credit card on the order. If so, then the billing address will be pre-populated.
    */
    @RequestMapping("")
   public String checkout(HttpServletRequest request, HttpServletResponse response, Model model,
          @ModelAttribute("shippingInfoForm") ShippingInfoForm shippingForm,
           @ModelAttribute("billingInfoForm") BillingInfoForm billingForm) {
       
        prepopulateShippingAndBillingForms(CartState.getCart(), shippingForm, billingForm);
        return super.checkout(request, response, model);
   }
   
    @RequestMapping(value="/singleship", method = RequestMethod.GET)
    public String convertToSingleship(HttpServletRequest request, HttpServletResponse response, Model model) throws PricingException {
        return super.convertToSingleship(request, response, model);
    }

    @RequestMapping(value="/singleship", method = RequestMethod.POST)
    public String saveSingleShip(HttpServletRequest request, HttpServletResponse response, Model model,
            @ModelAttribute("billingInfoForm") BillingInfoForm billingForm,
            @ModelAttribute("shippingInfoForm") ShippingInfoForm shippingForm,
            BindingResult result) throws PricingException, ServiceException {
        return super.saveSingleShip(request, response, model, shippingForm, result);
    }
...
...
...


A few problem:
1) The checkout form was disabled due to lack of shipping info.
As in demo code, it calls prepopulateShippingAndBillingForms that gives user opportunity to enter shipping info.

Code: Select all

       prepopulateShippingAndBillingForms(CartState.getCart(), shippingForm, billingForm);
        return super.checkout(request, response, model);


The new controller doesn't have such method that causes "no shipping info" and the entire form was disabled. How is this supposed to work? I thought we would let user enter shipping info later down the line.

2) The payment page has a variable, authorizenet_server_url, that the super class is supposed to retrieve it from the merged properties, but it's blank.
I've configured all the properties files in demo/site project including common, local, development, staging, production.
common.properties:

Code: Select all

authorizenet.merchant.transaction.version=3.1


local.properties looks:

Code: Select all

authorizenet.api.login.id=Test Account API Key
authorizenet.transaction.key=Test Account Transaction Key
authorizenet.merchant.md5.key=md5 hash I entered
authorizenet.relay.response.url=http://localhost:8080/commerce/authorizenet/process
authorizenet.confirm.url=http://localhost:8080/commerce/confirmation
authorizenet.error.url=http://localhost:8080/commerce/authorizenet/error
authorizenet.server.url=https://test.authorize.net/gateway/transact.dll
authorizenet.x_test_request=FALSE


I know this won't work as localhost won't be publicly accessible, but the part within demo site and Broadleaf should work. Somehow it doesn't pick up the configuration.

Do I miss something? Please help!

Thank you!

-Charlie

[elbertbautista]

Here are some responses to your questions:

1. Yes, the individual implementations for authorize and debit is on our backlog. This is not a technical limitation. I can't really give you a timeline on when this will be implemented, but once we start it, It should be fast. There have just been a lot of other things ahead on the backlog. Just something to note, The AuthorizeNetCheckoutService only provides convenience methods for the single transaction authorizeAndDebit payment transaction. You will need to write your own methods if you would like to call authorize and debit in separate transactions and configure your Checkout Workflow to call the appropriate payment action.

2. Yes apologies, the tutorial was meant to be more general and not really an integration guide for the HeatClinic. So, if you're following the tutorial specifically for HeatClinic there may be some things that dont work right away. The "minimum" amount of code statement is stated because the "checkout flow" can be different for many people.

a) So, if you are integrating with the checkout flow as outlined in the Heat Clinic: Instead of creating your own AuthorizeNetCheckoutController, change the existing CheckoutController to extend BroadleafAuthorizeNetController instead of BroadleafCheckoutController. Once you do that you can keep all the methods necessary to populate shipping etc for that page. All you would need to override/add is the checkout() method and the processAuthorizeNetAuthorizeAndDebit() methods as you pasted below.

b) If you have your main checkout page be rendered by the checkout() method stated above. This method populates all the necessary information that is needed to generate the direct post form, including the authorize net server url. It looks from your post, that you're including it correctly in your properties file. You may want to double check that you are injecting it properly in your application contexts and that they are being picked up in your application.

[pokemon007]

Thank you for your quick response. I've updated the code with some minor corrections, and got it mostly working. The payment is accepted by Authorize, confirmation email received, and Authorize.net calls back to /checkout/process with

Code: Select all

x_response_code: 1,
x_ship_to_address: ,
x_CVV2: 123, x_state: WA,
x_response_reason_text: (TESTMODE) This transaction has been approved.


However, when BroadleafAuthorizeNetController's processAuthorizeNetAuthorizeAndDebit processes authorizeNetPaymentService.createResult always creates a result that is NOT AuthorizeNet result:

Code: Select all

reason code: RC_0_0
reason name: UNKNOWN
reason text: Unknown.

Do you know what's wrong?

Thank you!

-Charlie

[elbertbautista]

The times we've run into

Code: Select all

 result.isAuthorizeNet() == false

occurs when there's a discrepancy in the md5 hash we specify in our properties file

Code: Select all

authorizenet.merchant.md5.key=?

and what was set in the authorize.net merchant console. Double check your keys. You may need to come up with a new key, its hard to tell from their console what was previously set, or if it was set at all.

[pokemon007]

Thank you for your response. I thought it might be some key mismatch, too, when first time it didn't accept the payment. Then I've created a new transaction key, and new hash. The payment was accepted by Authorize.net, but when it comes back to our end, it still says not AuthorizeNet result. What I don't understand is that Authorize.net approves the payment. Authorize.net must have done hash check as well when it processes the payment. There seems something else wrong.

Thanks.

-Charlie

[pokemon007]

This starts working now!

Thank you very much!

-Charlie