#143 PayPal Security

I don't know what the Rails community would be without you, Ryan. Ughf, what a scary thought..

Amen to that. Thanks Ryan. Following you since the start.

Awesome mate... can't wait for the Merchant stuff and hopefully how to manage recurring payments?? please! maybe even automatic invoicing? awww gone to far!

It looks difficult,
anyway thanks,
and waiting for Merchant railscast!

I agree with guys above. I wouldn't have started programming in rails if it wasn't for your video casts and your help in forums.

This is really great Ryan. I am also waiting for Merchant railscasts as well.

Thanks you very much!

Thanks for this very helpful Railscast.

Anyone availing of a paypal subscription instead of a cart should make sure to have a hidden form 'cmd' field with value of '_s-xclick', and an encrypted 'cmd' field with value '_xclick-subscriptions'.

Othewise you'll face the dreaded "We cannot process this transaction because there is a problem with the PayPal email address supplied by the seller."

See this thread for help: http://www.pdncommunity.com/pdn/board/message?board.id=ewp&thread.id=1033

Steve Q

Ryan,

Thanks for the great series! It has really helped me to understand Paypal processing much better.

Following your screen cast this morning, I run into a Paypal error that reads "There was a problem with the decryption of your secure order. Please contact your merchant."

The form looks right and I followed your command line entries to the letter. Is there an OpenSSL dependency that's not included in Rails or a certain version requirement? Also, do you know of a way to further debug errors in Paypal?

Thanks again for your great screencasts!

Bryce

Dear Ryan, thanks a lot for your work it is really amazing.

I am still trying to digest all the information on this number.

The first question I have, maybe it is a very stupid question, is how I should management all this secret information on a project that suppose to be open-source?

The repository will be very uncompleted with all these file-keys, secrets, and private information.

The deployment will be not as simple as an a normal project.

Maybe it will be just as the database.yml .. I don't know maybe I just thinking on loud.

Thanks again for your job :)

f.

@Edgar
thanks to Ryan, soon they will know Rails better then we are
<B-)

If the PaymentNotification.create method shall be secure you rely on a ssl/https-connection, right? Or is there another secure way where I don't have the https-overhead for my webserver? Or did I missed something?

Ryan, thanks for this one. This is very useful, not only for Rails developers, because the Paypal transaction processes are walked through in detail!

has anyone else had problems with the Paypal Sandbox IPN? It never seems to work (reliably) for me. It seems like I get a ping from it about 20% of the time.

@Logansbro,

I haven't used Paypal, but I did create an app using Authorize.net a little bit ago to do reoccurring billing and I wouldn't be too surprised to find out the sandbox wasn't perfectly reliable since it is just for testing. Obviously when you are dealing with money you have to be careful, and that made me really nervous. I turned my app live and tested it over a period of time with my own credit cards (and reduced amounts) to make absolutely sure. It worked perfectly and the way I expected. The only thing I hate is the fact these places all seem to nickel and dime you to death, rather than telling you what the fees (all of them I mean) will really be up front. They aren't all that large, but every time I turned around there seemed to be another one.

Is it okay that paypal send back data using plain text? Shouldn't the return URL be https://mysite.com/payment_notification ?

Great screencast! Many thanks. I'm still at loss regarding the SSL/HTTPS IPN callback from Paypal. Can't figure out how to get it right. After all /payment_notification is plain unencrypted HTTP.. Help? Anybody? THx!

Nice!
But i have a big question, when paypal returns to the return_url (return to the store) comes with a big url with a lot of variables, how could i make that invisible???

i fix the issue with the return_url, to put the method on the side of paypal, just in the return_url add the field rm with value 2 and this will convert the form of return to the store xxxxx to method POST. if you put value 1 will be GET.

Hey - quick question about the SSL cert

I noticed that in this tutorial, the SSL cert is only valid for 365 days.

What happens after the 365? Does PayPal send a reminder or do transactions fail silently?

What's the longest period a certificate can be valid for?

Thanks

Awesome. I tried to figure this out several months back and hit a brick wall. Thanks!

Ryan, regarding app_config - plz have a look at http://github.com/eugenebolshakov/app_config/tree/master - very useful plugin :)

Ryan, as always, an extremely helpful railscast. A couple of small points.

The paypal public key is different for the sandbox than it is for the production site. So you need to download them separately and name them differently (if you are going to store both in the same folder). I then needed to add another entry to the app_config.yml file called paypal_cert_name and use it when loading the pem files.

Speaking of app_config. I found it helpful to add an "all" section at the top of the file, and modify the load_app_config.rb file to merge the "all" with the environment specific settings. (i.e APP_CONFIG = YAML.load(raw_config)["all"].symbolize_keys.merge(YAML.load(raw_config)[RAILS_ENV].symbolize_keys))
This allows me to have some settings which span all environments, and can be overwritten in any of them if needed.

Once again, thank you for your great contribution to improving life for rails developers.

Hello Ryan,

First, thanks for all the webcasts.

I am trying to implement paypal and I followed your previous webscast and it is working well.
Note that I did not do a link to paypal in the form but I integrated a
redirect_to(@order.paypal(r_url,not_url))
in my controller.
I was wondering if I needed to encrypt as the url was built in my controller?

Thanks

DES3 algorithm is not supported under jruby_openssl (v. 0.6) so I cannot use PayPal transactions...

Do you know if I can use a different cipher algorithm under jruby ?

Before considering PayPal, consider this:

http://blog.apparentsoft.com/business/124/is-paypal-good-for-your-microisv-business-a-short-paypal-horror-story/

I've just been having a play with PayPal and your RailsCasts are as usual extremely good and a massive help. Thankyou.

I would like to ask if it is feasable to use ActiveResource to communicate with sites like this? The new api's in PayPal X certainly seem quite happy to return nicely formatted XML.

If it is then it would be great to see a Railscast on this particularly as all the documentation deals with communicating with other Rails sites.

Hello,

First, thanks for posting this video it has helped me much.

However, I am stuck at the point where I can´t seem to get the APP_CONFIG[:paypal_secret] to get returned to the application and can´t figure out why.

I downloaded the source code and tested the app... but the problem remains.. I cant validate the transaction with the secret.

Hope you can help me.

Thanks.

Do you have any recommendations for how to mock the OpenSSL methods so that paypal_encrypted can be tested? They produce different output with repeated invocations with identical input.

On a whim I tried mocking Kernel.rand, Kernal#rand, and Time.now, but that didn't help. I suppose I could dive head first into the OpenSSL code but wanted to first check if you had any pointers on how todo this.

Thanks for the fantastic and helpful episode, as usual.

John

Dear Ryan,

many thanks for this very, very helpful episode(s).
There is only one problem left, I am struggling with:
While working in the sandbox, I seem to have the same problem as "ariel" in post 19 and 20.
When I hit the "return to the shop" button, I get the whole data from paypal in the browsers comman_line.
I have tried to set the variable rm yet to "1" (then it should be a get instead of a post request according to the paypal api). But I still see all the data in the browser being submitted.
Either, this is a Sandbox problem, or I am passing the variable rm in the wrong "place":
Should I pass this variable in the cart.rb (paypal_encrypted method) along with all the other parameters to paypal?
Or must this value ne passed as a parameter directly with the return_url in the checkout_form (similar to thme secret parameter)?
Or is there another mistake?
And: Should the values of the variable rm be passed as an integer or a "string"?
By the way: the return parameter is set, so this cannot be the problem...
Many thanks!

I have a security question which isn't rails specific but very relevant to this episode..

Why do I have to encrypt the data if I send it to a paypal secure https ? isn't the https take care of encrypting the data before sending the form?

Ryan I couldn't get to where I am today without your excellent work!
Thanks!

If anybody else has the "There was a problem with the decryption of your secure order" issue on PayPal, this fixed it for me:

https://www.x.com/message/161715#161715

From that post:
******************************
The 'cmd' parameter must be "_s-xclick" in the non-encrypted form, but it must also be included in the encrypted blob, as "_xclick" (or, presumably, any of the other values except "_s-xclick".)
Paypal appears to decrypt the form when it's told to handle the s-xclick, and then forwards the unencrypted details to a separate controller, which needs to know the cmd as well.

Hey Ryan,

First off, thanks so much for Railscasts- I don't know where I'd be without these!

Quick question- what is your take on the security of calling the PayPal url builder that you put in the cart model from a controller and just calling that action from the view to create the url, as opposed to sending the url directly to PayPal via hidden fields in a form?

I am trying to do the former, and it is working fine, and to the best of my knowledge, can't be viewed through a browser the way a hard-coded url can. I am still going to try and use encrypted data, but wanted to get your opinion on this method...

Thanks so much for all your hard work!

-Dan Rich

Any chance of getting this series updated for the Rails 3.x series of frameworks?

I'm having some difficulty translating the routes file in particular. Has anyone used this recently? How did you modify the current_cart line?

I'm trying to build a very simple store for a friend. He is selling one product - and it is a customizable product (different shapes, sizes, and art styles) - but really just one product. So - it didn't make sense for me to use one of the larger e-commerce packages.

It is also nice to know how to roll your own. :) I hope this is updated.

Ken

There's a small typo in asciicast,

<% form_tag .... %> should have = in it.
ie
<%= form_tag ... %>

Else the button doesn't appear.

Guys very important, the encyrpted payment settings were moved inside the paypal, This caused lots of confugion on our side.
So here it is

1.Register as Merchant
2.My Profile -> My selling tools -> Encrypted payment settings (at the very bottom).

I am using Rails 3.2 and I am getting the following error from Paypal's sandbox site:

We were unable to decrypt the certificate id.

I have tried re-generating certificates just in case. I have played around with the data in my shopping cart etc. I am not really sure how to debug this issue :(

Any help or insight would be greatly appreciated!

Three years later, and most of the information is still top notch. Thank you, Ryan.

I just finished a paypal integration for my website based on Ryan's guidelines.
This is to help out anybody who will be doing the same three years later after the initial screencast.
Two important comments were made here. Jim quoted the following:
* The 'cmd' parameter must be "_s-xclick" in the non-encrypted form, but it must also be included in the encrypted blob, as "_xclick"
Another point is that to let IPN pass through, you will need in the controller:
skip_before_filter :verify_authenticity_token, :only => [:create]
Finally, I chose to do a postback verification for IPN rather than the shared secret technique adopted by Ryan.
If you need help with this, just email me: danielsz @ sdf dot org.

Thanks Ryan! But in paypal IPN docs, it says you must have to return the exact messages (properly encoded) in response within 30 seconds. Otherwise, it will send it again (with the assumption that previous message was not delivered to the listener). I'm confused!

Thank you for you railscasts. I was trying to implement Paypal Payments Standard. There was some issues about that and i hope this would help someone like me.

In model i had to change the cmd: to '_xclick', while in view it still '_s-xlick'. I deleted the section with values.merge!, because it didn't work and i just added amount: and item_name: right to values hash like that:

values = { business: xxx@yy.com',
cmd: '_xclick',
amount: total_price,
item_name: "here is your description",
upload: 1,
:return => return_url,
invoice: id,
notify_url: notify_url,
:currency_code => 'USD',
cert_id: "xxxxxxxxxxxxx"
}

Note that you have to do something with invoice, because there will not be 2 transactions with the same invoice. Hope it helps!

As I've just started with rails, I want to share what worked for me. I'm using ruby 2.0 and rails 4.1, it's 2014 and amazingly, this tutorial is still valid!! with the EXCEPTION of:

1. <%= form_tag ... %> Tutorial code omitted the '='

2. In the /config/initializers/load_config.rb:
   APP_CONFIG = YAML.load_file("#{Rails.root}/config/config.yml")[Rails.env]

3. Use APP_CONFIG['paypal_secret']. Not APP_CONFIG[:paypal_secret]

Also, we're not able to test the paypal return parameters unless we put in on a server as paypal can't send back to localhost:3000

Hope this helps!

Hello,
in 2015, There are some new issues in your encrypted paypal button.

Since december 2014, Paypal security is using TLS and no longer SSL due to its recent vulnerabilities.

So what will be the new ruby Syntax and/or configuration for encrypting paypal form button in your function "encrypt_for_paypal(values)" ?

One doubt. My application before going to paypal first shows a form that takes some information from the user. Once this information is saved in the database, then I redirect to paypal site. So my controller uses this code

#code that  saves the cart in db
redirect_to @morder.paypal_url(store_url,hook_path,@cart.id)

So now i added encryption just as you said and would like to send the values, but I am getting an error.

#Same code as yours
values = encrypt_for_paypal(values)
    "https://www.sandbox.paypal.com/cgi-bin/webscr?" + values.to_query#Error displayed here says "wrong number of arguments"
  end

PAYPAL_CERT_PEM = File.read("#{Rails.root}/certs/paypal_cert.pem")
APP_CERT_PEM = File.read("#{Rails.root}/certs/app_cert.pem")
APP_KEY_PEM = File.read("#{Rails.root}/certs/app_key.pem")


  def encrypt_for_paypal(values)
    signed = OpenSSL::PKCS7::sign(OpenSSL::X509::Certificate.new(APP_CERT_PEM), OpenSSL::PKey::RSA.new(APP_KEY_PEM, ''), values.map { |k, v| "#{k}=#{v}" }.join("\n"), [], OpenSSL::PKCS7::BINARY)
    OpenSSL::PKCS7::encrypt([OpenSSL::X509::Certificate.new(PAYPAL_CERT_PEM)], signed.to_der, OpenSSL::Cipher::Cipher::new("DES3"), OpenSSL::PKCS7::BINARY).to_s.gsub("\n", "")
  end

The error is wrong number of arguments (0 for 1)

Thank you Ryan! After years this worked like a charm.

@VISHAL DEEPAK

A couple things I would suggest for you:

• For redirecting to Paypal, my application's user flow is similar to yours; however, I would suggest using a form to send a POST request to the Paypal url instead of GET as required by Paypal. You can use jquery to dynamically inject the form and submit and then remove it like so:

$('<form action="<%= encrypted_paypal_url %>" method="post" target="_blank"></form>').appendTo('body').submit().remove();

• You have an error because you're trying to parse a string to query (see my solution below)
• For your url you only returned encrypted values and not the additional fields indicating to Paypal that this is encrypted. Following my approach above, you can return the url like so (append this to the end of paypal_url):

encrypted = {
      :cmd => "_s-xclick",
      :encrypted => encrypt_for_paypal(values)
    }
    "https://www.sandbox.paypal.com/cgi-bin/webscr?" + encrypted.to_query

Thank you Ryan! After years this worked like a charm.

@VISHAL DEEPAK

A couple things I would suggest for you:

• For redirecting to Paypal, my application's user flow is similar to yours; however, I would suggest using a form to send a POST request to the Paypal url instead of get as required by Paypal. You can use jquery to dynamically inject the form and submit and then remove it like so:

$('<form action="<%= encrypted_paypal_url %>" method="post" target="_blank"></form>').appendTo('body').submit().remove();

• You have an error because you're trying to parse a string to query (see my solution below)
• For your url you only returned encrypted values and not the additional fields indicating to Paypal that this is encrypted. Following my approach above, you can return the url like so (append this to the end of paypal_url):

encrypted = {
      :cmd => "_s-xclick",
      :encrypted => encrypt_for_paypal(values)
    }
    "https://www.sandbox.paypal.com/cgi-bin/webscr?" + encrypted.to_query