Having issue with Security Token and Paypal...

Jaxel

Well-known member
I'm working on a donation module block for XenPorta... everything works fantastic so far... except one issue... After a user has send their donation in it gives them a summary "Your Donation is Complete" page, with an orange button for "Return to ----". When I click this button, it properly goes back to the return URL... but it gives a security error in the process...

Security error occurred. Please press back, refresh the page, and try again.
I've looked at XenForo's payment processor and I see nothing special that prevents this. This is what I have in my form...

Code:
<form action="{$option.payPalUrl}" method="post" class="upgradeForm">
    <input type="hidden" name="cmd" value="_donations" />
    <input type="hidden" name="return" value="{$requestPaths.fullBasePath}{xen:link portal/donation}" />
    <input type="hidden" name="cancel_return" value="{$requestPaths.fullBasePath}" />
    <input type="hidden" name="notify_url" value="{$xenOptions.boardUrl}/donation_callback.php" />
    <input type="hidden" name="custom" value="{$visitor.user_id},{$donation.id},token,{$visitor.csrf_token_page}" />
So how do I prevent this security error when returning from paypal?
 

Jake Bunce

XenForo moderator
Staff member
It's the return location (portal/donation) that is giving that error, right? Not the callback URL? Check your controller for that page. Are you requiring the token anywhere in your code? Are there any calls to _checkCsrfFromToken or _checkCsrf? Any references to _xfToken?
 

Jaxel

Well-known member
It's the return location (portal/donation) that is giving that error, right? Not the callback URL? Check your controller for that page. Are you requiring the token anywhere in your code? Are there any calls to _checkCsrfFromToken or _checkCsrf? Any references to _xfToken?
It doesn't have anything like that. The issue is that the return button from paypal is a POST button; and POST to XenForo requires a CSRF token. However, with the user upgrade system in XenForo, they bypass that requirement... how?
 

Jake Bunce

XenForo moderator
Staff member
It doesn't have anything like that. The issue is that the return button from paypal is a POST button; and POST to XenForo requires a CSRF token. However, with the user upgrade system in XenForo, they bypass that requirement... how?
I think I found it:

XenForo_ControllerPublic_Account::_checkCsrf

Code:
	/**
	 * Disable CSRF checking for the upgrade purchase callback method.
	 */
	protected function _checkCsrf($action)
	{
		if (strtolower($action) == 'upgradepurchase')
		{
			// may be coming from external payment gateway
			return;
		}

		parent::_checkCsrf($action);
	}
So you need to include your own _checkCsrf function in your controller.
 
Top