
Having issue with Security Token and Paypal...

Jaxel

Well-known member
#1
I'm working on a donation module block for XenPorta... everything works fantastic so far... except one issue... After a user has sent their donation in, it gives them a summary "Your Donation is Complete" page, with an orange button for "Return to ----". When I click this button, it properly goes back to the return URL... but it gives a security error in the process...

Security error occurred. Please press back, refresh the page, and try again.
I've looked at XenForo's payment processor and I see nothing special that prevents this. This is what I have in my form...

Code:
<form action="{$option.payPalUrl}" method="post" class="upgradeForm">
    <input type="hidden" name="cmd" value="_donations" />
    <input type="hidden" name="return" value="{$requestPaths.fullBasePath}{xen:link portal/donation}" />
    <input type="hidden" name="cancel_return" value="{$requestPaths.fullBasePath}" />
    <input type="hidden" name="notify_url" value="{$xenOptions.boardUrl}/donation_callback.php" />
    <input type="hidden" name="custom" value="{$visitor.user_id},{$donation.id},token,{$visitor.csrf_token_page}" />
    <input type="submit" value="Donate" />
</form>
So how do I prevent this security error when returning from paypal?
 

Jake Bunce

XenForo moderator
Staff member
#2
It's the return location (portal/donation) that is giving that error, right? Not the callback URL? Check your controller for that page. Are you requiring the token anywhere in your code? Are there any calls to _checkCsrfFromToken or _checkCsrf? Any references to _xfToken?
 

Jaxel

Well-known member
#3
> It's the return location (portal/donation) that is giving that error, right? Not the callback URL? Check your controller for that page. Are you requiring the token anywhere in your code? Are there any calls to _checkCsrfFromToken or _checkCsrf? Any references to _xfToken?
It doesn't have anything like that. The issue is that the return button from PayPal is a POST button; and POST to XenForo requires a CSRF token. However, with the user upgrade system in XenForo, they bypass that requirement... how?
 

Jake Bunce

XenForo moderator
Staff member
#4
> It doesn't have anything like that. The issue is that the return button from PayPal is a POST button; and POST to XenForo requires a CSRF token. However, with the user upgrade system in XenForo, they bypass that requirement... how?
I think I found it:

XenForo_ControllerPublic_Account::_checkCsrf

Code:
	/**
	 * Disable CSRF checking for the upgrade purchase callback method.
	 */
	protected function _checkCsrf($action)
	{
		if (strtolower($action) == 'upgradepurchase')
		{
			// may be coming from external payment gateway
			return;
		}

		parent::_checkCsrf($action);
	}
So you need to include your own _checkCsrf function in your controller.
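As an added example (not code from the thread or from XenPorta), here is what such a controller override looks like when it follows the same pattern as XenForo_ControllerPublic_Account: the CSRF exemption is limited to the single PayPal return action, and that action stays read-only because anyone can POST to it once the token check is gone. The class, action, view and template names are assumptions for illustration.

```php
<?php
// Added example: a XenPorta-style controller that exempts only the PayPal
// return action from CSRF checking, mirroring what XenForo does for
// 'upgradepurchase'. Class/action/template names are assumed, not real.
class XenPorta_ControllerPublic_Donation extends XenForo_ControllerPublic_Abstract
{
    /**
     * PayPal's "Return to ..." button POSTs back to the return URL without a
     * XenForo _xfToken, so the inherited CSRF check fails. Skip it only for
     * that one action; every other action in this controller keeps the check.
     */
    protected function _checkCsrf($action)
    {
        if (strtolower($action) == 'donation')
        {
            // may be coming from external payment gateway (PayPal return URL)
            return;
        }

        parent::_checkCsrf($action);
    }

    /**
     * Return landing page. Because CSRF is not enforced for this action it
     * must not change any state: it only renders a summary. The donation
     * itself is recorded by the separate notify_url (IPN) handler, which
     * verifies the notification with PayPal before trusting its contents.
     */
    public function actionDonation()
    {
        $visitor = XenForo_Visitor::getInstance();

        $viewParams = array(
            'userId' => $visitor['user_id'],
        );

        return $this->responseView(
            'XenPorta_ViewPublic_Donation',     // assumed view class name
            'xenporta_donation_complete',       // assumed template name
            $viewParams
        );
    }
}
```

Keeping the exemption to one action, and keeping that action free of writes, is what stops the missing token from becoming a CSRF hole elsewhere in the controller.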