|
subspace
|
January 26, 2024 at 4:59 am
Hi, I am working on synching payments with our bank’s API. I have a server where I store all incoming payments with a variable symbol which represents TXN_ID. So far, I have been submiting payments through cUrl. I have used an URL which is the same as if you submit a form in „Apply payment“ modal.
The url looks like this:
https://www.subspacestudio.cz/wp-admin/admin.php?page=espresso_transactions&action=espresso_apply_payment&espresso_apply_payment_nonce=&txn_admin_payment%5BPAY_ID%5D=0&txn_admin_payment%5BTXN_ID%5D=$txnId&txn_admin_payment%5Btype%5D=1&txn_admin_payment%5Bdetails%5D=&txn_admin_delete_payment_form_url=https%3A%2F%2Fwww.subspacestudio.cz%2Fwp-admin%2Fadmin.php%3Fpage%3Despresso_transactions%26action%3Despresso_delete_payment&txn_admin_todays_date=2023-08-14+12%3A47+pm&txn_admin_payment%5Bdate%5D=2023-08-14+12%3A47+pm&txn_admin_payment%5Bamount%5D=$value&txn_admin_payment%5BPMD_ID%5D=$bankTypeID&txn_admin_payment%5Btxn_id_chq_nmbr%5D=&txn_admin_payment%5Bgateway_response%5D=&txn_admin_payment%5Bstatus%5D=PAP&txn_admin_payment%5Bpo_number%5D=&txn_admin_payment%5Baccounting%5D=13856-2412-1-9ec5&txn_admin_payment%5Bapply_to_all_registrations%5D=1&txn_reg_status_change%5Breg_status%5D=$regStatusChange&txn_payments%5Bsend_notifications%5D=1&txn_reg_status_change%5Bsend_notifications%5D=1
I am using authentication through cookie that I get prior the cUrl request and then I send it in header. This worked so far, but after updating EE plugins and WordPress to latest version, it requires Nonce. When I run the cUrl, I get back „Nonce fail“ error.
The reason I am doing it this way, is because it’s all in one request. What is crucial for me is:
$txnId, $regStatusChange, $value, $bankTypeID
Is there a way to perform this request without sending nonce? Or a way to send all of those properties though API?
Thank you.
My WordPress website info:
### wp-core ###
version: 6.4.2
### wp-active-theme ###
name: Custom theme – child (customthemechild)
version: 1
author: Luke
author_website: (undefined)
parent_theme: Twenty Sixteen (twentysixteen)
### wp-plugins-active (41) ###
Advanced Custom Fields PRO: version: 6.2.5, author: WP Engine, Automatické aktualizace zakázány
Advanced Database Cleaner: version: 3.1.4, author: Younes JFR., Automatické aktualizace zakázány
Advanced Editor Tools: version: 5.9.2, author: Automattic, Automatické aktualizace zakázány
BackWPup: version: 4.0.2, author: WP MEDIA SAS, Automatické aktualizace zakázány
Column Shortcodes: version: 1.0.1, author: Codepress, Automatické aktualizace zakázány
Contact Form 7: version: 5.8.6, author: Takayuki Miyoshi, Automatické aktualizace zakázány
Duplicator: version: 1.5.8, author: Duplicator, Automatické aktualizace zakázány
Enable Media Replace: version: 4.1.5, author: ShortPixel, Automatické aktualizace zakázány
Enhanced Media Library: version: 2.8.9, author: wpUXsolutions, Automatické aktualizace zakázány
Event Espresso: version: 5.0.15.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Admin Only Tickets: version: 0.1.0, author: Chase C. Miller, Automatické aktualizace zakázány
Event Espresso – Attendee Mover (EE4.9.13+): version: 1.0.7.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Calendar (EE 4.3+): version: 3.2.16.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Events Table View Template (EE 4.4.9+): version: 1.3.9.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Flexible Payment Method (EE 4.6+): version: 1.0.0.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Grid View Template (EE 4.4.9+): version: 1.2.4.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Payment Methods Pro (EE 4.9.32+): version: 1.0.2.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – People (EE 4.5+): version: 1.0.10.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Promotions (EE 4.9.10+): version: 1.0.16.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – Ticketing (EE 4+): version: 1.0.11.p, author: Event Espresso, Automatické aktualizace zakázány
Event Espresso – WordPress Users Integration (EE4.6+): version: 2.1.1.p, author: Event Espresso, Automatické aktualizace zakázány
Event esspresso customization: author: (undefined), version: (undefined), Automatické aktualizace zakázány
FooBox Image Lightbox: version: 2.7.27, author: FooPlugins, Automatické aktualizace zakázány
GA Google Analytics: version: 20231101, author: Jeff Starr, Automatické aktualizace zakázány
Google Language Translator: version: 6.0.20, author: Translate AI Multilingual Solutions, Automatické aktualizace zakázány
MailChimp User Sync: version: 1.7.7, author: ibericode, Automatické aktualizace zakázány
MC4WP: Mailchimp for WordPress: version: 4.9.11, author: ibericode, Automatické aktualizace zakázány
Members: version: 3.2.9, author: MemberPress, Automatické aktualizace zakázány
Photo Gallery: version: 1.8.20, author: Photo Gallery Team, Automatické aktualizace zakázány
Post SMTP: version: 2.8.11, author: Post SMTP, Automatické aktualizace zakázány
Query Monitor: version: 3.15.0, author: John Blackbourn, Automatické aktualizace zakázány
Random File Upload Names: version: 1.0.0, author: WPZA, Automatické aktualizace zakázány
Really Simple SSL: version: 7.2.1, author: Really Simple Plugins (latest version: 7.2.2), Automatické aktualizace zakázány
reCaptcha by BestWebSoft: version: 1.74, author: BestWebSoft, Automatické aktualizace zakázány
TablePress: version: 2.2.4, author: Tobias Bäthge, Automatické aktualizace zakázány
Under Construction: version: 3.97, author: WebFactory Ltd, Automatické aktualizace zakázány
Wordfence Security: version: 7.11.1, author: Wordfence, Automatické aktualizace zakázány
WP Crontrol: version: 1.16.1, author: John Blackbourn & crontributors, Automatické aktualizace zakázány
WP Fastest Cache: version: 1.2.3, author: Emre Vona, Automatické aktualizace zakázány
WP Login Form: version: 1.0.12, author: naa986, Automatické aktualizace zakázány
WP Migrate Lite: version: 2.6.9, author: WP Engine, Automatické aktualizace zakázány
### wp-server ###
server_architecture: Linux 5.4.0-122-generic x86_64
httpd_software: Apache
php_version: 8.0.27 64bit
php_sapi: fpm-fcgi
max_input_variables: 10000
time_limit: 90
memory_limit: 1024M
max_input_time: 30
upload_max_filesize: 512M
php_post_max_size: 512M
curl_version: 7.29.0 NSS/3.36
suhosin: false
imagick_availability: true
pretty_permalinks: true
htaccess_extra_rules: true
current: 2024-01-26T11:45:43+00:00
utc-time: Friday, 26-Jan-24 11:45:43 UTC
server-time: 2024-01-26T12:45:40+01:00
### wp-database ###
extension: mysqli
server_version: 10.3.32-MariaDB-log
client_version: mysqlnd 8.0.27
max_allowed_packet: 16777216
max_connections: 1000
|
|
Brent Christensen
|
February 1, 2024 at 4:48 pm
Hi subspace (Luke?),
I’m Event Espresso’s lead developer.
The nonce is essentially a one time use pass code that helps to verify that the incoming request is legitimate (nonce is short for “number used once“). This helps to prevent man in the middle attacks where someone intercepts a request and then tries to mess with your system by changing parameters around and resubmitting. Since they can’t reuse the previous nonce, and there would be no way for them to generate a new nonce for their request, it’s easy to identify their request as being invalid.
I can see that your cURL request already includes a parameter for the nonce
https://www.subspacestudio.cz/wp-admin/admin.php?page=espresso_transactions&action=espresso_apply_payment&espresso_apply_payment_nonce=&txn_admin_payment...
but it just doesn’t have a value;
You can easily add one by adding the following in your PHP code prior to sending your request (i’m assuming your requests are being sent from the same server your WP site is on):
$nonce = wp_create_nonce('espresso_apply_payment_nonce')
and then use its value for the espresso_apply_payment_nonce URL parameter.
IF however, your requests are not originating from the same server your WP site is on, then you will need to do things a little differently. You could try something like:
-
create a secret endpoint you can send your requests to instead of directly trying to hit the
espresso_apply_payment admin route, THEN create another request to hit the espresso_apply_payment admin route but add the nonce value (not ideal)
-
OR create a secret endpoint that simply generates a nonce value for
espresso_apply_payment_nonce and returns that to your other server so you can include it in your cURL request that submits the payment (also not ideal)
-
OR (this might be the best option) hook into the incoming requests really early on and try to detect your cURL requests. When you find one, generate the nonce and add it to the request paramters. You could use the
FHEE___EventEspresso_core_services_bootstrap_BootstrapRequestResponseObjects__buildRequestResponse__request filter from EventEspresso\core\services\bootstrap\BootstrapRequestResponseObjects::buildRequestResponse() which would allow you to add your nonce directly to our Request object.
Maybe something like:
add_filter(
'FHEE___EventEspresso_core_services_bootstrap_BootstrapRequestResponseObjects__buildRequestResponse__request',
function (Request $request, array $request_params, array $server_params) {
if (/* logic to detect your request params within $request_params and/or $server_params */ ) {
$request->setRequestParam(
'espresso_apply_payment_nonce',
wp_create_nonce('espresso_apply_payment_nonce')
);
}
return $request;
},
10,
3
);
then when that request hits the espresso_apply_payment admin route, it will have the appropriate nonce
please note that the above code snippets are just off the top of my head and have not been verified to work correctly. If you know how to make cURL requests though then you shouldn’t have any issues figuring things out from there.
As well, you’ll want to set up some kind of additional security if you are going to do any of the above so that your requests can not be highjacked by bad actors. This could include something like setting up private and public keys on the servers and using that to validate some kind of signature first before proceeding, or you could use JWTs to send your requests between servers, which would handle that for you (this would be my aproach). Bottom line is just don’t leave an open door on your system for others to use.
Let me know how it goes and please don’t hesitate to ask any follow up questions.
Good luck, Brent
|
