Improving the endpoint validations (#1200)

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/__tests__/paypalExpress.test.js

@@ -28,10 +28,9 @@ describe('paypal express', () => {
     global.$.spinner = jest.fn(() => {return {
       start: start
     }})
-    global.fetch = jest.fn().mockResolvedValueOnce({
-      ok: true,
-      json: jest.fn(() => {return {action: {}}})
-    })
+    global.$.ajax = jest.fn().mockImplementation(({ success }) => {
+		success({ action : {}})
+    });
     const component = {
       handleError: jest.fn(),
       handleAction: jest.fn()
@@ -46,10 +45,9 @@ describe('paypal express', () => {
     global.$.spinner = jest.fn(() => {return {
       start: start
     }})
-    global.fetch = jest.fn().mockResolvedValueOnce({
-      ok: true,
-      json: jest.fn(() => {return {}})
-    })
+    global.$.ajax = jest.fn().mockImplementation(({ success }) => {
+		success({})
+    });
     const component = {
       handleError: jest.fn(),
       handleAction: jest.fn()

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenAccount.js

@@ -33,11 +33,16 @@ function handleAction(action) {
 
 // confirm onAdditionalDetails event and paymentsDetails response
 store.checkoutConfiguration.onAdditionalDetails = (state) => {
+  const requestData = JSON.stringify({
+    data: state.data,
+  });
   $.ajax({
     type: 'POST',
-    url: 'Adyen-PaymentsDetails',
-    data: JSON.stringify({ data: state.data }),
-    contentType: 'application/json; charset=utf-8',
+    url: window.paymentsDetailsURL,
+    data: {
+      csrf_token: $('#adyen-token').val(),
+      data: requestData,
+    },
     async: false,
     success(data) {
       if (data.isSuccessful) {

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenGiving.js

@@ -10,6 +10,7 @@ function handleOnDonate(state, component) {
     amountCurrency: selectedAmount.currency,
     orderNo: window.orderNo,
     orderToken: window.orderToken,
+    csrf_token: $('#adyen-token').val(),
   };
 
   $.ajax({

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/checkoutConfiguration.js

@@ -181,11 +181,14 @@ function getGiftCardConfig() {
       store.updateSelectedPayment(constants.GIFTCARD, 'stateData', state.data);
     },
     onBalanceCheck: (resolve, reject, requestData) => {
+      const payload = {
+        csrf_token: $('#adyen-token').val(),
+        data: JSON.stringify(requestData),
+      };
       $.ajax({
         type: 'POST',
         url: window.checkBalanceUrl,
-        data: JSON.stringify(requestData),
-        contentType: 'application/json; charset=utf-8',
+        data: payload,
         async: false,
         success: (data) => {
           giftcardBalance = data.balance;
@@ -248,8 +251,10 @@ function getGiftCardConfig() {
         $.ajax({
           type: 'POST',
           url: window.partialPaymentsOrderUrl,
-          data: JSON.stringify(requestData),
-          contentType: 'application/json; charset=utf-8',
+          data: {
+            csrf_token: $('#adyen-token').val(),
+            data: JSON.stringify(requestData),
+          },
           async: false,
           success: (data) => {
             if (data.resultCode === 'Success') {
@@ -293,14 +298,17 @@ const actionHandler = async (action) => {
 };
 
 function handleOnAdditionalDetails(state) {
+  const requestData = JSON.stringify({
+    data: state.data,
+    orderToken: window.orderToken,
+  });
   $.ajax({
     type: 'POST',
     url: window.paymentsDetailsURL,
-    data: JSON.stringify({
-      data: state.data,
-      orderToken: window.orderToken,
-    }),
-    contentType: 'application/json; charset=utf-8',
+    data: {
+      csrf_token: $('#adyen-token').val(),
+      data: requestData,
+    },
     async: false,
     success(data) {
       if (!data.isFinal && typeof data.action === 'object') {

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/helpers.js

@@ -33,6 +33,7 @@ function paymentFromComponent(data, component = {}) {
     url: window.paymentFromComponentURL,
     type: 'post',
     data: {
+      csrf_token: $('#adyen-token').val(),
       data: JSON.stringify(requestData),
       paymentMethod: document.querySelector('#adyenPaymentMethodName').value,
     },

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/makePartialPayment.js

@@ -7,8 +7,10 @@ function makePartialPayment(requestData) {
     $.ajax({
       url: window.partialPaymentUrl,
       type: 'POST',
-      data: JSON.stringify(requestData),
-      contentType: 'application/json; charset=utf-8',
+      data: {
+        csrf_token: $('#adyen-token').val(),
+        data: JSON.stringify(requestData),
+      },
     })
       .done((response) => {
         if (response.error) {

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/renderGiftcardComponent.js

@@ -56,8 +56,10 @@ function removeGiftCards() {
     $.ajax({
       type: 'POST',
       url: window.cancelPartialPaymentOrderUrl,
-      data: JSON.stringify(card),
-      contentType: 'application/json; charset=utf-8',
+      data: {
+        csrf_token: $('#adyen-token').val(),
+        data: JSON.stringify(card),
+      },
       async: false,
       success(res) {
         const adyenPartialPaymentsOrder = document.querySelector(

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayCheckout.js

@@ -42,6 +42,7 @@ function paymentFromComponent(data, component) {
     url: window.paymentFromComponentURL,
     type: 'post',
     data: {
+      csrf_token: $('#adyen-token').val(),
       data: JSON.stringify(requestData),
       paymentMethod: 'amazonpay',
       merchantReference: document.querySelector('#merchantReference').value,
@@ -80,14 +81,17 @@ async function mountAmazonPayComponent() {
     },
     onAdditionalDetails: (state) => {
       state.data.paymentMethod = 'amazonpay';
+      const requestData = JSON.stringify({
+        data: state.data,
+        orderToken: window.orderToken,
+      });
       $.ajax({
         type: 'post',
         url: window.paymentsDetailsURL,
-        data: JSON.stringify({
-          data: state.data,
-          orderToken: window.orderToken,
-        }),
-        contentType: 'application/json; charset=utf-8',
+        data: {
+          csrf_token: $('#adyen-token').val(),
+          data: requestData,
+        },
         success(data) {
           if (data.isSuccessful) {
             handleAuthorised(data);

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayExpressPart2.js

@@ -5,6 +5,7 @@ function saveShopperDetails(details) {
     url: window.saveShopperDetailsURL,
     type: 'post',
     data: {
+      csrf_token: $('#adyen-token').val(),
       shopperDetails: JSON.stringify(details),
       paymentMethod: 'amazonpay',
     },

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/applePayExpress.js

@@ -90,6 +90,7 @@ function callPaymentFromComponent(data, resolveApplePay, rejectApplePay) {
     url: window.paymentFromComponentURL,
     type: 'post',
     data: {
+      csrf_token: $('#adyen-token').val(),
       data: JSON.stringify(data),
       paymentMethod: APPLE_PAY,
     },

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/checkoutReviewButtons.js

@@ -6,11 +6,16 @@ const helpers = require('./adyen_checkout/helpers');
  * @return {undefined}
  */
 function makeExpressPaymentDetailsCall(data) {
+  const csrfToken = document.querySelector(
+    '#showConfirmationForm input[id="adyen-token"]',
+  ).value;
   $.ajax({
     type: 'POST',
     url: window.makeExpressPaymentDetailsCall,
-    data: JSON.stringify({ data }),
-    contentType: 'application/json; charset=utf-8',
+    data: {
+      csrf_token: csrfToken,
+      data: JSON.stringify({ data }),
+    },
     async: false,
     success(response) {
       helpers.setOrderFormData(response);

src/cartridges/app_adyen_SFRA/cartridge/client/default/js/paypalExpress.js

@@ -9,19 +9,26 @@ const { PAYPAL } = require('./constants');
 async function callPaymentFromComponent(data, component) {
   try {
     $.spinner().start();
-    const response = await fetch(window.makeExpressPaymentsCall, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
+
+    $.ajax({
+      type: 'POST',
+      url: window.makeExpressPaymentsCall,
+      data: {
+        csrf_token: $('#adyen-token').val(),
+        data: JSON.stringify(data),
+      }, // Send the data as a JSON string
+      success(response) {
+        const { action, errorMessage = '' } = response;
+        if (action) {
+          component.handleAction(action);
+        } else {
+          throw new Error(errorMessage);
+        }
+      },
+      error() {
+        component.handleError();
       },
-      body: JSON.stringify(data),
     });
-    const { action, errorMessage = '' } = await response.json();
-    if (response.ok && action) {
-      component.handleAction(action);
-    } else {
-      throw new Error(errorMessage);
-    }
   } catch (e) {
     component.handleError();
   }
@@ -33,6 +40,7 @@ async function saveShopperDetails(details, actions) {
     type: 'post',
     data: {
       shopperDetails: JSON.stringify(details),
+      csrf_token: $('#adyen-token').val(),
     },
     success() {
       actions.resolve();
@@ -55,15 +63,24 @@ function redirectToReviewPage(data) {
       value: JSON.stringify(data),
     });
 
+  $('<input>')
+    .appendTo(redirect)
+    .attr({
+      name: 'csrf_token',
+      value: $('#adyen-token').val(),
+    });
+
   redirect.submit();
 }
 
 function makeExpressPaymentDetailsCall(data) {
   return $.ajax({
     type: 'POST',
     url: window.makeExpressPaymentDetailsCall,
-    data: JSON.stringify({ data }),
-    contentType: 'application/json; charset=utf-8',
+    data: {
+      csrf_token: $('#adyen-token').val(),
+      data: JSON.stringify({ data }),
+    },
     async: false,
     success(response) {
       helpers.createShowConfirmationForm(window.showConfirmationAction);

src/cartridges/app_adyen_SFRA/cartridge/templates/default/account/payment/paymentForm.isml

@@ -17,6 +17,7 @@
                 environment: '${pdict.adyen.environment}'
             };
             window.redirectUrl = "${URLUtils.url('PaymentInstruments-List')}";
+            window.paymentsDetailsURL = "${URLUtils.https('Adyen-PaymentsDetails')}";
         </script>
         <form
             action="${URLUtils.url('PaymentInstruments-SavePayment', 'UUID', pdict.UUID)}"
@@ -64,4 +65,5 @@
     </isif>
 </div>
 <isinclude template="adyenActionModal" />
+<input type="hidden" id="adyen-token" name="${pdict.csrf.tokenName}" value="${pdict.csrf.token}"/>
 <iscomment> ### Custom Adyen cartridge end ### </iscomment>

src/cartridges/app_adyen_SFRA/cartridge/templates/default/adyen/checkoutReviewButtons.isml

@@ -17,6 +17,7 @@
         <input type="hidden" id="merchantReference" name="merchantReference"/>
         <input type="hidden" id="orderToken" name="orderToken"/>
         <input type="hidden" id="result" name="result" value="null"/>
+        <input type="hidden" id="adyen-token" name="${dw.web.CSRFProtection.getTokenName()}" value="${dw.web.CSRFProtection.generateToken()}"/>
       </form>
     </div>
   </div>

src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutButtons.isml

@@ -100,3 +100,4 @@
         </isif>
     </iselse>
 </isif>
+<input type="hidden" id="adyen-token" name="${pdict.csrf.tokenName}" value="${pdict.csrf.token}"/>

src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutReview.isml

@@ -1,4 +1,5 @@
 <isset name="AdyenConfigs" value="${require('*/cartridge/adyen/utils/adyenConfigs')}" scope="pdict"/>
+<input type="hidden" id="adyen-token" name="${pdict.csrf.tokenName}" value="${pdict.csrf.token}"/>
 <isdecorate template="common/layout/checkout">
     <isscript>
         var assets = require('*/cartridge/scripts/assets.js');

src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenComponentForm.isml

@@ -129,3 +129,4 @@
 
 </iselse>
 </isif>
+<input type="hidden" id="adyen-token" name="${pdict.csrf.tokenName}" value="${pdict.csrf.token}"/>

src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenGivingComponent.isml

@@ -2,6 +2,7 @@
     <isset name="AdyenHelper" value="${require('*/cartridge/adyen/utils/adyenHelper')}" scope="pdict"/>
     <link rel="stylesheet" type="text/css" href="${pdict.AdyenHelper.getCheckoutCSS()}"/>
     <script src="${pdict.AdyenHelper.getCheckoutUrl()}" type="text/javascript"></script>
+    <input type="hidden" id="adyen-token" name="${pdict.csrf.tokenName}" value="${pdict.csrf.token}"/>
     <isscript>
         var assets = require('*/cartridge/scripts/assets.js');
         assets.addJs('/js/adyenGiving.js');

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentDetailsCall.test.js

@@ -13,7 +13,7 @@ const makeExpressPaymentDetailsCall = require('../makeExpressPaymentDetailsCall'
 beforeEach(() => {
   jest.clearAllMocks();
   req = {
-    body: JSON.stringify({data: {}})
+    form: {data: JSON.stringify({data: {}})}
   };
 
   res = {

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentsCall.test.js

@@ -11,7 +11,7 @@ const makeExpressPaymentsCall = require('../makeExpressPaymentsCall');
 beforeEach(() => {
   jest.clearAllMocks();
   req = {
-  body: JSON.stringify({})
+  form: {data: JSON.stringify({})}
   };
 
   res = {

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentDetailsCall.js

@@ -27,7 +27,7 @@ function setPaymentInstrumentFields(paymentInstrument, response) {
  */
 function makeExpressPaymentDetailsCall(req, res, next) {
   try {
-    const request = JSON.parse(req.body);
+    const request = JSON.parse(req.form.data);
     const currentBasket = BasketMgr.getCurrentBasket();
 
     const response = adyenCheckout.doPaymentsDetailsCall(request.data);

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentsCall.js

@@ -23,7 +23,7 @@ function makeExpressPaymentsCall(req, res, next) {
         paymentInstrument.paymentMethod,
       );
       paymentInstrument.paymentTransaction.paymentProcessor = paymentProcessor;
-      paymentInstrument.custom.adyenPaymentData = req.body;
+      paymentInstrument.custom.adyenPaymentData = req.form.data;
     });
     // Creates order number to be utilized for PayPal express
     const paypalExpressOrderNo = OrderMgr.createOrderNo();

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/cancelPartialPaymentOrder.js

@@ -12,7 +12,7 @@ const clearForms = require('*/cartridge/adyen/utils/clearForms');
 function cancelPartialPaymentOrder(req, res, next) {
   try {
     const currentBasket = BasketMgr.getCurrentBasket();
-    const request = JSON.parse(req.body);
+    const request = JSON.parse(req.form.data);
     const { partialPaymentsOrder } = request;
 
     const cancelOrderRequest = {

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/checkBalance.js

@@ -52,7 +52,7 @@ function callCheckBalance(req, res, next) {
       ? giftCardsAdded[giftCardsAdded.length - 1].remainingAmount
       : orderAmount;
 
-    const request = JSON.parse(req.body);
+    const request = JSON.parse(req.form.data);
     const paymentMethod = request.paymentMethod
       ? request.paymentMethod
       : constants.ACTIONTYPES.GIFTCARD;

src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/partialPayment.js

@@ -16,7 +16,7 @@ function responseContainsErrors(response) {
 
 function makePartialPayment(req, res, next) {
   try {
-    const request = JSON.parse(req.body);
+    const request = JSON.parse(req.form.data);
     const currentBasket = BasketMgr.getCurrentBasket();
 
     const { paymentMethod, partialPaymentsOrder, amount, giftcardBrand } =