From a7012aa5c9184479bb1675c3f0f0604576ee4922 Mon Sep 17 00:00:00 2001 From: Aleksandar Mihajlovski Date: Thu, 31 Oct 2024 10:00:03 +0100 Subject: [PATCH] Improving the endpoint validations (#1200) --- .../js/__tests__/paypalExpress.test.js | 14 ++-- .../client/default/js/adyenAccount.js | 11 ++- .../client/default/js/adyenGiving.js | 1 + .../adyen_checkout/checkoutConfiguration.js | 26 +++--- .../default/js/adyen_checkout/helpers.js | 1 + .../js/adyen_checkout/makePartialPayment.js | 6 +- .../adyen_checkout/renderGiftcardComponent.js | 6 +- .../client/default/js/amazonPayCheckout.js | 14 ++-- .../default/js/amazonPayExpressPart2.js | 1 + .../client/default/js/applePayExpress.js | 1 + .../default/js/checkoutReviewButtons.js | 9 ++- .../client/default/js/paypalExpress.js | 43 +++++++--- .../default/account/payment/paymentForm.isml | 2 + .../default/adyen/checkoutReviewButtons.isml | 1 + .../default/cart/checkoutButtons.isml | 1 + .../default/cart/checkoutReview.isml | 1 + .../checkout/billing/adyenComponentForm.isml | 1 + .../billing/adyenGivingComponent.isml | 1 + .../makeExpressPaymentDetailsCall.test.js | 2 +- .../__tests__/makeExpressPaymentsCall.test.js | 2 +- .../paypal/makeExpressPaymentDetailsCall.js | 2 +- .../paypal/makeExpressPaymentsCall.js | 2 +- .../cancelPartialPaymentOrder.js | 2 +- .../scripts/partialPayments/checkBalance.js | 2 +- .../scripts/partialPayments/partialPayment.js | 2 +- .../__tests__/paymentsDetails.test.js | 2 +- .../adyen/scripts/payments/paymentsDetails.js | 2 +- .../cartridge/controllers/Adyen.js | 79 ++++++++++++++----- .../cartridge/controllers/Cart.js | 14 ++++ 29 files changed, 179 insertions(+), 72 deletions(-) create mode 100644 src/cartridges/int_adyen_SFRA/cartridge/controllers/Cart.js diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/__tests__/paypalExpress.test.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/__tests__/paypalExpress.test.js index 93339a8f0..1abe660af 100644 
--- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/__tests__/paypalExpress.test.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/__tests__/paypalExpress.test.js @@ -28,10 +28,9 @@ describe('paypal express', () => { global.$.spinner = jest.fn(() => {return { start: start }}) - global.fetch = jest.fn().mockResolvedValueOnce({ - ok: true, - json: jest.fn(() => {return {action: {}}}) - }) + global.$.ajax = jest.fn().mockImplementation(({ success }) => { + success({ action : {}}) + }); const component = { handleError: jest.fn(), handleAction: jest.fn() @@ -46,10 +45,9 @@ describe('paypal express', () => { global.$.spinner = jest.fn(() => {return { start: start }}) - global.fetch = jest.fn().mockResolvedValueOnce({ - ok: true, - json: jest.fn(() => {return {}}) - }) + global.$.ajax = jest.fn().mockImplementation(({ success }) => { + success({}) + }); const component = { handleError: jest.fn(), handleAction: jest.fn() diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenAccount.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenAccount.js index b2f3b28e8..59f693060 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenAccount.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenAccount.js @@ -33,11 +33,16 @@ function handleAction(action) { // confirm onAdditionalDetails event and paymentsDetails response store.checkoutConfiguration.onAdditionalDetails = (state) => { + const requestData = JSON.stringify({ + data: state.data, + }); $.ajax({ type: 'POST', - url: 'Adyen-PaymentsDetails', - data: JSON.stringify({ data: state.data }), - contentType: 'application/json; charset=utf-8', + url: window.paymentsDetailsURL, + data: { + csrf_token: $('#adyen-token').val(), + data: requestData, + }, async: false, success(data) { if (data.isSuccessful) { 
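Review bot: The new `$.ajax` mock calls `success` synchronously inside the `$.ajax(...)` call, so in the second test the `throw new Error(errorMessage)` that callPaymentFromComponent's success handler performs on `success({})` is still caught by that function's outer `try/catch`; with real jQuery the callback runs after the request completes, outside the `try`. The assertion that `component.handleError` is called therefore passes for a reason that does not hold at runtime. Mocking the callback asynchronously, e.g. `global.$.ajax = jest.fn(({ success }) => { Promise.resolve().then(() => success({})); });`, and flushing the microtask queue before asserting would exercise the real ordering; the same applies to the first test in this file.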
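Review bot: `$('#adyen-token').val()` is now repeated verbatim at every call site (here and in adyenGiving.js, checkoutConfiguration.js, helpers.js, makePartialPayment.js, renderGiftcardComponent.js, amazonPayCheckout.js, amazonPayExpressPart2.js, applePayExpress.js and paypalExpress.js), while checkoutReviewButtons.js reads the token with a different, form-scoped selector. A single helper, e.g. `function getCsrfToken() { return $('#adyen-token').val(); }` in adyen_checkout/helpers.js, would keep the lookup in one place and give one spot to fail early when the input is missing; as written, a missing element makes jQuery send an empty `csrf_token`, the server rejects the call, and the `success`/`error` handlers see whatever the rejection response is. The two checkoutConfiguration.js hunks also differ in style (one builds a `payload` const, the next inlines the object); picking one form across the call sites would help. The `onAdditionalDetails` handler edited here continues past the hunk.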
diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenGiving.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenGiving.js index 6ab787e9c..ee559d513 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenGiving.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyenGiving.js @@ -10,6 +10,7 @@ function handleOnDonate(state, component) { amountCurrency: selectedAmount.currency, orderNo: window.orderNo, orderToken: window.orderToken, + csrf_token: $('#adyen-token').val(), }; $.ajax({ diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/checkoutConfiguration.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/checkoutConfiguration.js index a2a828587..d924d4f12 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/checkoutConfiguration.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/checkoutConfiguration.js @@ -181,11 +181,14 @@ function getGiftCardConfig() { store.updateSelectedPayment(constants.GIFTCARD, 'stateData', state.data); }, onBalanceCheck: (resolve, reject, requestData) => { + const payload = { + csrf_token: $('#adyen-token').val(), + data: JSON.stringify(requestData), + }; $.ajax({ type: 'POST', url: window.checkBalanceUrl, - data: JSON.stringify(requestData), - contentType: 'application/json; charset=utf-8', + data: payload, async: false, success: (data) => { giftcardBalance = data.balance; @@ -248,8 +251,10 @@ function getGiftCardConfig() { $.ajax({ type: 'POST', url: window.partialPaymentsOrderUrl, - data: JSON.stringify(requestData), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: $('#adyen-token').val(), + data: JSON.stringify(requestData), + }, async: false, success: (data) => { if (data.resultCode === 'Success') { 
@@ -293,14 +298,17 @@ const actionHandler = async (action) => { }; function handleOnAdditionalDetails(state) { + const requestData = JSON.stringify({ + data: state.data, + orderToken: window.orderToken, + }); $.ajax({ type: 'POST', url: window.paymentsDetailsURL, - data: JSON.stringify({ - data: state.data, - orderToken: window.orderToken, - }), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: $('#adyen-token').val(), + data: requestData, + }, async: false, success(data) { if (!data.isFinal && typeof data.action === 'object') { diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/helpers.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/helpers.js index cd3956990..dd1d8a8d5 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/helpers.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/helpers.js @@ -33,6 +33,7 @@ function paymentFromComponent(data, component = {}) { url: window.paymentFromComponentURL, type: 'post', data: { + csrf_token: $('#adyen-token').val(), data: JSON.stringify(requestData), paymentMethod: document.querySelector('#adyenPaymentMethodName').value, }, diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/makePartialPayment.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/makePartialPayment.js index 0e656dd0e..9db360830 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/makePartialPayment.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/makePartialPayment.js 
@@ -7,8 +7,10 @@ function makePartialPayment(requestData) { $.ajax({ url: window.partialPaymentUrl, type: 'POST', - data: JSON.stringify(requestData), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: $('#adyen-token').val(), + data: JSON.stringify(requestData), + }, }) .done((response) => { if (response.error) { diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/renderGiftcardComponent.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/renderGiftcardComponent.js index 2f4401f6c..e2f73a19b 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/renderGiftcardComponent.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/adyen_checkout/renderGiftcardComponent.js @@ -56,8 +56,10 @@ function removeGiftCards() { $.ajax({ type: 'POST', url: window.cancelPartialPaymentOrderUrl, - data: JSON.stringify(card), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: $('#adyen-token').val(), + data: JSON.stringify(card), + }, async: false, success(res) { const adyenPartialPaymentsOrder = document.querySelector( diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayCheckout.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayCheckout.js index ef6a2462d..4d4bc3f30 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayCheckout.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayCheckout.js @@ -42,6 +42,7 @@ function paymentFromComponent(data, component) { url: window.paymentFromComponentURL, type: 'post', data: { + csrf_token: $('#adyen-token').val(), data: JSON.stringify(requestData), paymentMethod: 'amazonpay', merchantReference: document.querySelector('#merchantReference').value, 
@@ -80,14 +81,17 @@ async function mountAmazonPayComponent() { }, onAdditionalDetails: (state) => { state.data.paymentMethod = 'amazonpay'; + const requestData = JSON.stringify({ + data: state.data, + orderToken: window.orderToken, + }); $.ajax({ type: 'post', url: window.paymentsDetailsURL, - data: JSON.stringify({ - data: state.data, - orderToken: window.orderToken, - }), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: $('#adyen-token').val(), + data: requestData, + }, success(data) { if (data.isSuccessful) { handleAuthorised(data); diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayExpressPart2.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayExpressPart2.js index 9da564676..301e9a380 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayExpressPart2.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/amazonPayExpressPart2.js @@ -5,6 +5,7 @@ function saveShopperDetails(details) { url: window.saveShopperDetailsURL, type: 'post', data: { + csrf_token: $('#adyen-token').val(), shopperDetails: JSON.stringify(details), paymentMethod: 'amazonpay', }, diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/applePayExpress.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/applePayExpress.js index ebd0c3027..2aa5954ed 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/applePayExpress.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/applePayExpress.js @@ -90,6 +90,7 @@ function callPaymentFromComponent(data, resolveApplePay, rejectApplePay) { url: window.paymentFromComponentURL, type: 'post', data: { + csrf_token: $('#adyen-token').val(), data: JSON.stringify(data), paymentMethod: APPLE_PAY, }, 
diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/checkoutReviewButtons.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/checkoutReviewButtons.js index 6a33eb2da..21553f9fa 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/checkoutReviewButtons.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/checkoutReviewButtons.js @@ -6,11 +6,16 @@ const helpers = require('./adyen_checkout/helpers'); * @return {undefined} */ function makeExpressPaymentDetailsCall(data) { + const csrfToken = document.querySelector( + '#showConfirmationForm input[id="adyen-token"]', + ).value; $.ajax({ type: 'POST', url: window.makeExpressPaymentDetailsCall, - data: JSON.stringify({ data }), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: csrfToken, + data: JSON.stringify({ data }), + }, async: false, success(response) { helpers.setOrderFormData(response); diff --git a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/paypalExpress.js b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/paypalExpress.js index 20f5bff8e..53cbc3ffd 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/paypalExpress.js +++ b/src/cartridges/app_adyen_SFRA/cartridge/client/default/js/paypalExpress.js 
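Review bot: `document.querySelector('#showConfirmationForm input[id="adyen-token"]').value` throws a TypeError before `$.ajax` is reached when the input is not in the DOM, and nothing in makeExpressPaymentDetailsCall catches it, so the shopper gets no error handling at all in that case; `const csrfToken = document.querySelector('#showConfirmationForm input[id="adyen-token"]')?.value;` followed by an explicit early exit when it is falsy would make the failure visible and deliberate. The form-scoped `input[id="adyen-token"]` selector, unlike the bare `#adyen-token` used everywhere else in this patch, suggests the confirmation page may contain more than one element with that id; if so, a comment here saying why the scoped lookup is required (e.g. `// several adyen-token inputs exist on this page; take the one inside the confirmation form`) would stop a later cleanup from unifying the selectors. The function body continues past the hunk.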
@@ -9,19 +9,26 @@ const { PAYPAL } = require('./constants'); async function callPaymentFromComponent(data, component) { try { $.spinner().start(); - const response = await fetch(window.makeExpressPaymentsCall, { - method: 'POST', - headers: { - 'Content-Type': 'application/json', + + $.ajax({ + type: 'POST', + url: window.makeExpressPaymentsCall, + data: { + csrf_token: $('#adyen-token').val(), + data: JSON.stringify(data), + }, // Send the data as a JSON string + success(response) { + const { action, errorMessage = '' } = response; + if (action) { + component.handleAction(action); + } else { + throw new Error(errorMessage); + } + }, + error() { + component.handleError(); }, - body: JSON.stringify(data), }); - const { action, errorMessage = '' } = await response.json(); - if (response.ok && action) { - component.handleAction(action); - } else { - throw new Error(errorMessage); - } } catch (e) { component.handleError(); } @@ -33,6 +40,7 @@ async function saveShopperDetails(details, actions) { type: 'post', data: { shopperDetails: JSON.stringify(details), + csrf_token: $('#adyen-token').val(), }, success() { actions.resolve(); @@ -55,6 +63,13 @@ function redirectToReviewPage(data) { value: JSON.stringify(data), }); + $('') + .appendTo(redirect) + .attr({ + name: 'csrf_token', + value: $('#adyen-token').val(), + }); + redirect.submit(); } @@ -62,8 +77,10 @@ function makeExpressPaymentDetailsCall(data) { return $.ajax({ type: 'POST', url: window.makeExpressPaymentDetailsCall, - data: JSON.stringify({ data }), - contentType: 'application/json; charset=utf-8', + data: { + csrf_token: $('#adyen-token').val(), + data: JSON.stringify({ data }), + }, async: false, success(response) { helpers.createShowConfirmationForm(window.showConfirmationAction); 
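Review bot: The `throw new Error(errorMessage)` inside the new `success(response)` callback is not covered by callPaymentFromComponent's `try/catch` any more: jQuery invokes `success` after the request completes, outside the `try`, so a response without `action` now becomes an uncaught exception instead of reaching `component.handleError()`. Replacing the `else` branch with `} else { component.handleError(); }` keeps the old behaviour, and `errorMessage` can then be dropped unless it is passed on. The function also keeps its `async` keyword while awaiting nothing, so it resolves before the request finishes, which callers that `await` it may not expect; and the `// Send the data as a JSON string` comment now sits after the closing brace of the `data` object rather than next to `JSON.stringify(data)`.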
diff --git a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/account/payment/paymentForm.isml b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/account/payment/paymentForm.isml index 5b9441f13..c917ee659 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/account/payment/paymentForm.isml +++ b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/account/payment/paymentForm.isml @@ -17,6 +17,7 @@ environment: '${pdict.adyen.environment}' }; window.redirectUrl = "${URLUtils.url('PaymentInstruments-List')}"; + window.paymentsDetailsURL = "${URLUtils.https('Adyen-PaymentsDetails')}";
+ ### Custom Adyen cartridge end ### diff --git a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/adyen/checkoutReviewButtons.isml b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/adyen/checkoutReviewButtons.isml index cf4924988..d98492f14 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/adyen/checkoutReviewButtons.isml +++ b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/adyen/checkoutReviewButtons.isml @@ -17,6 +17,7 @@ + diff --git a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutButtons.isml b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutButtons.isml index 630c5db42..97db6c106 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutButtons.isml +++ b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutButtons.isml @@ -100,3 +100,4 @@ + diff --git a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutReview.isml b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutReview.isml index a7f24beda..82526062b 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutReview.isml +++ b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/cart/checkoutReview.isml @@ -1,4 +1,5 @@ + var assets = require('*/cartridge/scripts/assets.js'); diff --git a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenComponentForm.isml b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenComponentForm.isml index caf04bbcf..276a6f889 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenComponentForm.isml +++ b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenComponentForm.isml @@ -129,3 +129,4 @@ + \ No newline at end of file 
diff --git a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenGivingComponent.isml b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenGivingComponent.isml index 86b4ad9ed..ebf1ea55a 100644 --- a/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenGivingComponent.isml +++ b/src/cartridges/app_adyen_SFRA/cartridge/templates/default/checkout/billing/adyenGivingComponent.isml @@ -2,6 +2,7 @@ + var assets = require('*/cartridge/scripts/assets.js'); assets.addJs('/js/adyenGiving.js'); diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentDetailsCall.test.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentDetailsCall.test.js index 75dd0cf47..ee4d7a232 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentDetailsCall.test.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentDetailsCall.test.js @@ -13,7 +13,7 @@ const makeExpressPaymentDetailsCall = require('../makeExpressPaymentDetailsCall' beforeEach(() => { jest.clearAllMocks(); req = { - body: JSON.stringify({data: {}}) + form: {data: JSON.stringify({data: {}})} }; res = { diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentsCall.test.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentsCall.test.js index d202459e8..bb6c5c8fc 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentsCall.test.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/__tests__/makeExpressPaymentsCall.test.js 
@@ -11,7 +11,7 @@ const makeExpressPaymentsCall = require('../makeExpressPaymentsCall'); beforeEach(() => { jest.clearAllMocks(); req = { - body: JSON.stringify({}) + form: {data: JSON.stringify({})} }; res = { diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentDetailsCall.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentDetailsCall.js index 1c77030eb..07a47445d 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentDetailsCall.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentDetailsCall.js @@ -27,7 +27,7 @@ function setPaymentInstrumentFields(paymentInstrument, response) { */ function makeExpressPaymentDetailsCall(req, res, next) { try { - const request = JSON.parse(req.body); + const request = JSON.parse(req.form.data); const currentBasket = BasketMgr.getCurrentBasket(); const response = adyenCheckout.doPaymentsDetailsCall(request.data); diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentsCall.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentsCall.js index 98f0f88ec..c3cba57a9 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentsCall.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/expressPayments/paypal/makeExpressPaymentsCall.js @@ -23,7 +23,7 @@ function makeExpressPaymentsCall(req, res, next) { paymentInstrument.paymentMethod, ); paymentInstrument.paymentTransaction.paymentProcessor = paymentProcessor; - paymentInstrument.custom.adyenPaymentData = req.body; + paymentInstrument.custom.adyenPaymentData = req.form.data; }); // Creates order number to be utilized for PayPal express const paypalExpressOrderNo = OrderMgr.createOrderNo(); 
diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/cancelPartialPaymentOrder.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/cancelPartialPaymentOrder.js index d51fff773..e13123f73 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/cancelPartialPaymentOrder.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/cancelPartialPaymentOrder.js @@ -12,7 +12,7 @@ const clearForms = require('*/cartridge/adyen/utils/clearForms'); function cancelPartialPaymentOrder(req, res, next) { try { const currentBasket = BasketMgr.getCurrentBasket(); - const request = JSON.parse(req.body); + const request = JSON.parse(req.form.data); const { partialPaymentsOrder } = request; const cancelOrderRequest = { diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/checkBalance.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/checkBalance.js index dd8430dd9..a38e90512 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/checkBalance.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/checkBalance.js @@ -52,7 +52,7 @@ function callCheckBalance(req, res, next) { ? giftCardsAdded[giftCardsAdded.length - 1].remainingAmount : orderAmount; - const request = JSON.parse(req.body); + const request = JSON.parse(req.form.data); const paymentMethod = request.paymentMethod ? request.paymentMethod : constants.ACTIONTYPES.GIFTCARD; diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/partialPayment.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/partialPayment.js index 51e4b4a58..49109ce33 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/partialPayment.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/partialPayments/partialPayment.js 
@@ -16,7 +16,7 @@ function responseContainsErrors(response) { function makePartialPayment(req, res, next) { try { - const request = JSON.parse(req.body); + const request = JSON.parse(req.form.data); const currentBasket = BasketMgr.getCurrentBasket(); const { paymentMethod, partialPaymentsOrder, amount, giftcardBrand } = diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/__tests__/paymentsDetails.test.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/__tests__/paymentsDetails.test.js index 60d335c87..e54d150c8 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/__tests__/paymentsDetails.test.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/__tests__/paymentsDetails.test.js @@ -15,7 +15,7 @@ beforeEach(() => { }; req = { - body: JSON.stringify({}), + form: {data : JSON.stringify({})}, }; }); diff --git a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/paymentsDetails.js b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/paymentsDetails.js index b974e4872..9a405f9b0 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/paymentsDetails.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/adyen/scripts/payments/paymentsDetails.js @@ -33,7 +33,7 @@ function getRedirectUrl(paymentsDetailsResponse, orderToken) { */ function paymentsDetails(req, res, next) { try { - const request = JSON.parse(req.body); + const request = JSON.parse(req.form.data); const isAmazonpay = request?.data?.paymentMethod === 'amazonpay'; if (request.data) { diff --git a/src/cartridges/int_adyen_SFRA/cartridge/controllers/Adyen.js b/src/cartridges/int_adyen_SFRA/cartridge/controllers/Adyen.js index c487831a1..2d2996511 100644 --- a/src/cartridges/int_adyen_SFRA/cartridge/controllers/Adyen.js +++ b/src/cartridges/int_adyen_SFRA/cartridge/controllers/Adyen.js 
@@ -2,13 +2,19 @@ const server = require('server'); const consentTracking = require('*/cartridge/scripts/middleware/consentTracking'); const adyenGiving = require('*/cartridge/adyen/scripts/donations/adyenGiving'); const { adyen } = require('*/cartridge/controllers/middlewares/index'); +const csrf = require('*/cartridge/scripts/middleware/csrf'); const EXTERNAL_PLATFORM_VERSION = 'SFRA'; /** * Show confirmation after return from Adyen */ -server.get('ShowConfirmation', server.middleware.https, adyen.showConfirmation); +server.get( + 'ShowConfirmation', + server.middleware.https, + csrf.generateToken, + adyen.showConfirmation, +); /** * Confirm payment status after receiving redirectResult from Adyen @@ -17,6 +23,7 @@ server.post( 'PaymentsDetails', server.middleware.https, consentTracking.consent, + csrf.validateRequest, adyen.paymentsDetails, ); @@ -45,6 +52,7 @@ server.post( server.get( 'Redirect3DS1Response', server.middleware.https, + csrf.generateToken, adyen.redirect3ds1Response, ); @@ -60,20 +68,25 @@ server.post( /** * Complete a donation through adyenGiving */ -server.post('Donate', server.middleware.https, (req /* , res, next */) => { - const { orderNo, orderToken } = req.form; - const donationAmount = { - value: req.form.amountValue, - currency: req.form.amountCurrency, - }; - const donationResult = adyenGiving.donate( - orderNo, - donationAmount, - orderToken, - ); - - return donationResult.response; -}); +server.post( + 'Donate', + server.middleware.https, + csrf.validateRequest, + (req /* , res, next */) => { + const { orderNo, orderToken } = req.form; + const donationAmount = { + value: req.form.amountValue, + currency: req.form.amountCurrency, + }; + const donationResult = adyenGiving.donate( + orderNo, + donationAmount, + orderToken, + ); + + return donationResult.response; + }, +); /** * Make a payment from inside a component (paypal) 
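Review bot: The `Donate` handler still forwards `req.form.amountValue` and `req.form.amountCurrency` to `adyenGiving.donate` unchanged; `csrf.validateRequest` proves the request came from the site's own page, not that the amount is one of the donation options offered to the shopper. Unless `adyenGiving.donate` (outside this diff) checks the value and currency against the configured donation amounts, that validation should be done here before the call, and a comment such as `// amount comes from the client; validated in adyenGiving.donate` would record where it happens either way. The same reliance on the token alone holds for the other POST routes in this file that parse `req.form.data`.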
@@ -81,6 +94,7 @@ server.post('Donate', server.middleware.https, (req /* , res, next */) => { server.post( 'PaymentFromComponent', server.middleware.https, + csrf.validateRequest, adyen.paymentFromComponent, ); @@ -90,12 +104,14 @@ server.post( server.post( 'SaveExpressShopperDetails', server.middleware.https, + csrf.validateRequest, adyen.saveExpressShopperDetails, ); server.get( 'GetPaymentMethods', server.middleware.https, + csrf.generateToken, adyen.getCheckoutPaymentMethods, ); @@ -105,6 +121,7 @@ server.get( server.post( 'CheckoutReview', server.middleware.https, + csrf.validateRequest, adyen.handleCheckoutReview, ); @@ -116,7 +133,12 @@ server.post('Notify', server.middleware.https, adyen.notify); /** * Called by Adyen to check balance of gift card. */ -server.post('CheckBalance', server.middleware.https, adyen.checkBalance); +server.post( + 'CheckBalance', + server.middleware.https, + csrf.validateRequest, + adyen.checkBalance, +); /** * Called by Adyen to cancel a partial payment order. @@ -124,6 +146,7 @@ server.post('CheckBalance', server.middleware.https, adyen.checkBalance); server.post( 'CancelPartialPaymentOrder', server.middleware.https, + csrf.validateRequest, adyen.cancelPartialPaymentOrder, ); @@ -133,13 +156,19 @@ server.post( server.post( 'PartialPaymentsOrder', server.middleware.https, + csrf.validateRequest, adyen.partialPaymentsOrder, ); /** * Called by Adyen to apply a giftcard */ -server.post('partialPayment', server.middleware.https, adyen.partialPayment); +server.post( + 'partialPayment', + server.middleware.https, + csrf.validateRequest, + adyen.partialPayment, +); /** * Called by Adyen to make /payments call for PayPal Express flow @@ -147,6 +176,7 @@ server.post('partialPayment', server.middleware.https, adyen.partialPayment); server.post( 'MakeExpressPaymentsCall', server.middleware.https, + csrf.validateRequest, adyen.makeExpressPaymentsCall, ); 
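Review bot: `csrf.generateToken` on the `GetPaymentMethods` route (and on `fetchGiftCards` in the next hunk) only places the token in `res.viewData`; whether it reaches the browser depends on the handler rendering a template or copying `viewData.csrf` into its JSON response, which this diff does not show. If those handlers answer with `res.json(...)` built from their own data, the generated token is never emitted and the middleware is dead weight; if they do return it in JSON, the client code that reads `#adyen-token` does not use it. A one-line comment on each of these GET routes naming the consumer, e.g. `// csrf.generateToken: token rendered by <TEMPLATE_PLACEHOLDER>`, would make the intent checkable.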
@@ -156,17 +186,28 @@ server.post( server.post( 'MakeExpressPaymentDetailsCall', server.middleware.https, + csrf.validateRequest, adyen.makeExpressPaymentDetailsCall, ); /** * Called by Adyen to save the shopper data coming from PayPal Express */ -server.post('SaveShopperData', server.middleware.https, adyen.saveShopperData); +server.post( + 'SaveShopperData', + server.middleware.https, + csrf.validateRequest, + adyen.saveShopperData, +); /** * Called by Adyen to fetch applied giftcards */ -server.get('fetchGiftCards', server.middleware.https, adyen.fetchGiftCards); +server.get( + 'fetchGiftCards', + server.middleware.https, + csrf.generateToken, + adyen.fetchGiftCards, +); function getExternalPlatformVersion() { return EXTERNAL_PLATFORM_VERSION; diff --git a/src/cartridges/int_adyen_SFRA/cartridge/controllers/Cart.js b/src/cartridges/int_adyen_SFRA/cartridge/controllers/Cart.js new file mode 100644 index 000000000..fba2cc4eb --- /dev/null +++ b/src/cartridges/int_adyen_SFRA/cartridge/controllers/Cart.js @@ -0,0 +1,14 @@ +const server = require('server'); +const csrf = require('*/cartridge/scripts/middleware/csrf'); + +server.extend(module.superModule); + +/* + * Prepends Cart's 'MiniCartShow' function to have csrf token. + * This is needed for csrf protection for express payments on mini cart. + */ +server.prepend('MiniCartShow', csrf.generateToken, (req, res, next) => { + next(); +}); + +module.exports = server.exports();
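Review bot: The trailing `(req, res, next) => { next(); }` middleware in the new `server.prepend` is a no-op, because SFRA's `csrf.generateToken` already ends by calling `next()`; `server.prepend('MiniCartShow', csrf.generateToken);` does the same with less to read. The block comment could also state where the token is consumed, since that is what a reader of this file cannot see, e.g. `/* Runs csrf.generateToken before MiniCartShow so the mini-cart template can render the csrf_token input that the express-payment calls send. */`, with the template name filled in if it is known.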