Update to Mollie v2 API: Part 2 electric boogaloo (#1147)
* feat: update to mollie v3 api

* chore: run linter

* fix: add ideal as method so we return to Koala on failure

* chore: linter ✨

* chore: satisfy linter 🤡

* chore: satisfy linter 🤡

* feat: remove issuer

* fix: resolved brakeman warning

* fix: resolved linter warning

* fix: second attempt at securing mollie redirect

* fix: pass string to `redirect_to` function

* fix: update mollie host

* chore: add comment about whitelisted mollie uri

---------

Co-authored-by: Silas <[email protected]>
leuke-naam and SilasPeters authored Dec 28, 2024
1 parent f372405 commit 0d85b36
Showing 2 changed files with 6 additions and 2 deletions.
5 changes: 3 additions & 2 deletions app/controllers/members/payments_controller.rb
Expand Up @@ -45,6 +45,7 @@ def pay_activities
transaction_type: :activity,
redirect_uri: member_payments_path
)

if payment.save
# Check URI for safety (supresses brakeman warning)
url = begin
Expand All @@ -54,8 +55,8 @@ def pay_activities
end

# Check if it's a valid URI and matches your whitelist of acceptable domains (e.g., only http(s)://example.com)
if url.is_a?(URI::HTTP) && ['mollie.com'].include?(url.host)
redirect_to(url)
if url.is_a?(URI::HTTP) && ['www.mollie.com'].include?(url.host)
redirect_to(url.to_s)
else
# Fallback to a safe default redirect if the URI is invalid or not in the whitelist
redirect_to(root_path)
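Review bot: the type check on the new line `if url.is_a?(URI::HTTP) && ['www.mollie.com'].include?(url.host)` still accepts plain `http://` checkout URLs, because `URI::HTTPS` is a subclass of `URI::HTTP` and so passes the test along with unencrypted `http` URLs; a payment redirect should only ever go to HTTPS, so tighten it to `url.is_a?(URI::HTTPS)` (or check `url.scheme == 'https'` alongside the host match). The `'www.mollie.com'` literal is also repeated as a comment in `app/models/payment.rb`; pulling it into one shared constant (for example on `Payment`) keeps the controller allow-list and the model from drifting apart. The `else` branch sends the member to `root_path` with no flash message, so a rejected checkout URL would look like a silent no-op; consider a flash alert before the fallback redirect. Minor: the existing comment's "supresses" should read "suppresses".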
3 changes: 3 additions & 0 deletions app/models/payment.rb
Expand Up @@ -65,6 +65,9 @@ def request_payment
)

self.trxid = payment.id

# The host of this url is `www.mollie.com` so it will redirect to the mollie payment page
# if this ever chanes, the redirect_uri whitelist in the controller should be updated
self.payment_uri = payment._links['checkout']['href']
self.status = :in_progress

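Review bot: the added comment documents the `www.mollie.com` host assumption but nothing in this hunk enforces it, so a change in the `checkout` link would only surface as the controller's fallback redirect to `root_path`; consider validating the host when `payment_uri` is assigned (for example `URI(href).host` against the same allow-list constant the controller uses) so a mismatch fails loudly at payment creation rather than silently at redirect time. `payment._links['checkout']['href']` also raises `NoMethodError` if the `checkout` link is missing from the API response; `payment._links.dig('checkout', 'href')` with an explicit nil check gives a clearer failure. Typo in the comment: "chanes" should be "changes".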