Usage instructions issue: Declined transaction is considered successful #89

shhavel opened this issue May 30, 2016 · 7 comments

@shhavel

shhavel commented May 30, 2016

The provided method to check the transaction status when charging a credit card is not accurate:

if response.messages.resultCode == MessageTypeEnum::Ok
  # Payment is considered to be successful.
  # Providing goods or services to the customer ...
end

This is taken from the Hello World example and the README of the current gem.

Please check the XML responses for different cases:

Successful charge:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Ok</resultCode>
    <message>
      <code>I00001</code>
      <text>Successful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>1</responseCode>
    <authCode>UZJ0KN</authCode>
    <avsResultCode>Y</avsResultCode>
    <cvvResultCode>P</cvvResultCode>
    <cavvResultCode>2</cavvResultCode>
    <transId>2249638815</transId>
    <refTransID />
    <transHash>8614D9C8EA2ED3869D3CBE33D118B68C</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX4242</accountNumber>
    <accountType>Visa</accountType>
    <messages>
      <message>
        <code>1</code>
        <description>This transaction has been approved.</description>
      </message>
    </messages>
  </transactionResponse>
</createTransactionResponse>

Failure:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Error</resultCode>
    <message>
      <code>E00027</code>
      <text>The transaction was unsuccessful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>3</responseCode>
    <authCode />
    <avsResultCode>P</avsResultCode>
    <cvvResultCode />
    <cavvResultCode />
    <transId>0</transId>
    <refTransID />
    <transHash>137CBC40236BA3F51C96439EC93BEF10</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX4242</accountNumber>
    <accountType>Visa</accountType>
    <errors>
      <error>
        <errorCode>8</errorCode>
        <errorText>The credit card has expired.</errorText>
      </error>
    </errors>
  </transactionResponse>
</createTransactionResponse>

The transaction is declined:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Ok</resultCode>
    <message>
      <code>I00001</code>
      <text>Successful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>2</responseCode>
    <authCode />
    <avsResultCode>N</avsResultCode>
    <cvvResultCode>M</cvvResultCode>
    <cavvResultCode />
    <transId>8449440786</transId>
    <refTransID />
    <transHash>3BD3DB541ECEEE82758CABE23CF25B0B</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX3173</accountNumber>
    <entryMode>Keyed</entryMode>
    <accountType>MasterCard</accountType>
    <errors>
      <error>
        <errorCode>2</errorCode>
        <errorText>This transaction has been declined.</errorText>
      </error>
    </errors>
  </transactionResponse>
</createTransactionResponse>

So according to the documentation, both a successful transaction and a declined transaction are considered paid (response.messages.resultCode == "Ok").

It would be more accurate to check the transactionResponse message code:

if response.messages.resultCode == MessageTypeEnum::Ok &&
  response.transactionResponse.messages &&
  response.transactionResponse.messages.messages[0].code == "1"
  # Payment is considered to be successful.
  # Providing goods or services to the customer ...
end

I think this is a serious vulnerability issue.
Thanks
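Added example, not part of this issue or the SDK's own code: a small REXML classifier that applies the check described above (API-level resultCode first, then transactionResponse/responseCode and the message code) to trimmed copies of the three responses quoted in this issue. The helper names (child, text_of, classify_transaction), the status symbols and the trimmed sample strings are assumptions made for the example.

```ruby
require 'rexml/document'

# Added example (not the Authorize.Net SDK's code). messages/resultCode == "Ok"
# only means the request was processed; the card result is in transactionResponse.

# Direct child element by local name (ignores the default namespace on the root).
def child(el, name)
  el&.each_element { |e| return e if e.name == name }
  nil
end
# Text of the element reached by following a path of child names, or nil.
def text_of(el, *path)
  path.each { |n| el = child(el, n) }
  el && el.text
end

# Returns { status:, reason: }; fulfil goods only when status is :approved.
def classify_transaction(xml)
  root = REXML::Document.new(xml).root
  return { status: :invalid, reason: 'unparseable response' } unless root
  tx = child(root, 'transactionResponse')
  # Human-readable reason: gateway error text, approval text, or API-level text.
  reason = text_of(tx, 'errors', 'error', 'errorText') ||
           text_of(tx, 'messages', 'message', 'description') ||
           text_of(root, 'messages', 'message', 'text')
  # resultCode != Ok means the request itself failed (e.g. E00027 in the issue).
  return { status: :error, reason: reason } unless tx && text_of(root, 'messages', 'resultCode') == 'Ok'
  # responseCode is the card result: 1 approved, 2 declined, 3 error, 4 held for review.
  status = case text_of(tx, 'responseCode')
           when '1' then text_of(tx, 'messages', 'message', 'code') == '1' ? :approved : :invalid
           when '2' then :declined
           when '4' then :held
           else :error
           end
  { status: status, reason: reason }
rescue REXML::ParseException
  { status: :invalid, reason: 'unparseable response' }
end

# Constructed, trimmed copies of the three responses quoted in the issue above.
NS = 'xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd"'
APPROVED = "<createTransactionResponse #{NS}><messages><resultCode>Ok</resultCode></messages>" \
  "<transactionResponse><responseCode>1</responseCode><messages><message><code>1</code>" \
  "<description>This transaction has been approved.</description></message></messages></transactionResponse></createTransactionResponse>"
DECLINED = "<createTransactionResponse #{NS}><messages><resultCode>Ok</resultCode></messages>" \
  "<transactionResponse><responseCode>2</responseCode><errors><error><errorCode>2</errorCode>" \
  "<errorText>This transaction has been declined.</errorText></error></errors></transactionResponse></createTransactionResponse>"
EXPIRED = "<createTransactionResponse #{NS}><messages><resultCode>Error</resultCode><message><code>E00027</code>" \
  "<text>The transaction was unsuccessful.</text></message></messages><transactionResponse><responseCode>3</responseCode>" \
  "<errors><error><errorCode>8</errorCode><errorText>The credit card has expired.</errorText></error></errors></transactionResponse></createTransactionResponse>"
[APPROVED, DECLINED, EXPIRED].each { |xml| p classify_transaction(xml) }
```

Only the first sample yields :approved; the declined response carries resultCode Ok yet classifies as :declined, which is exactly the case the README check misses.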

@vttoonses

I spoke with Authorize.Net about this and the MessageTypeEnum::Ok value just means the request was processed successfully, it does not reflect the results of that request. You must do something along the lines of what you show to verify those results. I believe their "Hello World" sample needs updating as this is very misleading.

@shhavel
Author

shhavel commented Jun 3, 2016

@vttoonses Yes, this issue requires only changes in the documentation and the "Hello World" sample; no changes in the code are needed. I emailed Authorize.Net about this and they confirmed that they will make some clarifications (changes) in the docs.
Thanks

@akankaria
Contributor

Hi @shhavel,
We have updated our sample code (for all the languages) to demonstrate the various scenarios of response handling. For example, you can take a look at our charge-a-credit-card sample at https://github.com/AuthorizeNet/sample-code-ruby/blob/master/PaymentTransactions/charge-credit-card.rb

You can also use http://developer.authorize.net/api/reference/dist/json/responseCodes.json to check the details of all the possible response/error codes and handle them appropriately in your code.

Let us know if anything is not clear.

@shhavel
Author

shhavel commented Sep 13, 2016

@akankaria Thanks for updating the example code.
Can I ask you one more question, please?
How can I send the credit card owner's name? Is this sample correct?

transaction = Transaction.new(config['api_login_id'], config['api_transaction_key'], gateway: :sandbox)

request = CreateTransactionRequest.new

request.transactionRequest = TransactionRequestType.new()
request.transactionRequest.amount = 5
request.transactionRequest.payment = PaymentType.new
request.transactionRequest.payment.creditCard = CreditCardType.new('4242424242424242', '0220', '123')
request.transactionRequest.transactionType = TransactionTypeEnum::AuthCaptureTransaction
request.transactionRequest.billTo = CustomerAddressType.new("First name", "Last name")

response = transaction.create_transaction(request)

Thanks

@akankaria
Contributor

Hi @shhavel,

A customer payment profile comprises payment details (credit card, bank account, etc.) and billTo information.
The sample you have provided is correct.

@shhavel
Author

shhavel commented Sep 19, 2016

@akankaria Thank you!

@shhavel shhavel closed this as completed Sep 19, 2016
@ericboehs

ericboehs commented Sep 30, 2016

This issue shouldn't be closed until the documentation is updated. This is a significant bug and has affected hundreds of our users.

Both the README and the Hello World example still do not mention checking the response code.
