phorge-phorge/src/applications/phortune/provider/PhortunePaypalPaymentProvider.php

<?php

final class PhortunePaypalPaymentProvider extends PhortunePaymentProvider {

  public function isEnabled() {
    return $this->getPaypalAPIUsername() &&
           $this->getPaypalAPIPassword() &&
           $this->getPaypalAPISignature();
  }

  public function getProviderType() {
    return 'paypal';
  }

  public function getProviderDomain() {
    return 'paypal.com';
  }

  public function getPaymentMethodDescription() {
    return pht('Credit Card or Paypal Account');
  }

  public function getPaymentMethodIcon() {
    return celerity_get_resource_uri('rsrc/image/phortune/paypal.png');
  }

  public function getPaymentMethodProviderDescription() {
    return 'Paypal';
  }

  public function canHandlePaymentMethod(PhortunePaymentMethod $method) {
    $type = $method->getMetadataValue('type');
    return ($type == 'paypal');
  }

  protected function executeCharge(
    PhortunePaymentMethod $payment_method,
    PhortuneCharge $charge) {
    throw new Exception('!');
  }

  private function getPaypalAPIUsername() {
    return PhabricatorEnv::getEnvConfig('phortune.paypal.api-username');
  }

  private function getPaypalAPIPassword() {
    return PhabricatorEnv::getEnvConfig('phortune.paypal.api-password');
  }

  private function getPaypalAPISignature() {
    return PhabricatorEnv::getEnvConfig('phortune.paypal.api-signature');
  }

/* -(  One-Time Payments  )-------------------------------------------------- */

  public function canProcessOneTimePayments() {
    return true;
  }

/* -(  Controllers  )-------------------------------------------------------- */


  public function canRespondToControllerAction($action) {
    switch ($action) {
      case 'checkout':
      case 'charge':
      case 'cancel':
        return true;
    }
    return parent::canRespondToControllerAction();
  }

  public function processControllerRequest(
    PhortuneProviderController $controller,
    AphrontRequest $request) {

    $cart = $controller->loadCart($request->getInt('cartID'));
    if (!$cart) {
      return new Aphront404Response();
    }

    switch ($controller->getAction()) {
      case 'checkout':
        $return_uri = $this->getControllerURI(
          'charge',
          array(
            'cartID' => $cart->getID(),
          ));

        $cancel_uri = $this->getControllerURI(
          'cancel',
          array(
            'cartID' => $cart->getID(),
          ));

        $price = $cart->getTotalPriceAsCurrency();

        $result = $this
          ->newPaypalAPICall()
          ->setRawPayPalQuery(
            'SetExpressCheckout',
            array(
              'PAYMENTREQUEST_0_AMT'            => $price->formatBareValue(),
              'PAYMENTREQUEST_0_CURRENCYCODE'   => $price->getCurrency(),
              'RETURNURL'                       => $return_uri,
              'CANCELURL'                       => $cancel_uri,
              'PAYMENTREQUEST_0_PAYMENTACTION'  => 'Sale',
              ))
          ->resolve();

        $uri = new PhutilURI('https://www.sandbox.paypal.com/cgi-bin/webscr');
        $uri->setQueryParams(
          array(
            'cmd'   => '_express-checkout',
            'token' => $result['TOKEN'],
          ));

        return id(new AphrontRedirectResponse())
          ->setIsExternal(true)
          ->setURI($uri);
      case 'charge':
        var_dump($_REQUEST);
        break;
      case 'cancel':
        var_dump($_REQUEST);
        break;
    }

    throw new Exception("The rest of this isn't implemented yet.");
  }

  private function newPaypalAPICall() {
    return id(new PhutilPayPalAPIFuture())
      ->setHost('https://api-3t.sandbox.paypal.com/nvp')
      ->setAPIUsername($this->getPaypalAPIUsername())
      ->setAPIPassword($this->getPaypalAPIPassword())
      ->setAPISignature($this->getPaypalAPISignature());
  }


}
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`<?php`

			`final class PhortunePaypalPaymentProvider extends PhortunePaymentProvider {`

			`public function isEnabled() {`
			`return $this->getPaypalAPIUsername() &&`
			`$this->getPaypalAPIPassword() &&`
			`$this->getPaypalAPISignature();`
			`}`

			`public function getProviderType() {`
			`return 'paypal';`
			`}`

			`public function getProviderDomain() {`
			`return 'paypal.com';`
			`}`

			`public function getPaymentMethodDescription() {`
Make Phortune checkout UI a little less bad Summary: Ref T2787. There were some mega-uggo buttons and such; reduce the uggo-ness by a hair. Test Plan: {F179686} Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D10006 2014-07-23 10:36:37 -07:00			`return pht('Credit Card or Paypal Account');`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`}`

			`public function getPaymentMethodIcon() {`
Make Phortune checkout UI a little less bad Summary: Ref T2787. There were some mega-uggo buttons and such; reduce the uggo-ness by a hair. Test Plan: {F179686} Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D10006 2014-07-23 10:36:37 -07:00			`return celerity_get_resource_uri('rsrc/image/phortune/paypal.png');`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`}`

			`public function getPaymentMethodProviderDescription() {`
Change double quotes to single quotes. Summary: Ran `arc lint --apply-patches --everything` over rP, mainly to change double quotes to single quotes where appropriate. These changes also validate that the `ArcanistXHPASTLinter::LINT_DOUBLE_QUOTE` rule is working as expected. Test Plan: Eyeballed it. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley, Korvin, hach-que Differential Revision: https://secure.phabricator.com/D9431 2014-06-09 11:36:49 -07:00			`return 'Paypal';`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`}`

			`public function canHandlePaymentMethod(PhortunePaymentMethod $method) {`
			`$type = $method->getMetadataValue('type');`
			`return ($type == 'paypal');`
			`}`

			`protected function executeCharge(`
			`PhortunePaymentMethod $payment_method,`
			`PhortuneCharge $charge) {`
Change double quotes to single quotes. Summary: Ran `arc lint --apply-patches --everything` over rP, mainly to change double quotes to single quotes where appropriate. These changes also validate that the `ArcanistXHPASTLinter::LINT_DOUBLE_QUOTE` rule is working as expected. Test Plan: Eyeballed it. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley, Korvin, hach-que Differential Revision: https://secure.phabricator.com/D9431 2014-06-09 11:36:49 -07:00			`throw new Exception('!');`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`}`

			`private function getPaypalAPIUsername() {`
			`return PhabricatorEnv::getEnvConfig('phortune.paypal.api-username');`
			`}`

			`private function getPaypalAPIPassword() {`
			`return PhabricatorEnv::getEnvConfig('phortune.paypal.api-password');`
			`}`

			`private function getPaypalAPISignature() {`
			`return PhabricatorEnv::getEnvConfig('phortune.paypal.api-signature');`
			`}`

			`/* -( One-Time Payments )-------------------------------------------------- */`

			`public function canProcessOneTimePayments() {`
			`return true;`
			`}`

			`/* -( Controllers )-------------------------------------------------------- */`


			`public function canRespondToControllerAction($action) {`
			`switch ($action) {`
			`case 'checkout':`
			`case 'charge':`
			`case 'cancel':`
			`return true;`
			`}`
			`return parent::canRespondToControllerAction();`
			`}`

			`public function processControllerRequest(`
			`PhortuneProviderController $controller,`
			`AphrontRequest $request) {`

			`$cart = $controller->loadCart($request->getInt('cartID'));`
			`if (!$cart) {`
			`return new Aphront404Response();`
			`}`

			`switch ($controller->getAction()) {`
			`case 'checkout':`
			`$return_uri = $this->getControllerURI(`
			`'charge',`
			`array(`
			`'cartID' => $cart->getID(),`
			`));`

			`$cancel_uri = $this->getControllerURI(`
			`'cancel',`
			`array(`
			`'cartID' => $cart->getID(),`
			`));`

Make Currency a more formal type Summary: Ref T2787. Phortune currently stores a bunch of stuff as `...inUSDCents`. This ends up being pretty cumbersome and I worry it will create a huge headache down the road (and possibly not that far off if we do Coinbase/Bitcoin soon). Even now, it's more of a pain than I figured it would be. Instead: - Provide an application-level serialization mechanism. - Provide currency serialization. - Store currency in an abstract way (currently, as "1.23 USD") that can handle currencies in the future. - Change all `...inUSDCents` to `..asCurrency`. - This generally simplifies all the application code. - Also remove some columns which don't make sense or don't make sense anymore. Notably, `Product` is going to get more abstract and mostly be provided by applications. Test Plan: - Created a new product. - Purchased a product. - Backed an initiative. - Ran unit tests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D10633 2014-10-06 10:26:48 -07:00			`$price = $cart->getTotalPriceAsCurrency();`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00
			`$result = $this`
			`->newPaypalAPICall()`
			`->setRawPayPalQuery(`
			`'SetExpressCheckout',`
			`array(`
Show prices in "$... USD" in Phortune Summary: Ref T2787. See discussion in D5834. - Replace `PhortuneUtil` with `PhortuneCurrency`, which feels a little better and more flexible / future-proof. - Add unit tests. - Display prices explicitly as "$... USD". Test Plan: Hit product list, cart, purchase flow, verified displays. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5841 2013-05-06 18:04:45 -07:00			`'PAYMENTREQUEST_0_AMT' => $price->formatBareValue(),`
			`'PAYMENTREQUEST_0_CURRENCYCODE' => $price->getCurrency(),`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`'RETURNURL' => $return_uri,`
			`'CANCELURL' => $cancel_uri,`
			`'PAYMENTREQUEST_0_PAYMENTACTION' => 'Sale',`
			`))`
			`->resolve();`

			`$uri = new PhutilURI('https://www.sandbox.paypal.com/cgi-bin/webscr');`
			`$uri->setQueryParams(`
			`array(`
			`'cmd' => '_express-checkout',`
			`'token' => $result['TOKEN'],`
			`));`

Be more strict about "Location:" redirects Summary: Via HackerOne. Chrome (at least) interprets backslashes like forward slashes, so a redirect to "/\evil.com" is the same as a redirect to "//evil.com". - Reject local URIs with backslashes (we never generate these). - Fully-qualify all "Location:" redirects. - Require external redirects to be marked explicitly. Test Plan: - Expanded existing test coverage. - Verified that neither Diffusion nor Phriction can generate URIs with backslashes (they are escaped in Diffusion, and removed by slugging in Phriction). - Logged in with Facebook (OAuth2 submits a form to the external site, and isn't affected) and Twitter (OAuth1 redirects, and is affected). - Went through some local redirects (login, save-an-object). - Verified file still work. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D10291 2014-08-18 14:11:06 -07:00			`return id(new AphrontRedirectResponse())`
			`->setIsExternal(true)`
			`->setURI($uri);`
Add initial cut of PayPal and pay-once-at-checkout providers to Phortune Summary: Paypal doesn't let us capture cards in a PCI-free way like Stripe and Balanced do, but we can provide a "pay with paypal" option at checkout. (For subscriptions, we'll have to invoice monthly to retain control over billing, but this doesn't seem wildly unreasonable.) The bitcoin provider MtGox works in a similar way, as do some other providers we might some day want to implement. This adds: - Hooks to providers so they can offer "pay once at checkout" workflows. - Hooks so providers can have controllers, for redirect-based third-party workflows. - Basic Paypal integration using the "Express Checkout Merchant API", which seems like the best fit for our use case. This only goes as far as shoving the user through the payment flow; we don't actually capture payments yet (paypal has around 35 different APIs, but this one seems to be the only PCI-free one which wouldn't give users an awful experience). This diff is fairly checkpointey, but Phortune doesn't really bill anything yet anyway. Ref T2787. Test Plan: Ran through Paypal sandbox workflow; "paid" for stuff. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2787 Differential Revision: https://secure.phabricator.com/D5834 2013-05-06 11:44:24 -07:00			`case 'charge':`
			`var_dump($_REQUEST);`
			`break;`
			`case 'cancel':`
			`var_dump($_REQUEST);`
			`break;`
			`}`

			`throw new Exception("The rest of this isn't implemented yet.");`
			`}`

			`private function newPaypalAPICall() {`
			`return id(new PhutilPayPalAPIFuture())`
			`->setHost('https://api-3t.sandbox.paypal.com/nvp')`
			`->setAPIUsername($this->getPaypalAPIUsername())`
			`->setAPIPassword($this->getPaypalAPIPassword())`
			`->setAPISignature($this->getPaypalAPISignature());`
			`}`


			`}`