PayPal Express checkout: callback error 400

Question

PayPal Express checkout: callback error 400

Closed this issue 6 years ago · 6 comments

Hi there,

We're having trouble with the PayPal Express checkout and would appreciate any help, or if it's a bug, any fixes. :) The setup is as following:

PHP 7.0.30
Craft Pro 3.0.13.2
Craft Commerce 2.0.0-beta.6
PayPal for Craft Commerce 1.0.0
SSL enabled
tokenParam: [custom string]

PayPal Express Gateway Settings: Purchase + Test mode + Mark + Login (tried others too).
Using PayPal Sandbox account credentials

This is what happens: At checkout I choose PayPal express from the "native" twig gateway handler template that comes with commerce. After clicking, the expected popup appears and I pay with one of the sandbox accounts created, that also has more than enough funds. The popup closes and triggers a callback to actions/commerce/payments/complete-payment.

Query string parameters are: p, commerceTransactionHash, token, PayerID (which all look OK).

That callback then returns status 400 with following error:
{"error":"Es ist nicht möglich, Ihre Dateneingabe zu prüfen."}

Translated it means "It is not possible to check/verify your input".

I have also received the error 400 with "Uncaught Error: Request to post: failed with 400 error. Correlation id: unknown. {"error":"Es ist nicht möglich, Ihre Dateneingabe zu prüfen."}" on the same callback.

(My browser and craft user account are in English, so I'm not sure why it returns German errors. Site locale is German and PayPal account is based in Switzerland - maybe that's why.)

Thank you for looking into this!

Kind regards,
Meinhard

Answer 1 · 2018-07-18T06:45:01.000Z

Can you disable CSRF protection on Craft and see if that fixes your issue? It's mentioned only in Stripe gateway docs (https://github.com/craftcms/commerce-stripe#disabling-csrf-for-webhooks), but I suppose we should mention it for all gateways that complete payment via a callback.

Answer 2 · 2018-09-10T13:08:18.000Z

Closing due to inactivity.

Answer 3 · 2018-09-25T12:24:17.000Z

I'm sorry for not replying - adding the callback action to the CSRF-disabling code indeed fixed this issue... FYI

Answer 4 · 2019-03-20T11:21:00.000Z

Wouldn't it be nice to add this to the plugin itself?

class PluginController extends Controller
{
    // Disable CSRF validation for the entire controller 
    public $enableCsrfValidation = false;

    ...

In addition, it should at least be mentioned in the setup instructions of the plugin. It took me some time to find this post.

Answer 5 · 2019-06-07T19:19:45.000Z

For more information as to why CSRF must be disabled for PayPal routes: https://docs.craftcms.com/commerce/v2/payment-gateways.html#csrf-protection-issues

Answer 6 · 2019-07-03T07:08:12.000Z

Fixed in Commerce. See craftcms/commerce#900

Also removed the instructions in docs.