Need some instructions on how you might go about providing one vs many gateway types.

The module should make provision for either making payment via purchase or authorise & capture.
All gateways provide purchase, but some allow authorize & capture.

The payment module could always go for authorise, if available.

Provide some kind of datamodel for storing credit card tokens.

Security should be heavily considered here, because this could be a way for cards to be accessed.

Should tokens expire and be removed? Or would this happen at the gateway end?

it makes more sense to show the latest payment first...

Figuring out what actions should be allowed, according to a state machine. There are a few I'm not sure about.

Restricting the status of payments can help ensure things aren't changed accidentally, or when they shouldn't be.

A possible implementation:

    private $state_machine = array(
        'Created' => array('Captured','Authorized'),
        'Authorized' => array('Captured'),
        'Captured' => array('Refunded','Void')
        'Refunded' => null,
        'Void' => null
    );
    /**
     * Only allows updating the status, according to the state machine
     */
    public function setStatus($status){
        if($status instanceof Enum){
            $this->dbObject("Status")->setValue($status);
        } elseif($this->statusCanChangeTo($status)) {
            $this->dbObject("Status")->setValue($status);
        }
    }

• What states are there. Should I include intermediate states? see: http://kc.litiumstudio.se/get-started/litium-studio-4-6-2-get-started/start_with_ecommerce/working_with_state_transitions/payment_states
• What are the transitions + are there conditions for the transitions?
• Enforce state machine with 'can' functions

We don't need to test the gateway handling...that is the job of omnipay.

Use either dummy payment or manual payment for tests. Not sure how to test isRedirect == true functionality.

Things that still need to be tested for 1.0 release:

• configuring gateways
• creating a payment
• state machine restrictions
• onsite and offsite gateway interactions (using mock responses)
• dummy / manual gateways
• Payable extension
• logging: produce every type of PaymentMessage
• on-site missing credit card details
• on-site invalid credit card details (expired, lhun fail, etc)
• 0 or negative amounts

..as these are checked off, we may find that the system design may change a little

Omnipay's gateway factory has a special way of referencing gateway classes. eg PayPal_Express would use the Omnipay\PayPal\ExpressGateway class.

You can place an order with a manual payment, but you can't yet complete it.

Payment cms action needs to be added for approving, or cancelling a payment.

Hi Jeremy

I have setup paypal via omnipay.

It works with USD - but if I change it to NZD I get the following message:

"The transaction currency specified must be the same as previously specified."

I am just lodging this here, because it appears that the system is sending mixed messages to paypal. I am not sure yet, just flagging this as a potential issue.

This is the code I am using:

    function PaymentForm(){
        if($this->showPaymentForm) {
            $gateway = "PayPal_Express";
            $factory = new GatewayFieldsFactory($gateway);
            $fields = $factory->getFields();
            $actions = new FieldList(new FormAction("pay", "Pay Now"));
            return new Form($this, "PaymentForm", $fields, $actions);
        }
    }

    function pay($form, $data) {
        $isTestMode = Director::IsLive() ? false : true;
        if($amount = $myPage->AmountToPay() && $currency = $myPage->CurrencyToPay()) {
            $payment = Payment::create();
            $payment->init($gateway = "PayPal_Express", $amount, $currency);
            $paymentService = PurchaseService::create($payment);
            $paymentService->setReturnUrl($this->Link('completepayment'));
            $paymentService->setCancelUrl($this->Link('cancelpayment'));  
            $paymentService->oGateway()->setTestMode($isTestMode);
            $this->result->Payments()->add($payment);
            $purchase = $paymentService->purchase();
            $purchase->redirect();
        }
    }


    function completepayment($request){
        return $this->redirect($this->Link());
    }

    function cancelpayment($request){
        return $this->redirect($this->Link());
    }

I tried in both test and live mode. Same results: USD works, NZD fails.

There are a number of things that could be reported on:

• Comparison of gateways used
• Successful vs failed
  • Step(s) where failure occurred
• Currencies
• Plot graph of ammounts

Administrators sometimes need to make/complete a payment. The customer may give credit card details over the phone, or send through some kind of manual payment, and this needs to be recorded/updated by an administrator of the application.

An interface will need to be created to allow completing (possibly also creating) payments via any type of gateway. This interface should be accessible from the CMS.

Logging is really important for seeing a history of what has happened in a system. We want to know everything that has happened in regards to a payment over time.

• Every payment transaction should be time-stamped.
• Message sources could include: system, gateway, user, administrator
• Failures are acceptable outcomes.
• Errors are problems with the system / gateway.
• Logging could optionally also occur in a log file.
• Some things will be visible to the user, others won't. eg errors will probably be a generic message for the user
• Messages should be translatable

Do we want to log requests AND responses for gateway interactions? or should these be combined into one object?

I'm attempting to come up with some kind of exhaustive list:

more...?

This list of scenarios helps to understand where things can be logged:

https://github.com/burnbright/silverstripe-omnipay/blob/master/docs/en/payment-scenarios.md

Payment relies on it's PaymentMessages for retrieving the unique identifier, and the application return urls.

That data could instead be stored in Payment, removing any dependency on the PaymentMessaging 'audit' system.

These are the states I gather a payment can have: Created, Authorised, Captured, Refunded, or Void.

I'm guessing that if there are redirects occurring between steps, then you'll need to store gateway response data to be retrieved again.

One important question is where to store this data. It could go in the database model, or in the session.
I'm guessing some data you may want to store indefinitely for any later actions, other data you may want to log for debugging or viewing history, and some you may want to throw away asap because it is sensitive.

@adrianmacneil - do you have any recommendations about how to store data between requests?
Would you see any issue with authorising a payment at one step in your application, and then capturing during another step (different http requests)?

Gateway servers doing a notify callback will run in a new session.
Currently it will execute whatever it can as if it were the customer. That means redirect urls will potentially be called.

This module should introduce some way to tell if a completePurchase request has come from an external gateway server, and act accordingly.

This issue is not documented well

If there is only one gateway, then there is no need to select a gateway.

If a gateway is off-site, then there isn't much need to display a step where the user clicks 'make payment'. If we end up skipping the index view, then it should only be done if there are no previously failed payments. That is because a failed off-site payment could return to the merchant site, and then automatically redirect back to the external gateway....which may be a confusing user experience.

Hi Jeremy

I have the following code:

    function PaymentForm(){
        if($this->showPaymentForm) {
            $gateway = "PayPal_Express";
            $factory = new GatewayFieldsFactory($gateway);
            $fields = $factory->getFields();
            $actions = new FieldList(new FormAction("pay", "Pay Now"));
            return new Form($this, "PaymentForm", $fields, $actions);
        }
    }

    function pay($form, $data) {
        $isTestMode = Director::IsLive() ? false : true;
        if($amount = $this->result->AmountToPay()) {
            $currency = $this->result->CurrencyToPay();
            $payment = Payment::create()
                ->init($gateway = "PayPal_Express", $amount, $currency)
                ->setReturnUrl($this->Link('completepayment'))
                ->setCancelUrl($this->Link('cancelpayment'));  //$form->getData()
            Session::set("OmniPayPaymentID", $payment->ID);
          $payment->oGateway()->setTestMode($isTestMode);
            $purchase = $payment->purchase();
            $purchase->redirect();
        }
    }


    function completepayment($request){
        $id = Session::get("OmniPayPaymentID");
        Session::clear("OmniPayPaymentID");
        $payment = Payment::get()->byID($id);
        $payment->Status = "Authorized";
        $payment->write();
        return $this->redirect($this->Link());  }

    function cancelpayment($request){
        $id = Session::get("OmniPayPaymentID");
        Session::clear("OmniPayPaymentID");
        $payment = Payment::get()->byID($id);
        $payment->Status = "Void";
        $payment->write();
        return $this->redirect($this->Link());
    }

and in yml:

---
Name: payment

---
Payment:
  has_one:
    QuestionnaireResult: QuestionnaireResult
  allowed_gateways:
    - 'PayPal_Express'
    - 'Manual'
  parameters:
    PayPal_Express:
      username: 'pay_api1.sunnysideup.co.nz'
      password: 'real password'
      signature: 'real signature'

---
Only:
    environment: 'live'

---
Payment:
    parameters:
        PayPal_Express:
            username: 'liveexample.test'
            password: 'livepassawe23'
            signature: 'laivfe23235235'

This seems to work ok, except that I dont think it is in test mode...

I am not sure where I can find more information about this or how to fix his.

Ideally I could also write $payment->IsTestMode(true) rather than the construction above...

ALSO - the way I process the payments (cancel and success) is DEFINITELY wrong (you can just browse to the URLs to make a payment!) ... How do you envisage this to work?

Cheers

Nicolaas

@adrianmacneil - just wondering if you have any visual diagrams of either the omnipay classes, or a flow diagram of how the omnipay fits in within an application / the gateways it is talking to?

Some payments fail, so they show up as "Authorized" or "Created". Payments should not remain in these statuses. Sometimes these payments may have actually succeeded in the gateway.

There are a few ways to clean these up:

• Administrators should be able to run the 'completePayment' function so to do a lookup that either voids the payment, or completes it.
• Administrators should be able to complete/void manual payments. Replaces #51
• Automatic task can tidy up payments that are older than X period.
• When a payment is re-attempted on the same Payable object, it could check if incomplete payments were successful.

If a gateway is renamed or removed from the system, any transaction functions will fail, probably disastrously.

I think it would be good to allow omnipay payment types to come, and go from the system, yet everything still works. Payments won't be able to be completed.

some fields are still using the default length. Some strings may get cut off

Because there are multiple aspects that do much the same thing, there is some crossover of terms. This can make debugging and understanding the code quite difficult.

Below are terms to better clarify in code:

Response

• omnipay Responses
• GatewayResponse - used to encapsulate the omnipay response info and aid in redirection
• SS_HTTPResponse - ss native responses

Redirect

• Gateway redirects - to send the user to an offsite gateway website for entering payment creds
• Application redirects - after SS omnipay processing. Variables are inconsistent for this, eg: $message->SuccessURL = $data['returnUrl']

Identifiers / References

• Identifier (on PaymentMessage) - Internally random generated string for uniquely referencing the payment in url.
• TransactionReference - function on omnipay responses .... ?

Messages

• PaymentMessage vs
• Guzzle Message

@chillu - feel free to add your 2c to help make this clearer, or propose changes.

This file merges with one's real configuration causing Dummy, Manual, PayPal_Express, etc to show up alongside the real options. The only way to get rid of that is to use Config::inst()->remove in _config.php which is messy. This example data is already in the README.md so shouldn't this file be removed?

'Reference' => 'Varchar'

    /**
     * Generate a random reference that hasn't been used before.
     * @return [type] [description]
     */
    static function generate_unique_reference(){
        $ref = uniqid("",true);
        while(Payment::get()->filter('Reference',$ref)->exists()){
            $ref = uniqid("",true);
        }
        return $ref;
    }

Transactions is not a method for Payment, hence modeladmin is broken.

Hi,
When I apply the Payable Data Extension to a simple DataObject, like Order, I get a "[User Error] Uncaught Exception: No has_one found on class 'Payment', the has_many relation from 'Order' to 'Payment' requires a has_one on 'Payment'" error back and can not open the EditForm in the CMS of my Dependent Object anymore.

Not sure if you can do anything as it looks more like a core bug as $has_many relationships in DataExtensions may not work.

A trick to simulate an on-site payment form is to display the external payment form inside an iframe.

It would be good to provide either tools, or instructions on how to achieve this.

Omnipay library and gateways define their fields (parameters), and this is non-negotiable.

Need to provide a mechanism to easily map fields from given data / Payable into omnipay parameters.

What should happen on failure? > pass exceptions to developer

This might just need to be documented.

If a gateway doesn't support dynamic return urls, then this module currently won't work.

A solution to this is to implement your own PaymentGatewayController to look up a transaction/payment, based on the data that is passed back.

Another option could possibly be to store a payment id in the session, which is then referenced on return. This probably has implications.

This will require rewriting some of the way unit tests retrieve mock data. It is currently a hard-coded path, but will need to shift towards retrieving it from the appropriate composer package automatically.

Looking at the ominpay library tests should help here.

This will bring a few improvements, including being able to pass item descriptions to gateways: https://github.com/omnipay/omnipay/releases/tag/v2.0.0

If their github releases page is anything to go by, it looks like there are no further breaking changes, and as such could upgrade straight to omnipay 2.3.x

see also
http://omnipay.thephpleague.com/changelog/

IP addresses are handy to keep a log of, so these should be attached to each message.

There's definitely a way to capture the request IP from SilverStripe to put in omnipay request messages.
Not exactly sure how to get the ip for omnipay responses.

Add ip addresses to payment summary fields.

I get a [Notice] Undefined variable: factory error
it's on line 67 of /var/www/pdiver/omnipay/code/admin/PaymentDevelopmentAdmin.php

I think it's trying to return a bit of jQuery for the browser to read but the PHP interpreter is finding it first

It is tricky to write unit tests for apps that use the omnipay module. You currently need to replicate much of the setup used in the omnipay tests.

Currently difficult:

• Making use of mocking
• Getting the correct PaymentGatewayController endpoint to call for mimicking off-site redirects & callbacks.

This needs to be documented.

It may be worth making this improvement at the same time as upgrading to omnipay v2 #23

Also, worth documenting is how to mimic another running session, by creating a new TestSession during the test.

Restricting the status of payments can help ensure things aren't changed accidentally, or when they shouldn't be.

    private $state_machine = array(
        'Created' => array('Captured','Authorized'),
        'Authorized' => array('Captured'),
        'Captured' => array('Refunded','Void')
        'Refunded' => null,
        'Void' => null
    );
    /**
     * Only allows updating the status, according to the state machine
     */
    public function setStatus($status){
        if($status instanceof Enum){
            $this->dbObject("Status")->setValue($status);
        } elseif($this->statusCanChangeTo($status)) {
            $this->dbObject("Status")->setValue($status);
        }
    }

It is not clear how off-site payments continue execution on the site after redirecting back from the external gateway website.

The payment model will be updated automatically, but the application model will probably need to be updated at this point also.

Currently we have the Payment->onCaptured extension to be hooked into by creating a DataExtension for Payment.

thanks to @wilr for pointing this out.

If a gateway calls back to the server before redirecting the user, then the OrderProcessor->placeOrder() function will add the order to a session that is started for the gateway call. This means the user can't see the newly placed order.

One solution could be to migrate the user's cart id to the order history, if that cart id now points to a placed order. This could be triggered somewhere in OrderManipulation, but I wish it could happen before that.
Perhaps omnipay module needs a new extension hook in PaymentGatewayController->index() called onAlreadyComplete.

Thanks to @nimeso for helping to find this issue.

The new PaymentController could show past payment failures that have been attempted for the given Payable.

We don't want anyone to be able to hit the PaymentGatewayController endpoint to potentially mark payments as successful.

There are a few ways that restrictions could be imposed:

• gateway callback - if the gateway supports CompletePurchase or CompleteAuthorize, then the model can only be updated by those functions.
• unique token - generate a securitytoken that must be passed back in the return url.
• server IP address - only allow gateway server to contact the payment controller.
• client IP address - only allow the ip address that initiated the payment to finish it.
• require HTTPS for any use of the PaymentController
• logged in member matches

The current logging approach is rather limited:

• Only dumping arrays and objects, rather than raw data.
• Uses SilverStripe debug.log, which could get cluttered with other things.

Solution: make use of existing guzzle logging tools. Such logging has a great amount of flexibility to log in various formats and to various locations.

It would be good if raw data could be stored in db, if desired. This could pose security issues however.

Here's how we can hook directly into the Guzzle client and log raw requests and responses:

Additional composer requirements

composer require guzzle/log *@stable
composer require guzzle/plugin-log *@stable
composer require monolog/monolog *@stable

Add this to mysite/_config.php:

<?php

use Guzzle\Http\Client;
use Guzzle\Log\MessageFormatter;
use Guzzle\Log\MonologLogAdapter;
use Guzzle\Plugin\Log\LogPlugin;
use Monolog\Handler\StreamHandler;
use Monolog\Logger;

$logger = new Logger('client');
$logger->pushHandler(new StreamHandler(BASE_PATH.'/omnipay.log'));
$logAdapter = new MonologLogAdapter($logger);
$logPlugin = new LogPlugin($logAdapter, MessageFormatter::DEBUG_FORMAT);
$client = new Client();
$client->addSubscriber($logPlugin);

PaymentService::set_http_client($client);

Adding to _config.php probably isn't the best idea. Would be better to set up on some closure callback. The static setter isn't that great either.

Cons to this approach

If a gateway doesn't use guzzle, it will need to do its own logging. I suspect this is rare, but it should be noted at least.

Should form fields be provided?
Could provide fields for data that is not already provided, and is requred by gateway. > can omnipay providet this? (requiredParameters on gateway) provide a credit card entry form / page for on-site payments

I installed the Omnipay module by Composer. Now when I click Payments in the CMS menu this error appears:

Error at line 763 of /home/sites/development/hesteric/www/framework/core/Object.php

SilverStripe version: 3.1.6

The Payment model has_many GatewayTransactions. These are a way of keeping a log of what communications have been made with gateway. This log will definitely be useful to see the history of payment transactions.

We could potentially allow making a payment via a different gateway, if the first chosen gateway fails.
A payment becomes a successful payment when any appropriate transaction completes successfully.

Currently Payment has a Gateway field, which just stores the gateway that has been used to make payment.
Payment also has a Status field, with a few possible statuses: Created,Authorized,Captured,Refunded,Void
If a payment has been completed via a particular gateway, then it should only be allowed to be void or refunded by that same gateway.

The current behaviour is to allow changing the gateway only when the status is 'created'. Any other status means that the gateway (and amount+currency) is locked in.

Should we definitely allow more than one gateway to be used to attempt to complete a single payment? The alternative is to force multiple payments per order/invoice/thing.
Do we allow starting a transaction by any such payment type, and concluding it any other way?

Using shop module and omnipay + default test yaml in readme.

The error occurs at the checkout

Fatal error: Class 'Omnipay\Common\GatewayFactory' not found in C:\wamp\www\bike2013\omnipay\code\model\GatewayInfo.php on line 29

As @chillu mentioned on the mailing list:

"Architecturally it would be cleaner to leave gateway interactions out of the Payment class, and e.g. have a PaymentService->purchase() which stores the outcome in a Payment object."

I have started this work in a new branch: https://github.com/burnbright/silverstripe-omnipay/tree/paymentservice

As pointed out in silvershop/silvershop-core#230, there is with redirects after a declined payment via offsite gateway.

An assumption has been made that the omnipay gateway will use the 'cancelURL' when a payment fails. Apparently this isn't the case, and this assumption should no longer be made.

I need to introduce a way to redirect to different urls, based on the gateway response. The current approach is limited to only one url, which encoded in a request parameter.

A new approach could be to store the url in the database. Specifically, adding SuccessURL and FailureURL TEXT database fields to the GatewayRequestMessage class. Only the relative url would need to be stored.

Doing this could help with debugging, because we would have an idea of exact urls that would be visited for each payment type.

@wilr do you think this is a good approach?

For example, you shouldn't be able to update the currency or price when the payment is complete. We may not ever want the payment and currency to be updated via CMS for that matter.

I have tried this:

            $purchase = $paymentService->purchase(array_merge($form->getData(), array(
                "item_name" => "item name",
                "PAYMENTREQUEST_0_DESC" => "PAYMENTREQUEST_0_DESC message"
            )));

but that does not seem to do anything.