I'm trying to implement AcceptHosted using an iFrame, but I'm stuck on how to securely confirm the success of the payment.
If I use the redirect method, I can include a secret key in the continue/return URL that proves that the call could only have come from authorize.net. BUT using the redirect method, I can't get the responseCode so I don't know if the payment succeeded or not.
If I use the iFrameUrlCommunicator method, I do get the response code, but I can't find a way to include a secret key. The message could easily be faked. This is what I get:
action=transactResponse&response={"accountType":"Visa","accountNumber":"XXXX0027","transId":"60027782085",
"responseCode":"1","authorization":"HXF01L","billTo":{},"shipTo":{},"orderDescription":"Red T Shirt", "totalAmount":"1.00","dateTime":"8/9/2017 6:42:52 AM"}
I know I can check the referrer, but that could easily be faked - certainly the way it is implemented in the sample app.
Is there a way to include a secret key in the token request and have it come back in the transactResponse message? I tried the userFields but they don't come back in the transactResponse message.
I must be missing something because I seem to have hit a total impasse.
08-09-2017 01:04 AM
Ok, I found a solution. I'm using the iFrameUrlCommunicator message to send an Ajax request to my server, which then does a getTransactionDetailsRequest API call. That gives me the responseCode and lots of other useful info.
I'm guessing this is the intention, I just didn't see it mentioned anywhere.
Problem solved but any comments welcome.
08-09-2017 02:08 AM
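The server-side check described in the post above, sketched as an added example (not code from this thread or from Authorize.Net's samples): the browser message is treated only as a hint carrying a transId, and the server decides from its own getTransactionDetailsRequest call. It assumes an invoice number was set on the order when the hosted-page token was requested; the function names, the in-memory replay set and the sample response are constructed for illustration.

```python
import json
import urllib.request
from decimal import Decimal

API_URL = "https://apitest.authorize.net/xml/v1/request.api"  # sandbox endpoint

def build_details_request(login_id, transaction_key, trans_id):
    # trans_id arrives from the browser, so validate its shape before using it.
    if not str(trans_id).isdigit():
        raise ValueError("transId must be numeric")
    # Keys are kept in the order the API reference lists them.
    return {"getTransactionDetailsRequest": {
        "merchantAuthentication": {"name": login_id, "transactionKey": transaction_key},
        "transId": str(trans_id)}}

def fetch_details(login_id, transaction_key, trans_id):
    body = json.dumps(build_details_request(login_id, transaction_key, trans_id)).encode()
    req = urllib.request.Request(API_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8-sig"))  # tolerate a leading BOM

def payment_confirmed(details, expected_invoice, expected_amount, used_trans_ids):
    """Trust only the API's answer, and bind it to the order we created."""
    if details.get("messages", {}).get("resultCode") != "Ok":
        return False
    txn = details.get("transaction", {})
    trans_id = str(txn.get("transId", ""))
    if not trans_id or trans_id in used_trans_ids:
        return False  # unknown, or an earlier transId replayed for a new order
    if str(txn.get("responseCode")) != "1":
        return False  # not approved
    if txn.get("order", {}).get("invoiceNumber") != expected_invoice:
        return False  # a real transaction, but for a different order
    amount = txn.get("authAmount")
    if amount is None or Decimal(str(amount)) != Decimal(expected_amount):
        return False
    used_trans_ids.add(trans_id)
    return True

# Constructed sample of the API reply for the transaction quoted in the question;
# the invoice number is a made-up value.
SAMPLE_DETAILS = {
    "transaction": {"transId": "60027782085", "responseCode": 1, "authAmount": 1.00,
                    "order": {"invoiceNumber": "INV-1001", "description": "Red T Shirt"}},
    "messages": {"resultCode": "Ok"},
}
```

In production the replay set would be a unique constraint on the stored transId rather than an in-memory set.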
Hi @Chris2017,
That's one of our usual suggestions, with the other being to wait for a Webhooks notification of the transaction.
The advantage of doing it your way is it will be as close to real time as possible. With Webhooks, there's always the small chance that the notification could be delayed, so you'd have to build some sort of waiting screen to keep people at while either waiting for the Webhook notification, or giving up and querying the system.
08-09-2017 05:41 PM
Been floundering way too long over on this topic.
So wish I would have found this thread sooner.
If this is "one of our usual suggestions" why isn't there sample code of it?
Also, with SIM and Relay Response (RR) the RR code is basically real time. I'm trying to migrate from SIM to Accept Hosted but webhooks is a dog, as timing 18 transactions found average delay before webhook ran to be 13.6 seconds. After a pending member finishes paying for their membership their membership status could easily be still "pending"! Talk about leaving a bad taste in their mouth on their first visit! Sure I can say to them "take another look, it's now 'active'" but the damage is already done...
10-02-2019 03:22 AM