Cybersource Developer Community Cybersource Developer Community

ravuriauth200 · ‎02-19-2017

Hi. I have configured Authorize.net, accept hosted payment method for my client requirement, where everything is happening fine, except Transaction response. I am using webhook event but which is displaying an error when i make request for list of available webhook events.

My doubts are:

My Code displaying this error when calling list of available webhooks

`{
  "status": 405,
  "reason": "Method Not Allowed",
  "message": "The requested resource does not support http method 'POST' for given parameters.",
  "correlationId": "ff90ee25-0ba7-4006-bb1e-225ea64897e3"
}`

Should i configure webhook anywhere in my Merchant Panel
How would i get my transaction response using webhook

Following is my code

 <?php
	      $login_transKey = 'xxx:xxx'; //Login and Transaction Key of Authorize.net
	      $jsonObj = '{
			"name": "Get WebHooks",
			"request": {
				"url": "http://localhost:81/hosted_payment_form/webhookstwo.php",
				"method": "GET",
				"header": [
					{
						"key": "Content-Type",
						"value": "application/json",
						"description": ""
					},
					{
						"key": "Authorization",
						"value": "'.$login_transKey.'",
						"description": ""
					}
				],
				"body": {
					"mode": "formdata",
					"formdata": []
				},
				"description": ""
			},
			"response": []
		}';
       	$jsonObj = json_encode($jsonObj);
       	$url = "https://apitest.authorize.net/rest/v1/eventtypes";		
       	curl_setopt($ch, CURLOPT_URL, $url);
	    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
        curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonObj);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false );
        $content = curl_exec($ch);
 	    echo '<pre>'; print_r($content); die();
        curl_close($ch);
        ?>

Please, let me know if you need anymore information.

Lilith · ‎02-21-2017

I am not a PHP developer, so please take my suggestions with a grain of salt.

But I couldn't help but notice you have CURLOPT_POSTFIELDS in your code. If I undersand that cURL directive correctly, that should only be used with HTTP POST. However, the correct way to make this API call is with HTTP GET -- which is why you got an HTTP 405 Method Not Allowed response.

As this API call doesn't have any fields that must be submitted via HTTP POST, I would recommend dropping CURLOPT_POSTFIELDS from your code.

(Also, as an unrelated side-note: I also noticed you have CURLOPT_VERIFYPEER and CURLOPT_VERIFYHOST set to "false." This is not a recommended practice for PCI compliant applications, as your solution should be verifying the server hosting any TLS connections. This might be acceptable for early development, but I recommend setting both to "true" before using this code in a production environment.)

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

View solution in original post

Aaron · ‎02-21-2017

Just to build on what Lilith says, the Webhooks API is a REST API, which means requests are constructed using HTTP verbs and URLs, and only sometimes posting data. The request for listing the event types is a request you make via an HTTP GET, and doesn't actually require any JSON to be posted to make the request.

The next issue is authentication. Each request of the Webhooks API (whether POST or GET) has to have a standard HTTP basic authentication header in it to show that you're authorized. Authorization is explained in the documentation, but is basically a header with the key "Authorization" and the value of the word "Basic" followed by a base 64 encoding of your login ID and transaction key separated by a colon.

Here's an example of what a proper request for the event types list would look like:

 <?php
	$login_transKey = 'xxx:xxx'; //Login and Transaction Key of Authorize.net
       	$url = "https://apitest.authorize.net/rest/v1/eventtypes";		
        $headers = array( 'Content-Type:application/json','Authorization: Basic '. base64_encode("$login_transKey") );
        $ch = curl_init();
       	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        $content = curl_exec($ch);
 	    echo '<pre>'; print_r($content); die();
        curl_close($ch);
?>

I did it this way to make it clearer how the authentication header was being constructed, but you could also let curl create the header for you by adding a couple of more curl_setopt lines:

 <?php
	$login_transKey = 'xxx:xxx'; //Login and Transaction Key of Authorize.net
       	$url = "https://apitest.authorize.net/rest/v1/eventtypes";		

        $ch = curl_init();
       	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
        curl_setopt($ch, CURLOPT_USERPWD, $login_transkey);
        $content = curl_exec($ch);
 	    echo '<pre>'; print_r($content); die();
        curl_close($ch);
?>

To do the Webhooks stuff that requires POST, you'd do it more like your code example (POSTing JSON to the server), but you don't include the Content-Type or Authorization in the JSON. They're HTTP headers. The JSON that you post should follow the examples in our documentation.

One more thing: If you use Postman, find the link that says "Webhooks REST API Postman Collection" in our documentation. If you don't use Postman, you should. :) It's an invaluable tool for seeing how this request response stuff works in HTTP, and testing your own requests.

View solution in original post

Aaron · ‎02-22-2017

Hi @ravuriauth200,

These are excellent questions, and I'll try my best to answer them all. If I miss any, just ask again!

Let's start with a little bit of background on Webhooks. Here are a couple of articles I found on the web discussing the basic concept, with a little bit of an eye towards developing and testing the listeners or receivers on your end:

At this point, our implementation of Webhooks is entirely controlled through the Webhooks API. There's nothing in the merchant interface that needs to be set up for Webhooks, nor is there anything in the interface that will tell you anything about your existing Webhook setup.

To setup a Webhook, you send a request through the API which tells us what events you want to be notified about, and which URL on your site you want us to post those requests to. Then, whenever one of those events that you've registered happens, we post something to that URL on your site that you gave us.

Since a registered Webhook will post a notification to a URL, that URL you send us has to be a working one that we can reach. That means you can't send us a localhost URL, as we'd never be able to post anything to it from our servers. If, during development, you can't yet set up a URL on your server that will accept a POST request, you could get a temporary URL from a service like http://requestb.in, which can receive the notifications for you and let you review them at will.

The ultimate goal is to set up a url on your end that we can do an HTTP post to. So, you might set up a listener URL like http://www.yourserver.com/webhooks/TransactionResponseListener. You'd have a script or program at that URL set to listen for the notification.

Then, you'd send the request to our Webhooks API to set up a Webhook to be notified of the net.authorize.payment.authcapture.created event. You only need to send this request once to register the URL. At that point, every time an authcapture transaction is created, our server would post a string of JSON data to that URL, so your script or application would receive it and process it appropriately.

The JSON and the code that you posted looks fine. If you sent that to our server, you'd either get a HTTP status code of 200, indicating that it's okay, or you would get another status code if there was an error. In your case, if you sent it as is, our system would give you an HTTP 400 error because it wouldn't recognize the localhost URL as valid. But, as long you sent in a valid URL, that would register that URL as a listener for the post that would happen every time a transaction was created.

When we post a notification in that URL, the notification itself will take the form of the response examples in our Webhooks documentation.

Since you said you were doing Accept Hosted, I want to point out that there's another way to get notified of transactions. If you are bringing up the payment form in an iframe, you can tell the payment form to also include another page from your site that has some javascript embedded as a listener. There's some information about that in our Accept Hosted documentation, but if you want to go down that road instead, we can definitely help you with that.

View solution in original post

Aaron · ‎02-23-2017

Hi @ravuriauth200,

I know you said you got it working in your next post, and I'll respond to that shortly, but I wanted to address testing.

Once you have registered a Webhook, you can request that we send a test notification for any Webhook using the "pings" command. A pings request to our server looks like this:

https://apitest.authorize.net/rest/v1/webhooks/{{webhookId}}/pings

or, as an example:

https://apitest.authorize.net/rest/v1/webhooks/72a55c78-66e6-4b1e-a4d6-3f925c00561f/pings

This request is a POST request with an empty message body. You construct the URL with the Webhook ID you want to test, and then do a POST to that URL. Once we receive that post, we'll send a notification to the registered URL for that Webhook just as if the event for that Webhook actually happened.

Note: To prevent confusion with Webhooks listener URLs that are listening for actual events to occur, the "pings" command only works on Webhooks that are set as inactive. To test a Webhook that isn't currently set to an inactive status, you must first set the status to inactive by sending a request to update the Webhook.

View solution in original post

Aaron · ‎02-23-2017

Hi @ravuriauth200,

For your first issue, you can get the Webhook ID (that unique code) in a couple of places. It's returned in the response when the Webhook is first created. However, if you didn't save the response (like if the Webhook was created by accident), you can always get the ID and status for all of your Webhooks by sending an HTTP GET request (with your authorization header) to

https://apitest.authorize.net/rest/v1/webhooks

The response will list all registered webhooks, with their IDs, status, and what event types they are registered for.

Then you'd delete the ones you don't need by sending an HTTP DELETE request to a url like this:

https://apitest.authorize.net/rest/v1/webhooks/{{webhookId}}

replace the placeholder with the Webhook ID at the end of the URL.

Now, curl by default will do a GET, or it will do a POST if you're posting data, but to do a DELETE request in HTTP using curl, you'll need to add one more curl_setopt line:

    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");

View solution in original post

Aaron · ‎02-23-2017

For the second issue, displaying the line items on the receipt is not something currently supported by Accept Hosted.

You are welcome to post this as a new feature using our Ideas forum. This will allow others to vote on and make suggestions to improve the request.

View solution in original post

Lilith · ‎02-21-2017

I am not a PHP developer, so please take my suggestions with a grain of salt.

But I couldn't help but notice you have CURLOPT_POSTFIELDS in your code. If I undersand that cURL directive correctly, that should only be used with HTTP POST. However, the correct way to make this API call is with HTTP GET -- which is why you got an HTTP 405 Method Not Allowed response.

As this API call doesn't have any fields that must be submitted via HTTP POST, I would recommend dropping CURLOPT_POSTFIELDS from your code.

(Also, as an unrelated side-note: I also noticed you have CURLOPT_VERIFYPEER and CURLOPT_VERIFYHOST set to "false." This is not a recommended practice for PCI compliant applications, as your solution should be verifying the server hosting any TLS connections. This might be acceptable for early development, but I recommend setting both to "true" before using this code in a production environment.)

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

Aaron · ‎02-21-2017

Just to build on what Lilith says, the Webhooks API is a REST API, which means requests are constructed using HTTP verbs and URLs, and only sometimes posting data. The request for listing the event types is a request you make via an HTTP GET, and doesn't actually require any JSON to be posted to make the request.

The next issue is authentication. Each request of the Webhooks API (whether POST or GET) has to have a standard HTTP basic authentication header in it to show that you're authorized. Authorization is explained in the documentation, but is basically a header with the key "Authorization" and the value of the word "Basic" followed by a base 64 encoding of your login ID and transaction key separated by a colon.

Here's an example of what a proper request for the event types list would look like:

 <?php
	$login_transKey = 'xxx:xxx'; //Login and Transaction Key of Authorize.net
       	$url = "https://apitest.authorize.net/rest/v1/eventtypes";		
        $headers = array( 'Content-Type:application/json','Authorization: Basic '. base64_encode("$login_transKey") );
        $ch = curl_init();
       	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        $content = curl_exec($ch);
 	    echo '<pre>'; print_r($content); die();
        curl_close($ch);
?>

I did it this way to make it clearer how the authentication header was being constructed, but you could also let curl create the header for you by adding a couple of more curl_setopt lines:

 <?php
	$login_transKey = 'xxx:xxx'; //Login and Transaction Key of Authorize.net
       	$url = "https://apitest.authorize.net/rest/v1/eventtypes";		

        $ch = curl_init();
       	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
        curl_setopt($ch, CURLOPT_USERPWD, $login_transkey);
        $content = curl_exec($ch);
 	    echo '<pre>'; print_r($content); die();
        curl_close($ch);
?>

To do the Webhooks stuff that requires POST, you'd do it more like your code example (POSTing JSON to the server), but you don't include the Content-Type or Authorization in the JSON. They're HTTP headers. The JSON that you post should follow the examples in our documentation.

One more thing: If you use Postman, find the link that says "Webhooks REST API Postman Collection" in our documentation. If you don't use Postman, you should. :) It's an invaluable tool for seeing how this request response stuff works in HTTP, and testing your own requests.

ravuriauth200 · ‎02-22-2017

Thank you Aaron & Lilith.

Now everything works fine. But i have stucked at one point, which i have already raised in my first question. I would request you to provide, some inputs.

Should i configure webhook anywhere in my Merchant Panel
- I have read that, after successful transaction, the transaction reponse would be sent to registed url with webhook. May i know how it can be done. should i configure that in Merchant panel to notify me for every transaction.
How would i get my transaction response using webhook
- Using net.authorize.payment.authcapture.created, to notify me after transaction. but i am getting blank screen.

I am passing my Json like this.

$jsonQuery = '{
	"url": "http://localhost:81/api/webhooks",
	"eventTypes": [
	"net.authorize.payment.authcapture.created",
	"net.authorize.customer.created",
	"net.authorize.customer.paymentProfile.created",
	"net.authorize.customer.subscription.expiring"
	],
	"status": "active"
	}';

and code is here

$url = "https://apitest.authorize.net/rest/v1/webhooks";		
		$headers = array( 'Content-Type:application/json','Authorization: Basic '.$login_transKey) );
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL, $url);
		curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
		curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonQuery);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false );
		$content = curl_exec($ch);
		curl_close($ch);
		echo '<pre>'; print_r($content); 
		die();

Please, provide some inputs, as i am new to this webhook concept. I have read that, by registering our server url to webhook, where we hold response and progress it programatically. How would i test it. i mean, after succesful transaction, shall i go to merchant panel to see anything about notifications.

How my custom url is registered to webhook ?

Once again. Thank you Aaron and Lilith.

Aaron · ‎02-22-2017