
Usage instructions issue: Declined transaction is considered successful #89

@shhavel

Description

The provided method for checking the transaction status when charging a credit card is not accurate:

if response.messages.resultCode == MessageTypeEnum::Ok
  # Payment is considered to be successful.
  # Providing goods or services to the customer ...
end

This is taken from the Hello World example and the README of the current gem.

Please check the XML responses for the different cases:

Successful charge:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Ok</resultCode>
    <message>
      <code>I00001</code>
      <text>Successful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>1</responseCode>
    <authCode>UZJ0KN</authCode>
    <avsResultCode>Y</avsResultCode>
    <cvvResultCode>P</cvvResultCode>
    <cavvResultCode>2</cavvResultCode>
    <transId>2249638815</transId>
    <refTransID />
    <transHash>8614D9C8EA2ED3869D3CBE33D118B68C</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX4242</accountNumber>
    <accountType>Visa</accountType>
    <messages>
      <message>
        <code>1</code>
        <description>This transaction has been approved.</description>
      </message>
    </messages>
  </transactionResponse>
</createTransactionResponse>

Failure:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Error</resultCode>
    <message>
      <code>E00027</code>
      <text>The transaction was unsuccessful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>3</responseCode>
    <authCode />
    <avsResultCode>P</avsResultCode>
    <cvvResultCode />
    <cavvResultCode />
    <transId>0</transId>
    <refTransID />
    <transHash>137CBC40236BA3F51C96439EC93BEF10</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX4242</accountNumber>
    <accountType>Visa</accountType>
    <errors>
      <error>
        <errorCode>8</errorCode>
        <errorText>The credit card has expired.</errorText>
      </error>
    </errors>
  </transactionResponse>
</createTransactionResponse>

The transaction is declined:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Ok</resultCode>
    <message>
      <code>I00001</code>
      <text>Successful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>2</responseCode>
    <authCode />
    <avsResultCode>N</avsResultCode>
    <cvvResultCode>M</cvvResultCode>
    <cavvResultCode />
    <transId>8449440786</transId>
    <refTransID />
    <transHash>3BD3DB541ECEEE82758CABE23CF25B0B</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX3173</accountNumber>
    <entryMode>Keyed</entryMode>
    <accountType>MasterCard</accountType>
    <errors>
      <error>
        <errorCode>2</errorCode>
        <errorText>This transaction has been declined.</errorText>
      </error>
    </errors>
  </transactionResponse>
</createTransactionResponse>

So, according to the documentation, both a successful transaction and a declined transaction are considered paid (response.messages.resultCode == "Ok").

It would be more accurate to check the transactionResponse message code:

# resultCode == Ok only means the API request was processed; the card
# outcome is in transactionResponse. An approval carries a <messages>
# element whose first <message><code> is "1"; declines and errors carry
# <errors> instead, so guard against a missing messages list.
tr = response.transactionResponse
if response.messages.resultCode == MessageTypeEnum::Ok &&
  tr && tr.messages && tr.messages.messages[0] &&
  tr.messages.messages[0].code == "1"
  # Payment is considered to be successful.
  # Providing goods or services to the customer ...
end

I think this is a serious vulnerability issue.
Thanks
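As an added example (not part of the issue, and not the gem's own code), the two-gate check the issue describes applied directly to the raw XML, so the envelope resultCode and the transactionResponse responseCode are never confused. It uses only the Ruby standard library (REXML) rather than the SDK objects, and the three sample documents are constructed here from the responses quoted above, trimmed to the fields the check needs. responseCode 4 (held for review) is taken from Authorize.Net's documented codes and is not shown on this page; the module, struct and method names are this example's own.

```ruby
require 'rexml/document'

# Classifies an Authorize.Net createTransactionResponse.
# Gate 1: <messages><resultCode> says whether the API request was processed.
# Gate 2: <transactionResponse><responseCode> says what happened to the card.
# A declined card still arrives with resultCode "Ok", so gate 1 alone is not enough.
module AnetOutcome
  Result = Struct.new(:outcome, :trans_id, :reason)

  RESPONSE_CODES = {
    '1' => :approved,
    '2' => :declined,
    '3' => :error,
    '4' => :held_for_review, # documented by Authorize.Net; not shown in the issue
  }.freeze

  # First direct child element with the given local name; ignores the default
  # namespace on the root so no XPath namespace mapping is needed.
  def self.child(el, name)
    el && el.elements.to_a.find { |c| c.name == name }
  end

  # Text of the element reached by walking the given child names, or nil.
  def self.text(el, *path)
    node = path.reduce(el) { |cur, name| child(cur, name) }
    node && node.text && node.text.strip
  end

  def self.classify(xml)
    root = begin
      REXML::Document.new(xml).root
    rescue REXML::ParseException
      nil
    end
    unless root && root.name == 'createTransactionResponse'
      return Result.new(:malformed, nil, 'unexpected or unparsable document')
    end

    tr = child(root, 'transactionResponse')
    trans_id = text(tr, 'transId')
    # Prefer the card-level error text, fall back to the envelope message.
    failure_reason = text(tr, 'errors', 'error', 'errorText') ||
                     text(root, 'messages', 'message', 'text')

    # Gate 1: request-level failure (e.g. E00027) is never a payment.
    return Result.new(:error, trans_id, failure_reason) if text(root, 'messages', 'resultCode') != 'Ok'

    # Gate 2: the card network's answer. Unknown codes are treated as not paid.
    outcome = RESPONSE_CODES.fetch(text(tr, 'responseCode'), :malformed)
    reason = outcome == :approved ? text(tr, 'messages', 'message', 'description') : failure_reason
    Result.new(outcome, trans_id, reason)
  end

  # Release goods only on an explicit approval, never on "not an error".
  def self.paid?(xml)
    classify(xml).outcome == :approved
  end

  # Constructed samples, trimmed from the responses quoted in the issue.
  SAMPLE_APPROVED = <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <createTransactionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
      <messages><resultCode>Ok</resultCode><message><code>I00001</code><text>Successful.</text></message></messages>
      <transactionResponse><responseCode>1</responseCode><transId>2249638815</transId>
        <messages><message><code>1</code><description>This transaction has been approved.</description></message></messages>
      </transactionResponse>
    </createTransactionResponse>
  XML

  SAMPLE_ERROR = <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <createTransactionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
      <messages><resultCode>Error</resultCode><message><code>E00027</code><text>The transaction was unsuccessful.</text></message></messages>
      <transactionResponse><responseCode>3</responseCode><transId>0</transId>
        <errors><error><errorCode>8</errorCode><errorText>The credit card has expired.</errorText></error></errors>
      </transactionResponse>
    </createTransactionResponse>
  XML

  SAMPLE_DECLINED = <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <createTransactionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
      <messages><resultCode>Ok</resultCode><message><code>I00001</code><text>Successful.</text></message></messages>
      <transactionResponse><responseCode>2</responseCode><transId>8449440786</transId>
        <errors><error><errorCode>2</errorCode><errorText>This transaction has been declined.</errorText></error></errors>
      </transactionResponse>
    </createTransactionResponse>
  XML
end

if $PROGRAM_NAME == __FILE__
  [AnetOutcome::SAMPLE_APPROVED, AnetOutcome::SAMPLE_ERROR, AnetOutcome::SAMPLE_DECLINED].each do |xml|
    r = AnetOutcome.classify(xml)
    puts "#{r.outcome} transId=#{r.trans_id.inspect} paid=#{AnetOutcome.paid?(xml)} (#{r.reason})"
  end
end
```

The declined sample is the case the issue is about: its envelope says Ok, yet classify returns :declined and paid? returns false. Anything that is not an explicit approval, including an unknown responseCode or an unparsable body, is treated as not paid, which is the safe default for a fulfilment decision.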
