Fix paypal same-site origin opener policy

2022-05-01 10:47:08 -06:00 · 2022-05-01 10:47:08 -06:00 · b3c75bdb7d
commit b3c75bdb7d
parent f2003a711f
3 changed files with 17 additions and 12 deletions
--- a/src/ptcoffee/config.py
+++ b/src/ptcoffee/config.py
@ -20,6 +20,7 @@ CACHE_CONFIG = {

 PAYPAL_CLIENT_ID = os.environ.get('PAYPAL_CLIENT_ID', '')
 PAYPAL_SECRET_ID = os.environ.get('PAYPAL_SECRET_ID', '')
+PAYPAL_ENVIRONMENT = os.environ.get('PAYPAL_ENVIRONMENT', 'SANDBOX')
 USPS_USER_ID = os.environ.get('USPS_USER_ID', '639NATHA3105')
 DEFAULT_ZIP_ORIGINATION = os.environ.get('DEFAULT_ZIP_ORIGINATION', '98368')

@ -37,3 +38,4 @@ SECURE_HSTS_SECONDS = os.environ.get('SECURE_HSTS_SECONDS', 3600)
 SECURE_SSL_REDIRECT = os.environ.get('SECURE_SSL_REDIRECT', 'False') == 'True'
 SESSION_COOKIE_SECURE = os.environ.get('SESSION_COOKIE_SECURE', 'False') == 'True'
 CSRF_COOKIE_SECURE = os.environ.get('CSRF_COOKIE_SECURE', 'False') == 'True'
+SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin-allow-popups'
--- a/src/static/scripts/payment.js
+++ b/src/static/scripts/payment.js
@ -5,6 +5,12 @@ let form = document.querySelector('.order-create-form')
 // Render the PayPal button into #paypal-button-container
 paypal.Buttons({

+    style: {
+        color: "gold",
+        shape: "rect",
+        layout: "vertical"
+    },
+
    // Call your server to set up the transaction
    createOrder: function(data, actions) {
        const formData = new FormData(form)
@ -24,22 +30,19 @@ paypal.Buttons({
        })

        return fetch(request, options)
-            .then(function(res) {
-                return res.json();
-            }).then(function(orderData) {
-                return orderData.id;
-            });
+            .then((response) => response.json())
+            .then((order) => order.id)
    },

    // Call your server to finalize the transaction
-    onApprove: function(data, actions) {
+    onApprove: (data, actions) => {
        const csrftoken = getCookie("csrftoken")
        return fetch('/paypal/order/' + data.orderID + '/capture/', {
            method: 'post',
            headers: {'X-CSRFToken': csrftoken}
-        }).then(function(res) {
-            return res.json();
-        }).then(function(orderData) {
+        })
+        .then((response) => response.json())
+        .then((orderData) => {
            var errorDetail = Array.isArray(orderData.details) && orderData.details[0];

            if (errorDetail && errorDetail.issue === 'INSTRUMENT_DECLINED') {
--- a/src/storefront/payments.py
+++ b/src/storefront/payments.py
@ -23,10 +23,10 @@ class PayPalClient:
        """Setting up and Returns PayPal SDK environment with PayPal Access credentials.
           For demo purpose, we are using SandboxEnvironment. In production this will be
           LiveEnvironment."""
-        if settings.DEBUG:
-            self.environment = SandboxEnvironment(client_id=self.client_id, client_secret=self.client_secret)
-        else:
+        if settings.PAYPAL_ENVIRONMENT == 'LIVE':
            self.environment = LiveEnvironment(client_id=self.client_id, client_secret=self.client_secret)
+        else:
+            self.environment = SandboxEnvironment(client_id=self.client_id, client_secret=self.client_secret)

        """ Returns PayPal HTTP client instance with environment which has access
            credentials context. This can be used invoke PayPal API's provided the