MAGETWO-93786: Payment APIs webhooks are now expecting a form key

Oleksandr Gorkun · Oleksandr Gorkun · commit acccc1a5cb2d · 2018-07-25T18:06:30.000+03:00
diff --git a/app/code/Magento/Authorizenet/Controller/Directpost/Payment/BackendResponse.php b/app/code/Magento/Authorizenet/Controller/Directpost/Payment/BackendResponse.php
@@ -10,12 +10,15 @@
 use Magento\Authorizenet\Model\Directpost;
 use Magento\Authorizenet\Model\DirectpostFactory;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Registry;
 use Psr\Log\LoggerInterface;
 
-class BackendResponse extends \Magento\Authorizenet\Controller\Directpost\Payment
+class BackendResponse extends \Magento\Authorizenet\Controller\Directpost\Payment implements CsrfAwareActionInterface
 {
     /**
      * @var LoggerInterface
@@ -48,6 +51,23 @@ public function __construct(
         $this->logger = $logger ?: $this->_objectManager->get(LoggerInterface::class);
     }
 
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * Response action.
      * Action for Authorize.net SIM Relay Request.
diff --git a/app/code/Magento/Authorizenet/Controller/Directpost/Payment/Response.php b/app/code/Magento/Authorizenet/Controller/Directpost/Payment/Response.php
@@ -6,8 +6,29 @@
  */
 namespace Magento\Authorizenet\Controller\Directpost\Payment;
 
-class Response extends \Magento\Authorizenet\Controller\Directpost\Payment
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
+
+class Response extends \Magento\Authorizenet\Controller\Directpost\Payment implements CsrfAwareActionInterface
 {
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * Response action.
      * Action for Authorize.net SIM Relay Request.
diff --git a/app/code/Magento/Paypal/Controller/Ipn/Index.php b/app/code/Magento/Paypal/Controller/Ipn/Index.php
@@ -7,12 +7,15 @@
 
 namespace Magento\Paypal\Controller\Ipn;
 
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
 use Magento\Framework\Exception\RemoteServiceUnavailableException;
 
 /**
  * Unified IPN controller for all supported PayPal methods
  */
-class Index extends \Magento\Framework\App\Action\Action
+class Index extends \Magento\Framework\App\Action\Action implements CsrfAwareActionInterface
 {
     /**
      * @var \Psr\Log\LoggerInterface
@@ -39,6 +42,23 @@ public function __construct(
         parent::__construct($context);
     }
 
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * Instantiate IPN model and pass IPN request to it
      *
diff --git a/app/code/Magento/Paypal/Controller/Payflow/CancelPayment.php b/app/code/Magento/Paypal/Controller/Payflow/CancelPayment.php
@@ -6,8 +6,29 @@
  */
 namespace Magento\Paypal\Controller\Payflow;
 
-class CancelPayment extends \Magento\Paypal\Controller\Payflow
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
+
+class CancelPayment extends \Magento\Paypal\Controller\Payflow implements CsrfAwareActionInterface
 {
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * When a customer cancel payment from payflow gateway.
      *
diff --git a/app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php b/app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php
@@ -6,11 +6,14 @@
  */
 namespace Magento\Paypal\Controller\Payflow;
 
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
 use Magento\Paypal\Controller\Payflow;
 use Magento\Paypal\Model\Config;
 use Magento\Sales\Model\Order;
 
-class ReturnUrl extends Payflow
+class ReturnUrl extends Payflow implements CsrfAwareActionInterface
 {
     /**
      * @var array of allowed order states on frontend
@@ -30,6 +33,23 @@ class ReturnUrl extends Payflow
         Config::METHOD_PAYFLOWLINK
     ];
 
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * When a customer return to website from payflow gateway.
      *
diff --git a/app/code/Magento/Paypal/Controller/Payflow/SilentPost.php b/app/code/Magento/Paypal/Controller/Payflow/SilentPost.php
@@ -6,8 +6,29 @@
  */
 namespace Magento\Paypal\Controller\Payflow;
 
-class SilentPost extends \Magento\Paypal\Controller\Payflow
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
+
+class SilentPost extends \Magento\Paypal\Controller\Payflow implements CsrfAwareActionInterface
 {
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * Get response from PayPal by silent post method
      *
diff --git a/app/code/Magento/Paypal/Controller/Transparent/Response.php b/app/code/Magento/Paypal/Controller/Transparent/Response.php
@@ -5,6 +5,9 @@
  */
 namespace Magento\Paypal\Controller\Transparent;
 
+use Magento\Framework\App\CsrfAwareActionInterface;
+use Magento\Framework\App\Request\InvalidRequestException;
+use Magento\Framework\App\RequestInterface;
 use Magento\Framework\Registry;
 use Magento\Framework\App\Action\Context;
 use Magento\Framework\View\Result\LayoutFactory;
@@ -20,7 +23,7 @@
 /**
  * Class Response
  */
-class Response extends \Magento\Framework\App\Action\Action
+class Response extends \Magento\Framework\App\Action\Action implements CsrfAwareActionInterface
 {
     /**
      * Core registry
@@ -91,6 +94,23 @@ public function __construct(
         $this->paymentFailures = $paymentFailures ?: $this->_objectManager->get(PaymentFailuresInterface::class);
     }
 
+    /**
+     * @inheritDoc
+     */
+    public function createCsrfValidationException(
+        RequestInterface $request
+    ): ?InvalidRequestException {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validateForCsrf(RequestInterface $request): ?bool
+    {
+        return true;
+    }
+
     /**
      * @return ResultInterface
      */
