I’ve been asked to integrate a windows form application with SagePay to take payments directly from the application. The SagePay documentation talks about ASP.NET so I’m not sure whether this is possible. Has anyone integrated a WinForm application with SagePay before? Is it possible?
I know some payment processors have a connection option where the payment part is hosted on a form on their server. You could try embedding a web browser control into your app to display the payment page.
Usually there is another type of connection option where you can send your information via HttpWebRequest, but I'm not sure that this would work as it requires SSL. Since you are running your app as a desktop client, I'm not sure what you would have available.
I am not sure this is possible given that sagepay needs to redirect users to Mastercard securecode or Verified by Visa, I think they would need to redirect to the bank which then redirects back to a supplied URL. I would think this needs to be within a browser environment.
You can post to urls and get back a response via .net objects and parse the results to display on a form.
You can also ask SagePay to create a Vendor account with 3d secure switched off. This allows you to take payments in house in your winforms app without the customers password however most card vendors if you bypass 3d secure will not protect you if someone calls and uses a card fraudulently.
However it can definitely be done.
You can normally post to secure servers from non secure pages so again this isn't usually an issue.
Related
I wrote a web application which connects to the Salesforce API using the OAuth 2.0 web server flow, and that all works fine.
But now there is a requirement to access the Salesforce API from a WinForms desktop application and I'm stuck. Salesforce suggest using the User-Agent, or implict, flow for desktop applications.
The flow is described by Salesforce here - https://help.salesforce.com/articleView?id=remoteaccess_oauth_user_agent_flow.htm&type=5
I've created a WinForms application and used the CefSharp library to embed a browser. I can open a web page in the embedded browser using the URL syntax shown in the article, e.g.
https://login.salesforce.com/services/oauth2/authorize?response_type=token&
client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
But I don't know where to go from here.
I'm guessing the redirect URI has to be a public endpoint, but how would the token returned by Salesforce to the URI finds it's way back to my desktop application so it can be used in the headers of WebRequests to access the API.
I would be grateful for any help, pointers, sample code, etc.
Thanks.
redirect uri doesn't have to be public. It can be localhost:somePort and your application would have to be listening to traffic on that port.
For example if you want to develop SF code using SFDX CLI + Visual Studio Code - there's a nice way to authorise access to SF org where you type your credentials on the website but when all is good - the OAuth piece gets sent to localhost:1717. As long as nothing else is listening on this port you're fine. Similar with Salesforce Data Loader - you can type username and pass to it but it also has this web-based flow. And sometimes it's the only option really, if your SF admin enabled Single Sign-On that authenticates against Active Directory/Google/Facebook/... - you might not be able to use SF username and password.
My C# days are long gone but listening on a port on local machine shouldn't be the end of the world? You shouldn't need a full-blown web server bundled with your app...
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow has some good theory
https://learn.microsoft.com/en-us/dotnet/api/system.net.sockets.tcplistener?redirectedfrom=MSDN&view=netcore-3.1 example code?
As eyescream's answer explains, there are security issues with the Webserver flow, since any malware listening to that port could also access the security token.
Thus, I want to explain how to use the User-Agent flow in this scenario:
Set REDIRECT_URI to any https-endpoint that you trust. Since your data will never reach that endpoint, it doesn't matter what endpoint you choose.
For example, I use REDIRECT_URI = https:\\login.salesforce.com\, since I am sure that Salesforce themselves will not do anything harmful with a token to their own API, in case something goes wrong and they do actually receive it.
Since you are using a browser (CefSharp) directly in your application, you have access to the URL string. I do not know CefSharp, but I am sure there is something like a BeforeRedirect event which tells you the URL before actually redirecting.
Before every redirect, search the URL string for "access_token=". If you find that string, extract the token from the URL string and close the browser.
Make sure that you close the browser before the redirect. This ensures that the token never reaches the endpoint you chose in step 1.
i want to add Paypal payment through unity without direct the users to the web browser at all.
https://devtools-paypal.com/guide/pay_paypal/dotnet?interactive=OFF&env=sandbox
I looked at this tutorial but at step 3 the user is asked to go through the web browser to log in,
There is any way do the log in process directly with .net / c# code through unity
thank you
As far as I know this is only possible by including a browser (cause security reasons). C# has a WebBrowser class, which you could modify, so the user thinks it's in the game.
An other thing you can try is a http request via c# where you pass the username and the password to the website (but I don't know if this is possible with paypal).
I am currently working on a project for which there exists both a mobile app and a web site. One task can be performed on either the web site (meant for desktop users) or the app. Right now, the requested functionality for the site is as follows:
If a desktop user visits the web page, continue on that page as usual.
If a mobile user visits the web page, redirect them to the installed mobile app.
I have already implemented logic to tell whether the user is on a desktop or mobile device (most of the time, at least); however, it occurred to me that some users may not have the app installed, or that a desktop device could be incorrectly identified as a mobile device in the future. If a computer that does not have the app installed is redirected, they will encounter some error or an about:blank page. So, my question is, is there any way to tell whether a Response.Redirect to a mobile app will succeed?
So far I have investigated the HttpWebRequest/HttpWebResponse option to try and determine success or failure based on a requested page response prior to the redirect, but this does not seem like a valid option since a URL linked to an app will not provide a valid URI for the HttpWebRequest to test with. Any assistance or advice would be greatly appreciated. Thank you!
For clarification, the redirect looks something like this:
Response.Redirect("opencustomapp://SomePage?Parameter1=bar&Parameter2=foo");
The expected result is not to open a web page, but rather to interact with an app installed on the user's phone which has been mapped to this url.
EDIT: I have accepted the answer that it does not seem possible to do what I was asking for, but in case others have this problem, I wanted to attach some useful links to other questions about how to use a cookie to determine if the app is installed and how to redirect the user to some other place if the cookie is not set. For my own code, I will probably be going with a combination of a user-agent check and the setTimeout() function, as this can be implemented from code-behind using ClientScript.RegisterStartupScript without requiring any changes to the existing app.
No, there is no way to tell at the server if the redirect would succeed. This is because the redirect is sent back to the client from your server and executed at the client. Probably the best thing that you can do is use the mobile app to set a cookie for the website on the device, and then check for that cookie on the server side of the request... if it exists, redirect. Be careful to clear the cookie if they delete the app (if possible, not super familiar with mobile apps), otherwise the redirect would fail.
For the past 2 years we have created 3 desktop application and 2 admin section(web) for one of my client.
Every application uses its own authentication process.
I have merged the authentication process for web in single unit.
But the client wants to have one screen for getting authenticated on desktop application as well as on website.
he also want to use different browser and the username /password should be asked only once irrespective of browser opend.
I tried to use cookies for web. but every browser has got its own cookies.
Can any one suggest how can i authenticate a user for the whole computer so that authentication information is available to desktop application as well as to website irrespective of the browser being used?
Edit: As suggested by joe using windows authentication is not possible in my case.
So i created one more table with following column
ip,userid,authenticatedat
when ever a user is authenticated i insert its ip,userid, and time in table.
when ever a non authenticate user comes first i look in the table if the ip is present and authenticatedat is within 30 min i assume user is authenticated and set the session/variable with data required.
This i have checked and found it is working .
I have found this is not secure.
Windows authentication is the only way I know of doing this. Assuming your users are on a domain you control, then their Windows credentials would validate them, and they wouldn't ever need to enter a username and password.
Outside of that, I can only think of hacky dirty methods of making this happen. You could install a single authentication service on their machine which is available to connect to remotely from other applications - those apps would call your service, and that service would authenticate the user and pass an authentication token back. Easy enough for Windows apps, but making that work on a web app wouldn't be fun. Your web server wouldn't be able to talk to this service, so you'd have to rely on the client javascript talking to the service and retrieving a token or hash, and then the javascript passing this on to the web server.
Anything you put on a local machine, you have to assume the user can reverse engineer and manipulate, so if you need real security, I doubt you'll find a solution. Best bet is just to make the user log in every time you need to, and have your authentication/authorization code on your web service layer.
I'm currently toying around with the Clarity .NET Facebook API but am finding certain situations with authentication to be kind of limiting. I keep going through the tutorials but always end up hitting a brick wall with what I want to do. Perhaps I just cannot do it?
I want to make a Web Service that takes in the require credentials (APIKey, SecretKey, UsersId (or Session Key?) and whatever else I would need), and then do various tasks: Post to users wall, add events etc.
The problem I am having is this: The current documentation, examples and support provide a way to do this within the context of a Web site. Within this context, the required "connect" popup can be initiated and allow the user to authenticate and and connect the application. From that point on the Web can go on with its business to do what it needs to do.
If I close the browser and come back to the page, I have to push the connect button again. Except this time, since I was already logged into facebook, I don't have to go through the whole connection process.
But still ... How do applications like Tweetdeck get around this? They seemingly have you connect once, when you install their application, and you don't have to do it again. I would assume that this same idea would have to applied towards making a web service because: You don't know what context the user is in when making the Web service call. The web service methods being called could be coming from a Windows Form app, or code behind in a workflow.
I would advise you to try Steve's blog and starter kit
you can also find a reference to his post in this so question
Good luck
Edited/Added below
You cannot store the facebook login credentials for users and pass them to FB.
(terms & conditions)
but you can use: offline_access, to access some usage without flagging the user as logged in.
Cool tip from this forum:
Use the following URL with your API Key
http://www.facebook.com/login.php?api_key=YOURAPIKEY&connect_display=popup&v=1.0&next=http://www.facebook.com/connect/login_success.html&cancel_url=http://www.facebook.com/connect/login_failure.html&fbconnect=true&return_session=true&req_perms=offline_access
Register for the Facebook Developer
App on your facebook profile.
Create a new app Web App(By default)
through your "Facebook Developer
App". Change the Application Type to
"Desktop App". Note down the API Key
& Secret Key for you app.
Authorize the app & authenticate the user and
then get the permanent session_key.
Authentication
For a fully logged in session, you are asked to use (again terms and conditions) login.php and you can login via JavaScript
HTH
Ric