I am developing a site where users can buy features using paypal. If user's paypal email is different from the email stored in our site how can i get notified about the user's payment via IPN?
You tagged your question with C#, so I'm assuming you're developing an ASP.NET site. And in the absence of more specific information, I'm going to assume you're using the default SqlMembershipProvider for your site.
So, to identify your user, you should probably use the ProviderUserKey property of the MembershipUser object. Use the following code to get the ProviderUserKey for your currently logged-in user:
MembershipUser currentUser = Membership.GetUser();
string userId = currentUser.ProviderUserKey.ToString();
Once you have a String containing the ProviderUserKey, you can pass it to PayPal using the custom HTML variable in your form:
<input type="hidden" name="custom" value="<%=userId%>"/>
When PayPal send the IPN message, it will send back the value that you set for the custom HTML variable. You can get the value from Response.Form and get the corresponding user:
object userId = Request.Form["custom"];
MembershipUser user = Membership.GetUser(userId);
Hope this helps!
You need to use the email of the user (the one which he/she used for your website) as an identifier.
When the user pays you, your website needs to send this email to Paypal as a "custom" field, and Paypal will send it back to you, among other IPN notification parameters.
Related
I have this code in order to get the email
string code = Request.QueryString["code"];
if (!string.IsNullOrEmpty(code)){
string data = FaceBookConnect.Fetch(code, "me");
FaceBookUser faceBookUser = new JavaScriptSerializer().Deserialize<FaceBookUser>(data);
And on the click event I defined this:
FaceBookConnect.Authorize("email", Request.Url.AbsoluteUri.Split('?')[0]);
The problem is that it gives me a null value as email, i tried doing the same for the name and it is the only field that actually works. I read that thay have changed the version to v2.6 and it is necessary to do the facebookConnect.Fetch in another way, but I am unable to find how. Anyone knows something? Thanks everyone!
Have you requested the email info from Facebook? You must do that at start of login and the user has to approve this before Facebook will provide it. Facebook also says it will be null if the address is not valid or if they used a phone number to sign up:
"Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty."
https://developers.facebook.com/docs/facebook-login/permissions#reference-email
I have a scenario here whereby when a user wants to reset a password, the system will have to send a temporary random generated password to the user by email. I tried storing the temporary password into a new column in the database but I am not really sure about whether this approach works well. Some people recommend using token such as below:
string code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
However, I am really new to ASP.NET and I am not familiar with token. How do I compare the temporary generated token with the token in the database?
Another method that I found to implement this is to have a Membership.GeneratePassword function that generates a random string of characters:
model.temppwd = Membership.GeneratePassword(10, 1);
Can anybody provide me an ideal way to implement this functionality with some example? Thank you!
In our project we used
Guid.NewGuid();
and sent the email containing the link to the recover password action (MVC) as a query string: https://yoursite.com/account/reset/?code=your_guid_code
Example:
ResetPassword resetPassword = new resetPassword();
resetPassword.Code = Guid.NewGuid();
string strLink = string.Format("{0}", actionUrl + "?code="+ resetPassword.Code);`
And now you can use the strLink to send with your e-mail. You'll need to store the Guid in a database table alongside with the userId, so that you can implement the resetting procedure. When the user clicks the link from your email he'll get in a form / view that asks for a new password. Also you'll want to add an extra column to that table in order to provide an expiration limit for that code. If the user clicks the link in the e-mail and the code expired you'll have to inform the user and send another e-mail with another code.
To reset a password we need to know a UserId and pass it to the UserManager.ResetPasswordAsync method. In the Identity 1.0 it was possible to obtain UserId from the UserManager.PasswordResetTokens.Validate method ((UserManager.PasswordResetTokens.Validate(token)).UserId). Now it's gone and all existing examples telling me that I need to ask an user for username or email. This is not user friendly, I don't want my users enter username again if token is valid.
This is already established tradition in ASP.NET Identity - something that worked before is broken in the new release. Of course I can create my own combined token with embedded UserId, but why I need to do extra work? New releases should improve things, not make them worse.
Asp.Net Identity 2.x do not provide a way to find a user by a token created from GeneratePasswordResetTokenAsync method.
You have two options:
1) Add the user id at the url you will send to the user. Ex:
var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);
var callbackUrl = $"/reset-password/?user={WebUtility.UrlEncode(applicationUser.Id)}&code={WebUtility.UrlEncode(token)}";
This approach is more user friendly. But I know people that says this is a security issue because anyone with the link could reset the user password.
2) Ask for the user name at the reset password page, as you did. Ex:
public async Task<YourResultModel> ResetPassword(ResetPasswordViewModel vm)
{
// Your password validations...
var user = await _userManager.FindByNameAsync(vm.UserName);
// could be FindByEmailAsync if your app uses the user e-mail to login.
IdentityResult result = await _userManager.ResetPasswordAsync(user, vm.Token, vm.NewPassword);
return YourResultModelFromIdentityResult(result);
}
Before choose between this two approaches you need to think about your specific scenario. For example: If your app uses the user e-mail as username and to intercept the token the "interceptor" needs to access the user e-mail box, remove the user id from reset password link will not improve the security of your app. Because who has the link already knows the e-mail of the user.
I have made custom login control for DNN (DotNetNuke). Now I am trying to implement the forgot password feature. I am able to retrieve password from the database using the code:
UserInfo uInfo = UserController.GetUserByName(this.PortalId, userName);
if (uInfo != null)
{
string password = UserController.GetPassword(ref uInfo, String.Empty);
}
I want to send the retrieved password to the user using DNN.
Any help will be appreciated.
Sending passwords via email is considered as a big security vulnerability and really not recomended.
If you still need this functionality though, I guess you can simply accomplish this by sending email through SendMail or SendEmail methods:
DotNetNuke.Services.Mail.Mail.SendEmail()
DotNetNuke.Services.Mail.Mail.SendMail()
The SendMail method provides more options/parameters than the SendEmail method. The paramters names should be self explanatory enough to use the methods.
The simplest way to send a user their password is to call the DotNetNuke.Services.Mail.Mail.SendMail overload that takes a UserInfo, a MessageType, and PortalSettings. You can pass in the user and MessageType. PasswordReminder and DNN will take care of the rest.
That said, I join the crowd in saying that it would be much better to switch to using hashed passwords and consider this an impossible feature request (that should, instead, be fulfilled with a password reset feature).
On payPal I added return page URL where user is redirected when payment is finished.
http://somewhere/back.aspx
But when I return from payPal after payment I don't get 'tx' or anything in queryString, what could be reason for that? I use correct token.
You cannot rely on the returnurl parameter for getting back any information about the PayPal transaction, those would be to easy to change.
You need to implement Instant Payment Notification (IPN) so you will get all the variables returned, here is an example : https://www.paypal.com/us/cgi-bin/webscr?cmd=p/pdn/ipn-codesamples-pop-outside