
I am integrating PayPal Express Checkout with server-side REST into my CodeIgniter website. As per PayPal's docs I added the following to my checkout page:

<script src="https://www.paypalobjects.com/api/checkout.js"></script>
<script>
    var CREATE_PAYMENT_URL  = 'https://#######/paypal/create';
    var EXECUTE_PAYMENT_URL = 'https://######/paypal/execute';

    paypal.Button.render({

        env: 'production', // Or 'sandbox'

        commit: true, // Show a 'Pay Now' button

        payment: function() {
            return paypal.request.post(CREATE_PAYMENT_URL).then(function(data) {
                return data.id;
            });
        },

        onAuthorize: function(data) {
            return paypal.request.post(EXECUTE_PAYMENT_URL, {
                paymentID: data.paymentID,
                payerID:   data.payerID
            }).then(function() {

                // The payment is complete!
                // You can now show a confirmation message to the customer
            });
        }

    }, '#paypal-button');
</script>

Everything is working perfectly, but when I turn on CodeIgniter CSRF protection the call that checkout.js makes to my server using the CREATE_PAYMENT_URL gets rejected due to the missing CSRF token. I have very little knowledge of JavaScript; I need some help to pass the token to checkout.js. PayPal's docs are no help.

What I've tried:

  • Turned off CSRF in the CodeIgniter config. Works! PayPal Express Checkout works perfectly, but this is not an option: CSRF security must be on.
  • Excluded the URI from the CSRF check in the CodeIgniter config. Again works perfectly, but I am not satisfied. There must be a way to protect the call to the server with a CSRF token.

I hope my problem is clear and you can suggest some solution. Thank you!

AL DI
  • Make sure to review this if you haven't already. Looks like some good leads: https://stackoverflow.com/questions/7348383/codeigniter-ajax-csrf-problem – Drew Angell Jul 15 '17 at 10:11

2 Answers

// CSRF_TOKEN must be defined on the page with the token value issued by the server
return paypal.request({
    method: 'post',
    url: CREATE_PAYMENT_URL,
    headers: {
        'x-csrf-token': CSRF_TOKEN
    }
}).then(function(data) {
    return data.id;
});
bluepnume

You should be able to resolve this by adding the X-CSRF-TOKEN header to your HTTP headers for AJAX requests. Assuming you are utilizing jQuery, the below should resolve the issue:

$(document).ready(function(){


    // Default header for every jQuery AJAX request made from this page
    $.ajaxSetup({
        headers: {
            'X-CSRF-TOKEN': '{{PUT_YOUR_CSRF_VARIABLE_HERE}}'
        }
    });

    var CREATE_PAYMENT_URL  = 'https://#######/paypal/create';
    var EXECUTE_PAYMENT_URL = 'https://######/paypal/execute';

    paypal.Button.render({

        env: 'production', // Or 'sandbox'

        commit: true, // Show a 'Pay Now' button

        payment: function() {
            return paypal.request.post(CREATE_PAYMENT_URL).then(function(data) {
                return data.id;
            });
        },

        onAuthorize: function(data) {
            return paypal.request.post(EXECUTE_PAYMENT_URL, {
                paymentID: data.paymentID,
                payerID:   data.payerID
            }).then(function() {

                // The payment is complete!
                // You can now show a confirmation message to the customer
            });
        }

    }, '#paypal-button');


});
whitwhoa
  • Added this as suggested: $.ajaxSetup({ headers: { 'X-CSRF-TOKEN': '<?php echo $this->security->get_csrf_hash(); ?>' } }); still no luck. – AL DI Jul 14 '17 at 22:53
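The following is an added example written for this page; it is not code from the question, from either answer, or from PayPal's checkout.js documentation. It addresses both answers above: checkout.js issues its own XMLHttpRequest rather than going through jQuery, so headers set with `$.ajaxSetup` never reach the create/execute calls, and CodeIgniter 3's `csrf_verify()` does not read request headers at all. It accepts a POST only when `$_POST[csrf_token_name]` equals the `csrf_cookie_name` cookie (compared with `hash_equals`), and a JSON body never populates `$_POST`, so the token has to travel as a form-encoded field. The example assumes CodeIgniter's default token and cookie names (`csrf_token_name`, `csrf_cookie_name`; adjust to your config), assumes `paypal.request()` accepts `{method, url, headers, body}` as the first answer uses it, and reads the token from `document.cookie` at call time because the default `csrf_regenerate = TRUE` rotates the token on every POST, which would make a value printed into the page stale by the time the execute call is sent. The `<meta name="csrf-token">` fallback is assumed to be printed by the view with `<?php echo $this->security->get_csrf_hash(); ?>`. `ci3WouldAccept` is a test double of the server rule, included only so the acceptance behaviour can be checked offline.

```javascript
// Added example, not from the question or either answer above.
// Carries CodeIgniter 3's CSRF token on the POSTs checkout.js makes to
// CREATE_PAYMENT_URL and EXECUTE_PAYMENT_URL, in the form CI3 actually verifies.
//
// Assumptions (not stated on the page):
//  - CI3 csrf_verify(): accepts when $_POST[TOKEN_NAME] equals the COOKIE_NAME
//    cookie; headers are ignored and JSON bodies never reach $_POST.
//  - The CSRF cookie is not HttpOnly, so page JavaScript can read it.
//  - paypal.request() takes {method, url, headers, body}.
var TOKEN_NAME = 'csrf_token_name';   // $config['csrf_token_name'] (CI3 default)
var COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name'] (CI3 default)

// Parse document.cookie (or a Cookie header) into a name -> value object.
function parseCookies(cookieString) {
  var out = {};
  String(cookieString || '').split(';').forEach(function (part) {
    var idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  });
  return out;
}

// Parse an application/x-www-form-urlencoded body into an object.
function parseForm(body) {
  var out = {};
  new URLSearchParams(body || '').forEach(function (v, k) { out[k] = v; });
  return out;
}

// Current token value: cookie first (survives csrf_regenerate rotation),
// then the <meta name="csrf-token"> the view is assumed to print.
function currentCsrfToken(doc) {
  var fromCookie = parseCookies(doc.cookie)[COOKIE_NAME];
  if (fromCookie) return fromCookie;
  var meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}

// Options for paypal.request(): token as a form field (what CI3 checks) and
// as a header (what header-checking frameworks check), plus any order fields.
function buildCsrfPost(url, tokenValue, fields) {
  if (!tokenValue) throw new Error('CSRF token unavailable; refusing to send the request');
  var params = new URLSearchParams();
  params.append(TOKEN_NAME, tokenValue);
  Object.keys(fields || {}).forEach(function (k) { params.append(k, fields[k]); });
  return {
    method: 'post',
    url: url,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'X-CSRF-TOKEN': tokenValue,
      'X-Requested-With': 'XMLHttpRequest'
    },
    body: params.toString()
  };
}

// Constant-time comparison standing in for PHP's hash_equals().
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Test double of the CI3 rule: would this body + cookie jar be accepted?
function ci3WouldAccept(formBody, cookieString) {
  return safeEqual(parseForm(formBody)[TOKEN_NAME], parseCookies(cookieString)[COOKIE_NAME]);
}

// Browser wiring: both checkout.js callbacks send the token read at call time.
function renderCsrfButton(paypal, doc, createUrl, executeUrl) {
  return paypal.Button.render({
    env: 'production',
    commit: true,
    payment: function () {
      return paypal.request(buildCsrfPost(createUrl, currentCsrfToken(doc), {}))
        .then(function (data) { return data.id; });
    },
    onAuthorize: function (data) {
      return paypal.request(buildCsrfPost(executeUrl, currentCsrfToken(doc), {
        paymentID: data.paymentID,
        payerID: data.payerID
      }));
    }
  }, '#paypal-button');
}
```

Nothing changes on the server: the create and execute controllers stay behind the global CSRF check with no URI exclusion, and they read the order fields from `$this->input->post()` as before. If you would rather keep a token printed into the page than read the cookie, set `$config['csrf_regenerate'] = FALSE`; otherwise the execute request fails after the create request has rotated the token.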