Headless sales channel - webhooks cannot be used #401
Comments
@peterojo I think this might actually be quite simple to fix, by e.g. creating a store api route that has auth required set to false, and the sales channel ID as path parameter (potentially optional parameter) and the sales channel ID passed to the notification service, and then calls the notification service. That one should also work for storefront sales channels but using different routes could even be by design. I could create a corresponding PR. I would suggest something like |
any news regarding this? |
Hello, Thank you for reaching out. This is just a quick note to inform you that we received your ticket. We will take this issue into consideration as soon as possible. Best regards |
Hi, Please note that we are actively working on addressing this matter. Once we have more updates or a resolution, we will inform you. Thank you for your patience and understanding. Best regards |
Hi @AndreasA ,

The Adyen plugin uses the sw-sales-channel-id request attribute set by Shopware framework to determine the sales channel for the webhooks requests. Shopware sets the sw-sales-channel-id request based on the request URL by matching the configured domains of a sales channel with the request domain. Once the sales channel is determined from the webhooks request, the plugin will perform HMAC and username/password authentication based on plugin configuration values. Please note that you can set up different configuration values for each sales channel.

Please note that Adyen plugin exposes store API endpoints to enable building a custom front end for your headless Shopware 6 integration using either Adyen's pre-built UI solutions or your own UI. Your front end connects to your existing back end that uses Shopware's Store API endpoints (more details can be found here).

Based on the above, the plugin behavior behind the NotificationReceiverController is in line with its purpose of handling webhooks from Adyen. This is a duplicate of this ticket that we already responded to: #261

We will close that ticket, so please let us know if you need further assistance or if there’s anything else we can do to support you on this ticket.

Best regards |
Hi @teodoratimoti that is not entirely correct. If one creates a headless sales channel, that channel can only access store-api calls and some special routes like finalize payment (as that route is not a Storefront route but available in general). Furthermore, the domain of the sales channel is not used to determine the See also: Also Storefront is a separate composer dependency that might not even be installed on headless only installations.

The NotificationReceiverController is a Storefront only controller, see https://github.com/Adyen/adyen-shopware6/blob/develop/src/Storefront/Controller/NotificationReceiverController.php#L33 Therefore, it cannot be accessed with a headless sales channel as such a sales channel only exposes the store-api routes. Furthermore, even if the routescope is changed, it will not set the sales-channel-id correctly (at least not through the path alone). You would need a second route that e.g. uses the sales channel id as part of its route or similar.

Shopware usually provides a Storefront controller that calls a headless route - or in your case, you would just need a second controller that calls the notification process service. However, in your scenario you would need to also mark the route as being callable without the access-key which can be easily done by setting auth_required to false see https://github.com/shopware/shopware/blob/trunk/src/Core/Framework/Api/EventListener/Authentication/SalesChannelAuthenticationListener.php#L63 otherwise the sw-access-key header would have to be added by the webhook call: https://shopware.stoplight.io/docs/store-api/authentication to determine the correct context/sales channel id.

So e.g. a store api controller like this would probably work:

```php
<?php declare(strict_types=1);
/**
 * Adyen Payment Module
 *
 * Copyright (c) 2020 Adyen B.V.
 * This file is open source and available under the MIT license.
 * See the LICENSE file for more info.
 *
 * Author: Adyen <[email protected]>
 */

namespace Adyen\Controller\StoreApi;

use Shopware\Storefront\Controller\StorefrontController;
use Symfony\Component\HttpFoundation\Request;
use Adyen\Shopware\Service\NotificationReceiverService;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Attribute\Route;

#[Route(defaults: ['_routeScope' => ['store-api']])]
class NotificationReceiverController extends StorefrontController
{
    /** @var NotificationReceiverService */
    private NotificationReceiverService $notificationReceiverService;

    /**
     * NotificationReceiverController constructor.
     *
     * @param NotificationReceiverService $notificationReceiverService
     */
    public function __construct(NotificationReceiverService $notificationReceiverService)
    {
        $this->notificationReceiverService = $notificationReceiverService;
    }

    #[Route(
        '/store-api/adyen/notification/{salesChannelId}',
        name: 'store-api.adyen.notification',
        defaults: ['auth_required' => false, 'csrf_protected' => false],
        methods: ['POST']
    )]
    public function execute(Request $request, string $salesChannelId): JsonResponse
    {
        // TODO: Verify the sales channel id is not empty and the sales channel exists and is active.
        // If not, probably throw an unauthorized exception or similar.
        // All other authentication checks should be done in the notificationReceiverService.
        // TODO 2: Probably better to pass the sales channel id to the notificationReceiverService directly
        // instead of modifying the request headers.
        $request->headers->set('sw-sales-channel-id', $salesChannelId);

        return $this->notificationReceiverService->process($request);
    }
}
```
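The route above sets `auth_required` to false and takes the sales channel ID from the path, so the ID is untrusted input that then selects which per-channel HMAC settings are checked. The following is an added example, not part of the thread or the plugin's code, showing the first TODO (reject an empty, malformed, unknown or inactive ID) followed by a constant-time signature check. The `CHANNELS` data, function names, field list and colon-joined signing scheme are assumptions standing in for the plugin's own configuration and HMAC validation.

```php
<?php declare(strict_types=1);

// Constructed sample data: per-sales-channel webhook settings keyed by ID.
// The IDs and hex HMAC keys are placeholders, not values from the plugin.
const CHANNELS = [
    '0123456789abcdef0123456789abcdef' => ['active' => true,  'hmacKey' => '00112233445566778899aabbccddeeff'],
    'fedcba9876543210fedcba9876543210' => ['active' => false, 'hmacKey' => 'ffeeddccbbaa99887766554433221100'],
];

/** Return the channel's settings, or null when the path value must be rejected. */
function resolveChannel(string $salesChannelId): ?array
{
    // Shopware IDs are 32 hex characters; refuse anything else before any lookup.
    if (preg_match('/^[0-9a-f]{32}$/D', $salesChannelId) !== 1) {
        return null;
    }
    $channel = CHANNELS[$salesChannelId] ?? null;

    return ($channel !== null && $channel['active']) ? $channel : null;
}

/** HMAC-SHA256 over the colon-joined fields, base64-encoded (assumed scheme). */
function sign(array $fields, string $hexKey): string
{
    return base64_encode(hash_hmac('sha256', implode(':', $fields), hex2bin($hexKey), true));
}

/** Map a webhook call to an HTTP status: 401 for a bad channel or signature. */
function handle(string $salesChannelId, array $fields, string $signature): int
{
    $channel = resolveChannel($salesChannelId);
    if ($channel === null) {
        return 401; // same answer for malformed, unknown and inactive IDs
    }
    // hash_equals() compares in constant time, so timing reveals no partial match.
    return hash_equals(sign($fields, $channel['hmacKey']), $signature) ? 200 : 401;
}

// Constructed notification fields, signed with the active channel's key.
$fields = ['PSP-REF-1', '', 'ExampleMerchant', 'order-1001', '1000', 'EUR', 'AUTHORISATION', 'true'];
$good   = sign($fields, CHANNELS['0123456789abcdef0123456789abcdef']['hmacKey']);

var_dump(handle('0123456789abcdef0123456789abcdef', $fields, $good));  // active channel, matching signature
var_dump(handle('fedcba9876543210fedcba9876543210', $fields, $good));  // inactive channel
var_dump(handle('../admin', $fields, $good));                          // malformed ID
var_dump(handle('0123456789abcdef0123456789abcdef', $fields, 'AAAA')); // wrong signature
```

Returning the same status for every rejected ID keeps the unauthenticated route from revealing which sales channel IDs exist.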
Hi @AndreasA , Thank you for the detailed explanation of the issue and the proposed solution. In the upcoming period, we plan to release a new version of the plugin that will include a new store-api endpoint with a path parameter for the sales channel ID, which will call the notification service for processing notifications. Best regards |
Thanks, That sounds great and will finally allow the use of webhooks with a headless project, after the corresponding update. |
Hi @AndreasA , We want to inform you that the new version has been released and you can download it from the following links: https://github.com/Adyen/adyen-shopware6/releases/tag/3.17.7 - version 3 https://github.com/Adyen/adyen-shopware6/releases/tag/4.2.6 - version 4 Please download the update and test to see if everything is working as expected. Let us know if you encounter any issues. Best regards |
Hi, that's great to hear. I will probably not have time to test it for some time - depending on when the next updates are planned for our headless project. So maybe close the issue for now and I will create a new issue if there are still issues. One thing though, maybe add it as information to the Plugin documentation https://docs.adyen.com/plugins/shopware-6/ for headless as well in the webhook setup https://docs.adyen.com/plugins/shopware-6/#set-up-webhooks and maybe the headless integration part? |
Hi @AndreasA , You are right, we can update the README file on GitHub, but we don’t have permission to edit the Adyen documentation. We will make the necessary changes on our side and inform the team to update the documentation accordingly. Best regards |
Describe the bug
The webhook notification receiver currently requires Storefront sales channels as its route scope is storefront.
It would be great if it could also be used for headless sales channels.
Necessary changes:
adyen
, so the old path can be used and keep the current authentication methods. It will work for storefront sales channels that are also used headless, but for headless only sales channels it will fail.
Versions
Shopware version: 6.5.3.3
Plugin version: 3.12.1
See https://github.com/Adyen/adyen-shopware6/blob/3.12.1/src/Storefront/Controller/NotificationReceiverController.php