View Issue Details

ID: 0007359
Project: module Amazon Pay
Category: main
View Status: public
Last Update: 2023-02-01 11:36
Reporter: osanger
Priority: urgent
Severity: block
Reproducibility: always
Status: resolved
Resolution: unable to reproduce
Product Version: 2.0.0
Target Version:
Fixed in Version: 2.0.1
Summary: 0007359: Amazon Pay Button not working
Description: Merchants are reaching out to us since the button in version 2.0.0 is not working. The button triggers an AJAX request ending up in a 500 error (find gif attached).
This issue is reproducible with our test shop in a blank oxid installation.
We double checked that the merchant is using the correct keys - the fact the button is rendering shows us that the account is valid and the right keys are in use.
This is a major issue for us causing a loss of merchant trust and a bad customer experience. Can you please investigate?
Steps To Reproduce:
Option 1:
Go to https://shop.kemmlit.de/ and hit the Button on the Product detail page (see gif attached)

Option 2:
Go to our oxid test shop https://amzn-module.oxid-esales.com/ (htaccess: amazon/oxid)
Tags: No tags attached.

Activities

osanger

2022-09-20 09:51

reporter  

issue-oxid-1.gif (1,641,695 bytes)

mario_lorenz

2022-09-20 10:05

developer   ~0014313

@osanger: Mostly it has something to do with the Private-Key. The Amazon SDK that we use for the module checks the string of the ssh-key:

\vendor\amzn\amazon-pay-api-sdk-php\Amazon\Pay\API\Client.php -> setupRSA()

If it does not find "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" in the string, then the client thinks that the string is a path on the server, and tries to read this path to get the Private-Key.

So the solution would be to set a complete private-key with all comments in the config-backend.

osanger

2022-09-20 11:30

reporter   ~0014317

We have to support both key headers, with and without the RSA. If this is the root cause, please fix.

mario_lorenz

2022-09-29 17:14

developer   ~0014335

@osanger: We couldn't fix it, because the behavior is in your SDK. Please let your development fix it and let us know a new SDK version.

osanger

2022-10-03 14:11

reporter   ~0014347

It's available in the SDK now: https://github.com/amzn/amazon-pay-api-sdk-php/blob/6c579f070b4d9a05266cd728e3f5e7281628f538/Amazon/Pay/API/Client.php#L419

Please fix.

mario_lorenz

2022-10-04 09:50

developer   ~0014400

Hello @osanger,

Nothing has been fixed by Amazon yet. Once again:

The SDK you maintain, which we cannot change, checks at this point (which you sent us as a link in the ticket: https://github.com/amzn/amazon-pay-api-sdk-php/blob/6c579f070b4d9a05266cd728e3f5e7281628f538/Amazon/Pay/API/Client.php#L419) whether the string contains the word "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY".

If not, the SDK assumes it's a URL, even though it ended up being a key.

The string "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" is part of a comment placed at the head of the key string. It is normally not necessary for the function of the key. However, the SDK uses this comment to identify a "formally" correct key.

Amazon did not change the position in the SDK either. It still looks the same as we're using it right now.

Now there are two solutions:

1) You fix the SDK
2) We will also reject keys that do NOT contain the comment string "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" in the future.

As I said, this leads to confusion because the key is correct even without the comment.
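
A sketch of the config-side check discussed in this comment, as an added example that is not code from the OXID module, the Amazon Pay SDK, or any participant in this thread. The function name `classifyPrivateKeySetting` and its return labels are hypothetical; it assumes PHP with ext-openssl and a working OpenSSL configuration, and generates a throwaway key as constructed sample input.

```php
<?php
declare(strict_types=1);

// Hypothetical helper; not part of the OXID module or the Amazon Pay SDK.
// Step 1 repeats the substring test the thread attributes to setupRSA().
// Step 2 asks OpenSSL to parse the value, so a key that has the header but
// was truncated or mangled on save is reported before any API call.
function classifyPrivateKeySetting(string $value): string
{
    $value = trim($value);
    if ($value === '') {
        return 'empty';
    }
    $hasHeader = strpos($value, 'BEGIN RSA PRIVATE KEY') !== false
        || strpos($value, 'BEGIN PRIVATE KEY') !== false;
    if (!$hasHeader) {
        // Per the thread, the SDK would treat this value as a file path.
        return 'no-pem-header';
    }
    $key = openssl_pkey_get_private($value);
    if ($key === false) {
        while (openssl_error_string() !== false) {
            // drain the OpenSSL error queue
        }
        return 'unparseable';
    }
    $details = openssl_pkey_get_details($key);
    // Assumption: an RSA key is expected, going by the name setupRSA().
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
        return 'not-rsa';
    }
    return 'ok';
}

// Constructed sample input: a throwaway key generated on the spot.
$res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($res, $pem);
$body = trim(preg_replace('/-----[A-Z ]+-----/', '', $pem));

$samples = [
    'full PEM'           => $pem,
    'body without armor' => $body,
    'truncated on save'  => substr($pem, 0, intdiv(strlen($pem), 2)),
    'file path'          => '/path/to/private.pem',
    'empty field'        => '   ',
];
foreach ($samples as $label => $value) {
    printf("%-20s %s\n", $label, classifyPrivateKeySetting($value));
}
```

The script prints only the sample label and the classification, never the key material, which is also how such a check should report to a shop admin or a log.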

osanger

2022-10-21 16:05

reporter   ~0014520

Dear Mario,

I heard your concerns. The merchant tried with both keys containing "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY"; it did not work either.
Can you have a look again? Is it possible that the key is not stored within the database or it gets lost?

I set up the test shop with a private key on Wednesday and it worked there, but on Thursday it didn't work anymore. Did you change any settings here?
However, I added a working key now and the integration is working again.

Best,
Oliver

mario_lorenz

2022-11-01 11:16

developer   ~0014603

Hello @osanger,

If I understand correctly, you are using our demo system for your tests. This is sufficient for quick tests. But if you want to be sure that nobody else changes your settings, then install your own test system. Then you can work better with it.

But back to the merchant. I can't reproduce the wrongdoing. If I store my private key, it always stays there, even if I log out of my shop and then log back in and look at the settings.

My key looks like this (! It's not real, it only looks like it!) and it works:

-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----