Hello everyone,
I'm encountering an issue with my Magento store related to payment notifications. When a payment notification is received from the payment gateway, the request does not include the form_key parameter. As a result, Magento is unable to process the request and redirects to the homepage, displaying an "Invalid Form Key" error.
However, I am unsure how to resolve the missing form_key in the payment notification request. One potential solution could be to disable the form_key check for POST requests coming from specific origins. This way, we can allow the payment notifications to be processed without the form_key parameter.
Has anyone experienced a similar issue or can anyone provide guidance on how to handle this? Any help would be greatly appreciated!
Thank you!
Hello @wolofol3788fbe
The payment module must handle incoming callbacks correctly. Check the following:
POST Request Handling: Ensure the payment gateway is sending valid POST data to Magento, including required parameters (e.g., order ID).
Bypass Form Key Validation: For callbacks, Magento generally doesn't require a form key. If the payment module is incorrectly enforcing form key validation, you can bypass it.
In the module's callback controller, ensure the csrf validation is disabled for the callback action:
```php
<?php
namespace Vendor\Module\Controller\Callback;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\ResultFactory;

// Implementing CsrfAwareActionInterface is what actually switches off the
// form-key/CSRF check for this action on Magento 2.3+.
class Notify extends Action implements CsrfAwareActionInterface
{
    protected function _processRequest(RequestInterface $request)
    {
        // Logic for processing payment notifications
    }

    public function execute()
    {
        // Example implementation
        $this->_validateCallback();
        $this->_processRequest($this->getRequest());
        // Return a plain 200 response so the gateway knows the callback was received
        return $this->resultFactory->create(ResultFactory::TYPE_RAW);
    }

    protected function _validateCallback()
    {
        // Add any necessary validation here (signature, source IP, order lookup)
    }

    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        return null;
    }

    public function validateForCsrf(RequestInterface $request): ?bool
    {
        return true;
    }
}
```
Alternatively, in di.xml, disable CSRF validation for the callback URL:
```xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\App\Request\CsrfValidatorInterface">
        <arguments>
            <argument name="skippedUrls" xsi:type="array">
                <item name="payment/notify" xsi:type="string">payment/notify</item>
            </argument>
        </arguments>
    </type>
</config>
```
Replace payment/notify with your payment module's callback URL.
Hope it helps!
If you find our reply helpful, please give us kudos.
Thank You,
WebDesk Solution Support Team
Get a Free Quote | Email | Adobe Commerce Partner | Hire Us | Call Us 877.536.3789
Location: 150 King St. W. Toronto, ON M5H 1J9
Hello @wolofol3788fbe,
Yes, this is a common issue when dealing with third-party payment gateways, as these notifications (typically sent via a webhook or direct server-to-server call) don’t include a form_key parameter. In Magento, form_key validation is used to protect against CSRF attacks, but for certain backend calls—like payment notifications from trusted sources—you can safely bypass this validation.
You can override the specific controller handling the payment notification to skip the form_key check. This is done by extending the controller's _processRequest method or modifying the relevant controller action.
Add a condition to check the origin of the request (usually by inspecting the IP or request headers). If it’s from a trusted source, you can safely skip the form key validation.
Here’s an example of how you could disable form key validation in your custom module:
```php
<?php
namespace Vendor\Module\Observer;

use Magento\Framework\Data\Form\FormKey;
use Magento\Framework\Event\Observer;
use Magento\Framework\Event\ObserverInterface;

class DisableFormKeyCheck implements ObserverInterface
{
    private FormKey $formKey;

    public function __construct(FormKey $formKey)
    {
        $this->formKey = $formKey;
    }

    public function execute(Observer $observer)
    {
        $request = $observer->getEvent()->getRequest();
        $action = $observer->getEvent()->getControllerAction();

        // Example: check if the request path matches your payment notification endpoint
        if ($request->getOriginalPathInfo() === '/payment/notification/endpoint') {
            // The validator compares form_key with the session value, so the real
            // key must be injected; a boolean would still fail the check
            $action->getRequest()->setParam('form_key', $this->formKey->getFormKey());
        }
    }
}
```
Register this observer in events.xml to disable the form key check for the specific route:
```xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:Event/etc/events.xsd">
    <event name="controller_action_predispatch">
        <observer name="disable_form_key_check" instance="Vendor\Module\Observer\DisableFormKeyCheck" />
    </event>
</config>
```
Instead of relying on the default Magento endpoint, create a custom controller specifically for handling payment notifications. In this controller, you can disable the form key validation entirely, ensuring that the notifications are processed without triggering the form key error.
As a best practice, implement additional checks to verify that requests are genuinely coming from the payment gateway. Many payment providers include a signature in the header or specify the IP range they use for notifications. This will help maintain security while bypassing the form_key validation.
Magento’s configuration settings also offer a way to exclude certain URLs from CSRF validation. This approach avoids custom code and may be preferable if you want to avoid the added complexity.
Add Exclusions to the web/secure configuration in app/etc/env.php by adding your notification route in the csrf_skip_urls array:
```php
'web' => [
    'secure' => [
        'csrf_skip_urls' => [
            'payment/notification/route' // Replace with the actual notification URL
        ],
    ],
],
```
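Both replies recommend skipping the form key only together with a check that the callback really came from the gateway. The controller below is an added example (not code from either reply or from any Magento module) for Magento 2.3+: it implements CsrfAwareActionInterface, replaces the session form key with an HMAC-SHA256 over the raw request body, and answers an unsigned or mis-signed callback with 403 instead of the storefront redirect. The header name X-Gateway-Signature and the config path payment/gateway/webhook_secret are assumptions; use whatever your gateway documents.

```php
<?php
namespace Vendor\Module\Controller\Callback;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\Http as HttpRequest;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\ResultFactory;

class Notify extends Action implements CsrfAwareActionInterface
{
    // Hypothetical names: each gateway documents its own header and secret handling
    private const SECRET_PATH = 'payment/gateway/webhook_secret';
    private const SIGNATURE_HEADER = 'X-Gateway-Signature';

    private ScopeConfigInterface $scopeConfig;

    public function __construct(Context $context, ScopeConfigInterface $scopeConfig)
    {
        parent::__construct($context);
        $this->scopeConfig = $scopeConfig;
    }

    // Called instead of the form-key check: accept only a body whose HMAC matches,
    // compared in constant time so a forged signature cannot be guessed byte by byte
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        if (!$request instanceof HttpRequest) {
            return false;
        }
        $secret = (string) $this->scopeConfig->getValue(self::SECRET_PATH);
        $sent = (string) $request->getHeader(self::SIGNATURE_HEADER, '');
        if ($secret === '' || $sent === '') {
            return false; // unsigned callbacks are rejected, never trusted by URL alone
        }
        $expected = hash_hmac('sha256', (string) $request->getContent(), $secret);
        return hash_equals($expected, $sent);
    }

    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        $result->setHttpResponseCode(403);
        $result->setContents('invalid signature');
        return new InvalidRequestException($result, [__('Invalid webhook signature')]);
    }

    public function execute()
    {
        // Signature already verified; parse the body and update the order here
        return $this->resultFactory->create(ResultFactory::TYPE_RAW)->setContents('OK');
    }
}
```

If the gateway also sends a timestamp or event id, check it inside validateForCsrf as well so a captured callback cannot be replayed.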