Authorize.Net Direct Post Patch for M2 and M1

Perhaps I missed something, but where is the composer info to update for the patch?

Thanks!

@DigitalStudioNW the composer patch is in the "select a format" drop-down.

Looks like the difference is just the file paths in the patch and the github version includes tests.

This is also helpful for tracking patches via composer: https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-i...

I know that Magento likes to document things  the slashdot way with 1) Do this explicit step, 2) Do another explicit step, 3) ... , 4) Profit!!!, but really guys, how do you apply this composer patch? I've tried several different approaches using your documentation

Things obviously missing from your documentation:

1) What module are we applying the patch to? assuming magento/module-authorizenet

2) Do we need to run composer update first?

I've added this to my composer.json file:

"extra": {
"magento-force": "override",
"composer-exit-on-patch-failure": true,
"patches": {
"magento/module-authorizenet": {
"MAGE1: Authorize.net update without any help from Magento": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch"
}
}
}

But all I get when running 'composer -v install' is this:

Could not apply patch! Skipping. The error was: Cannot apply patch patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch

[Exception]
Cannot apply patch MAGE1: Authorize.net update without any help from Magento (patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch)!

Exception trace:
() at /var/www/vhosts/magento.local/code/magento/vendor/cweagans/composer-patches/src/Patches.php:320
cweagans\Composer\Patches->postInstall() at n/a:n/a
call_user_func() at phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php:171
Composer\EventDispatcher\EventDispatcher->doDispatch() at phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php:116
Composer\EventDispatcher\EventDispatcher->dispatchPackageEvent() at phar:///usr/bin/composer/src/Composer/Installer.php:605
Composer\Installer->doInstall() at phar:///usr/bin/composer/src/Composer/Installer.php:223
Composer\Installer->run() at phar:///usr/bin/composer/src/Composer/Command/InstallCommand.php:119
Composer\Command\InstallCommand->execute() at phar:///usr/bin/composer/vendor/symfony/console/Command/Command.php:267
Symfony\Component\Console\Command\Command->run() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:846
Symfony\Component\Console\Application->doRunCommand() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:191
Symfony\Component\Console\Application->doRun() at phar:///usr/bin/composer/src/Composer/Console/Application.php:227
Composer\Console\Application->doRun() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:122
Symfony\Component\Console\Application->run() at phar:///usr/bin/composer/src/Composer/Console/Application.php:100
Composer\Console\Application->run() at phar:///usr/bin/composer/bin/composer:54
require() at /usr/bin/composer:24

@brandonmts 

composer.json looks fine to me, copy if mine below for checking against.

I didn't see a need to run composer update.

Did you also edit the patch file to remove references to "vendor/magento/module-authorizenet/" ?

The cweagans/composer-patches plugin method of patching seems to be working fine for me on a fresh M2.2.7 composer-based setup.

"extra": {
"magento-force": "override",
"composer-exit-on-patch-failure": true,
"patches": {
"magento/module-authorizenet": {
"MAGETWO-AuthNetDPM: Authorize.Net Direct Post Method SHA2 verification.": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch"
}
}
}

@lkrell FYI Auth.Net has bumped their production deadline to March 28th:

https://community.developer.authorize.net/t5/News-and-Announcements/MD5-Hash-Removal-Disablement-Mar...

https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement

I run an old 1.7 version. I see no "Downloads" tab when I log in under My Account. Is there another place to access the patch file? Am I missing something?

@et_rolmos 

I'm a bit confused when you mentioned "Did you also edit the patch file to remove references to "vendor/magento/module-authorizenet/" ?" Could you copy and paste the patch file with these removed? It'd be easier to see.

@mtp_webmaster  

Hopefully this helps: https://gist.github.com/robolmos/7a3bf336516b18f8e0bd48a13d93e1ef

Basically where you see lines like this in the original patch file:

Index: vendor/magento/module-authorizenet/Model/Directpost.php
<+>UTF-8
===================================================================
+++ vendor/magento/module-authorizenet/Model/Directpost.php    (revision a0dade4d8bc15b651d8b1ea0e7e4e3580fb1d3ae)
--- vendor/magento/module-authorizenet/Model/Directpost.php    (revision 01fbfeba9bd743266199e30260376a9c1b95fbf5)

They become this after the text replacement so that they're relative to the package:

Index: Model/Directpost.php
<+>UTF-8
===================================================================
+++ Model/Directpost.php   (revision a0dade4d8bc15b651d8b1ea0e7e4e3580fb1d3ae)
--- Model/Directpost.php   (revision 01fbfeba9bd743266199e30260376a9c1b95fbf5)

@doug_hvsl unfortunately the download instructions are still incorrect.

I downloaded the M1 patch from the release archive page: https://magento.com/tech-resources/download#download2280

I have gotten the following error on two separate Magento1 stores after installing the patch:

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

In both instances the patch applied successfully.  But then when I tried to add the directpost configuration values I got the errors, and then also when I tried to checkout on the front end (even if the directpost method was turned off).

@gismagento2 

Which specific versions of M1 and which version of PHP?

Any other stacktrace for that error?

With a fresh M1.9.4.0 and PATCH_SUPEE-11085_CE_1.14.4.0_v1-2019-02-28-05-21-55.sh applied.

Line 391: $response = $this->getResponse();

Code around that line:

/**
* Validate response data. Needed in controllers.
*
* @return bool true in case of validation success.
* @throws Mage_Core_Exception in case of validation error
*/
public function validateResponse()
{
$response = $this->getResponse();
$hashConfigKey = !empty($response->getData('x_SHA2_Hash')) ? 'signature_key' : 'trans_md5';

//hash check
if (!$this->getConfigData($hashConfigKey)
|| !$response->isValidHash($this->getConfigData($hashConfigKey), $this->getConfigData('login'))
) {
Mage::throwException(
Mage::helper('authorizenet')->__('Response hash validation failed. Transaction declined.')
);
}
return true;
}

Version 1.8.1 and 1.7.0.2

I can't find any other error data except for that Fatal error message.

I've reverted the patches on both sites so I'm not re-applying them and hosing the sites again.

Directly download the pre-patched files from Github to easily install the patch in your Magento 1 or Magento 2. For the detailed and stepwise guide, follow the tutorial to Update Authorize.Net Direct Post from MD5 to SHA-512 in Magento

Using the pre-patched files still throws the same error.  Just tried it on yet another Magento 1 site, this one version 1.9.1.0

And do you have to enter the Merchant MD5 value in the configuration to make the payment module work?

Does this MD5 phase out affect the "Authorize.net" payment method that's inside Mage_Paygate?  

@Just_Andy 

It should only affect the stock "Direct Post Method" payment method.

The stock "Authorize.Net" code doesn't have any MD5 hash verification that I could find.

do you have to enter the Merchant MD5 value in the configuration to make the payment module work?

Is it the patch thats the problem or the instructions....I can't tell....is it both?

Note:

Try these instructions. Use GitHub patch if you can: https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-i...

So just confirming, if we're on M1 1.9.2.4 and we're using the stock Authorize.net payment method (NON Direct Post), are we affected by this change?

For the Authorize.NET Security Key update we have built a new Authorize.NET extension for Magento 2. You may consider moving to a brand new version of the integration which is built using Payment Gateway API and follows the service isolation approach.

Check it out and let me know if you have questions.

New Authorize.NET Payment Method Extension Release for Magento 2

Some updates to help out!

Which Authorize.Net modules are affected? Only the Direct Post. This patch is a short term aid to replace the MD5 Field with a Signature Key field. You will need to follow the KB article to get that new key and update your config. In 2.3.1, we will have a new Authorize.Net option available on install/upgrade with Authorize.Net Direct Post updated with (Deprecated) in the UI and these patch changes to help those transitioning. 

Abosolute date may change. Thanks @et_rolmos for the heads up! We've seen it change a couple times. Applying the patch now can help until and through the deprecation. 

What should I see on the downloads page?

Here are a couple screen shots with notes.

Example Magento 1 download link:

Example Magento 2 download link:

I'm having trouble getting this patch installed via composer. This is my first run at installing a patch in M2 (2.2.7), but from what I understand I need to do the following:

- Download the Auth.net.md5.composer-2019-02-27-11-51-12.patch

- Remove ALL references to: vendor/magento/module-authorizenet/ paths in that file, so for instance it's just "Model/Directpost.php" ... does this include ALL references including the "Index:" referenced paths?

- Upload the patch file to my magento root under "patches/composer/"

- Update composer.json in my magento root at the end of file to the following:

    "extra": {
        "magento-force": "override",
        "composer-exit-on-patch-failure": true,
        "patches": {
            "magento/module-authorizenet": {
                "MAGETWO-AuthNetDPM: Authorize.Net Direct Post Method SHA2 verification.": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch"
            }
        }
    }

- As my magento system user, run: composer update

** I would expect to see a note that the Auth.net patch is found and applied, or at least something to indicate it's reading the file to update? I get nothing... just:

Loading composer repositories with package information
Updating dependencies (including require-dev)
Nothing to install or update
Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested.
Writing lock file
Generating autoload files

- I run: bin/magento setup:upgrade

*** Again, I'd expect to see something related to the Auth.net module getting an update. But I just see the list of existing modules and at the end: Nothing to import.

I've cleared cache, restarted varnish, checked the acutal Auth.net files it's supposed to be updating with the diff (nothing has changed in those files), and checked the backend payment module to see if the SHA2 hash entry is there for me to use it.

What am I doing wrong where composer is not finding my extra block and trying to run it? Like I said, this is my first attempt at a patch. Other than running composer update in the past, which updates existing modules that need new versions, I've not figured this patch out.

Thanks

Hi @Rich1000 

Try running composer -v install instead and then run composer update --lock. Below is an excerpt from a post from the Magento Help Center

Apply the patch. Use the -v option only if you want to see debugging information.

composer -v install

Update the composer.lock file. The lock file tracks which patches have been applied to each Composer package in an object.

composer update --lock

This is the full post which helped me a ton:

https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-i.... Even though it shows  how to create a patch from github a lot of the same rules apply. Thanks to  @et_rolmos for the link.

Before that though, make sure you've added cweagans/composer-patches plugin to the composer.json file.

how to install Authorize.Net Direct Post Patch for magento 2.0 ? Above comments shows results for M2 2.1x, 2.2x and 2.3x.

Wow what a Cluster@#$%

First their instructions didn't work. Every link they said to look for after following the link in the email did not exist. I had to find the content with the patch manually. I finally found the patch and downloaded it and the instructions were for magento cloud. I initially sought to manually implement the patch just to test it. It seemed to work but, despite my downloading the version that said it was for v2.2.4, the patch entries for the file Model/DirectPost.php were offset by 12 lines.
The patch worked manually, but to avoid further difficulties, I modified the patch to reflect the 12 line offset difference. I then went to implement it with cweagans plugin so composer could handle applying the patch. It is a standard patch and not compatible with github patch files.  You have to go into all the file references and add "a/" to be beginning of the original file references and "b/" to the beginning of all the modified file references. Then it will work with cweagans plugin via composer.

After applying the patch, I tried it out on the sandbox server. It produced an error in the cart and threw an exception with the error: "The transaction was declined because the response hash validation failed"

I contacted authorize support and they said to remove the value in the MD5 field and the transaction key fields. I tried it again and got the same error. They suggested opening a support ticket so I did. In the meantime, I went through and double checked all the values re-entering the app ID, creating a new sandbox signature and double checking the urls.

Now I get the error: " Please enter a transaction ID to authorize this payment."

DATE MOVED: Authorize.Net moved the date to June 28, 2019. For more information, see this post.

@Meetanshi Thank you for doing this. This is how good support is done

From the github thread there's a couple things to check if you're having issues:

1. Maintenance mode is not enabled, otherwise Authorize.Net can't connect to your Magento site

2. The Signature Key from Authorize.Net includes a carriage return at the beginning for some reason that the "Copy to Clipboard" button also copies. That carriage return is not part of the Signature Key.

https://github.com/magento/community-features/issues/127

Where is 2.1.x CE patch? On the downloads section I see only 2.2.x patch and it doesn't work for the 2.1.x because module-authorizenet/Model/Directpost.php file is different.

The download section is empty how can I apply this patch?!

Someone pointed out something in another thread ( https://github.com/magento/magento2/issues/21696 )

The authorize console shows the payment as approved, but the error is occuring in magento and thus the checkout doesn't complete. So I don't think it's a problem with keys having carriage returns.

This patch related only for Authorize.net DP (non Authorize.net) . Am I wrong?

The patch is for the CE/EE built in DirectPost in Magento itself. I've been playing with the authorize.net plugin but having some other issues with that.

Anyone have a patch link for 2.0.x versions of Magento, that is not in the selection dropdown of the downloads sections.

@chris_gridley Magento 2.0 support ended a year ago, in March 2018. It's end-of-life and no longer receives fixes or security updates. You need to upgrade, preferably to 2.3 (latest).

See https://community.magento.com/t5/Magento-DevBlog/DevDocs-for-Magento-2-0-is-EOL/ba-p/103591

Hey Team,

Any update here? Still there's an issue of checkout failed due to the error "The transaction was declined because the response hash validation failed", but the transaction was successful in Authorize.Net.

Thanks,

Mak

Hello,

I am also trying to apply this patch. My Magento version is EE 2.1.4. But while applying getting the error

patch -p0 < Auth.net.md5.composer-2019-02-27-11-51-12.patch
patching file vendor/magento/module-authorizenet/Model/Directpost.php
Hunk #1 FAILED at 543.
1 out of 1 hunk FAILED -- saving rejects to file vendor/magento/module-authorizenet/Model/Directpost.php.rej
patching file vendor/magento/module-authorizenet/Model/Directpost/Request.php
patching file vendor/magento/module-authorizenet/Model/Directpost/Response.php
patching file vendor/magento/module-authorizenet/etc/adminhtml/system.xml
patching file vendor/magento/module-authorizenet/etc/config.xml

Can you please let me know why and how can I fix it?

Thank You!

Abbas

See my comments above on the patch. It's offset by 12 lines. You can either lower your patch scrutiny (doing so varies upon what tools you are using - some patch tools may not support it) or correct for the offset. (what I eventually did)

@albumenvy @scott_wood1 

For the 12 line offset issue, which 12 lines did you edit to make the patch install work?

Also, I have been getting the error message when trying to install:

Could not apply patch! Skipping. The error was: Cannot apply patch patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch

When I run "composer -v install" I also see a lot of error messages like for every single patch block.

can't find file to patch at input line 6
Perhaps you used the wrong -p or --strip option?

Lastly, and possibly the weirdest of them all. Even though I have yet to install the patch successfully in any way, when I go to the dashboard I see the new field for "Signature Key" within the DPM section. I do not feel confident pushing these changes to production at all at this point, but would like to know how the patch is seemingly applied even though I've gotten error after error while trying to install. Thanks!

@fjorgedigital No, I mean the line-number references in the patch for the DirectPost.php are all off by a factor of 12. I think it was +12 but you would have to check. i.e. the patch files include lines above and lines below the part actually replaced. The offset may vary on your own version. Check your own DirectPost.php and see what line number the above/below lines fall upon then adjust the numeric line references accordingly. (e.g. if it says line 320 and yours is on 308, then you need to subtract 12 from all references. If yours is on line 332 then you need to add 12)

thank you for providing the information

freaken magento ......

https://community.magento.com/t5/Merchant-Chat/Magento-2-3-0-Authorize-Net-MD5-Hash-to-SHA-256/m-p/1...

after successfullly applying the patch im getting

Type Error occurred when creating object: Magento\Authorizenet\Model\Directpost\Request

Hello,

we just upgraded to Mage 2.3.4 CE.

Is this Auth.net Direct Post update already integrated in 2.3.4 or do we need to apply this patch ?

I tried to run the patch on 2.3.4 on a local sandbox but get FAILED CHUNK for all of the updates... and all of our Auth.net requests do not reach Auth.net anymore...

Thanks.