cancel
Showing results for 
Search instead for 
Did you mean: 

Authorize.Net Direct Post Patch for M2 and M1

lkrell
New Contributor

Magento’s implementation of the Authorize.Net Direct Post payment method currently uses MD5 based hash for all M1 and M2 installations. As of June 28, 2019, Authorize.Net will stop supporting MD5 based hash usage (announcement).

 

This will result in Magento merchants not being able to process payments using Authorize.Net Direct Post. To avoid disruption and to continue processing payments, merchants need to apply a patch provided by Magento and add a Signature Key (SHA-512) in the Magento Admin configuration settings.

 

Magento Versions Requiring Patch

 

Merchants using the following Magento versions and editions need to update:

 

  • Magento Commerce and Open Source 1.X.X
  • Magento Commerce, Commerce Cloud, and Open Source 2.1.X, 2.2.X, 2.3.X
  • Net Direct Post

 

Patch Information

 

The patch name is Authorize.net Direct Post Signature Key. The patch for 2.X can be applied to all 2.3.X, 2.2.X, and 2.1.X instances. Merchants on M1 have specific patches to download.

 

This patch replaces the MD5 Hash field with Signature Key field. You can obtain the new key and configure your Magento Admin following the KB article.

 

Required Steps to Update

 

startup.png Complete the following steps using our KB Article Update Authorize.Net Direct Post from MD5 to SHA-512. The KB includes information for all M1 and M2 merchants.

 

  1. Download and install the patch update through your Magento account.
  2. Get a new Signature Key through your Authorize.Net account.
  3. Add the new Signature Key in the Magento Admin for Authorize.Net Direct Post.

 

More information 

 

Questions?

 

Magento Commerce merchants and Partners can contact Magento Support with questions.

 

46 Comments
DigitalStudioNW
Occasional Contributor

Perhaps I missed something, but where is the composer info to update for the patch?

 

Thanks!

et_rolmos
Occasional Contributor

@DigitalStudioNW the composer patch is in the "select a format" drop-down.

 

Looks like the difference is just the file paths in the patch and the github version includes tests.

 

This is also helpful for tracking patches via composer: https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-i...

 

brandonmts
Occasional Visitor

I know that Magento likes to document things  the slashdot way with 1) Do this explicit step, 2) Do another explicit step, 3) ... , 4) Profit!!!, but really guys, how do you apply this composer patch? I've tried several different approaches using your documentation

 

Things obviously missing from your documentation:

1) What module are we applying the patch to? assuming magento/module-authorizenet

2) Do we need to run composer update first?

 

I've added this to my composer.json file:

"extra": {
"magento-force": "override",
"composer-exit-on-patch-failure": true,
"patches": {
"magento/module-authorizenet": {
"MAGE1: Authorize.net update without any help from Magento": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch"
}
}
}

 

But all I get when running 'composer -v install' is this:

 

Could not apply patch! Skipping. The error was: Cannot apply patch patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch


[Exception]
Cannot apply patch MAGE1: Authorize.net update without any help from Magento (patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch)!

Exception trace:
() at /var/www/vhosts/magento.local/code/magento/vendor/cweagans/composer-patches/src/Patches.php:320
cweagans\Composer\Patches->postInstall() at n/a:n/a
call_user_func() at phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php:171
Composer\EventDispatcher\EventDispatcher->doDispatch() at phar:///usr/bin/composer/src/Composer/EventDispatcher/EventDispatcher.php:116
Composer\EventDispatcher\EventDispatcher->dispatchPackageEvent() at phar:///usr/bin/composer/src/Composer/Installer.php:605
Composer\Installer->doInstall() at phar:///usr/bin/composer/src/Composer/Installer.php:223
Composer\Installer->run() at phar:///usr/bin/composer/src/Composer/Command/InstallCommand.php:119
Composer\Command\InstallCommand->execute() at phar:///usr/bin/composer/vendor/symfony/console/Command/Command.php:267
Symfony\Component\Console\Command\Command->run() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:846
Symfony\Component\Console\Application->doRunCommand() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:191
Symfony\Component\Console\Application->doRun() at phar:///usr/bin/composer/src/Composer/Console/Application.php:227
Composer\Console\Application->doRun() at phar:///usr/bin/composer/vendor/symfony/console/Application.php:122
Symfony\Component\Console\Application->run() at phar:///usr/bin/composer/src/Composer/Console/Application.php:100
Composer\Console\Application->run() at phar:///usr/bin/composer/bin/composer:54
require() at /usr/bin/composer:24

et_rolmos
Occasional Contributor

@brandonmts 

 

composer.json looks fine to me, copy if mine below for checking against.

 

I didn't see a need to run composer update.

 

Did you also edit the patch file to remove references to "vendor/magento/module-authorizenet/" ?

 

The cweagans/composer-patches plugin method of patching seems to be working fine for me on a fresh M2.2.7 composer-based setup.

 

"extra": {
"magento-force": "override",
"composer-exit-on-patch-failure": true,
"patches": {
"magento/module-authorizenet": {
"MAGETWO-AuthNetDPM: Authorize.Net Direct Post Method SHA2 verification.": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch"
}
}
}

et_rolmos
Occasional Contributor
doug_hvsl
Frequent Visitor

I run an old 1.7 version. I see no "Downloads" tab when I log in under My Account. Is there another place to access the patch file? Am I missing something?

mtp_webmaster
Frequent Visitor

@et_rolmos 

I'm a bit confused when you mentioned "Did you also edit the patch file to remove references to "vendor/magento/module-authorizenet/" ?" Could you copy and paste the patch file with these removed? It'd be easier to see.

et_rolmos
Occasional Contributor

@mtp_webmaster  

 

Hopefully this helps: https://gist.github.com/robolmos/7a3bf336516b18f8e0bd48a13d93e1ef

 

Basically where you see lines like this in the original patch file:

 

Index: vendor/magento/module-authorizenet/Model/Directpost.php
<+>UTF-8
===================================================================
+++ vendor/magento/module-authorizenet/Model/Directpost.php (revision a0dade4d8bc15b651d8b1ea0e7e4e3580fb1d3ae)
--- vendor/magento/module-authorizenet/Model/Directpost.php (revision 01fbfeba9bd743266199e30260376a9c1b95fbf5)

 

They become this after the text replacement so that they're relative to the package:

 

Index: Model/Directpost.php
<+>UTF-8
===================================================================
+++ Model/Directpost.php (revision a0dade4d8bc15b651d8b1ea0e7e4e3580fb1d3ae)
--- Model/Directpost.php (revision 01fbfeba9bd743266199e30260376a9c1b95fbf5)

 

et_rolmos
Occasional Contributor

@doug_hvsl unfortunately the download instructions are still incorrect.

 

I downloaded the M1 patch from the release archive page: https://magento.com/tech-resources/download#download2280

 

gismagento2
New Contributor

I have gotten the following error on two separate Magento1 stores after installing the patch:

 

Fatal error: Can't use method return value in write context in [path]../app/code/core/Mage/Authorizenet/Model/Directpost.php on line 391

 

In both instances the patch applied successfully.  But then when I tried to add the directpost configuration values I got the errors, and then also when I tried to checkout on the front end (even if the directpost method was turned off).

et_rolmos
Occasional Contributor

@gismagento2 

 

Which specific versions of M1 and which version of PHP?

Any other stacktrace for that error?

 

With a fresh M1.9.4.0 and PATCH_SUPEE-11085_CE_1.14.4.0_v1-2019-02-28-05-21-55.sh applied.

 

Line 391: $response = $this->getResponse();

 

Code around that line:

 

/**
* Validate response data. Needed in controllers.
*
* @return bool true in case of validation success.
* @throws Mage_Core_Exception in case of validation error
*/
public function validateResponse()
{
$response = $this->getResponse();
$hashConfigKey = !empty($response->getData('x_SHA2_Hash')) ? 'signature_key' : 'trans_md5';

//hash check
if (!$this->getConfigData($hashConfigKey)
|| !$response->isValidHash($this->getConfigData($hashConfigKey), $this->getConfigData('login'))
) {
Mage::throwException(
Mage::helper('authorizenet')->__('Response hash validation failed. Transaction declined.')
);
}
return true;
}

gismagento2
New Contributor

Version 1.8.1 and 1.7.0.2

 

I can't find any other error data except for that Fatal error message.

 

I've reverted the patches on both sites so I'm not re-applying them and hosing the sites again.

 

 

 

 

Meetanshi
M2 Certified

Directly download the pre-patched files from Github to easily install the patch in your Magento 1 or Magento 2. For the detailed and stepwise guide, follow the tutorial to Update Authorize.Net Direct Post from MD5 to SHA-512 in Magento

gismagento2
New Contributor

Using the pre-patched files still throws the same error.  Just tried it on yet another Magento 1 site, this one version 1.9.1.0

 

And do you have to enter the Merchant MD5 value in the configuration to make the payment module work?

Just_Andy
New Contributor

Does this MD5 phase out affect the "Authorize.net" payment method that's inside Mage_Paygate?  

et_rolmos
Occasional Contributor

@Just_Andy 

It should only affect the stock "Direct Post Method" payment method.

 

The stock "Authorize.Net" code doesn't have any MD5 hash verification that I could find.

gismagento2
New Contributor

do you have to enter the Merchant MD5 value in the configuration to make the payment module work?

carla_mckenzie
Occasional Visitor

Is it the patch thats the problem or the instructions....I can't tell....is it both?

 

Note:

Try these instructions. Use GitHub patch if you can: https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-i...

germslearn
New Contributor

So just confirming, if we're on M1 1.9.2.4 and we're using the stock Authorize.net payment method (NON Direct Post), are we affected by this change?

 

 

Pronko
Magento Master

For the Authorize.NET Security Key update we have built a new Authorize.NET extension for Magento 2. You may consider moving to a brand new version of the integration which is built using Payment Gateway API and follows the service isolation approach.

 

Check it out and let me know if you have questions.

New Authorize.NET Payment Method Extension Release for Magento 2

 

lkrell
New Contributor

Some updates to help out!

 

Which Authorize.Net modules are affected? Only the Direct Post. This patch is a short term aid to replace the MD5 Field with a Signature Key field. You will need to follow the KB article to get that new key and update your config. In 2.3.1, we will have a new Authorize.Net option available on install/upgrade with Authorize.Net Direct Post updated with (Deprecated) in the UI and these patch changes to help those transitioning. 

 

Abosolute date may change. Thanks @et_rolmos for the heads up! We've seen it change a couple times. Applying the patch now can help until and through the deprecation. 

 

What should I see on the downloads page?

Here are a couple screen shots with notes.

 

Example Magento 1 download link:

auth-m1.png

 

Example Magento 2 download link:

auth-m2.png

 

Rich1000
New Contributor

I'm having trouble getting this patch installed via composer. This is my first run at installing a patch in M2 (2.2.7), but from what I understand I need to do the following:

- Download the Auth.net.md5.composer-2019-02-27-11-51-12.patch

- Remove ALL references to: vendor/magento/module-authorizenet/ paths in that file, so for instance it's just "Model/Directpost.php" ... does this include ALL references including the "Index:" referenced paths?

- Upload the patch file to my magento root under "patches/composer/"

- Update composer.json in my magento root at the end of file to the following:

 

    "extra": {
        "magento-force": "override",
        "composer-exit-on-patch-failure": true,
        "patches": {
            "magento/module-authorizenet": {
                "MAGETWO-AuthNetDPM: Authorize.Net Direct Post Method SHA2 verification.": "patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch"
            }
        }
    }

- As my magento system user, run: composer update

 

** I would expect to see a note that the Auth.net patch is found and applied, or at least something to indicate it's reading the file to update? I get nothing... just:

 

Loading composer repositories with package information
Updating dependencies (including require-dev)
Nothing to install or update
Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested.
Writing lock file
Generating autoload files

- I run: bin/magento setup:upgrade

 

*** Again, I'd expect to see something related to the Auth.net module getting an update. But I just see the list of existing modules and at the end: Nothing to import.

 

I've cleared cache, restarted varnish, checked the acutal Auth.net files it's supposed to be updating with the diff (nothing has changed in those files), and checked the backend payment module to see if the SHA2 hash entry is there for me to use it.

 

What am I doing wrong where composer is not finding my extra block and trying to run it? Like I said, this is my first attempt at a patch. Other than running composer update in the past, which updates existing modules that need new versions, I've not figured this patch out.

 

Thanks

dorzech7
Contributor

Hi @Rich1000 

 

Try running composer -v install instead and then run composer update --lock. Below is an excerpt from a post from the Magento Help Center

 

Apply the patch. Use the -v option only if you want to see debugging information.

composer -v install

Update the composer.lock file. The lock file tracks which patches have been applied to each Composer package in an object.

composer update --lock

This is the full post which helped me a ton:

https://support.magento.com/hc/en-us/articles/360005484154-Create-a-patch-for-a-Magento-2-Composer-i.... Even though it shows  how to create a patch from github a lot of the same rules apply. Thanks to  @et_rolmos for the link.

dorzech7
Contributor

Before that though, make sure you've added cweagans/composer-patches plugin to the composer.json file.

ravi_nagpal
Senior Member

how to install Authorize.Net Direct Post Patch for magento 2.0 ? Above comments shows results for M2 2.1x, 2.2x and 2.3x.

albumenvy
Senior Member

Wow what a Cluster@#$%

First their instructions didn't work. Every link they said to look for after following the link in the email did not exist. I had to find the content with the patch manually. I finally found the patch and downloaded it and the instructions were for magento cloud. I initially sought to manually implement the patch just to test it. It seemed to work but, despite my downloading the version that said it was for v2.2.4, the patch entries for the file Model/DirectPost.php were offset by 12 lines.
The patch worked manually, but to avoid further difficulties, I modified the patch to reflect the 12 line offset difference. I then went to implement it with cweagans plugin so composer could handle applying the patch. It is a standard patch and not compatible with github patch files.  You have to go into all the file references and add "a/" to be beginning of the original file references and "b/" to the beginning of all the modified file references. Then it will work with cweagans plugin via composer.

After applying the patch, I tried it out on the sandbox server. It produced an error in the cart and threw an exception with the error: "The transaction was declined because the response hash validation failed"

I contacted authorize support and they said to remove the value in the MD5 field and the transaction key fields. I tried it again and got the same error. They suggested opening a support ticket so I did. In the meantime, I went through and double checked all the values re-entering the app ID, creating a new sandbox signature and double checking the urls.

Now I get the error: " Please enter a transaction ID to authorize this payment."

lkrell
New Contributor

DATE MOVED: Authorize.Net moved the date to June 28, 2019. For more information, see this post.

gymstar
New Contributor

 

 

 

daschenbrener
Occasional Contributor

@Meetanshi Thank you for doing this. This is how good support is done

et_rolmos
Occasional Contributor

From the github thread there's a couple things to check if you're having issues:

 

1. Maintenance mode is not enabled, otherwise Authorize.Net can't connect to your Magento site

 

2. The Signature Key from Authorize.Net includes a carriage return at the beginning for some reason that the "Copy to Clipboard" button also copies. That carriage return is not part of the Signature Key.

 

https://github.com/magento/community-features/issues/127

smartsites
Senior Member

Where is 2.1.x CE patch? On the downloads section I see only 2.2.x patch and it doesn't work for the 2.1.x because module-authorizenet/Model/Directpost.php file is different.

alessandro_tiso
New Contributor

The download section is empty how can I apply this patch?!

albumenvy
Senior Member

Someone pointed out something in another thread ( https://github.com/magento/magento2/issues/21696 )

The authorize console shows the payment as approved, but the error is occuring in magento and thus the checkout doesn't complete. So I don't think it's a problem with keys having carriage returns.

Sheshukov Ivan
M1 Certified

This patch related only for Authorize.net DP (non Authorize.net) . Am I wrong?

albumenvy
Senior Member

The patch is for the CE/EE built in DirectPost in Magento itself. I've been playing with the authorize.net plugin but having some other issues with that.

chris_gridley
New Member

Anyone have a patch link for 2.0.x versions of Magento, that is not in the selection dropdown of the downloads sections.

Ryan Hoerr
M2 Certified

@chris_gridley Magento 2.0 support ended a year ago, in March 2018. It's end-of-life and no longer receives fixes or security updates. You need to upgrade, preferably to 2.3 (latest).

 

See https://community.magento.com/t5/Magento-DevBlog/DevDocs-for-Magento-2-0-is-EOL/ba-p/103591

makkal
Senior Member

Hey Team,

Any update here? Still there's an issue of checkout failed due to the error "The transaction was declined because the response hash validation failed", but the transaction was successful in Authorize.Net.

 

Thanks,

Mak

abbasalibutt
Senior Member

Hello,

 

I am also trying to apply this patch. My Magento version is EE 2.1.4. But while applying getting the error

 

patch -p0 < Auth.net.md5.composer-2019-02-27-11-51-12.patch
patching file vendor/magento/module-authorizenet/Model/Directpost.php
Hunk #1 FAILED at 543.
1 out of 1 hunk FAILED -- saving rejects to file vendor/magento/module-authorizenet/Model/Directpost.php.rej
patching file vendor/magento/module-authorizenet/Model/Directpost/Request.php
patching file vendor/magento/module-authorizenet/Model/Directpost/Response.php
patching file vendor/magento/module-authorizenet/etc/adminhtml/system.xml
patching file vendor/magento/module-authorizenet/etc/config.xml

 

Can you please let me know why and how can I fix it?

 

Thank You!

Abbas

scott_wood1
Occasional Visitor

 

See my comments above on the patch. It's offset by 12 lines. You can either lower your patch scrutiny (doing so varies upon what tools you are using - some patch tools may not support it) or correct for the offset. (what I eventually did)

fjorgedigital
New Contributor

@albumenvy @scott_wood1 

For the 12 line offset issue, which 12 lines did you edit to make the patch install work?

fjorgedigital
New Contributor

Also, I have been getting the error message when trying to install:

Could not apply patch! Skipping. The error was: Cannot apply patch patches/composer/Auth.net.md5.composer-2019-02-27-11-51-12.patch

When I run "composer -v install" I also see a lot of error messages like for every single patch block.

can't find file to patch at input line 6
Perhaps you used the wrong -p or --strip option?

 

Lastly, and possibly the weirdest of them all. Even though I have yet to install the patch successfully in any way, when I go to the dashboard I see the new field for "Signature Key" within the DPM section. I do not feel confident pushing these changes to production at all at this point, but would like to know how the patch is seemingly applied even though I've gotten error after error while trying to install. Thanks!

scott_wood1
Occasional Visitor

@fjorgedigital No, I mean the line-number references in the patch for the DirectPost.php are all off by a factor of 12. I think it was +12 but you would have to check. i.e. the patch files include lines above and lines below the part actually replaced. The offset may vary on your own version. Check your own DirectPost.php and see what line number the above/below lines fall upon then adjust the numeric line references accordingly. (e.g. if it says line 320 and yours is on 308, then you need to subtract 12 from all references. If yours is on line 332 then you need to add 12)

andrews_lane
Visitor

thank you for providing the information

sequii2017
Occasional Contributor

freaken magento ......

 

https://community.magento.com/t5/Merchant-Chat/Magento-2-3-0-Authorize-Net-MD5-Hash-to-SHA-256/m-p/1...

 

after successfullly applying the patch im getting

Type Error occurred when creating object: Magento\Authorizenet\Model\Directpost\Request

Proto6
Senior Member

Hello,

 

we just upgraded to Mage 2.3.4 CE.

 

Is this Auth.net Direct Post update already integrated in 2.3.4 or do we need to apply this patch ?

 

I tried to run the patch on 2.3.4 on a local sandbox but get FAILED CHUNK for all of the updates... and all of our Auth.net requests do not reach Auth.net anymore...

 

Thanks.