Dotnetnuke Braintree - XMLHttpRequest cannot load transparent redirect - dotnetnuke

I'm trying to develop a braintree payment gateway (transparent redirect) on my dotnetnuke website and while I was developing on development site with http development everything worked. When i put my code in the production website with https, i have this error on my chrome console and not works!
After some search i put this on my web.config:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
And my payment still works and a receive the transparent url:
<--urlbase-->?http_status=200&id=xxx&kind=create_transaction&hash=xxx
But when execute:
Result<Transaction> chargeResult = this.BraintreeGateway().TransparentRedirect.ConfirmTransaction(this.Request.Url.Query);
Nothing happens! I don't have errors in the event viewer!

Related

Microsoft Edge Issue - The requested resource requires user authentication

I have a website and api hosted on IIS 8.5 and lately users of the site are getting the following console error when attempting to POST data to the api when using Microsoft Edge:
HTTP401: DENIED - The requested resource requires user authentication.
(XHR)OPTIONS - http://my-local-address/api/customers/approval/post
Note: Users are authenticated by using Windows Authentication.
This occurs spontaneously and to get around the issue the users are forced to do a hard refresh (Ctrl + F5) on MS Edge and then they can continue with their process. Could there be a setting on IIS that's releasing the user authentication after a period of time?
I've listed my attempts to resolve the issue below:
I've got my organisation to add in a trusted policy for my local web address.
Changed the providers of the API. Moved NTLM above Negotiate.
Removed Negotiate based on this stackoverflow post Windows authentication failing in IIS 7.5.
Try and catch the error from the POST request but I'm returning null every time.
Configured CORS to allow for cross origin.
NB: I'm using angularjs for my front end and ASP.NET Web API 2 for the API.
The following code snippet details how the Web Api is configured:
WebApiConfig.cs
var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
config.EnableCors(cors);
Web.config
<system.web>
<identity impersonate="true" />
<compilation debug="true" targetFramework="4.5.1">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.2" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="TRACEVerbHandler" />
<remove name="OPTIONSVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Angular module config using $httpProvider to supply $http requests with credentials
$httpProvider.defaults.withCredentials = true;

401 Unauthorized error when accessing webapi from angular

I need to capture a user's domain\username when they access my webapi app. On my dev machine I have my webapi at localhost:10570 and my angularjs website which makes calls to the webservice at localhost:34575.
If I make a call directly to my webapi app everything works fine. I can see the users domain and username and the service returns the requested data as JSON. But if I access my angularjs site and angular makes the call to webapi then I get 401 unauthorized for every call against the service.
In my WebApi app's web.config I have:
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:34575" />
<add name="Access-Control-Allow-Methods" value="POST, PUT, DELETE, GET, OPTIONS" />
<add name="Access-Control-Allow-Headers" value="content-Type, accept, origin, X-Requested-With, Authorization, name" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</system.webServer>
I have this in IIS Express for Visual Studio 2015's applicationhost.config file:
<location path="MyNamespace.WebAPI">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
My angularjs site is part of the same solution at "MyNamespace.Client".
Why does accessing the web service directly work fine, but accessing it via the angular app fail?
I didn't realize you have to tell Angular to send your credentials to the server. I just had to change my API calls from:
$http.get(url);
to
$http.get(url, { withCredentials: true });

Response to Preflight responded with 405 Error code : Angular JS

I am using an API call in cross domain where In chrome I am getting this response . I have all the headers included in my REST API in other domain .
<add name="Access-Control-Allow-Origin" value="*"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="X-XSS-Protection" value="1;"/>
<remove name="X-Powered-By"/>
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept"/>
<add name="Access-Control-Allow-Methods" value="POST,GET"/>
And this is my API Call from angular .
$scope.XYZ=customURLWithoutArray.save({
controller:"XYZController",
actionName:"ABCACTIONNAME",
UserId: "VC"
},
function($success){
return $success;
},function($error){
return $error;
});
It is able to hit the controller but data is null.
As you might already know, a preflight request sends a HTTP OPTIONS request.
In your configuration (I assume its some IIS server?) you have this:
<add name="Access-Control-Allow-Methods" value="POST,GET"/>
Which means you're not allowing OPTIONS.
So try modifying it to this:
<add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS/>
More information on configuring IIS for CORS:
https://stackoverflow.com/a/31084417/6139050

How to serve static files (for CORS / OPTION request) in IIS?

I have an AngularJS application that I am trying to use an AJAX request to pull in a static file from a ASP.NET WebApi2 application running on IIS 8.5. Similar to the example below-
ng-include="http://server/Content/icon.svg"
If I navigate to that URL in the browser, IIS happily serves that file as a static file. However, when I use an AJAX request, Angular attempts an OPTIONS request first, since it is CORS request, and IIS throws a 405 Method Not Allowed.
I have tried adding these headers to the static Content folder in the web site-
However this made no difference. Also, the IIS server does not have WebDAV installed, which is a thing I have seen around as something that could cause issues.
I had an IIS site with a virtual directory from which I serve my static files.
In order to do CORS from the browser, what I did was configuring the "En tetes de réponses HTTP" of the site, which in english should be something like "HTTP Response Headers".
There I added a new header named "Access-Control-Allow-Origin" with value "*".
From this moment, I can use static files in XHR.
My actual problem was serving OpenStreetMap tiles to a file:///c/xxx/index.html and the error in chrome was
Image from origin 'http://myhost' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
This works for me for accessing .png files in a subdirectory under forms authentication. You should be able to change the extension.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".*" mimeType="image/png" />
</staticContent>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
</handlers>
</system.webServer>
</configuration>
What if you add the OPTIONS as a verb for the Access-Control-Allow-Methods As answered in this question.
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
</httpProtocol>
</system.webServer>
If you want to serve static files to the public internet without any authorization you can set your CORS polity to:
Allow GET request
From any Origin
Allow all request Headers
Allow the OPTIONS reply to be cached for 24h
Internet Information Server this can be configured with the following IIS configuration for your site
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Methods" value="GET,OPTIONS" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="*" />
<add name="Access-Control-Max-Age" value="86400" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>

401 Unauthorized status code for cross-domain OPTIONS request

I use cross-domain requests for Angularjs + MVC WebAPI, in the case browser sends two requests first of them with OPTIONS type but i get 401 status code:
http://grab.by/vrsA
I added Access-Control-* attributes to WebApi web.config file:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By"/>
<remove name="X-AspNet-Version"/>
<add name="Access-Control-Allow-Origin" value="*"/>
<add name="Access-Control-Allow-Headers" value="content-type, accept, authorization, origin, referer, user-agent, x-token"/>
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS"/>
</customHeaders>
</httpProtocol>
so, can somebody explain my why?
The preflight (OPTIONS) request is sent without any security headers. You'll need to make sure that your webserver allows anonymous OPTIONS requests

Resources