OneEagle
Added a discussion

Hello dear @Anton L

After successfully processing a payment on the Stripe checkout page, I am getting a 403 Forbidden error when Stripe tries to send a user back to my site in order to confirm the subscription or the purchase and update the membership in UNA.

Forbidden
You don't have permission to access this resource.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

In my Stripe account (dashboard), everything looks great. The payment was processed with success and the subscription was successfully created too. The only error I can see from the Stripe Webhooks tab is: Webhook delivery failure for the event: invoice.payment_succeeded

I am using Stripe 3D Secure integration. My Stripe account is set correctly: Products/subscriptions are created and the webhook is added. Same with UNA, I have entered the Public and Secret key correctly. I am in the test mode. UNA 13.1.0-Stable on a dedicated server (Apache).

After payment, Stripe Checkout returns to the following URL, which gives the 403 Forbidden error:

https://www.xxxxx.com/m/payment/subscribe_json/?seller_id=xx&seller_provider=stripe_v3&module_id=xx&item_id=x&item_count=1&item_addons=xxxxxxxxxxxxxxxxxxxxxxx=&redirect=&custom=xxxxxxxx&session_id=cs_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

After checking my server log, it looks like the 'session_id' parameter in that URL is triggering my server's ModSecurity. The Stripe webhook endpoint request is blocked and Stripe doesn't send back the purchase information to update the UNA system/database.

Below is my server log:

[Mon May 20 14:46:05.239706 2024] [security2:error] [pid xxxxx:tid xxxxxxxxxxxxxx] [client xxx.xx.xxx.xxx:xxxxx] [client xxx.xx.xxx.xxx] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "xxxxxx"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer"] [tag "event-correlation"] [hostname "www.xxxxx.com"] [uri "/m/payment/initialize_checkout/single/"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxxxxxx"], referer: https://checkout.stripe.com/

[Mon May 20 14:46:46.630701 2024] [security2:error] [pid xxxxx:tid xxxxxxxxxxxxxx] [client xxx.xxx.xx.xx:xxxxx] [client xxx.xxx.xx.xx] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "303"] [id "xxxxxx"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "xxx.xxxxx.com"] [uri "/"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]

How to fix this problem? Please help!

Thanks

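Triaging the two log lines above, as an added example that is not part of the post, of UNA or of the OWASP CRS: the Python below parses ModSecurity error-log entries of the shape quoted (the two redacted lines are embedded as constructed sample input, with the poster's xxx placeholders kept), splits the CRS anomaly-score breakdown, and groups hits by unique_id. It makes two things visible that matter before writing any exclusion. First, the line that mentions session fixation comes from RESPONSE-980-CORRELATION.conf, the rule that only reports the summed score; its [id] is the reporting rule, not the rule that scored SESS=5, and the entry for that scoring rule (from the REQUEST-943 session-fixation rule file, stamped with the same unique_id) is not in the excerpt. Second, the message says the match is on the parameter name, so the target to remove from that rule is ARGS_NAMES:session_id, not the value. build_exclusion() emits a ModSecurity v2 rule scoped to one URI prefix; the rule id placeholder, the exclusion id 10001, the /m/payment/ prefix and the trusted-referer set are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample input: the two ModSecurity error-log entries quoted in the post,
# with the poster's redactions ("xxx" placeholders) left as posted.
SAMPLE_LOG = (
    '[Mon May 20 14:46:05.239706 2024] [security2:error] [pid xxxxx:tid xxxxxxxxxxxxxx] '
    '[client xxx.xx.xxx.xxx:xxxxx] [client xxx.xx.xxx.xxx] ModSecurity: Warning. Operator GE '
    'matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/'
    'OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "xxxxxx"] [msg "Inbound '
    'Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,'
    'HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain '
    'Referer"] [tag "event-correlation"] [hostname "www.xxxxx.com"] '
    '[uri "/m/payment/initialize_checkout/single/"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxxxxxx"], '
    'referer: https://checkout.stripe.com/\n'
    '[Mon May 20 14:46:46.630701 2024] [security2:error] [pid xxxxx:tid xxxxxxxxxxxxxx] '
    '[client xxx.xxx.xx.xx:xxxxx] [client xxx.xxx.xx.xx] ModSecurity: Warning. Operator EQ '
    'matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/'
    'rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "303"] [id "xxxxxx"] [rev "2"] '
    '[msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] '
    '[tag "application-multi"] [tag "attack-protocol"] '
    '[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [hostname "xxx.xxxxx.com"] '
    '[uri "/"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]\n'
)

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')      # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')    # [client ip:port] and [client ip]
REFERER_RE = re.compile(r', referer: (\S+)\s*$')
SCORE_RE = re.compile(r'Total Inbound Score: (\d+) - ([A-Z]+=\d+(?:,[A-Z]+=\d+)*)')


@dataclass
class Entry:
    fields: Dict[str, str]
    tags: List[str]
    client: str
    referer: Optional[str]

    @property
    def rule_id(self) -> Optional[str]:
        return self.fields.get("id")

    @property
    def is_anomaly_summary(self) -> bool:
        # RESPONSE-980 only reports the summed anomaly score; its [id] is the reporting
        # rule, not the rule that scored the request, so it is never the one to exclude.
        return "RESPONSE-980-CORRELATION" in self.fields.get("file", "")

    def score_breakdown(self) -> Dict[str, int]:
        """{'SQLI': 0, ..., 'SESS': 5} from a CRS anomaly-score summary, else {}."""
        m = SCORE_RE.search(self.fields.get("msg", ""))
        if not m:
            return {}
        return {k: int(v) for k, v in (kv.split("=") for kv in m.group(2).split(","))}

    def referer_host(self) -> Optional[str]:
        return urlparse(self.referer).hostname if self.referer else None


def parse_entries(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields, tags = {}, []
        for key, value in FIELD_RE.findall(line):
            if key == "tag":
                tags.append(value)
            else:
                fields[key] = value
        clients = CLIENT_RE.findall(line)          # the last [client ...] has no port
        ref = REFERER_RE.search(line)
        entries.append(Entry(fields, tags, clients[-1] if clients else "",
                             ref.group(1) if ref else None))
    return entries


def triage(entries: List[Entry], trusted_referers: Set[str]) -> List[dict]:
    """One finding per request: ModSecurity stamps every rule hit for a request with
    the same unique_id, so the scoring rule(s) and the 980 summary share it."""
    by_request: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_request[e.fields.get("unique_id", "?")].append(e)
    findings = []
    for uid, hits in by_request.items():
        summary = next((h for h in hits if h.is_anomaly_summary), None)
        scoring = [h for h in hits if not h.is_anomaly_summary]
        lead = summary or scoring[0]
        breakdown = summary.score_breakdown() if summary else {}
        findings.append({
            "unique_id": uid,
            "hostname": lead.fields.get("hostname"),
            "uri": lead.fields.get("uri", ""),
            "referer_host": lead.referer_host(),
            "referer_trusted": lead.referer_host() in trusted_referers,
            "scored_categories": [k for k, v in breakdown.items() if v > 0],
            "candidate_rule_ids": [h.rule_id for h in scoring],
            # A summary with no scoring entry means the line naming the real rule is
            # missing from the excerpt: grep the error log for this unique_id.
            "excludable": bool(scoring),
        })
    return findings


def build_exclusion(rule_id: str, uri_prefix: str, target: str, exclusion_id: int) -> str:
    """ModSecurity v2 rule exclusion: stop one CRS rule from inspecting one variable
    (e.g. ARGS_NAMES:session_id) on one URI prefix. Load it before the CRS rules,
    e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveTargetById={rule_id};{target}"')


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG), {"checkout.stripe.com"}):
        print(finding)
    # Placeholder id: take the real one from the REQUEST-943 line with the same unique_id.
    print(build_exclusion("REPLACE_WITH_943_RULE_ID", "/m/payment/", "ARGS_NAMES:session_id", 10001))
```

Run against the excerpt, the first request reports scored_categories ['SESS'], a trusted referer (checkout.stripe.com) and excludable False, because only the 980 summary is present; the second request is a separate event (no Host header on "/" of a different hostname, different unique_id) and is not part of the Stripe return. A targeted ruleRemoveTargetById on the 943 rule for the payment prefix keeps the rest of the CRS active, which is preferable to disabling the rule globally or lowering the anomaly threshold.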
Added a discussion

Hello dear @Anton L

I am setting up Stripe for a new project I am working on. I have a few questions:

1. After creating paid levels in UNA and when setting up Stripe, do we still need to create the same subscription plans in our Stripe account? I don't remember where exactly (I might be confused), but I once read somewhere in the forum that from UNA version 12 or 13 we don't need to do so anymore. Is that true? Please confirm.

2. The 'Configuring Stripe' doc (Wiki: Payments) says: 

'If you plan to sell subscriptions in Market and/or Paid Levels modules then don't forget that you need to create Plans for each subscription. It can be done in your Stripe account -> Plans section. Creating a plan you need to use the same price, time frames and trial parameters which you've used during the creation of associated Market product or Paid level in UNA script.'

Problem: There isn't any 'Plan' section in Stripe. By 'Plan', do you mean 'Product', which can be found here:

https://dashboard.stripe.com/products/create

3. The Plan ID (Paid Level Name) is auto-generated in UNA and sometimes with some random numbers. e.g: Premium-Yearly-8742.

Should we copy it to the Product Name field in Stripe exactly as it is in UNA (e.g: Premium-Yearly-8742)?

Because it will be visible to users on the Stripe checkout page, can't we have a more professional and eye-catching Paid Level name like 'Premium Yearly' instead of 'Premium-Yearly' or 'Premium-Yearly-8742'?

A Stripe account allows you to create a product name with spaces, e.g. 'Monthly Premium Plan', 'Premium Yearly' etc., while UNA (Paid Level) doesn't: it doesn't allow spaces and adds random numbers.

4. In case of monthly and yearly subscriptions of the same level but with different prices, e.g. 'Premium-Monthly (1-month): $5' and 'Premium-Yearly (1-Year): $50', how do we set them up in Stripe?

Do we create two separate Products (Subscriptions) in Stripe? One for 'Premium-Monthly (1-month): $5' and another for 'Premium-Yearly (1-year): $50'?

Or can we just create a single product called 'Premium' but with two different prices and billing periods (Monthly and Yearly)? Stripe allows adding another price for the same product.

5. Where do we add the free trial period on the Stripe Product/Subscription creation page?

There is this 'Additional options' > 'Add free trial' field, but it says:

'Legacy: Setting a default trial period per price is no longer recommended and is incompatible with Checkout and quotes. Free trials can be set per subscription or quote instead.'

As you can see, the 'free trial' is no longer supported on this page and it doesn't work if entered from this field. Any workaround?

6. Are we also required to create a product in Stripe (One-time payment) if we also sell Credits and any other products or services in UNA from a third-party module that accepts payments?

Thanks in advance for helping.

Regards

Added a discussion

Hello UNA Team,

For a week or two now, the Discussion board (forum) here on unacms.com has been bombarded with continuous spam. Some new spammer accounts/profiles are creating hundreds of discussion posts. They are all spam and most of them have the same timestamp.

Please investigate this issue and implement effective anti-spam measures.

How do they even manage to add hundreds of discussions at once? Are they humans creating an account/profile and then spamming the discussions, or robots/bots using some sort of automated scripts?

If there is a vulnerability in UNA being exploited by spammers/hackers to spam the discussions module, then we (users running UNA websites) are all screwed until you guys find the problem and provide us with a fix.

I am really concerned.😕

Added a discussion

Hello,

In the Permissions App > Timeline module, there is this 'Send' Permission.

Please can anyone explain to me what it is for and how it works? I don't see any 'Send' button on the timeline.

Is it used to send files to the timeline, or maybe to send your timeline URL to another user?

Thanks

Added a discussion

Hello UNA Team,

I would like to create some custom fields to be displayed on user profiles, e.g. Website, social network, etc.

I would like them to be visible to anyone but to be available to Premium and other paid membership levels only as a value-added feature to their membership. Only those paid levels will be allowed to use them.

How to set permissions to a custom field based on membership levels?

I can't figure out how to do that.

Please help.

Thanks

Added a discussion

Hello UNA Team.

@Alex T⚜️ @Roman L I would like to inform you that the very same problems I once reported with 2FA and Twilio (500 Internal Server Error), which were fixed, are still there in UNA 13.1.0-Final/Stable.

Issue #1: 2FA not working in UNA 13-B3

https://unacms.com/d/2fa-not-working-in-una-13-b3

Issue #2: Phone Confirmation page (/confirm-phone) not working. Twilio not working with UNA 13-B3 

https://unacms.com/cmts-view/1fzrj26?sys=bx_forum&cmt_id=42143

Those problems were fixed here:

2FA issue #4081 (UNA 13.0.0-RC1)

https://github.com/unacms/una/issues/4081

Twilio bug #4046 (UNA 13.0.0-B4)

https://github.com/unacms/una/issues/4046

Unfortunately, it seems to me that those fixes were not carried over to the Final (stable) version of UNA 13.1.0.

Please could you provide us with the fix for UNA 13.1.0-Final and above?

Thanks

Added a discussion

Hello UNA Team,

The 'Set Operator Role' is missing since I've updated to UNA 13.1.0-Stable. I used to have it. Have you moved it to somewhere else? @Alex T⚜️ @LeonidS

I'm logged in with my top admin account. Now, when I go to Frontend > Dashboard > Accounts > gear wheel, there is no 'Set Operator Role' anymore. I only have:

  • Edit Email
  • Resend Confirmation
  • Reset Password
  • Resend Reset Password

The same applies when I go to Studio > Account > Manage.

Is this a bug or am I looking at the wrong place?

Anyone else having the same problem?

Thanks.

Added a discussion

Hello UNA Team,

UNA can also be used as a marketplace. Please could you add the 'Last Seen' status/field (how long it's been since the user logged in) in the profile page's info block with the option for the profile owner to control its visibility through the privacy settings? @Andrey Yasko @Alex T⚜️

Thanks in advance.

Added a discussion

Hello UNA Team,

In the custom page settings, there is no way to edit the 'link'. The field is not editable. Can I safely edit it from the database?

Thanks

OneEagle Discussions
Stripe Webhook Error
Questions about Stripe Settings
Has UNA Website been spammed/hacked?
How does the send feature work on the Timeline?
How to set permissions to custom fields based on membership levels?
2FA and Twilio bugs in UNA 13.1.0-Final