Intuit Payment Solutions Module for WebsiteBaker

In July, 2011, I wrote a PHP module to use Intuit Payment Solutions (IPS Hosted PayPage) within WebsiteBaker. I plan to release the module soon because it started with Christoph Marti's GPL code, and thus my code will be GPL.

I'm going to start with pointers for creating an IPS test environment and pointing the Hosted PayPage (HPP) return link to the right place. (There's a reason I'm starting with this.)

The Code

Here is the code, v0.3.0.

2016 Update

Most of the original Intuit developer links are broken. I'm going to very quickly try to get close to the current ones. I'll list the original links below. I may leave placeholders, too, rather than broken links.

Getting a Test Connection Ticket

See the IPS "Get Set Up" process needed to test an application. Note that when you "create an application" (step 2--this should more precisely be called "register your application"), you'll choose the "desktop model" to use my module and NOT the "Hosted Security Model (hosted / web app)." That verbiage is very confusing. The Hosted Security Model assumes that your server has HTTPS certificates verified by a certificate authority. (It probably also assumes one of the older, more expensive CA's.) Even though it seems for all the world that we can't be dealing with a "desktop" model, we are indeed using the desktop model on a web server.

The (encrypted text of the) Connection Ticket you get in Step 4 goes in the value_3 field of mod_bakery_payment_methods. (There is a GUI equivalent of this that I'll look up eventually.)

There are two Intuit accounts involved in creating a test app. One is the developer account and one is the simulated merchant account. Previously, you've used the dev account. To set up the Hosted PayPage and what I'm calling the "backlink" from HPP back to your app, log in as the simulated merchant. Once you log in, "Hosted PayPage" is under "Account" to the lower left, probably off your screen until you scroll. Under "Transaction Results Settings," choose "send the results to the web address below" which will be something like

http://example.com/bakerySite/modules/bakery/payment_methods/qbms/check_payment.php

From "modules" on, the path is fixed unless you've changed something within Bakery or Bakery Payment Methods. Click "Save Changes," of course.

Notes on the Code

mod_bakery_payment_methods fields

I use these fields a bit differently than Marti:

active	directory	value_1	value_2	value_3	value_4	value_5
1	qbms	base URL	App Name	(enc) Ticket	page id on success	page id on failure

Notes:

Active must be 1 if you want qbms to run
qbms or whatever you want to call it.
The base Intuit URL is
- for test - https://paymentservices.ptcfe.intuit.com/paypage
- for prod - https://paymentservices.intuit.com/paypage
The app name is something like intuitProcessing.onlineCandyStore.example.com as defined in Step 2: Create [Register] an Application [At a glance, I don't think this new link is quite the equivalent.]
The Connection Ticket, preferably encrypted. See more on this both above and below. Encryption is not required by my app, but is required by Intuit
The Bakery page ID for both success and failure

Previous Work

I based my code in part based on Add a new payment method plugin to Bakery (PDF), document version 0.4. This almost certainly isn't the latest document. I post it to give you some idea of what I was thinking.

My code is based on and partially integrates with Christoph Marti's 2010-dated "Bakery Payment Methods" sub-modules for a number of other payment systems. I'll try to elaborate on "partially."

My files are intended to "live in" <your WebsiteBaker-made site>/modules/bakery/payment_methods/qbms Some of my file names are based on Marti's code and the PDF above:

Main files, in order of execution:
1. processor.php - Name required by the Bakery Payment Methods (BPM) structure. This runs first. It sets up the payment with QBMS and then routes the user to the HPP.
2. check_payment.php - Runs after the user submits the HPP on Intuit's site. While this is a standard BPM name, only the Intuit account holder's HPP setting "forces" the user back here.
3. report.php - Included by check_payment.php and runs before the rest of the logic in check_payment. This is a standard BPM name, but is only forced to run by check_payment.
Accessories
- geturl.php
- mkdec - a PHP script meant to run at the command line - see more below.
- decrypt.php - created by mkdec
- languages/EN.php - a blank file. For my purposes, only needed to keep the GUI from complaining.

mkdec Script

The mkdec PHP script takes the Connection Ticket as a command line argument within single quotes ('): e.g.
$ ./mkdec 'TGT-67-xvjrJ5ngwHLmxB3pDYmh4g'

The single quotes are needed because some tickets have a $ in them. This will be interpreted by PHP as a variable without the single quotes. (And there are other special characters that could cause problems, too.)

The script will give you the SQL needed to put the encrypted ticket in the database and will create the decrypt.php with the necessary key. The ticket should be encrypted per Intuit Security Guidelines.

Database Changes

I created a table to do a security check between the first two calls to Intuit and the return confirmation. Here is the definition:

CREATE TABLE IF NOT EXISTS mod_bakery_order_security ( OpId VARCHAR(60) UNIQUE NOT NULL, order_id INT(6) NOT NULL, order_total DECIMAL(9,2) NOT NULL, secret VARCHAR(32) NOT NULL, timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Relevant Intuit API Links

For processor.php - Initiate Payment ("create" URL)
processor.php - HPP API, including "Optional Paramters" that I use.
processor.php call 2: Render PayPage / HPP [not finding current link]
Testing Info, including test credit card numbers.

A Note on What the Payment System is Called

During the project, I was referring to the Intuit Payment System as the QuickBooks Merchant Services (QBMS) payment system. Intuit's naming seems a bit inconsistent. I do see references to "qbms" in some places on Intuit's site. That's how my folder got the name "qbms." Perhaps it should be called "IntuitHPP," but I think I'll leave it at qbms.

Code Versions

As of August 11, 2011, before any GPL changes, I list my code as version 0.2.0 on my client's test database. That code should probably be at least 0.2.1 because I made the security modifications after that, as I recall. I'll probably call my first GPL release 0.3.0, in any event.

In report.php: // KB 2011/07/12 3:22am - probably v0.2.0 - with extra security checks

In geturl.php: // KB 2011/07/11 6:40am - baseURL error_log entry removed; calling this v0.1.2

Copying this Documentation

This is documentation to GPL code, so please copy it, re-post it, edit it, and package it with the code as needed. Give me credit, and refer back to this page if it still exists. If you modify this, say so. If you totally rewrite this, give me credit for writing the code.

Original 2011 links

IPS "Get Set Up" - https://ipp.developer.intuit.com/sdk/qbms/Get_Set_Up
Step 2: Create [Register] an Application - https://ipp.developer.intuit.com/0085_QuickBooks_Windows_SDK/qbms/0030_Get_Set_Up/2._Create_an_Application
Intuit Security Guidelines - https://ipp.developer.intuit.com/0085_QuickBooks_Windows_SDK/qbms/0040_Get_Building/Security_Guidelines
Initiate Payment ("create" URL) - https://ipp.developer.intuit.com/sdk/qbms/Hosted_PayPage/Quick_Start_Guide#Initiate_Payment
processor.php - HPP API, including "Optional Paramters" that I use. - https://ipp.developer.intuit.com/sdk/qbms/Hosted_PayPage/Hosted_PayPage_API
processor.php call 2 - Render PayPage / HPP - https://ipp.developer.intuit.com/sdk/qbms/Hosted_PayPage/Quick_Start_Guide#Render_PayPage
Testing Info, including test credit card numbers - https://ipp.developer.intuit.com/sdk/qbms/Documentation/Testing

Page History

2016/12/05 10:52pm - fixing links

Page started August 11, 2011 ca. 3:30pm EDT (15:30, USA, GMT -4). Posted perhaps 08/12 1:15am. I plan to release the code later tonight.