Paypal IPN Handler: 400 Bad request

4 months ago
Hi guys, I am using PayPal Standard Plugin and PayPal PLUS plugin.

Receiving lots of logged errors
Error: Error 400. Bad request
IP-Adresse: 173.0.81.1 (the paypal ipn server)
Customer: [email protected]_engine_record.com

URL
https://mydomain.de/Plugins/PaymentPayPalStandard/IPNHandler

PayPal is sending emails where they say: please fix errors on
https://mydomain.de/Plugins/PaymentPayPalStandard/IPNHandler
otherwise we have to close your account.

Cannot guess why. Any hints for that?
4 months ago
Someone else had the same problem recently.
https://www.nopcommerce.com/en/boards/topic/84673/paypal-bad-request-http-400
4 months ago
What version of nopCommerce are you using?
Has it worked before? (I.e. does it always fail, or is it intermittent?)
Is your SSL working properly? (Do you see a lock icon next to the browser's address bar?)
4 months ago
Hello and thank you so far.

nopcommerce 4.3

Has it worked before?  (I.e. does it always fail, or is it intermittent?)
Have received some payments earlier, yes. But had those errors all the time.

SSL is ok (valid certificate)

BTW: Could these errors be raised if there is a problem with "paypal business account"?
4 months ago
Do you have the plugin's source code and are you familiar with Visual Studio?

This needs to be added to the beginning of the IPNHandler method in the controller (before it tries to verify the Ipn URL with PayPal's servers):


            if (_workContext.CurrentCustomer.IsSearchEngineAccount())
                return Content(string.Empty);


but you will need to test with their IPN simulator to see what a real request from PayPal looks like (how nopCommerce identifies the PayPal "customer")

May also be associated: https://github.com/nopSolutions/nopCommerce/issues/4870
4 months ago
Thank you for your replies!

I have VS2019, yes. Playing around with your suggestion ended up in a "plugin cannot be installed" error when uploading the modified plugin and trying to install it. Oops.

Besides my mediocre VS capabilities, one thing is not clear to me:
Turned off IPN notification in the PayPal account. The PayPal IPN server still sends those requests.
So, the StandardPaypalPayment plugin overrides manual settings and forces PayPal to fire lots of faulty requests.

So sorry, but still don't get what is going wrong.
4 months ago
If you modify the source code for the plugin you should only need to rebuild it and upload the recompiled DLL files to the server (then restart the nopCommerce App) for the change to take place.

Disabling the IPN notification from PayPal's side will not have effect in this situation because the pings are not originating from PayPal's server. It is a bad search engine that is pinging the URL endpoint on your server, which then triggers a bad request to PayPal's server because it does not include the data that PayPal would have sent in a legitimate request.

In a legitimate IPN notification there is a "handshake" that repeats the legitimate message back to PayPal (which this bad search engine cannot do):


The IPN message authentication protocol consists of four steps:

    PayPal HTTPS POSTs an IPN message to your listener that notifies it of an event.
    Your listener returns an empty HTTP 200 response to PayPal.
    Your listener HTTPS POSTs the complete, unaltered message back to PayPal; the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message.
    PayPal sends a single word back - either VERIFIED (if the message matches the original) or INVALID (if the message does not match the original).
4 months ago
Hi,

compiled it again and the magic happened. Looks good now.

I owe you one!
4 months ago
Hm. Still errors and errors.
4 months ago
You could try to set a break point in the PayPal controller, then see what the request looks like from a search engine: https://support.google.com/webmasters/answer/9012289?hl=en

Did you test it from PayPal's IPN simulator? We basically need to whitelist a legitimate call from PayPal and dispose of all others before the VerifyIpn method runs.

I do not have that plugin installed or set up so it would take me some time to test.
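
Added example, not part of the thread or of the plugin's own code: a C# helper for the pre-check suggested above. It drops requests that cannot be an IPN message before the postback handshake (steps 3 and 4 quoted earlier) runs. The class and method names and the required-field list (`verify_sign`) are assumptions to confirm against the IPN simulator; the `cmd=_notify-validate` prefix follows PayPal's IPN documentation.

```csharp
using System;
using System.Linq;

// Added example: hypothetical helper, not the nopCommerce PayPal plugin's code.
public static class IpnPreCheck
{
    // Assumption: fields every genuine IPN message carries; confirm with the IPN simulator.
    static readonly string[] RequiredFields = { "verify_sign" };

    // True only for requests worth posting back to PayPal for verification.
    // A crawler's GET or empty POST is rejected here, so it never triggers a postback.
    public static bool ShouldVerify(string method, string contentType, string rawBody)
    {
        if (!string.Equals(method, "POST", StringComparison.OrdinalIgnoreCase)) return false;
        if (string.IsNullOrWhiteSpace(rawBody)) return false;
        if (contentType == null || !contentType.StartsWith(
                "application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
            return false;

        // Collect the form keys without touching the values or their order.
        var keys = rawBody.Split('&')
            .Select(pair => Uri.UnescapeDataString(pair.Split('=')[0]))
            .ToHashSet(StringComparer.Ordinal);
        return RequiredFields.All(keys.Contains);
    }

    // Step 3: the raw body exactly as received, with the validate command prefixed.
    // Re-serialising a parsed form could change field order or encoding.
    public static string BuildVerificationBody(string rawBody) =>
        "cmd=_notify-validate&" + rawBody;

    // Step 4: PayPal answers with the single word VERIFIED or INVALID.
    public static bool IsVerified(string paypalReply) =>
        string.Equals(paypalReply?.Trim(), "VERIFIED", StringComparison.Ordinal);

    public static void Main()
    {
        // Constructed samples: a crawler request and a shortened IPN-style body.
        string ipnBody = "txn_id=TEST123&payment_status=Completed&verify_sign=CONSTRUCTED";

        Console.WriteLine(ShouldVerify("GET", null, ""));
        Console.WriteLine(ShouldVerify("POST", "application/x-www-form-urlencoded", ipnBody));
        Console.WriteLine(BuildVerificationBody(ipnBody));
        Console.WriteLine(IsVerified("VERIFIED\n"));
    }
}
```

In a controller, `ShouldVerify` would run on the raw request body before any call to PayPal, and a rejected request would get an empty response.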