PayPal Express Checkout IPN for osCommerce

PayPal Express Checkout IPN

for osCommerce 2.2 MS2

by AlexStudio
Based on PayPal Pro Direct Payments & Express Checkout v0.8.2 by Brian Burton (dynamoeffects)
and osCommerce PayPal IPN Module v2.0 For 2.2MS2 by osCommerce Team & Terra

Make a Donation!

Many hours have been spent writing and supporting this module. If it helped you out (and is making you money), donations are a great way of saying "Thanks!"

Introduction

This Payment Module combined the PayPal SOAP API and IPN feature into one, designed for store owners who have a Premier or Business account at PayPal, including following features:

Express Checkout API is an SOAP API provided by PayPal. By introducing this API, transactions no longer pass through user's internet browsers or agents. All connections are established directly between your host and PayPal servers, there for a much higher security level is provided.

Payers must sign-up with PayPal. Customer without PayPal account must create one before paying. (required for PayPal Express Checkout API)

Pass through customers' personal info to PayPal so they don't need to fill-in account sign-up form at PayPal, all filled up automatically.

Review order payment in store (instead of PayPal site) before transaction, there for no need to create pre-mature order records in database.

Update order status immediately if the payment transaction result is completed, no need to wait for IPN responses.

Built in IPN feature for updating order status automatically once if pending payments (eCheck) are cleared, and payments refunded as well.

Capable of declining unverified PayPal accounts. (Optional - setup through admin)

Capable of complete dumping transaction/IPN detail in debug email, including sent out requests and recieved responses, and optional dumping email for successful transactions as well. (This is for PayPal 3005 error without triggering debug emails)

Customers can select verified shipping address from PayPal file, and alter the shipping address set in checkout shipping page. (Express Checkout API built-in feature - This makes seller protection fully eligible possible)

Showing per item details in both osCommerce and PayPal receipt, including tax, shipping, low order fee (shown as handling in PayPal receipt).

16 Supported currencies including USD, AUD, CAD, CHF, CZK, DKK, EUR, GBP, HKD, HUF, JPY, NOK, NZD, PLN, SEK, SGD.

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

How It Works

PayPal Express Checkout payment module first send out a token request when the Express Checkout Button hit or the customer reaches the checkout confirmation page. The order total and the shipping address are included in this initial request. PayPal responds to this request with an unique token string. This is done through SOAP API, directly between your host and PayPal's server, there for the customer has no chance to intercept the transmission. This payment module picks up the token string, and sends the customer to PayPal along with this token string, for the customer to authorize this payment request.

If the customer didn't have a PayPal account, he needs to sign-up one with address fields pre-populated (by the shipping address sent with the initial request). The customer can choose an alternate address, which could possibly be a confirmed shipping address in the PayPal file of his account. Then PayPal sends the customer back to your store with the token string, so this payment module can send the transaction request later with this token, for PayPal to identify that the payment with this token has been autorized. No transaction has been made yet at this point.

This payment module will send a second request to PayPal to fetch the customer's address info selected at PayPal. If the customer didn't change the address, the original address will be sent back. Then it alters the order with the new address if changed, and adds a new record in address book if the address doesn't exist. Also if a different shipping address sent back, it sends the customer to checkout shipping page to update the shipping cost. Along with this payment module a new review payment page, the customer can review his order and make necessary changes if he wants to, and then hit the PAY button right in your store.

At this point, the payment has been confirmed by the customer, it takes the customer to checkout process and sends out the transaction request, with the updated order info if the customer changed anything. If the response from PayPal is a successful transaction result, it logs the order in database and update the order status with the payment result, Completed or Pending.

The built-in IPN (Instant Payment Notification) feature will update the order status automatically when the payment status have been updated, eg. from Pending to Completed, or failed...etc.

Installation Instructions

Do a complete backup of your store and database before installing this!

STEP #1 - Get your API Certificate and username/password

Log in to your PayPal Premier or Business account.
Click the Profile subtab located in the top navigation area.
Click the API Access link under the Account Information header.
Click the Request API Credentials link in API Set-up page.
Select API SSL Client-side certificate in Request API Credentials page. Read the API license agreement and check I agree and then click Submit.
Write down the values for API Username and Password.
Click the Download Certificate button. You are prompted to download a file called cert_key_pem.txt. This file is your live API Certificate. Rename this file to something more familiar, such as paypal_live_cert.pem. This helps you differentiate your Sandbox certificate from your live certificate. It is not necessary to keep the .txt file extension. Be sure to remember where you save the file.

You also need a PayPal Developer account if you want to test this module with PayPal Sandbox. Details about how to access PayPal Sandbox, please visit PayPal Developer website or download the SandBox User Guide. You also need to repeat the above steps in Sandbox to obtain the API access in Sandbox.

STEP #2 - Copy all files and directories in new files/catalog over

/catalog/ec_shipping.php
/catalog/express_checkout.php
/catalog/ext/modules/payment/paypal_ec/ipn.php
/catalog/includes/ec_xml/diagnostics.xml
/catalog/includes/ec_xml/doExpressCheckout.xml
/catalog/includes/ec_xml/getExpressCheckoutDetails.xml
/catalog/includes/ec_xml/setExpressCheckout.xml
/catalog/includes/languages/english/images/buttons/button_ec_pay.gif
/catalog/includes/languages/english/modules/payment/paypal_ec.php
/catalog/includes/modules/payment/paypal_ec.php

STEP #3 - Modify existing files
BACKUP THESE FILES NOW!

catalog/checkout_payment.php
catalog/checkout_shipping.php
catalog/includes/filenames.php

Modified files are in modified files folder of this package.

- Required - Plaese use file comparing tool like WinMerge to make modifications to

catalog/checkout_payment.php
catalog/checkout_shipping.php

If you didn't modify these 2 files before, you can upload them and overwrite the existing files.

- Required - And then add new definitions to catalog/includes/filenames.php

STEP #4 - API certificate

Upload your PayPal API Certificate to your host, your FILE ROOT path (the parent directory of your HTTP ROOT) is recommended. Make sure it is not accessable through internet browsers or other agents.

STEP #5 - Setup PayPal Express Checkout IPN payment module

Please refer to the configuration section.

Upgrading Instructions

Follow these instructions carefully or you might leave old values in your database!

Go into your administrative section -> Modules -> Payment and copy down all of the settings for this module.

Click on "Remove" and uninstall this module.

Modify updated files list below.
Notice: Upgrading from earlier versions not listed here, please do file comparing manually to upgrade.
Upgrade from v0.4x to v0.4.1
- STEP 1 - Please use file comparing tool to modify catalog/checkout_payment.php with changes in
modified files/catalog/checkout_payment.php came with this package.
You can replace with this file if you didn't have any other modification applied.

- STEP 2 - Drop-in ALL files in new files/catalog folder of this package.
If you modified any of those files, you need to do file comparing and modify them manually. Updated files list below:
- catalog/ec_shipping.php
- catalog/ext/modules/payment/paypal_ec/ipn.php
- catalog/includes/languages/english/modules/payment/paypal_ec.php
- catalog/includes/modules/payment/paypal_ec.php
And one new file added:
- catalog/includes/ec_xml/diagnostics.xml
Upgrade from v0.3x to v0.4.1
- STEP 1 - Please restore the original catalog/checkout_shipping.php, and then use file comparing tool to modify it manually, with the file
modified files/catalog/checkout_shipping.php came with this package. You can replace this file if you didn't have any other modification applied.

- STEP 2 - Modify catalog/includes/filenames.php by comparing it with
modified files/catalog/includes/filenames.php (one new definition added) in this package.

- STEP 3 - Drop-in ALL files in new files/catalog folder of this package.

Go into your administrative section -> Modules -> Payment and install the "PayPal Direct Payment" module updating the settings with what you wrote down in step 1. And then refer to the configuration section for the new setting options.

Configuration Setup PayPal Express Checkout IPN payment module

Enable PayPal Express Checkout IPN Module?
This option defaults to False, which allows you to install it in a live store. You must switch it to True to enable this payment module.

Live or Sandbox API:
This option defaults to use Sandbox for testing. The "Sandbox" is for testing your store setup. You'll need to create an account at http://developer.paypal.com and download a sandbox certificate to use this function.

"Live" is for when you're ready for live transactions. Note that the certificate for live and sandbox transactions are different!

Utilize Express Checkout Button?
This option defaults to Yes. The Express Checkout Button is required to be shown in the first step of checkout process, and it should not be displayed with other payment method. If you want to be eligible for the Express Checkout Promotion, you must set this option to Yes. If set to no, the button will not be shown.

If set this to Yes, the first page shown in the checkout steps will be a checkout flow selection page with only 2 buttons. One for the Express Checkout Button flow and the other for normal checkout flow.

Skip Confirmation Page?
This option defaults to No. Set this to Yes if you want to skip the 'first' confirmation page. Customers might get confused with the checkout confirmation and the review payment page which looked almost the same, and they might skip the PAY button because they thought the order has already been confirmed.

Accept Verified Accounts Only?
This option enables you to decline customers without a verified PayPal account.

Allow Edit Shipping Address at PayPal?
This option defaults to Yes, to allow customers to select an address from existing PayPal file. If set to No, customers cannot edit shipping address at PayPal, and PayPal will also reject invalid address on the initial request.

The better chance for payments to be eligible for PayPal's Seller Protection is to allow customers to select address from file, which can possibly be a confirmed address. Recommended: Yes.

Note: For a payment to be eligible for the Seller Protection, the shipping address needs to be confirmed.

Require Confirmed Shipping Address?
This option defaults to Yes. If the shipping address is unconfirmed, it could be rejected at PayPal page. Set this to No if you ship world wide. Addresses from most countries are unconfirmed.

Skip Shipping Address?
This option defaults to No. PayPal doesn't allow shipping to a different country other than the payer's country registered. Set this to yes if you want to accept shipping to different countries, no shipping address will be sent to PayPal.

Notice: Skipping shipping address will make all your payments not eligible for the seller protection.

API Username/API password:
Fill in your PayPal API access username and password here. This is NOT the same as your paypal login username/password.

API Certificate:
The ABSOLUTE path to your API certificate downloaded from PayPal API access page.

Payment Zone:
Defaults to NONE. If a zone is selected, only enable this payment module for that zone.

Transaction Currency:
The currency for PayPal to use for the transaction. Selected Currency allows multiple currencies to be accepted, where the customer chosen currency is used for the transaction. If you use this option then you must have enabled acceptance of those currencies in your PayPal account settings. If a specific currency is selected (i.e. only EUR, only USD, ...) and the customer has selected another currency during the checkout procedure, the transaction will be forced to the currency defined in this setting.

Set Cancelled Order Status:
Pending payments like eChecks could be failed by customers at PayPal. Set this order status for IPN to update cancelled orders, and keep them from mixing up with other Pending orders. Cancelled orders are still in database, and you need to delete them manually, to restore the stock quantity.

Set Completed Order Status:
Once the transaction response with a completed result received, this payment module will log the order in databse with this order status. Pending results (eCheck) will set order status to 1, which is Pending by default osCommerce setup.

Note: If the transaction failed with no reponse, there will not be any order recorded in database. Usually those failed transactions are not paid, however this scenario has not been tested thoroughly. If your customers complained about their failed transactions, you need to check your PayPal account to see if the payment exist.

Page Style
Defaults to PayPal. If you have setup a customized PayPal Payment Page Style in your account profile, you can set it here.

Debug E-Mail Address
If you want to receive debug emails, fill in your email address here. DO NOT set this to a false email which you have in Sandbox. This email address must be a real one.

Send Every Transaction Dumping Email?
Enable this option ONLY if you want to receive EVERY transaction's dumping in email. Sometimes PayPal threw error messages like 3005 error without triggering Debug Emails. Enable this option will send every transaction dumping including successful ones. (For advanced user only)

Proxy Address
If cURL transactions need to go through a proxy, type the address here. Otherwise, leave it blank. Users of GoDaddy hosting services will need to fill this in, which is currently the address: http://64.202.165.130:3128

Sort order of display
MUST set to 1. PayPal requires to display this payment module as the first choice in the list.

Changelog

Release v0.4.1 on 2007-02-17 by AlexStudio

Bug Fixed - In v0.4 if more than 1 record found in address book matched the street address sent back by PayPal, a new address record would be added because the address matching code couldn't tell which record it should be. Re-wrote the address checking code to pick an address from matched records and not to create any new entry.
Bug Fixed - In v0.4 if EC button disabled, the error message for the cancel url couldn't be shown when shipping is skipped (virtual orders). Changed the cancel url to checkout payment page when order content type is virtual and EC button not enabled.
Added a new configuration key to skip sending shipping address to paypal.
Added a new configuration key to skip the confirmation page before sending customers to PayPal.
Minor bug fixed in the language level file, the cURL not exiting error message was not modified from WPP module, now amendeded to EC IPN module.
Added in ipn.php to handle the customer's selected language to be used with order comments (IPN message logging).
Modified in ipn.php not to show address status if shipping address not present (skipped or virtual orders).
Bug fixed in ipn.php to work around osCommerce rounding issue with different decimal points settings.
Bug fixed in ipn.php to handle all possible cancelled order statuses.

Release v0.4 on 2007-01-29 by AlexStudio

Bug Fixed - The shipping address fix in v0.3.1 still didn't work well. PayPal tended to send back different address Names and capitalized state code, which caused the address checking fail in some cases. Re-wrote the address checking code and now if the address found in database, it will use the name in databse rather than the one PayPal sent back.
Added a new file catalog/ec_shipping.php to cut down modifications in checkout_shipping.php to minimum. Now the Express Checkout Button flow changed to show only the EC button and a continue button (normal checkout flow) prior to shipping method selection.
Changed express_checkout.php to pick up the order and shipping conditions prior to enable EC IPN module, for condition checkings to work properly.
Added to reject shipping to a country different than the one registered in payer's PayPal account.
Added multi-language support for IPN to load the customer's language file to be used with the notification email. (IPN bug fixed by Terra)
All 16 'supported' currencies now enabled in the code.

Release v0.3.1 on 2007-01-25 by AlexStudio

Bug Fixed - The shipping address query from databse didn't work well and cuased in some cases an endless loop between checkout shipping and express checkout. Rewrote the shipping address checking and the endless loop problem fixed.
Minor Improvement - Added extra checking in checkout shipping to decide to enable EC IPN or not. Now you can add condition checkings in function update_status().
Added to Known Issues section regarding the extra condition checkings.
PayPal live server behavior changed and when the payment exceeds the maximum amount allowed, PayPal will reject the payment and send the payer back to store. There for it has been removed from the known issues section in this guide.

Release v0.3a on 2007-01-23 by AlexStudio

Minor Bug Fixed - If set Utilize Express Checkout Button option to NO, the checkout shipping page was not redirecting intangible orders to checkout payment page. Now fixed with an additional Utilize Express Checkout Button option value checking in checkout shipping page. When not showing the Express Checkout Button, virtual orders will follow the original checkout flow and be redirected to checkout payment page.

Release v0.3 on 2007-01-22 by AlexStudio

Changed installation requirement. Modifications to checkout_shipping.php is now required.
Bug Fixed - When checkout via button with an invalid shipping address, customers were sent back to checkout shipping page without any error message. Now an Address Error message added to inform customers to provide a valid address.
Bug Fixed - If the HTTPS_SERVER and DIR_WS_HTTPS_CATALOG was not defined in catalog/includes/configure.php, PayPal would throw back an error saying CancelURL is invalid. Now utilized tep_href_link() function in the core file to define CancelURL.
Re-organized the core file to handle shipping address changed at PayPal in a better way.
Modified setting options in admin page to reflect the live server's behavior.
Modified setting option descriptions in install guide to reflect the live server's behavior.

Release v0.2a on 2007-01-20 by AlexStudio

Removed redundant code in function process_button().
Added a notice in install.html for upgrading from previous versions.

Release v0.2 on 2007-01-20 by AlexStudio

Rewrote the core file, cleaned up redundant code and improved the debug email dumping function.
Modified the core file to support the Express Checkout Button process flow.
Added Express Checkout Button in checkout_shipping.php and made it eligible for Express Checkout Promotion.
Replaced Pending Unconfirmed Shipping Address option in admin with the Require Confirmed Shipping Address option. Unconfirmed shipping address now could be rejected at PayPal page.
Added Allow New Shipping Address at PayPal option in admin.

Release v0.1a beta on 2007-01-12 by AlexStudio

The IPN records in order comment always shown as "PayPal IPN Verified", no matter if it was a verified or invalid response, fixed.
cURL not working with ipn.php if it requires to go through a proxy server, fixed.
Irregular state name in the shipping address sent to PayPal was showing as PAYPAL_STATE, fixed.
Virtual order didn't send address to PayPal, so the sign-up form address fields were not pre-populated, fixed.
After testing with PayPal live server, customers are sent back to store after they signed up, so this issue has been taken out from the Known Issues section in the install guide.

Release v0.1 beta on 2007-01-11 by AlexStudio

Initial Release

Known Issues

Notice: PayPal does not allow adding taxes to shipping/handling. Either include taxes in the shipping/handling(Low Order Fee) cost, or just don't add taxes to them. Otherwise there will be some warnings in the transaction reponses, and the PayPal receipt will not show detail items up. However, the transaction can still be made successfully.

Notice: If the shipping address selected at PayPal page was not in the customer's address book, a new record will be created. However, PayPal only sends back a full name along with the shipping address rather than firstname lastname. if there are more than 2 words in the name, there is no way to decide which part is firstname or lastname. So it simply grabs the first word as firstname, and the rest as lastname.

Notice: When set Allow Edit Shipping Address at PayPal to Yes, if an invalid shipping address sent to PayPal, PayPal will not reject it. Instead, the shipping address will be replaced with one in the customer's file. No warning shown at PayPal page to notify the customer that the shipping address been changed. However, an error message will be shown in checkout shipping page (ec_shipping.php) when the customer returns, notifying that the shipping address has been changed at PayPal.

Notice: If you want to only enable this payment module on certain conditions (minimum order amount, shipping weight/cost etc.) you can add those in function update_status(). However, the Express Checkout Button bypasses shipping calculations and there for ignors the shipping conditions. If you need the shipping conditions to decide to enable EC IPN module or not, you need to disable the Express Checkout Button, so EC IPN can pick up the shipping condition checkings.

Warning: Pending order status will allow customers to download their intangibale items. This is the original behavior of osCommerce, not a bug in this payment module. If you are selling downloadable goods, Super Download Shop contribution is recommended to secure the download access for pending payments.

THIS IS RELEASED WITH NO WARRANTY WHATSOEVER!
Use at your own risk!!

Before Adding This Contribution To Your Online Shop, You Should Back Up All Files Related To This Contribution and your database as well.

Use the forums for support.