User Manager/User payments
Supported payment methods
Authorize.Net (since version 2.9.40 or 3.0beta5) and PayPal (since version 2.9.41 or 3.0beta6) payments are supported.
Authorize.Net
Authorize.Net requirements
To allow Authorize.Net payments for users the following requirements must be met:
- User Manager v3.0 (or v2.9.x, >= 2.9.40) package installed on the router. See: Getting started;
- User Manager subscriber created (See: Getting started);
- Subscriber must have merchant account in Authorize.Net gateway;
- Web server on the router must be configured to support secure SSL connections (See HTTPS connection enabling);
- HotSpot router should contain walled-garden entries for the User Manager router and the Authorize.net webpage:
/ ip hotspot walled-garden ip add dst-address=x.x.x.x action=accept
where x.x.x.x is address of User-Manager server,
/ ip hotspot walled-garden add dst-host=:^secure\\.authorize\\.net dst-port=443 action=allow
This entry is used to allow access to Authorize.net.
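The Authorize.Net dst-host pattern above has no end anchor, while the PayPal patterns later on this page end in `\$`. The following audit is an added example, not part of the original manual. It assumes that dst-host patterns prefixed with `:` behave as ordinary search-style regular expressions and that `\\` and `\$` are console escapes; the probe hostnames are constructed.

```python
import re

# Walled-garden lines as written on this page (RouterOS console escaping kept).
RULES = [
    r"/ ip hotspot walled-garden add dst-host=:^secure\\.authorize\\.net dst-port=443 action=allow",
    r"/ ip hotspot walled-garden add dst-host=:^www\\.paypal\\.com\$ dst-port=443 action=allow",
    r"/ ip hotspot walled-garden add dst-host=:^content\\.paypalobjects\\.com\$ dst-port=443 action=allow",
]

# Constructed probe hostnames: the intended host plus a longer name sharing its prefix.
PROBES = [
    "secure.authorize.net",
    "secure.authorize.net.example.invalid",
    "www.paypal.com",
    "www.paypal.com.example.invalid",
]

def dst_host_regex(rule):
    """Return the dst-host regex with console escapes removed, or None."""
    m = re.search(r"dst-host=:(\S+)", rule)
    if not m:
        return None
    # Assumption: "\\" is an escaped backslash and "\$" an escaped dollar sign.
    return m.group(1).replace("\\\\", "\\").replace("\\$", "$")

def audit(rule, probe_hosts):
    """Return (pattern, issues, probe hosts the pattern accepts) for one rule."""
    pattern = dst_host_regex(rule)
    if pattern is None:
        raise ValueError("no dst-host regex in rule")
    issues = []
    if not pattern.startswith("^"):
        issues.append("no start anchor")
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        issues.append("no end anchor")
    if re.search(r"(?<!\\)\.", pattern):
        issues.append("unescaped dot")
    matched = [h for h in probe_hosts if re.search(pattern, h)]
    return pattern, issues, matched

if __name__ == "__main__":
    for rule in RULES:
        print(audit(rule, PROBES))
```

Appending `\$` to the Authorize.Net dst-host, as the PayPal entries do, clears the finding.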
Authorize.Net setup
Authorize.Net merchant account configuration
Relay URL
Relay URL list must either be empty or contain the URL of the User Manager router. For example, if you are using userman.mt.lv as User Manager router, then Relay URL list must contain URL https://userman.mt.lv/ (works with and without trailing slash). Relay URL list can be configured in Authorize.Net merchant gateway under Account > Settings > Response/Receipt URLs.
API Login ID
API Login ID is shown in Authorize.Net merchant gateway under Account > Settings > API Login ID and Transaction Key.
Transaction Key
Transaction Key can be obtained in Authorize.Net merchant gateway under Account > Settings > Obtain Transaction Key.
MD5-Hash value
MD5-Hash value can be set in Authorize.Net merchant gateway under Account > Settings > MD5-Hash.
Payment Form
Payment Form configuration can be found in Authorize.Net merchant gateway under Account > Settings > Payment Form. The look of this form is customizable here. While the only required fields for processing a transaction are credit card number and expiration date, other fields may also be shown in the form. Form customization is up to the merchant.
Authorize.Net subscriber configuration
Subscriber attribute values can be edited using customer detail form in customer page.
Subscriber Authorize.Net attributes
Subscribers have a set of specific Authorize.Net attributes which must be configured properly to allow Authorize.Net payments:
- Only subscribers have Authorize.Net attributes, other customers don't;
- Attribute values can be changed only in customer web page, not in console. Values can only be changed, not viewed. As these attributes contain sensitive data, their values are encrypted on the router;
- Customer web page must be opened using secure SSL connection (https) to change attribute values;
All the attributes can be found in Authorize.Net attribute group:
- "Allow Payments" must be checked to allow this payment method;
- Login ID, Transaction Key and MD5 Value must have same values as set in Authorize.Net merchant gateway.
Other subscriber requirements
- Subscriber must have at least one credit with price other than zero. Credit price will be used as transaction amount for the payment;
- Correct currency must be specified for subscriber. If USD is accepted by Authorize.Net merchant, currency attribute can be left unchanged for subscriber:
- If users access User Manager page through a local IP address, public host attribute must be specified. It must contain a public address of User Manager router which is acceptable as Relay URL for Authorize.Net gateway (See: Authorize.Net Merchant account configuration). Domain name or IP address can be used. Only the address must be specified, not URL (for example, userman.mt.lv, not https://userman.mt.lv/ and not https://userman.mt.lv/userman):
Authorize.Net usage
- Secure connection must be used for web page, so user has to use https://router_IP/user instead of http://router_IP/user (https instead of http).
- Payment section is available on main menu only if subscriber has allowed any payment method.
- If https connection is not used for web session, a message with error and link to https site will be opened:
- Current balance is also shown:
- User chooses Authorize.Net as payment method:
- User is redirected to Authorize.Net gateway payment form, which should look similar to following:
- The actual look of this form can be configured in Authorize.Net merchant gateway
- User fills in credit card number and expiry date. Other fields are optional:
- User submits the form:
- The data is transmitted directly to Authorize.Net gateway via secure connection. Neither credit card number nor expiry date is submitted to User Manager router.
- Authorize.Net gateway processes the data and sends response to specified User Manager router. This response contains only data required to identify payment in User Manager and detect result status of transaction - was it successful or not. It does not contain any information about the user - credit card number, expiry date or other sensitive data.
- User Manager processes the response and updates payment record status;
- A message describing payment result is shown to user:
- Click on the button redirects the user back to User Manager page:
PayPal
PayPal requirements
To allow PayPal payments for users the following requirements must be met:
- User Manager v3.0 (>= 3.0beta6) or v2.9.x (>= 2.9.41) package installed on the router. See: Getting started;
- User Manager subscriber created (See: Getting started);
- Subscriber must have merchant PayPal account;
- Web server on the router must be configured to support secure SSL connections (See HTTPS connection enabling);
- HotSpot router should contain walled-garden entries for the User Manager router and the PayPal webpage:
/ ip hotspot walled-garden ip add dst-address=x.x.x.x action=accept
where x.x.x.x is address of User-Manager server,
/ ip hotspot walled-garden add dst-host=:^www\\.paypal\\.com\$ dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=:^content\\.paypalobjects\\.com\$ dst-port=443 action=allow
These two entries are used to allow access to the PayPal system.
PayPal setup
PayPal merchant account configuration
Basically there is no specific PayPal account configuration that must be done. The only requirement is to have PayPal account which is allowed to receive money.
Warning! User Manager accepts payment as successful only when it receives status "Completed" from PayPal gateway. If the status is "Pending" and some manual operations must be done by merchant (or the merchant has not verified the account) to accept payment, the credit will be transferred to User Manager user account only when the payment is accepted.
PayPal subscriber configuration
Subscriber attribute values can be edited using customer detail form in customer page.
Subscriber PayPal attributes
The only PayPal attribute subscribers have is business login. It is the login (usually an email address) merchants use to log on to their account. Only subscribers have this business login, other customers don't.
All the attributes can be found in PayPal attribute group:
- "Allow Payments" must be checked to allow this payment method;
- Login (email) must be the PayPal merchant account login.
Other subscriber requirements
- Subscriber must have at least one credit with price other than zero. Credit price will be used as transaction amount for the payment;
- Correct currency must be specified for subscriber. If USD is accepted by PayPal merchant, currency attribute can be left unchanged for subscriber:
- If users access User Manager page through a local IP address, public host attribute must be specified. It must contain a public address of User Manager router which is acceptable as response URL for PayPal gateway (PayPal will send payment result to this address). Domain name or IP address can be used. Only the address must be specified, not complete URL (for example, userman.mt.lv, not https://userman.mt.lv/ and not https://userman.mt.lv/userman):
PayPal usage
- Secure connection must be used for web page, so user has to use https://router_IP/user instead of http://router_IP/user (https instead of http).
- Payment section is available on main menu only if subscriber has allowed any payment method.
- If https connection is not used for web session, a message with error and link to https site will be opened:
- Current balance is also shown:
- User chooses PayPal as payment method:
- User is redirected to PayPal gateway payment form, which should look similar to following:
- User logs on to the account. Payment is now displayed with the Pay button:
- When user presses the Pay button, PayPal starts to process data. On successful payment, a result page is displayed:
- This page contains a "Return to merchant" button, which returns the user to User Manager payment history page:
- The data is transmitted directly to PayPal gateway via secure connection. Neither credit card number nor expiry date is submitted to User Manager router.
- PayPal gateway processes the data and after that sends response to specified User Manager router. It may take time, usually not more than one minute. That means that payment may have status "Started" for a few seconds; the status is updated only when PayPal sends response to User Manager.
- PayPal response contains only data required to identify payment in User Manager and detect result status of transaction - was it successful or not. It does not contain any information about the user - credit card number, expiry date or other sensitive data.
- User Manager processes the response and updates payment record status;
PayPal chargeback
When a payment changes status from "Approved" to "Aborted" (for example, "Reversed"), User Manager tries to remove the credit bought for this money. This is, however, possible only if the two following requirements are met:
- The credit is not started yet;
- The credit is the last one for the current user, i.e., no other credit is bought after this one.
Related activities
HTTPS connection enabling
Creating certificate
A trusted SSL certificate can be bought from trusted authorities, for example, VeriSign. An unsigned certificate can be generated by hand, for example, using command apache2-ssl-certificate on a Linux box.
Importing certificate
The certificate file can then be uploaded to the router and imported with the command
/certificate import file-name=...
The command should return
certificates-imported: 1
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
If it doesn't, the file may contain the private key and certificate sections in incorrect order. In this situation the output should be
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1
Just repeat the same command
/certificate import file-name=...
once again, and this time the output should be
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
Now the certificate is imported correctly and ready for use.
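The section-order problem described above can be checked on the Linux box before the file is uploaded. This is an added example, not part of the original manual; the reading that a private key placed before its certificate is the "incorrect order" is inferred from the keys-with-no-certificate: 1 output, and the sample file contents are constructed placeholders, not real key material.

```python
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed sample: key section first, certificate second.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nU0FNUExF\n-----END CERTIFICATE-----\n"
)

def pem_sections(text):
    """Return PEM blocks as (label, full_block) tuples in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def import_passes_needed(text):
    """1 if every private key follows a certificate, 2 if a key comes first."""
    seen_cert = False
    for label, _ in pem_sections(text):
        if label == "CERTIFICATE":
            seen_cert = True
        elif label.endswith("PRIVATE KEY") and not seen_cert:
            # Assumption: this is the case reported as keys-with-no-certificate: 1.
            return 2
    return 1

def reorder(text):
    """Return the same blocks with certificates first, then private keys."""
    blocks = pem_sections(text)
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    keys = [block for label, block in blocks if label.endswith("PRIVATE KEY")]
    return "\n".join(certs + keys) + "\n"

if __name__ == "__main__":
    print("order:", [label for label, _ in pem_sections(SAMPLE)])
    print("import passes needed:", import_passes_needed(SAMPLE))
    print("after reorder:", import_passes_needed(reorder(SAMPLE)))
```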
Enabling WWW SSL
SSL connections for WWW server can be enabled with command
/ip service set www-ssl disabled=no certificate=cert1
where cert1 must be replaced by a correct certificate name (from /certificate section).