Having trouble auto logging in a user during redirect back into the application

Hey folks, I’m currently working on a payment gateway integration, and I’ve come to the point where the user successfully completes their payment on a third-party portal and is then redirected into the application, but my set up that is supposed to auto login the user so they aren’t presented with the default deep link login page isn’t working. Here are the things I’ve already set up: - Redirect to third-party payment portal with callback information specific to the current user - EventHandler in a java action that receives the callback request from the third-party payment portal and relevant user information → Code Snippet Here: public java.lang.Boolean executeAction() throws Exception { // BEGIN USER CODE Core.addRequestHandler("stripesuccess/", new RequestHandler() { @Override protected void processRequest(IMxRuntimeRequest request, IMxRuntimeResponse response, String path) throws Exception { // TODO Auto-generated method stub try { final IContext context = Core.createSystemContext(); LOGGER.info("Incoming request path: " + path); String sessionID = path; LOGGER.info("Session ID is: " + sessionID); StripeSession session = retrieveStripeSession(context, sessionID); LOGGER.info("Successfully retrieved session"); Account account = session.getStripeSession_Account(); if (account != null) { context.startTransaction(); login(context, request, response, account); String redirectURI = customer_portal.proxies.constants.Constants.getSiteURL_EU() + "/link/sendorder/" + sessionID; redirectUser(response, redirectURI); context.endTransaction(); } else { LOGGER.error("Error: No account was found. Stale link was used."); context.startTransaction(); String redirectURI = customer_portal.proxies.constants.Constants.getSiteURL_EU() + "/link/cancel"; redirectUser(response, redirectURI); context.endTransaction(); } } catch (Error e) { throw e; } } }); return true; // END USER CODE } /** * Returns a string representation of this action */ @java.lang.Override public java.lang.String toString() { return "StartStripe"; } // BEGIN EXTRA CODE private static final String SESSION_ID_COOKIE_NAME = Core.getConfiguration().getSessionIdCookieName(); private static final ILogNode LOGGER = Core.getLogger("START STRIPE"); private static void login(final IContext context, final IMxRuntimeRequest request, final IMxRuntimeResponse response, final Account account) throws CoreException { LOGGER.info("Initializing session for user " + account.getName() + " <START>"); final IUser user = Core.getUser(context, account.getName()); final String oldSessionId = request.getCookie(SESSION_ID_COOKIE_NAME); final ISession session = Core.initializeSession(user, oldSessionId); response.addCookie(SESSION_ID_COOKIE_NAME, session.getId().toString(), "/", "", -1, true); response.addCookie("XASID", "0." + Core.getXASId(), "/", "", -1, true); LOGGER.info("Initializing session for user " + account.getName() + " <END>"); } private static StripeSession retrieveStripeSession(IContext context, String sessionID) throws CoreException { String xPathString = "//StripeIntegration.StripeSession[MendixID='" + sessionID + "']"; List <IMendixObject> sessionObjectList = Core.retrieveXPathQuery(context, xPathString, 1); StripeSession retrievedSession = StripeSession.initialize(context, sessionObjectList.get(0)); return retrievedSession; } private static void redirectUser(final IMxRuntimeResponse response, final String redirectUri) { LOGGER.info("Redirecting user to: " + redirectUri); response.setStatus(HttpStatus.SC_SEE_OTHER); response.addHeader("location", redirectUri); } - The deep link used to route the user on successful auto login after a successful payment The problem I’m running into is that, despite my best efforts, on being rerouted back into the application and going through the above code snippet the session is still for an anonymous user and I’m receiving an error based on access rights. Currently the ‘sendorder’ deep link is configured to allow for guests, however anonymous users don’t have the necessary permissions to view the supporting helper objects on the subsequent loading page that is opened at the end of the deep link microflow. That is by design, most definitely, we don’t want just anyone to have access to the application, but currently not even users have access to the rest of the flow.   I relied heavily on the XSUAA and ForgotPassword modules for the auto login piece, but even still it looks like I missed something What’s most frustrating about this is that it works locally without any issue, but in the deployed environment I always come back with an anonymous session. Any chance any of you have some insights for me? Any pointers would be much appreciated.
1 answers

For anyone who runs into this, I was able to figure it out. The main issue with my set up above was that I was supplying the third-party payment gateway with the above custom event handler. This was a problem because when the user would be redirected into the application no old session ID was made available.

The fix here was to deeplink the user first back into the application and then send them to the custom event handler above. That way there was an existing anonymous session that could be used to initialize a user session for the retrieved account.

If someone comes across this in the future and you need help, just let me know! I’d be happy to help you in anyway I can.