Would be handy to have something similar to the login URL generator API, but one that sends the user to the “chromeless” Online Payment page (the one you see if you go to pay from admin … &opp=true ), so that in an external client app, I could use a Bootstrap modal to iframe that page in.
Feel free to shoot it down, but it’d be a nice feature - that, or to understand the trickery behind the hash in the URL, and then I can at least force a redirect to the page via the login URL (to gen the cookies/sessions).
Also, do you guys have a donations page? Awesome software like this deserves a regular donation.
The login URL generator within the API only works for the end user client control panel. There are increased security considerations when generating logins for primary QF account holders. We originally had a method in the API that could do this and it would also allow you to specify the landing page. We later withdrew this as we couldn’t be sure users were posting their credentials over a secure connection. We also need additional controls to prevent any sort of brute force attack on the password. It would be nice to bring this feature back but I think we need to spend some time fully auditing it from a security point of view first.
Just to be clear, I’m only suggesting that clients can log in straight to the payment page, but to allow that payment page to not have the header/sidebar, much like when you use it as an admin.
I do, however, appreciate the security concern, and assume that the hash in the URL for the payment page would act to sign the user in, so you can’t give a method to build the URL without logging in.
The only problem I see with this is the requirement to access an administration area of the system. No API method we have can create an admin session on an account. Creating an admin session over the API has quite a few security considerations, particularly around enforcing HTTPS and handling those accounts with 2-factor authentication enabled.
Creating a client session would be much easier, then we could probably add an extra filter to hide the footers and side-bar, not sure if that would work?
This has now been implemented. If you log in as the end user client and go to the payment screen, then remove the query string name-value pair q=#### and then add wl=true, it will show a white labelled version of the payment screen that is automatically configured to show all outstanding invoices.
Edit
My error (again). Was using the ‘client login’ function, not system log in!
Edit 2
One thing I have noticed, now I’ve got this working, is that it still gives me the option to remove the Payment option even though I’m logged in as the client. Not a biggie, but I’m guessing it shouldn’t be there?
Mmm I see this, it’s showing these options, but will throw an error if you try clicking on them. It’s a very minor fix so I’ll try to get that corrected today or tomorrow am.