[API] Generate link to "chromeless" online payment page

Hello @Glenn,

Back with more suggestions, as always.

Would be handy to have something similar to the login URL generator API, but sends the user to the “chromeless” Online Payment page (the one you see if you go to pay from admin … &opp=true ), so that in an external client app, I could use a Bootstrap modal to iframe that page in.

Feel free to shoot it down, but it’d be a nice feature - that, or to understand the trickery behind the hash in the URL, and then I can at least force a redirect to the page via the login URL (to gen the cookies/sessions).

Also, do you guys have a donations page? Awesome software like this deserves a regular donation.

Cheers,
Leyton

The login URL generator within the API only works for the end user client control panel. There are increased security considerations when generating logins for primary QF account holders. We originally had a method in the API that could do this and it would also allow you to specify the landing page. We later withdrew this as we couldn’t be sure users were posting their credentials over a secure connection. We also need additional controls to prevent any sort of brute force attack on the password. It would be nice to bring this feature back but I think we need to spend some time fully auditing it from a security point of view first.

Just to be clear, I’m only suggesting that clients can login straight to the payment page, but to allow that payment page to not have the header/sidebar, much like when you use it as an admin.

I do, however, appreciate the security concern, and assume that the hash in the URL for the payment page would act to sign the user in, so you can’t give a method to build the URL without logging in.

OK will have a chat with our API dev next week on this one. We’ve got a few other API enhancements queued so we can probably look at this after.

I’d like to add my vote to this too

The only problem I see with this is the requirement to access an administration area of the system. No API method we have can create an admin session on an account. Creating an admin session over the API has quite a few security considerations, particularly around enforcing HTTPS and handling those accounts with 2-factor authentication enabled.

Creating a client session would be much easier, then we could probably add an extra filter to hide the footers and side-bar, not sure if that would work?

@Glenn, That was the idea - it’s for client side payment (just without all the additional styling), no admin access needed.

OK understood, in that case it shouldn’t be too much of an issue. I’ll log it in our planner for now and get back to you.

This has now been implemented. If you login as the end user client and go to the payment screen then remove the query string name value pair q=#### and then add wl=true it will show a white labelled version of the payment screen that is automatically configured to show all outstanding invoices.

Your URL should look something like this.

https://testcompany.quickfile.co.uk/secure/ca/payInvoices.aspx?acc=#########&wl=true

If you want to bootstrap this in your application you can then call the API method system_LogIn with the following body:

<Body>
    <LandingPage>
        <CustomPath><![CDATA[payInvoices.aspx?acc=613140####&wl=true]]></CustomPath>
    </LandingPage>
    <ClientID>12345</ClientID>
</Body>

This will return a time limited login URL that you can then embed into an iFrame.

If you have any questions, give me a shout.
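
As an added example (not QuickFile’s code, nor posted by anyone in this thread), the following Python shows the three steps above as functions: rewriting the client payment URL into the white-labelled CustomPath (drop the q=#### pair, add wl=true), building the Body element exactly as quoted in the post, and checking the returned login URL before it goes into an iFrame. The Header/authentication part of the request is not shown because the post does not show it; the account number, client ID and the allowed host suffix are constructed placeholders, and the host/HTTPS check on the returned URL is an assumption about what a sensible embedding client should do, not a documented QuickFile requirement.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl, urlencode


def whitelabel_payment_path(payment_url: str) -> str:
    """Turn the client payment-screen URL into the CustomPath value:
    remove the q=... name/value pair, add wl=true, keep the rest (acc=...)."""
    parts = urlsplit(payment_url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "q"]
    if not any(k == "wl" for k, _ in params):
        params.append(("wl", "true"))
    # CustomPath is relative to /secure/ca/, so keep only the page name.
    page = parts.path.rsplit("/", 1)[-1]
    return f"{page}?{urlencode(params)}"


def build_login_body(client_id: int, custom_path: str) -> str:
    """Serialise the <Body> shown in the post. ElementTree escapes '&' as
    '&amp;', which is equivalent to the CDATA wrapper the post used."""
    body = ET.Element("Body")
    landing = ET.SubElement(body, "LandingPage")
    ET.SubElement(landing, "CustomPath").text = custom_path
    ET.SubElement(body, "ClientID").text = str(client_id)
    return ET.tostring(body, encoding="unicode")


def custom_path_from_body(body_xml: str) -> str:
    """Read CustomPath back out of a serialised Body (used to verify escaping)."""
    return ET.fromstring(body_xml).findtext("LandingPage/CustomPath") or ""


def is_safe_to_embed(login_url: str, allowed_suffix: str = ".quickfile.co.uk") -> bool:
    """Assumption: only embed a login URL that is HTTPS and on the expected
    host, so a bad or tampered response cannot put a third-party page in
    the iFrame. The suffix is a constructed default for this example."""
    parts = urlsplit(login_url)
    host = (parts.hostname or "").lower()
    on_expected_host = host.endswith(allowed_suffix) or host == allowed_suffix.lstrip(".")
    return parts.scheme == "https" and on_expected_host


if __name__ == "__main__":
    # Constructed sample values; the account number and client ID are placeholders.
    sample_url = "https://testcompany.quickfile.co.uk/secure/ca/payInvoices.aspx?acc=613140999&q=abc123"
    path = whitelabel_payment_path(sample_url)
    print(path)                          # payInvoices.aspx?acc=613140999&wl=true
    print(build_login_body(12345, path))
    print(is_safe_to_embed("https://testcompany.quickfile.co.uk/secure/login?t=placeholder"))
```

The time-limited URL the API returns is only checked, never rewritten: if it is not HTTPS on the expected host, the client app should refuse to load it rather than try to repair it.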

That’s great news @Glenn!

Will hopefully play with this within the next week or so, and see how it goes :smile:

Just given this a go through the Sandbox tool.

It’s returning the following:

<Errors>
<Error>13The element ‘LandingPage’ in namespace ‘http://www.QuickFile.co.uk’ has invalid child element ‘CustomPath’ in namespace ‘http://www.QuickFile.co.uk’. List of possible elements expected: ‘http://www.QuickFile.co.uk:Dashboard http://www.QuickFile.co.uk:InvoiceView’. </Error>
</Errors>

Edit
My error (again). Was using the ‘client login’ function, not system log in!

Edit 2
One thing I have noticed, now I’ve got this working, is that it still gives me the option to remove the Payment option even though I’m logged in as the client. Not a biggie, but I’m guessing it shouldn’t be there?

Mmm I see this, it’s showing these options, but will throw an error if you try clicking on them. It’s a very minor fix so I’ll try to get that corrected today or tomorrow am.

@Parker1090 just to let you know that fix has gone live.
