Urgent: PayPal IPN Warning from Events+

I received an email from PayPal this afternoon threatening to disable IPNs for my account. They sent this URL as an example problem: http://www.mydomain.org/wp-admin/admin-ajax.php?action=eab_paypal_ipnhttp%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=224http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=230http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=236http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=237

What's weird is that those are all legitimate purchases from different customers. Any idea how this could happen?

Thanks!

  • Adam Czajczyk

    Hello JessycaFrederick,

    I hope you're well today and thank you for your question!

    The Events+ plugin worked so far and does work for you, right? Did they write anything more in their message?

    I suppose that this is related to the changes they are implementing that now mean that SSL will be a requirement. As of June 2017 all the IPN calls must be over an HTTPS connection and that means that your site must be SSL protected, otherwise IPN calls will be disabled.

    Best regards,
    Adam

  • JessycaFrederick

    Okay, I switched to SSL last night, but I'm still getting emails from PayPal...

    Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:

    http://www.mydomain.org/wp-admin/admin-ajax.php?action=eab_paypal_ipn&blog_id=1&booking_id=224http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=230http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=236http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=237http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=246http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=258http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=305http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Deab_paypal_ipn&blog_id=1&booking_id=329

    If you do not recognize this URL, you may be using a service provider that is using IPN on your behalf. Please contact your service provider with the above information. If this problem continues, IPNs may be disabled for your account.

    Given that the first several booking_ids are the same as the ones from the first email, it almost seems like some sort of caching issue?

  • Adam Czajczyk

    Hello JessycaFrederick!

    Okay, I switched to SSL last night, but I'm still getting emails from PayPal...

    You would need to do this eventually since soon PayPal will disable IPN calls over http connections anyway. I wasn't however entirely sure if this is the reason in this case, that's why I asked if there was any additional info in that message that you got from them. I guess though there was none :slight_smile:

    There's a couple more things related though. The first thing is still about SSL. As PayPal is going to block non-SSL IPN calls it's important to get it sorted. The Events+ plugin is passing the IPN URL as the PayPal API's "notify_url" variable each time and builds that URL upon your site's settings. Therefore you need to make sure that once SSL is implemented, the site is also set to use the "https://" prefix in the Site URL and WordPress URL settings (on the Settings -> General page).

    The Events+ plugin will then pass "https://" IPN URLs to PayPal so that will prevent potential issues in future (since June 2017, when they disable insecure calls) and might fix some of the current IPN calls.

    The second part is those IPN URLs that are repeated in the next email. The booking/payment workflow is this:

    - a booking is made
    - the payment form is called
    - payment is made
    - PayPal calls the IPN URL that it's been sent by the plugin in order to notify the plugin that the payment has been made.

    The last step is crucial here. PayPal does not always do it immediately and sometimes there might be a slight delay, even up to a few minutes. Then, if that call fails (there may be various reasons for this: a booking - transaction - has been removed, the site was down, there's been some connection "glitch" on the way etc.), PayPal tries again and again for some time.

    If it fails, it sends that message. Furthermore, even if you implement SSL meanwhile it will still use the URL that's been initially given. So SSL won't solve that. I wasn't aware that these URLs will keep repeating in e-mails but thanks to this we know that in this case it's not SSL that was causing it.

    Further investigation revealed that there seems to be no event of an ID of 224 (I focused on that one) and that would explain why these calls fail. That would mean that most likely that booking was removed manually, was it? Removing a booking means using the "Delete attendance" option for a user on the event's edit page for a paid event.

    If it was removed that would perfectly explain the case and also those IPN calls would be eventually disabled but that doesn't mean disabling an account or any feature of it but just that PayPal would eventually stop calling those URLs. Any other, proper, bookings would still issue valid "notify_url" URLs and those would be used for future IPN calls for future bookings.

    Best regards,
    Adam

  • JessycaFrederick

    That's a lot of info to work with... thanks, Adam!

    SSL-related stuff: I was planning to update to SSL AFTER this big event, but now it's out of the way. When I updated to SSL, I defined the home/site URLs in the wp-config file in addition to the site Settings. It seems everything else on the site is being converted properly and I don't see any hard-coded URLs that call the IPN.

    While I sometimes add bookings and booking meta manually to the database, I always delete them through the Admin tool (it's easier that way).

    Debugging of the URL string. It's not event_id 224, it's booking_id 224, which is an existing record.

    I can only hope that the issue is just a leftover from yesterday, but most of the booking_ids in that URL string have already completed...

    Any more terrific thoughts?

  • Adam Czajczyk

    Hello JessycaFrederick!

    SSL-related stuff: I was planning to update to SSL AFTER this big event, but now it's out of the way. When I updated to SSL, I defined the home/site URLs in the wp-config file in addition to the site Settings. It seems everything else on the site is being converted properly and I don't see any hard-coded URLs that call the IPN.

    It seems I sort of "forced" you to do this earlier. The only consolation for me, as I caused some additional work for you, is that you would need to do this anyway soon :slight_smile: On the other hand though, that was the first thing to be checked in order to make sure whether it does or does not cause the issue :slight_smile:

    While I sometimes add bookings and booking meta manually to the database, I always delete them through the Admin tool (it's easier that way).

    That is fine. That's however what I was referring to - a possibly deleted booking.

    Debugging of the URL string. It's not event_id 224, it's booking_id 224, which is an existing record.

    Yes, that's what I meant. I just noticed that I wrote "event" in my previous response instead of "booking" but I meant booking. I actually messed up my answer a bit, I guess I went for a bit too much of a "shortcut". I'm sorry for that, let me explain this again :slight_smile:

    There's a booking of an ID 224. The IPN URL includes that booking ID. When called, the plugin reads booking data (identified by that ID) and fetches event information, including event ID. Then it checks the event and if it can't find it, it returns a "Fake event id" message which is what I meant by "there's no event of an ID of 224". I hope that makes more sense now :slight_smile:

    PayPal will call that IPN ("notify_url") URL probably a few times more and eventually stop doing that since there's no event related to that particular booking.

    Best regards,
    Adam

  • JessycaFrederick

    Hi Adam,

    Event 5138 (for booking_id 224) is for our main event, the Garden Tour, where members can buy tickets for guests. Event 1428 is our main event itself, the Garden Tour.

    Looking through the table, I see the last booking_id in the string never made it back to the database (#329). So I kept looking. And I found the problem!

    A) I didn't know about the processing delay... does it always batch transactions like that? They seem to hit the site almost immediately.

    B) The missing transaction was a transaction I made to test the SSL was working with PayPal. I cancelled the attendance and refunded it at PayPal as soon as I saw the booking hit the database. It's possible I did things too quickly, but see A.

    Is there something you can build into the plug-in to prevent bookings being deleted if PayPal hasn't returned the IPN data yet?

  • Adam Czajczyk

    Hello JessycaFrederick!

    A) I didn't know about the processing delay... does it always batch transactions like that? They seem to hit the site almost immediately.

    Usually there's none. PayPal/Stripe and other gateways tend to "respond" immediately, in real time, but sometimes such a delay may occur and there's nothing we could do about it because it's on the gateway's side.

    B) The missing transaction was a transaction I made to test the SSL was working with PayPal. I cancelled the attendance and refunded it at PayPal as soon as I saw the booking hit the database. It's possible I did things too quickly, but see A.

    Is there something you can build into the plug-in to prevent bookings being deleted if PayPal hasn't returned the IPN data yet?

    I admit I'm not sure but that sounds like a great idea to investigate. I've suggested that to the Events+ lead developer. I'm not able to predict/promise anything or give you an ETA but I'm sure he'll give it a spin and think about how this could be addressed.

    Thank you for suggesting it!

    Best regards,
    Adam

  • JessycaFrederick

    Alright, most of the errors have now cleared, except the offending original transaction which was deleted using the "Cancel Attendance Entirely" link.

    Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:

    http://www.mywebsite.org/wp-admin/admin-ajax.php?action=eab_paypal_ipn&blog_id=1&booking_id=329

    So... at this point I think it's a bug in Events+ that needs better handling around PayPal's response to bookings that have gone away.
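
The lookup carried out by hand in this thread (pull each booking_id out of PayPal's run-together URL string, then check it against the bookings table), as an added example that is not part of the original thread or of the Events+ plugin. `KNOWN_BOOKINGS` is a constructed stand-in for the IDs in the site's bookings table and the function names are hypothetical; the sample string follows the shape of the URLs quoted above.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Failing-URL string in the shape PayPal's email used on this page: several
# notify_url values run together, all but the first partly percent-encoded.
BASE = "http://www.mydomain.org/wp-admin/admin-ajax.php?action=eab_paypal_ipn"
ENC = ("http%3A%2F%2Fwww.mydomain.org%2Fwp-admin%2Fadmin-ajax.php"
       "%3Faction%3Deab_paypal_ipn")
SAMPLE = (BASE + "&blog_id=1&booking_id=224"
          + ENC + "&blog_id=1&booking_id=230"
          + ENC + "&blog_id=1&booking_id=329")

# Constructed stand-in for the booking IDs present in the bookings table.
KNOWN_BOOKINGS = {224, 230}


def split_notify_urls(blob):
    """Decode the run-together string and cut it at each URL start."""
    decoded = unquote(blob.strip())
    return re.findall(r"https?://.*?(?=https?://|$)", decoded)


def triage(blob, known_bookings):
    """Return one record per IPN URL: booking id, whether the URL is HTTPS,
    and whether the booking still exists (a missing booking explains an
    IPN that keeps failing no matter how often PayPal retries)."""
    report = []
    for url in split_notify_urls(blob):
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if query.get("action") != ["eab_paypal_ipn"]:
            continue  # not an Events+ IPN URL
        raw_id = query.get("booking_id", [""])[0]
        if not re.fullmatch(r"[0-9]+", raw_id):
            continue  # no booking id, or not a plain numeric one
        booking_id = int(raw_id)
        report.append({
            "booking_id": booking_id,
            "https": parts.scheme == "https",
            "booking_exists": booking_id in known_bookings,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE, KNOWN_BOOKINGS):
        print(row)
```

Rows with `booking_exists` false are the ones PayPal will keep retrying until it gives up; rows with `https` false were issued before the site URL was switched to "https://".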
