Secure Your Payments: Public & Secret Keys In Odoo

by Square 51 views
Iklan Headers

Hey guys! Ever wondered how to keep your online transactions super secure in Odoo? Well, one of the key ways to do that is by using public and secret keys with your payment providers. In this article, we're going to dive deep into setting up these keys, specifically focusing on Pagar.me and how to ensure your payment integrations are rock-solid. So, buckle up and let's get started!

Why Public and Secret Keys Matter

Before we jump into the nitty-gritty, let’s quickly chat about why these keys are so important. Think of public and secret keys as the digital equivalent of a lock and key. The public key is like the lock—you can share it with anyone. It’s used to encrypt information. The secret key, on the other hand, is like the key to that lock. It’s super sensitive and should be kept safe and sound. It's used to decrypt information.

In the context of payment providers like Pagar.me, these keys are crucial for securing transactions. The public key is used on the client-side (like your website) to encrypt payment information before it's sent to the server. The secret key is used on the server-side to decrypt that information and process the payment. If you expose your secret key, it’s like handing over the keys to your bank vault—definitely not something you want to do!

Using these keys ensures that sensitive data, such as credit card numbers, is protected during transmission. This is especially important in today’s world, where data breaches are becoming increasingly common. By implementing public and secret keys, you’re adding an extra layer of security that can help protect your customers and your business. Moreover, it helps you comply with various security standards and regulations, such as PCI DSS. So, security first, always!

Adding Public and Secret Key Fields to Pagar.me in Odoo

Okay, let's get technical! Our mission is to add two new fields—pagarme_public_key and pagarme_secret_key—to the payment provider configuration in Odoo for Pagar.me. This will allow us to securely store the keys needed for Pagar.me integration.

First things first, you’ll need to dive into your Odoo module’s code. If you’re familiar with Odoo development, you know we're going to be tweaking some Python and XML files. If you're new to this, don't worry, we'll walk through it step by step.

In your payment provider module (let's assume it’s named payment_pagarme), you'll need to modify the model that represents the payment provider. This is typically done in a Python file (e.g., models/payment_provider.py). You'll add the new fields as follows:

from odoo import fields, models

class PaymentProvider(models.Model):
 _inherit = 'payment.provider'

 pagarme_public_key = fields.Char(string='Pagar.me Public Key', required_if_provider='pagarme')
 pagarme_secret_key = fields.Char(string='Pagar.me Secret Key', required_if_provider='pagarme')

Here, we’re inheriting the payment.provider model and adding two new Char fields: pagarme_public_key and pagarme_secret_key. The required_if_provider='pagarme' attribute ensures that these fields are mandatory when the payment provider is set to Pagar.me. This helps ensure that the necessary keys are always provided when configuring Pagar.me as a payment option.

Next up, you need to make these fields visible in the Odoo user interface. This is where XML views come in. You'll need to modify the payment provider form view to include these new fields. This is usually done in an XML file (e.g., views/payment_provider_views.xml):

<odoo>
 <record id="payment_provider_form" model="ir.ui.view">
 <field name="name">payment.provider.form.inherit</field>
 <field name="model">payment.provider</field>
 <field name="inherit_id" ref="payment.payment_provider_form"/>
 <field name="arch" type="xml">
 <xpath expr="//group[@name='provider_credentials']" position="inside">
 <field name="pagarme_public_key" attrs="{'invisible': [('provider', '!=', 'pagarme')]}"/>
 <field name="pagarme_secret_key" attrs="{'invisible': [('provider', '!=', 'pagarme')]}"/>
 </xpath>
 </field>
 </record>
</odoo>

In this XML snippet, we're inheriting the existing payment_provider_form view and adding the new fields inside the provider_credentials group. The attrs attribute ensures that these fields are only visible when the provider is set to Pagar.me. This keeps the form clean and relevant, only displaying the necessary fields for the selected payment provider.

With these changes in place, you’ll now have two new fields in your payment provider configuration for Pagar.me. Easy peasy!

Adding a Connection Check Button

Now that we have the key fields set up, it's a great idea to add a button to check the connection with Pagar.me. This allows you to verify that your keys are correct and that Odoo can communicate with the Pagar.me API. This will save you from headaches down the road by allowing you to quickly identify and fix connection issues.

To add this button, we'll need to add a new method to our PaymentProvider model and then create a button in the view that triggers this method. Let’s start with the Python code:

from odoo import fields, models, api
from odoo.exceptions import UserError
import requests

class PaymentProvider(models.Model):
 _inherit = 'payment.provider'

 pagarme_public_key = fields.Char(string='Pagar.me Public Key', required_if_provider='pagarme')
 pagarme_secret_key = fields.Char(string='Pagar.me Secret Key', required_if_provider='pagarme')

 @api.model
 def _get_pagarme_api_url(self):
 if self.state == 'test':
 return 'https://api.pagar.me/1/'
 else:
 return 'https://api.pagar.me/1/' # Or the production URL

 def action_check_pagarme_connection(self):
 self.ensure_one()
 try:
 url = self._get_pagarme_api_url() + 'ping'
 headers = {'Authorization': 'Basic ' + self.pagarme_secret_key}
 response = requests.get(url, headers=headers, timeout=5)
 response.raise_for_status() # Raise HTTPError for bad responses (4xx or 5xx)
 result = response.json()
 if result.get('status') == 'ok':
 return {
 'type': 'ir.actions.client',
 'tag': 'display_notification',
 'params': {
 'title': ('Connection Successful'),
 'message': 'Successfully connected to Pagar.me!',
 'type': 'success',
 'sticky': False,
 }
 }
 else:
 raise UserError('Connection failed: %s' % result.get('message', 'Unknown error'))
 except requests.exceptions.RequestException as e:
 raise UserError('Connection failed: %s' % e)

In this code, we've added two key components. First, there's the _get_pagarme_api_url method, which dynamically returns the correct API URL based on whether Odoo is in test mode or production mode. This is crucial because Pagar.me (and most payment providers) have separate APIs for testing and live transactions. Then, we have the action_check_pagarme_connection method, which performs the actual connection check. It sends a GET request to the Pagar.me API's ping endpoint, including the secret key in the headers for authentication. If the connection is successful, it displays a success notification. If not, it raises a UserError with a descriptive error message. This ensures that you get immediate feedback on whether your connection is working correctly.

Now, let's add the button to the view. Modify your XML view file (views/payment_provider_views.xml) like this:

<odoo>
 <record id="payment_provider_form" model="ir.ui.view">
 <field name="name">payment.provider.form.inherit</field>
 <field name="model">payment.provider</field>
 <field name="inherit_id" ref="payment.payment_provider_form"/>
 <field name="arch" type="xml">
 <xpath expr="//header" position="inside">
 <button name="action_check_pagarme_connection" string="Check Connection" type="object" class="oe_highlight" attrs="{'invisible': [('provider', '!=', 'pagarme')]}"/>
 </xpath>
 <xpath expr="//group[@name='provider_credentials']" position="inside">
 <field name="pagarme_public_key" attrs="{'invisible': [('provider', '!=', 'pagarme')]}"/>
 <field name="pagarme_secret_key" attrs="{'invisible': [('provider', '!=', 'pagarme')]}"/>
 </xpath>
 </field>
 </record>
</odoo>

Here, we’ve added a new button within the <header> section of the form view. This button is linked to the action_check_pagarme_connection method we just created. The oe_highlight class gives it a nice visual highlight, making it easy to spot. And, just like the key fields, the attrs attribute ensures that the button is only visible when the provider is set to Pagar.me. This keeps the interface clean and focused.

With this button in place, you can now easily check your connection to Pagar.me directly from the Odoo interface. This makes troubleshooting a breeze and ensures that your payment integration is always up and running smoothly.

Implementing Key Validation Constraints

To further enhance security, it's crucial to add a constraint that checks the format of the secret key based on the mode (test or production). Pagar.me, like Stripe and other payment providers, uses a prefix to differentiate between test and live keys. Test keys typically start with sk_test_, while live keys start with sk_. By enforcing this constraint, we can prevent accidental use of test keys in production and vice versa, which could lead to serious issues.

Let’s add a constraint to our PaymentProvider model in Python (models/payment_provider.py):

from odoo import fields, models, api
from odoo.exceptions import ValidationError
import requests

class PaymentProvider(models.Model):
 _inherit = 'payment.provider'

 pagarme_public_key = fields.Char(string='Pagar.me Public Key', required_if_provider='pagarme')
 pagarme_secret_key = fields.Char(string='Pagar.me Secret Key', required_if_provider='pagarme')

 @api.constrains('state', 'pagarme_secret_key')
 def _check_pagarme_secret_key(self):
 for provider in self:
 if provider.provider == 'pagarme' and provider.pagarme_secret_key:
 if provider.state == 'test' and not provider.pagarme_secret_key.startswith('sk_test_'):
 raise ValidationError("Pagar.me Secret Key for Test Mode should start with 'sk_test_'.")
 elif provider.state == 'enabled' and not provider.pagarme_secret_key.startswith('sk_'):
 raise ValidationError("Pagar.me Secret Key for Production Mode should start with 'sk_'.")

 @api.model
 def _get_pagarme_api_url(self):
 if self.state == 'test':
 return 'https://api.pagar.me/1/'
 else:
 return 'https://api.pagar.me/1/' # Or the production URL

 def action_check_pagarme_connection(self):
 self.ensure_one()
 try:
 url = self._get_pagarme_api_url() + 'ping'
 headers = {'Authorization': 'Basic ' + self.pagarme_secret_key}
 response = requests.get(url, headers=headers, timeout=5)
 response.raise_for_status() # Raise HTTPError for bad responses (4xx or 5xx)
 result = response.json()
 if result.get('status') == 'ok':
 return {
 'type': 'ir.actions.client',
 'tag': 'display_notification',
 'params': {
 'title': ('Connection Successful'),
 'message': 'Successfully connected to Pagar.me!',
 'type': 'success',
 'sticky': False,
 }
 }
 else:
 raise UserError('Connection failed: %s' % result.get('message', 'Unknown error'))
 except requests.exceptions.RequestException as e:
 raise UserError('Connection failed: %s' % e)

In this code, we've added a new method called _check_pagarme_secret_key decorated with @api.constrains. This decorator tells Odoo to run this method whenever the state or pagarme_secret_key fields are changed. Inside the method, we check if the provider is Pagar.me and if a secret key is provided. Then, based on the state (test or production), we check if the key starts with the correct prefix. If it doesn't, we raise a ValidationError with a clear message, preventing the user from saving the configuration with an invalid key. This simple check can save you from major headaches down the line, ensuring that your keys are always used in the correct environment.

Stripe Module as a Template

You might have noticed that the task description mentions using the Stripe module as a template. This is a fantastic idea! The Stripe module in Odoo is a well-structured example of how to handle payment provider integrations, especially when it comes to managing keys and connections. By looking at how Stripe handles public and secret keys, you can get valuable insights into best practices and implementation details. The provided link to tripe_publishable_key in the Odoo codebase is a great starting point.

For example, the Stripe module likely includes similar checks for key formats and connection testing mechanisms. By examining this module, you can ensure that your Pagar.me integration follows industry standards and leverages proven techniques. It’s like having a blueprint for success! Plus, it can save you time and effort by giving you a solid foundation to build upon. So, don’t hesitate to explore the Stripe module and borrow ideas from it. That's what templates are for, right?

Best Practices for Handling Keys

Before we wrap up, let’s touch on some best practices for handling public and secret keys. These keys are the guardians of your payment security, so it's essential to treat them with the utmost care. Here are a few key guidelines to keep in mind:

  1. Keep Secret Keys Secret: This one might seem obvious, but it’s worth repeating. Never, ever expose your secret key in client-side code or share it with unauthorized individuals. Treat it like a password and keep it under lock and key. Store it securely on your server and ensure that only authorized personnel have access.
  2. Use Environment Variables: Instead of hardcoding your keys in your code, use environment variables. This allows you to easily switch between different keys for different environments (e.g., test and production) without modifying your code. It also prevents keys from being accidentally committed to your version control system.
  3. Regularly Rotate Keys: Periodically changing your keys is a good security practice. This limits the potential damage if a key is compromised. Most payment providers allow you to generate new keys without disrupting your service. Make it a habit to rotate your keys every few months.
  4. Monitor Key Usage: Keep an eye on your API usage and look for any unusual activity. If you notice something suspicious, it could be a sign that your keys have been compromised. Most payment providers offer monitoring tools and notifications to help you stay informed.
  5. Use Test Keys in Development: Always use test keys when developing and testing your payment integration. This prevents you from accidentally processing real transactions and allows you to thoroughly test your code without any financial risk. Test keys behave like real keys but don’t actually charge any money. They’re your best friends during development!

By following these best practices, you can significantly reduce the risk of key compromise and ensure the security of your payment processing system.

We've successfully added the necessary fields, implemented a connection check button, and enforced key validation constraints. By following the Stripe module as a template and adhering to best practices for key management, you’re well on your way to creating a secure and reliable payment integration for Pagar.me in Odoo.