Whenever setTestMode() method is used, the error "Security header is not valid" pops up.
But if I remove setTestMode() and just keep the setUsername(), setPassword(), and setSignature() methods, it goes through and redirects straight to PayPal (Live Paypal).
So AFAIK the problem should lie in how I'm using setTestMode and not about incorrect API creds as most "Security header is not valid" errors are about.
I am currently using Laravel 5.8 with Omnipay/PayPal using PayPal Express Checkout
Here are the files that were used
Paypal.php
public function gateway()
{
$gateway = Omnipay::create('PayPal_Express');
$gateway->setUsername(config('services.paypal.username'));
$gateway->setPassword(config('services.paypal.password'));
$gateway->setSignature(config('services.paypal.signature'));
$gateway->setTestMode(config('services.paypal.sandbox'));
// $gateway->setTestMode(true);
return $gateway;
}
public function purchase(array $parameters)
{
$response = $this->gateway()
->purchase($parameters)
->send();
return $response;
}
PaypalController.php
public function checkout($order_id)
{
$order = Order::findOrFail(decrypt($order_id));
$paypal = new PayPal;
$response = $paypal->purchase([
'amount' => $paypal->formatAmount($order->amount),
'transactionId' => $order->transaction_id,
'currency' => 'PHP',
'cancelUrl' => $paypal->getCancelUrl($order),
'returnUrl' => $paypal->getReturnUrl($order),
'notifyUrl' => $paypal->getNotifyUrl($order),
]);
if ($response->isRedirect()) {
$response->redirect();
}
return redirect()->back()->with([
'message' => $response->getMessage(),
]);
}
Here are the contents of the $response
ExpressAuthorizeResponse {#1098 ▼
#liveCheckoutEndpoint: "https://www.paypal.com/cgi-bin/webscr"
#testCheckoutEndpoint: "https://www.sandbox.paypal.com/cgi-bin/webscr"
#request: ExpressAuthorizeRequest {#1095 ▼
#liveEndpoint: "https://api-3t.paypal.com/nvp"
#testEndpoint: "https://api-3t.sandbox.paypal.com/nvp"
#negativeAmountAllowed: true
#parameters: ParameterBag {#1097 ▶}
#httpClient: Client {#1063 ▶}
#httpRequest: Request {#1086 ▶}
#response: ExpressAuthorizeResponse {#1098}
#currencies: ISOCurrencies {#1096}
#zeroAmountAllowed: true
}
#data: array:9 [▼
"TIMESTAMP" => "2020-02-03T11:04:45Z"
"CORRELATIONID" => "c8d066c9b5ccd"
"ACK" => "Failure"
"VERSION" => "119.0"
"BUILD" => "54118205"
"L_ERRORCODE0" => "10002"
"L_SHORTMESSAGE0" => "Security error"
"L_LONGMESSAGE0" => "Security header is not valid"
"L_SEVERITYCODE0" => "Error"
]
}
---EDIT---
Just made a new Sandbox Business Account and used that one's NVP API Creds and then it worked! The old account's problem was probably it's email that I edited because that was the only difference between the old and new one.