Card expiry dates do not honour empty dates

[judgej]

If an expiry date is not set in the card, then Omnipay\Common\CreditCard::getExpiryDate() will return "1299" as the date.

The setExpiryMonth() - but strangly not the setExpiryYear() - casts the value provided to an integer, which comes out as 0 (zero) for null and "".

The date string by default, then becomes:

gmdate($format, gmmktime(0, 0, 0, $this->getExpiryMonth(), 1, $this->getExpiryYear()));
gmdate("my", gmmktime(0, 0, 0, 0, 1, 0));
or
gmdate("my", gmmktime(0, 0, 0, 0, 1, null));

or "1299".

This causes a problem with the silent redirect type of gateways. With these gateways, you pre-populate the AuthorizeRequest object with what information is already know. This tends to be the billing and possibly the shipping person details, and maybe the cart details too. The AuthorizeRequest->send() will give you a AuthorizeResponse object that is used to populate the form. AuthorizeResponse->getData() gives you the data that goes into this form, with keys appropriately named for the remote gateway (remember - this is a silent POST, so the form on the merchant's site will POST direct to the gateway site).

So, this form starts with no credit card, and no CVV details, but an expiration date (and I assume start date) of "'1299".

[judgej]

Just as a first thought, here is what I propose:

• First CreditCard::setExpiryMonth() does not cast the value to an int.
• CreditCard::getExpiryDate() does not blindly provide a formatted date. It should check that the month and year have been supplied as valid values before trying to use them, and return an empty string if not.
• CreditCard::validate() will thrown an exception if the expiry date is before today. I'm not sure when this is called, but it should probably skip that check if there is no expiry date (this ticket is about there never not being an expiry date, since it always comes out as 9912 or 199912).
• The Helper::validateLuhn() I think, just happens to allow a blank card as valid implicitly, and probably not by design. I would personally make that more explicit, so "" is not considered invalid.

Any thoughts on this, before I start putting a fork together? If the CreditCard object were one of those things the gateway driver could override, then I could fix it in the driver where it is having an effect. But since the CreditCard is created directly from the scaffolding, an alternative override cannot be slipped in by the driver.

For now, in my form template, I will be looking for "1299" in the expiry date field and cleaning it out.

[judgej]

Okay, the tl;dr version:

The CreditCard expiry date (and start date) defaults to "1299". Trying to blank out the expiry month and year also results in the default "1299". The "silent post" method of authorising a transaction almost certainly needs the expiry date to be blank. Other authorisation methods should not be given "1299" just because the user did not complete the expiry date (putting aside whether the front end validation supports or prevents that).

Sample code:

<?php
use Omnipay\Common\CreditCard;
require 'vendor/autoload.php';

$card = new CreditCard([
    'number' => '',
    'expiryMonth' => '',
    'expiryYear' => '',
    'cvv' => '',
]);

echo $card->getExpiryDate('my');
// 1299
echo $card->getExpiryMonth();
// 0
echo $card->getExpiryYear();
// ""

All three results should be "" because no expiry date has been set. So much for tl;dr.

This CreditCard object is used to populate the silient-post form, because that object translates fields from the standard OmniPay names to the field names required to be posted to the remote gateway. That is what getPostData() gives us.

[judgej]

Setting the start or expiry year to null will store them as a null. Setting the start or expiry month to a null will store them as an integer 0.

It should be possible to set any of the date components to null, and have them stay null. Any attempt to retrieve a formatted date should then also return null.

The reasoning is that some gateways accept a card token as the card number. One way for a gateway driver to tell if if has been passed a credit card or a token, would be to check if the expiry date is null. But since the expiry date can never be set to null due to the (int) casting on the months, and the later assumption that the year is always set to a number, it becomes a little more difficult to indicate whether the card number is a full credit card number or a tokenised credit card.

Workaround (until I get a PR in) is to check just the expiry year for null to tell if an expiry date has been set.

[hugohenrique]

Any news? Already can be closed?