Pay4All TWINT Ìtumọ̀ Yorùbá: – For WooCommerce & Pay4All Shop

Àpèjúwe

Pay4All for TWINT adds TWINT as a payment method to the free Pay4All Shop plugin (order-form-based checkouts).

TWINT is a trademark of TWINT AG (Switzerland). This plugin is an independent integration and is not affiliated with, endorsed by, or sponsored by TWINT AG.

Main features:

  • TWINT integration for the free Pay4All Shop plugin (order forms with TWINT payment).
  • Step-by-step setup wizard: TWINT credentials, certificate upload, connection test, status page.
  • Automatic conversion of the .p12 certificate delivered by TWINT to PEM format.
  • Cash register enrollment and connection test built into the wizard.
  • Localized payment instructions in French, German, Italian and English.

To use this plugin you need:

  • the free Pay4All Shop plugin installed and active.
  • a TWINT merchant account with a configured store and an active certificate (see https://portal.twint.ch).

There is no license fee, no subscription, no domain activation. Install, activate, run the wizard, done.

WooCommerce support

The WooCommerce payment-gateway integration (classic checkout, Checkout Blocks, HPOS, refunds, background monitoring) is not shipped inside this free plugin. It lives inside the paid companion « Pay4All Pro », distributed outside WordPress.org from https://pay4all.ch/. Install Pay4All Pro next to this plugin to enable the WooCommerce TWINT gateway.

External services

This plugin connects to the TWINT merchant SOAP API (operated by TWINT AG) to authorize, capture, refund and reconcile payments. Without a valid TWINT merchant account and certificate, the gateway cannot process payments.

What it is used for

  • Every TWINT payment initiated from a Pay4All Shop form is forwarded to the TWINT SOAP API for authorization and status polling (payment start, background status polling, refund, cancellation).
  • Nothing else is sent to any external service.

What data is sent, and when

  • On payment start: the order number, the amount, the currency, the store UID (from your TWINT merchant account), the cash-register ID and — depending on your TWINT setup — the customerÌtumọ̀ Yorùbá: ’s e-mail or phone number.
  • On status polling and reconciliation: only the TWINT transaction identifier returned by the previous call.
  • On refund: the TWINT transaction identifier plus the amount to refund.
  • No login credentials, no plugin telemetry, no site metadata are sent.

Where the data is sent

The plugin talks to one of three TWINT-owned endpoints depending on your T4A_ENVIRONMENT setting:

  • Production: https://service.twint.ch/merchant/service/TWINTMerchantServiceV8_4
  • Integration / staging: https://service-int.twint.ch/merchant/service/TWINTMerchantServiceV8_4
  • Pre-authorization test: https://service-pat.twint.ch/merchant/service/TWINTMerchantServiceV8_4

Terms of use and privacy policy for TWINT

  • TWINT terms of use: https://www.twint.ch/en/legal/
  • TWINT data protection: https://www.twint.ch/en/data-protection/

No other external service is contacted by this plugin.

Source code

The complete, non-minified source of this plugin is bundled inside the ZIP itself. Every PHP file is human-readable and directly editable. The JavaScript bundles under assets/js/ are shipped in a pretty-printed, non-minified form so you can read and modify them without a build step.

No compiler, transpiler or bundler is required to work on this plugin.

Àwọn àwòrán ìbòjú

Ìgbéwọlẹ̀

  1. Upload the pay4all-for-twint folder to /wp-content/plugins/ (or install the ZIP from Plugins > Add New).
  2. Activate “Pay4All for TWINT” from the WordPress Plugins screen.
  3. Install and activate the free “Pay4All Shop” plugin (required companion).
  4. Open the “Pay4All TWINT” menu in the admin and follow the wizard: TWINT credentials, certificate upload, status.

Server requirements:

  • PHP 7.4 or higher (8.x recommended).
  • PHP extensions: openssl, soap, curl.
  • WordPress 5.9 or higher.
  • Pay4All Shop plugin (required).

FAQ

Does the plugin work without Pay4All Shop?

No. Pay4All Shop is a required companion — the wizard shows a warning when the companion is missing. Install both plugins together.

Does the plugin work with WooCommerce?

Not directly. The WooCommerce TWINT gateway is packaged in the paid « Pay4All Pro » add-on, distributed from https://pay4all.ch/. That add-on installs on top of this free plugin and wires the WooCommerce checkout, Checkout Blocks, HPOS compatibility and background monitoring.

Where do I find my TWINT credentials?

Log in to https://portal.twint.ch, create a store and generate a certificate. The wizard asks for the store UID, certificate password, cash-register ID and the certificate file.

Do I need a Pay4All account or license?

No. This plugin is fully free and works standalone (with Pay4All Shop). You only need TWINT merchant credentials.

Is WordPress Multisite supported?

Not in this version. Activate the plugin site by site.

Àwọn àgbéyẹ̀wò

Kò sí àwọn àgbéyẹ̀wò fún plugin yìí.

Àwọn Olùkópa & Olùgbéejáde

“Pay4All TWINT Ìtumọ̀ Yorùbá: – For WooCommerce & Pay4All Shop” jẹ́ ètò ìṣàmúlò orísun ṣíṣí sílẹ̀. Àwọn ènìyàn wọ̀nyí ti ṣe ìkópa sí plugin yìí.

Àwọn Olùkópa

Àkọsílẹ̀ àwọn àyípadà

1.3.0

  • Security — merchant certificate no longer at a predictable URL. The TWINT PEM (private key + certificate) used to be written to wp-content/uploads/t4a_twint/twint.pem — a fixed, guessable path protected only by .htaccess deny from all. On nginx (which silently ignores .htaccess) or Apache with AllowOverride None, the file was directly downloadable. Each merchant now gets a random 48-hex filename minted per install (stored in t4a_twint_settings_certfile), the containing folder ships both an index.php and an .htaccess (belt-and-suspenders), and the file is chmodÌtumọ̀ Yorùbá: ’d to 0600. Certificate renewal via TWINT backoffice also mints a fresh name, so a previously exposed URL is invalidated.
  • Security — certificate password encrypted at rest. The password protecting the private key was stored in cleartext in wp_options and re-emitted in the wizard HTML + AJAX response + parsing error message. It is now stored encrypted via authenticated encryption (see below), never echoed back to the DOM (the field renders empty with a « laissez vide pour conserver » hint), and the « Failed to parse certificate » error no longer includes the provided password.
  • Security — authenticated encryption for stored secrets. Cipher was AES-256-CTR with a length-checked salt suffix — malleable, no MAC, key material was LOGGED_IN_KEY used raw. Replaced with sodium_crypto_secretbox (XChaCha20-Poly1305) with an openssl aes-256-gcm fallback, keyed via HKDF-SHA256 from LOGGED_IN_KEY + LOGGED_IN_SALT. Ciphertexts written by earlier versions keep decrypting (backward-compatible reader) so no data loss.
  • Security — TWINT return signature now expires. The signature on the redirect / cancel URL was computed with a fixed t=1, meaning it was replayable indefinitely. It now embeds the real timestamp and rejects any URL older than T4A_REDIRECT_SIGNATURE_EXPIRATION (bumped from 60 s to 30 min so realistic TWINT-app flows are not rejected).
  • Security — FileServer defense-in-depth. Internal basename() + type whitelist + realpath bounding are now enforced inside send_file() / display_pdf(), in addition to the callers’ existing sanitisation. Any request that escapes the allowed upload directory returns HTTP 404.
  • Security — nginx-proof folder protection. t4a_twint/, logs/, temp/, locks/ now systematically ship both .htaccess and an empty index.php so servers that ignore .htaccess still canÌtumọ̀ Yorùbá: ’t list or serve them.
  • Internal : EnvironmentConfig::get_certificate_file_path() is resolved LIVE (not from the T4A_CERTIFICATE_PATH constant frozen at boot) so a cert upload followed by a connection test in the same request reads the just-written file. Same for the certificate password — the SoapClient reads it via get_certificate_password() instead of stripcslashes(get_option(...)).

1.2.0

  • Wizard rework — new « Commande » tab. The setup wizard now has 4 steps (Préparation, Identifiants, Commande, État). The « Commande » tab merges the Pay4All Shop and WooCommerce post-payment order-status configuration into a single unified card, with matching labels (« Commande contenant… ») between both integrations and editable status pickers.
  • Standalone boot. The plugin no longer requires Pay4All Shop to be present at activation. When the companion is missing, a scoped admin notice explains whatÌtumọ̀ Yorùbá: ’s needed instead of blocking activation. WooCommerce-only merchants can install Pay4All Pro next to this plugin and skip Pay4All Shop entirely.
  • Pay4All Pro compatibility. The Commande tab detects when Pay4All Pro is active and offers a « Plus de réglages » shortcut to admin.php?page=pay4all-twint-woo, keeping advanced WooCommerce settings in a single place.
  • Localized tutorial link. The « Besoin dÌtumọ̀ Yorùbá: ’aide » block in the Préparation tab now points to https://pay4all.ch/p/twint-woocommerce#tutorials in FR/DE/IT/EN.
  • Internal : FormDomainEvents.mark_payment_paid delegates to a shared paid_status_for_p4all_form_order() helper so Pay4All Shop and WooCommerce share the same virtual/deferred/default logic.

1.1.0

  • SOAP client rewritten in non-WSDL mode. The full TWINT Merchant Service v8.4 WSDL/XSD contract (previously shipped as .xml schema files under src/Engine/Soap/schemas/v8_4/) has been removed from the plugin package per WordPress.orgÌtumọ̀ Yorùbá: ’s blanket file-type policy. Every SOAP request is now built as a hand-written XML envelope inside TwintSoapClient::dispatch(), transported by \SoapClient in non-WSDL mode (mTLS + gzip + timeouts unchanged), and the response is parsed by an in-house DOMDocument stdClass converter that mimics SoapClientÌtumọ̀ Yorùbá: ’s classic ->_ shape so every existing consumer ($response->Order->Status->Status->_, etc.) keeps working. Validated live against production TWINT on a small-amount payment + refund round-trip (StartOrder GetOrder polling ConfirmOrder REVERSAL).
  • Sensitive payloads no longer logged. The SOAP journal used to record the full $args request payload and $response object for every operation. On WordPress.orgÌtumọ̀ Yorùbá: ’s review request the plugin now only logs the operation name + message id, never the payload. Applies to TwintSoapClient, TransactionService, BackofficeTransactionService and AdminAjax::check_successful_order_statuses. Debug-only print_r( $this->client ) block removed.
  • Internal : set_headers(), send_soap_request(), get_default_params() retired ; replaced by dispatch() + build_envelope() + merchant_information_xml() helpers.

1.0.0

  • Initial release on WordPress.org.
  • TWINT integration for the free Pay4All Shop plugin.
  • Setup wizard, certificate handling, cash-register enrollment.
  • French, German, Italian and English translations bundled.