signature validation fix

getkevin · Dec 14, 2021 · 4f9f508 · 4f9f508
1 parent a6622a7
commit 4f9f508
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 21 deletions.
diff --git a/Api/Kevin.php b/Api/Kevin.php
@@ -3,13 +3,19 @@
 namespace Kevin\Payment\Api;
 
 use Kevin\Client;
+use Kevin\SecurityManager;
 
 /**
  * Class Kevin
  * @package Kevin\Payment\Api
  */
 class Kevin
 {
+    /**
+     * Signature verify timeout in milliseconds
+     */
+    const SIGNATURE_VERIFY_TIMEOUT = 300000;
+
     /**
      * @var \Kevin\Payment\Gateway\Config\Config
      */
@@ -228,4 +234,23 @@ public function getRefunds($paymentId){
             throw new \Exception($exception->getMessage());
         }
     }
+
+    /**
+     * @param $endpointSecret
+     * @param $requestBody
+     * @param $headers
+     * @param $webhookUrl
+     * @return mixed
+     * @throws \Exception
+     */
+    public function verifySignature($endpointSecret, $requestBody, $headers, $webhookUrl){
+        try {
+            $timestampTimeout = self::SIGNATURE_VERIFY_TIMEOUT;
+            $isValid = SecurityManager::verifySignature($endpointSecret, $requestBody, $headers, $webhookUrl, $timestampTimeout);
+
+            return $isValid;
+        } catch (\Exception $exception) {
+            throw new \Exception($exception->getMessage());
+        }
+    }
 }
diff --git a/Controller/Payment/Notify.php b/Controller/Payment/Notify.php
@@ -138,26 +138,11 @@ public function __construct(
     public function execute()
     {
         $body = $this->getRequest()->getContent();
-
         if($body) {
             $response = Json::decode($body, true);
             if (!empty($response)) {
                 $this->logger->info('Callback Body: '.$body);
 
-                $timestamp = $this->getRequest()->getHeader('X-Kevin-Timestamp');
-                $kevinSignature = $this->getRequest()->getHeader('X-Kevin-Signature');
-                $method = $this->getRequest()->getMethod();
-                $url = $this->getRequest()->getUriString();
-                //$signature = $this->config->getSignature();
-
-                $this->logger->info('Callback Body: '.$body);
-                $this->logger->info($timestamp);
-                $this->logger->info($kevinSignature);
-                $this->logger->info($method);
-                $this->logger->info($url);
-
-                $signData = $method.$url.$timestamp.$body;
-
                 if ($response['id']) {
                     $paymentId = $response['id'];
 
@@ -171,9 +156,10 @@ public function execute()
                                 \Magento\Store\Model\ScopeInterface::SCOPE_STORE,
                                 $order->getStoreId()
                             );
-                            //echo $signature; die('aaa');
-                            $generateSign = hash_hmac('sha256', $signData, $signature);
-                            if($generateSign == $kevinSignature) {
+                            $headers = getallheaders();
+                            $webhookUrl = $this->getRequest()->getUriString();
+                            $isValid = $this->api->verifySignature($signature, $body, $headers, $webhookUrl);
+                            if($isValid) {
                                 //emulate environment to get specific store config data
                                 $this->emulation->startEnvironmentEmulation($order->getStoreId());
 
@@ -228,7 +214,7 @@ public function execute()
                                         }
                                     } elseif ($response['statusGroup'] == \Kevin\Payment\Model\Adapter::PAYMENT_STATUS_GROUP_SUCCESS) {
                                         try {
-                                           if ($order->canInvoice()) {
+                                            if ($order->canInvoice()) {
                                                 //Save bank if not saved before
                                                 $payment = $order->getPayment();
                                                 if (!$payment->getAdditionalInformation('bank_code') || !$payment->getAdditionalInformation('bank_name')) {
@@ -283,7 +269,7 @@ public function execute()
                                                 $this->invoiceSender->send($invoice);
 
                                                 $this->getResponse()->setBody('Signatures match.');
-                                           }
+                                            }
                                         } catch (\Exception $exc) {
                                             $this->getResponse()->setHttpResponseCode(400);
                                             $this->getResponse()->setBody($exc->getMessage());

diff --git a/etc/module.xml b/etc/module.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" ?>
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
-    <module name="Kevin_Payment" setup_version="1.1.0"/>
+    <module name="Kevin_Payment" setup_version="1.1.1"/>
     <sequence>
         <module name="Magento_Sales"/>
         <module name="Magento_Payment"/>