diff --git a/Api/Kevin.php b/Api/Kevin.php index ed328e1..ab991d1 100644 --- a/Api/Kevin.php +++ b/Api/Kevin.php @@ -3,6 +3,7 @@ namespace Kevin\Payment\Api; use Kevin\Client; +use Kevin\SecurityManager; /** * Class Kevin @@ -10,6 +11,11 @@ */ class Kevin { + /** + * Signature verify timeout in milliseconds + */ + const SIGNATURE_VERIFY_TIMEOUT = 300000; + /** * @var \Kevin\Payment\Gateway\Config\Config */ @@ -228,4 +234,23 @@ public function getRefunds($paymentId){ throw new \Exception($exception->getMessage()); } } + + /** + * @param $endpointSecret + * @param $requestBody + * @param $headers + * @param $webhookUrl + * @return mixed + * @throws \Exception + */ + public function verifySignature($endpointSecret, $requestBody, $headers, $webhookUrl){ + try { + $timestampTimeout = self::SIGNATURE_VERIFY_TIMEOUT; + $isValid = SecurityManager::verifySignature($endpointSecret, $requestBody, $headers, $webhookUrl, $timestampTimeout); + + return $isValid; + } catch (\Exception $exception) { + throw new \Exception($exception->getMessage()); + } + } } \ No newline at end of file diff --git a/Controller/Payment/Notify.php b/Controller/Payment/Notify.php index d36fea8..e9c7f2e 100644 --- a/Controller/Payment/Notify.php +++ b/Controller/Payment/Notify.php 
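Review bot: SIGNATURE_VERIFY_TIMEOUT is declared with bare `const` and no visibility, so it is public by default; state the intent explicitly, `private const SIGNATURE_VERIFY_TIMEOUT = 300000;` (or `public` if callers are meant to read it). The docblock says milliseconds, which makes this a 5-minute replay window, but that only holds if SecurityManager::verifySignature compares the timestamp header in the same unit — if it expects seconds, 300000 would accept requests up to roughly 3.5 days old, so confirm the unit against the SDK and say what the value protects, e.g. `Maximum age of a signed webhook request, in milliseconds (5 minutes), to bound replay of captured callbacks.`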
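Review bot: The catch block in verifySignature rethrows a bare \Exception built from the message only, which discards the original exception class, code and stack, so the caller in Notify cannot tell a malformed header from an expired timestamp or an SDK fault; since the method adds no handling of its own, either drop the try/catch or at least chain the cause, `throw new \Exception($exception->getMessage(), (int) $exception->getCode(), $exception);`. The docblock's `@return mixed` hides the contract the caller depends on (`if($isValid)`); if SecurityManager::verifySignature returns a bool, declare it and document it: `@return bool true when the signature and timestamp headers validate against $endpointSecret`. The parameters could likewise carry `string $endpointSecret, string $requestBody, array $headers, string $webhookUrl` so a missing header array fails at this boundary rather than inside the SDK.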
@@ -138,26 +138,11 @@ public function __construct( public function execute() { $body = $this->getRequest()->getContent(); - if($body) { $response = Json::decode($body, true); if (!empty($response)) { $this->logger->info('Callback Body: '.$body); - $timestamp = $this->getRequest()->getHeader('X-Kevin-Timestamp'); - $kevinSignature = $this->getRequest()->getHeader('X-Kevin-Signature'); - $method = $this->getRequest()->getMethod(); - $url = $this->getRequest()->getUriString(); - //$signature = $this->config->getSignature(); - - $this->logger->info('Callback Body: '.$body); - $this->logger->info($timestamp); - $this->logger->info($kevinSignature); - $this->logger->info($method); - $this->logger->info($url); - - $signData = $method.$url.$timestamp.$body; - if ($response['id']) { $paymentId = $response['id']; @@ -171,9 +156,10 @@ public function execute() \Magento\Store\Model\ScopeInterface::SCOPE_STORE, $order->getStoreId() ); - //echo $signature; die('aaa'); - $generateSign = hash_hmac('sha256', $signData, $signature); - if($generateSign == $kevinSignature) { + $headers = getallheaders(); + $webhookUrl = $this->getRequest()->getUriString(); + $isValid = $this->api->verifySignature($signature, $body, $headers, $webhookUrl); + if($isValid) { //emulate environment to get specific store config data $this->emulation->startEnvironmentEmulation($order->getStoreId()); @@ -228,7 +214,7 @@ public function execute() } } elseif ($response['statusGroup'] == \Kevin\Payment\Model\Adapter::PAYMENT_STATUS_GROUP_SUCCESS) { try { - if ($order->canInvoice()) { + if ($order->canInvoice()) { //Save bank if not saved before $payment = $order->getPayment(); if (!$payment->getAdditionalInformation('bank_code') || !$payment->getAdditionalInformation('bank_name')) { 
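Review bot: The surviving `$this->logger->info('Callback Body: '.$body);` still runs before the signature is verified (the verifySignature call sits further down execute(), in the next hunk), so any unauthenticated client that can reach the notify URL can write arbitrary content into the Magento log; move that line below the `if($isValid)` check, or log only after verification and only the fields needed, such as the payment id. `if ($response['id'])` also reads the key without checking it exists, which emits a warning for a JSON body that lacks `id`; `if (!empty($response['id']))` handles both cases. execute() begins before this hunk and continues past it.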
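Review bot: `getallheaders()` is SAPI-dependent (Apache module, and FPM only from PHP 7.3) and is undefined under other SAPIs, which would turn every webhook into a fatal error; the controller already holds a request object, so `$headers = $this->getRequest()->getHeaders()->toArray();` is the portable choice if the request exposes the Laminas headers collection — verify that against the Magento versions this module targets. `getUriString()` rebuilds the URL from the server environment, so behind a TLS-terminating proxy or a different public hostname the scheme or host may not match the URL the sender signed and legitimate callbacks would be rejected; consider deriving the webhook URL from the store's configured callback URL instead. The hunk shows no else branch for `if($isValid)`; if none exists outside the hunk, an invalid signature should end in a 4xx response with no order processing rather than falling through silently.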
@@ -283,7 +269,7 @@ public function execute() $this->invoiceSender->send($invoice); $this->getResponse()->setBody('Signatures match.'); - } + } } catch (\Exception $exc) { $this->getResponse()->setHttpResponseCode(400); $this->getResponse()->setBody($exc->getMessage()); diff --git a/etc/module.xml b/etc/module.xml index 1d89adf..d0edfb2 100644 --- a/etc/module.xml +++ b/etc/module.xml @@ -1,6 +1,6 @@ - +