Add method for callback validation

daniel-zahariev · daniel-zahariev · commit d52941dee0b9 · 2021-11-07T10:36:47.000+02:00
diff --git a/src/SettleApiClient.php b/src/SettleApiClient.php
@@ -2,8 +2,6 @@
 
 namespace Danielz\SettleApi;
 
-use Exception;
-
 class SettleApiClient
 {
     protected string $merchantId;
@@ -15,10 +13,12 @@ class SettleApiClient
     const BASE_URL_PRODUCTION = 'https://api.settle.eu/merchant/v1/';
     const BASE_URL_SANDBOX = 'https://api.sandbox.settle.eu/merchant/v1/';
 
+    const PUBLIC_KEY_PRODUCTION = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9iglTBPG1poCw3qFPlxT0MSHO\nt6kgRmpVrLBY9Fx8Zn+zAoY89ZeFhwwnRR8IDQcj4yEAjsoXCxtH3bbh/OdvlFG6\nxdSsAeph6/MSk9YAVKWRWU5ber9cgoQ89KJ14goLUnhhegynUjnz+hdgAET5k9Uc\nsxnmfU7XeT78FP02JQIDAQAB\n-----END PUBLIC KEY-----";
+    const PUBLIC_KEY_SANDBOX = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS92fCQmAPDpmcgraqPRXgz4Nd\nd/biPxIH5aG1dAQ8dMMcEjGCn7Sm5VcX1iV8L5oW+MlcnHFaZdVyy1Lcqed/8+r0\nQM9cFqQWif35C+eOr/s7/CCY/WXMApqO6YihtHvP+jgjrXltw0LHrUwMWO718udN\nhlg22QkpjhG90kvf3QIDAQAB\n-----END PUBLIC KEY-----";
 
     const SETTLE_LINK = 'https://settle.eu';
-    const PAYMENT_LINK = 'https://settle.eu/p/:payment_request_id/';
-    const PAYMENT_LINK_MOBILE = 'https://settle.eu/p/:payment_request_id/';
+    const PAYMENT_LINK = 'http://settle.eu/p/:payment_request_id/';
+    const PAYMENT_LINK_MOBILE = 'http://settle.eu/p/:payment_request_id/';
     const PAYMENT_LINK_MOBILE_SANDBOX = 'https://settledemo.page.link/?apn=eu.settle.app.sandbox&ibi=eu.settle.app.sandbox&isi=1453180781&ius=eu.settle.app.firebaselink&link=https://settle-demo://qr/http://settle.eu/p/:payment_request_id/';
 
     /**
@@ -46,6 +46,14 @@ public function getIsSandbox()
         return $this->isSandbox;
     }
 
+    /**
+     * @return string
+     */
+    public function getSettlePublicKey()
+    {
+        return $this->isSandbox ? self::PUBLIC_KEY_SANDBOX : self::PUBLIC_KEY_PRODUCTION;
+    }
+
     /**
      * @param $isSandbox
      */
@@ -151,6 +159,74 @@ protected function getHeaders(string $method, string $url, array $postFields): a
         return $headers;
     }
 
+
+    /**
+     * @param string $callbackUrl
+     * @param string $method
+     * @return false|mixed
+     * @throws SettleApiException
+     */
+    public function getCallbackData($callbackUrl = '', $method = 'POST')
+    {
+        $body = file_get_contents('php://input');
+        if (empty($callbackUrl)) {
+            $callbackUrl = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+        }
+
+        $is_valid_request = $this->isValidCallback($callbackUrl, $body, $_SERVER, $method);
+
+        return $is_valid_request ? json_decode($body, true) : false;
+    }
+
+    /**
+     * @param string $callbackUrl
+     * @param string|array $body
+     * @param array $headers
+     * @param string $method
+     * @return bool
+     * @throws SettleApiException
+     */
+    public function isValidCallback($callbackUrl, $body, $headers, $method = 'POST')
+    {
+        $data = is_string($body) ? $body : json_encode($body);
+        $content_digest = base64_encode(hash('sha256', $data, true));
+
+        $expected_signature = false;
+        $expected_content_digest = false;
+        $settle_headers = [];
+        foreach($headers as $header => $value) {
+            $normalized_header = str_replace(['http_', '_'], ['', '-'], strtolower($header));
+            switch($normalized_header) {
+                case 'authorization':
+                    list($algo, $authorization) = explode(' ', $value, 2);
+                    if ($algo == 'RSA-SHA256') {
+                        $expected_signature = base64_decode($authorization);
+                    }
+                    break;
+                case 'x-settle-timestamp':
+                    $settle_headers[] = 'X-SETTLE-TIMESTAMP=' . $value;
+                    break;
+                case 'x-settle-content-digest':
+                    list($algo, $digest) = explode('=', $value, 2);
+                    if ($algo == 'SHA256') {
+                        $settle_headers[] = 'X-SETTLE-CONTENT-DIGEST=' . $value;
+                        $expected_content_digest = $digest;
+                    }
+                    break;
+            }
+        }
+        sort($settle_headers);
+
+        if (!$expected_signature) {
+            throw new SettleApiException("Authorization header is missing.");
+        }
+
+        $fingerprint = join('|', [strtoupper($method), $callbackUrl, join('&', $settle_headers)]);
+        $valid_signature = openssl_verify($fingerprint, $expected_signature, $this->getSettlePublicKey(), OPENSSL_ALGO_SHA256);
+
+        return ($expected_content_digest == $content_digest) && $valid_signature;
+    }
+
     public function createLink($template, array $data = [])
     {
         switch($template) {
diff --git a/tests/ApiTest.php b/tests/ApiTest.php
@@ -186,7 +186,7 @@
     $api_client->setIsSandbox($isSandbox);
 
     $api = $merchant_api->payment_requests;
-    expect($api->getPaymentLink('pcqghkrpztq1'))->toBe('https://settle.eu/p/pcqghkrpztq1/');
+    expect($api->getPaymentLink('pcqghkrpztq1'))->toBe('http://settle.eu/p/pcqghkrpztq1/');
     expect($api->getMobilePaymentLink('pcqghkrpztq1'))->toBe('https://settledemo.page.link/?apn=eu.settle.app.sandbox&ibi=eu.settle.app.sandbox&isi=1453180781&ius=eu.settle.app.firebaselink&link=https://settle-demo://qr/http://settle.eu/p/pcqghkrpztq1/');
 });
 
@@ -201,3 +201,18 @@
         expect($e->getCode())->toBe(404);
     }
 });
+
+test('Callback validation', function () {
+   global $api_client;
+
+    $body = '{"meta": {"seqno": 0, "labels": ["timeline"], "uri": "https://api-dot-settle-core-demo.appspot.com/merchant/v1/payment_request/phkan3yvn4ex/outcome/", "id": "daMUL1Q1R9yP9K_EQrVnDQ", "context": "ctx:daMUL1Q1R9yP9K_EQrVnDQ", "timestamp": "2021-11-07 07:20:59", "event": "payment_aborted_by_customer"}, "object": {"status": "fail", "customer": "token:5703313655857152", "refunds": [], "auth_amount": 0, "auth_additional_amount": 0, "credit": false, "captures": [], "pos_id": "pos123", "date_modified": "2021-11-07 07:20:42", "date_expires": "2021-11-07 13:20:42", "currency": "NOK", "amount": 2900, "interchange_fee": 0, "status_code": 5006, "tid": "phkan3yvn4ex", "attachment_uri": "https://settle-core-demo.appspot.com/_ah/upload/AMmfu6a49Ta2AXX8NEgjcDCCmlfTwjiPOZ6OBK4uQ0LRwFbU-hR1JU6clKjAhFvaWjL6u6JvqLxRISX1CtXW4yp7yNqNY8-ZNVNFFhkajid8QeqnHNBIXVmtg4p7KJAVm3ElYqXPuGG9_qsxF7mf3rpmrbuYjzp2fT1iQaOwzVe--LV30upHVcxkDVy0lpJMxyKh86RKswuqlcVRM4JHpwlCW-aONlM4roY2mF14Al3fEebjTPg8n8oSlvdcwfFcbIvDTBTlpLCOOgZGGipOl5zkd4eIH8zHP6kpSwy_V5pKQqhjN1Odb6hdUuKNpJGspXrgXw3JVCz3kiRokRgy7rshbIAKLvuK2Xnn9gNR3JfTCI8AwnAcXws/ALBNUaYAAAAAYYeAs9Shob9n0EBUTaZnj-jRHCTZp1vr/", "pos_tid": "6i6tEp46pERGGi6ZbxkyV3", "permissions": null, "transaction_fee": 0, "additional_amount": 0}}';
+    $headers = [
+        'HTTP_AUTHORIZATION' => 'RSA-SHA256 p8bHuIN3I41lof3zEQYlEyGfj0N+uyZW2wY2xR+x7oAbfwZtRjaX8wI3QVaF23wS+d2fgJiJ0ZJqumz0rqwBcGlKy1sqhNGiA1QXfJs0o79vptex/+CGfVm7cdtCPhv2fougwHFGx6uAlYozYUpQGcIPHD4DmRFZpPpOEn7Vc9I=',
+        'HTTP_X_SETTLE_TIMESTAMP' => '2021-11-07 07:21:00',
+        'CONTENT_TYPE' => 'application/vnd.mcash.api.merchant.v1+json',
+        'HTTP_X_SETTLE_CONTENT_DIGEST' => 'SHA256=qnm7VZVajBcZ+p506yfEhm7tC4hTA0q7F5YXyxd1WUA=',
+    ];
+    $callbackUrl = 'https://daniel-zahariev.info/requestbin/settle.php';
+
+    expect($api_client->isValidCallback($callbackUrl, $body, $headers))->toBeTrue();
+});
