-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: HMAC verification on IPN callback for security #561
base: develop
Are you sure you want to change the base?
feat: HMAC verification on IPN callback for security #561
Conversation
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
$this->paymentValidation->checkSignature(self::PAYMENT_ID, self::API_KEY, self::WRONG_SIGNATURE); | ||
} | ||
|
||
/** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no throws on this test - if you remove true in method, juste test no exception thrown
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Francois-Gomis I'm not sure to understand
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In your comment you have a throws decorator
*/ | ||
public function checkSignature($paymentId, $apiKey, $signature) | ||
{ | ||
if (!$paymentId) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think this test is necessary only for log, isHmacValidated test if params are string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Francois-Gomis Do you want I replace throw by log ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, need, if an error occur, you have exception log. If no error no logs
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
/** | ||
* @return array[] | ||
*/ | ||
public function checkSignatureWrongParamsDataProvider() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure, api is always a string '' not null ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Francois-Gomis I added the test with null
$this->paymentValidation->checkSignature(self::PAYMENT_ID, self::API_KEY, self::WRONG_SIGNATURE); | ||
} | ||
|
||
/** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In your comment you have a throws decorator
⏳E2E tests are currently running. |
Quality Gate passedIssues Measures |
❌ E2E tests have failed. |
Reason for change
Linear task
Code changes
We add the call function to
isHmacValidated
in php client to check is the IPN callback is signed by Alma before to validate the order by IPNHow to test
As a reviewer, you are encouraged to test the PR locally.
Make an order, close the page before the return validation payment
Call the ipn callback with some other browser or API Client to check if the IPN need the Alma signature
Checklist for authors and reviewers
Non applicable