Skip to content

v3.1.0

Choose a tag to compare

View all tags
@digitaldev-lx digitaldev-lx released this 01 Jun 14:02
· 2 commits to master since this release
v3.1.0
8738b43

Security hardening of the payment callback (the trust boundary that confirms payments). The consumer-facing API (MB, MBWay, CreditCard classes, traits, events) is unchanged.

Upgrade note: this release adds a migration. After updating, run php artisan migrate (publish migrations first if you publish them).

Security

  • Redact the API key and customer PII from logs (was logging the full URL + payload in clear text).
  • Strip the API key from the CallbackReceived event payload.
  • Confirm payments atomically (DB transaction + lockForUpdate) to prevent duplicate "paid" events under concurrent callbacks.
  • Constant-time API key comparison (hash_equals) and per-IP rate limiting (throttle:60,1).
  • Optional callback IP allowlist via EUPAGO_ALLOWED_IPS, off by default.

Changed

  • Unknown payment methods now return HTTP 422 instead of raising a ValueError (500).
  • Callback input is type-validated; validation failures return a generic 422 (previously a 302 redirect).
  • Callback route no longer registered in the web middleware group.

Fixed

  • Store MB Way amounts as decimal(10,2) instead of float (new migration).

Full changelog: https://github.com/digitaldev-lx/laravel-eupago/blob/master/CHANGELOG.md

Assets 2
Loading