fix: verification of hmac when completing purchase

aozisik · aozisik · commit e9c19083d6c5 · 2020-01-30T21:33:52.000+02:00
diff --git a/src/Messages/CompletePurchaseResponse.php b/src/Messages/CompletePurchaseResponse.php
@@ -9,7 +9,6 @@
 use Omnipay\EveryPay\Exceptions\MismatchException;
 use Omnipay\Common\Message\RedirectResponseInterface;
 use Omnipay\EveryPay\Exceptions\PaymentFailedException;
-use Omnipay\EveryPay\Support\SignedDataOptions;
 
 /**
  * Response
@@ -54,7 +53,7 @@ public function validateResponse()
             throw new MismatchException('Order reference returned by gateway does not match');
         }
 
-        if ($this->everyPayRequestHmac() !== $this->data['request']['hmac']) {
+        if (!$this->isAuthentic()) {
             throw new MismatchException('Invalid HMAC signature in the incoming request');
         }
 
@@ -75,21 +74,12 @@ public function getCardToken()
         return CardToken::make($this->data['request']);
     }
 
-    private function everyPayRequestHmac()
+    private function isAuthentic()
     {
-        $options = SignedDataOptions::gateway(
-            $this->request->getSecret()
-        )->dontInclude([
-            'utf8',
-            'hmac',
-            '_method',
-            'authenticity_token'
-        ]);
-
-        return SignedData::make(
+        return SignedData::verify(
             $this->data['request'],
-            $options
-        )['hmac'];
+            $this->request->getSecret()
+        );
     }
 
     public function getTransactionReference()
diff --git a/src/Support/SignedData.php b/src/Support/SignedData.php
@@ -24,6 +24,24 @@ public static function make(array $data, SignedDataOptions $options)
             ->toArray();
     }
 
+    public static function verify(array $data, $secret)
+    {
+        $candidateData = [];
+        $hmacFields = explode(',', $data['hmac_fields']);
+
+        foreach ($hmacFields as $field) {
+            $candidateData[] = $field . '=' . $data[$field];
+        }
+
+        $candidateHmac = hash_hmac(
+            'sha1',
+            implode('&', $candidateData),
+            $secret
+        );
+
+        return $data['hmac'] === $candidateHmac;
+    }
+
     public function sign()
     {
         $hmacPayload = [];
