
Support additional completePurchase checking #12

Open
judgej opened this issue Feb 16, 2019 · 0 comments
judgej commented Feb 16, 2019

The Checkout Page complete function validates the signature of the inbound response brought back from the gateway with the user. This ensures the response has not been tampered with by the user.

An additional check needs to be made to ensure the response is for the correct payment, i.e. the correct transactionId. The application would normally do this, but an enhancement here forces this check on the application for a little enhanced security.

To do this, the Omnipay\Wirecard\Message\Checkout\Page\Complete class is split into Omnipay\Wirecard\Message\Checkout\Page\CompleteRequest and Omnipay\Wirecard\Message\Checkout\Page\Response.

This allows the transactionId to be set for the completePurchase()/completeAuthorize() methods. That ID will be the original transactionId the user was redirected to the gateway with. The response to this will always return false for isSuccessful() if the transactionId returned from the gateway is not the same as the one expected.

The response will still be generated, whether the signature is invalid or the transactionId is incorrect, so the results can still be logged. They just will never be marked as successful.
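As an added illustration of the check described above (this is example code written for this issue, not the omnipay-wirecard code itself): a `CompleteRequest` takes the `transactionId` the application originally redirected with, and the `CompleteResponse` it builds only reports `isSuccessful()` when the signature verifies and the returned `orderNumber` matches that ID. The class names, the field names (`orderNumber`, `paymentState`, `amount`, `signature`) and the signing scheme (HMAC-SHA256 over the sorted fields with a shared secret) are assumptions chosen for the example; the real gateway's fingerprint rules are different. The response object is always constructed, so a mismatch or bad signature can still be logged.

```php
<?php
// Example code for issue #12, not the project's implementation. Class names,
// field names and the HMAC-based signature scheme below are assumptions.

final class CompleteResponse
{
    private array $data;
    private bool $signatureValid;
    private bool $transactionMatches;

    public function __construct(array $data, string $secret, string $expectedTransactionId)
    {
        $this->data = $data;
        $this->signatureValid = self::verifySignature($data, $secret);
        // Constant-time comparison; a missing orderNumber counts as a mismatch.
        $this->transactionMatches = isset($data['orderNumber'])
            && hash_equals($expectedTransactionId, (string) $data['orderNumber']);
    }

    // Assumed signing scheme: HMAC-SHA256 over the sorted, URL-encoded fields.
    public static function sign(array $fields, string $secret): string
    {
        unset($fields['signature']);
        ksort($fields);
        return hash_hmac('sha256', http_build_query($fields), $secret);
    }

    private static function verifySignature(array $data, string $secret): bool
    {
        if (!isset($data['signature'])) {
            return false;
        }
        return hash_equals(self::sign($data, $secret), (string) $data['signature']);
    }

    // Never true unless the signature is valid AND the transaction matches.
    public function isSuccessful(): bool
    {
        return $this->signatureValid
            && $this->transactionMatches
            && ($this->data['paymentState'] ?? '') === 'SUCCESS';
    }

    public function getTransactionId(): ?string
    {
        return isset($this->data['orderNumber']) ? (string) $this->data['orderNumber'] : null;
    }

    public function getMessage(): string
    {
        if (!$this->signatureValid) {
            return 'Invalid response signature';
        }
        if (!$this->transactionMatches) {
            return 'Response is for a different transaction';
        }
        return (string) ($this->data['paymentState'] ?? 'Unknown state');
    }
}

final class CompleteRequest
{
    public function __construct(private array $query, private string $secret)
    {
    }

    // The application passes the transactionId it originally redirected with.
    public function send(string $transactionId): CompleteResponse
    {
        return new CompleteResponse($this->query, $this->secret, $transactionId);
    }
}

// Constructed sample data standing in for the gateway's redirect back to the merchant.
$secret = 'example-shared-secret';
$fields = ['orderNumber' => 'ORDER-1001', 'paymentState' => 'SUCCESS', 'amount' => '10.00'];
$fields['signature'] = CompleteResponse::sign($fields, $secret);

// Expected transaction: signature valid, IDs match.
$good = (new CompleteRequest($fields, $secret))->send('ORDER-1001');
var_dump($good->isSuccessful());

// Same valid signature, but the application was waiting for a different order.
$wrong = (new CompleteRequest($fields, $secret))->send('ORDER-2002');
var_dump($wrong->isSuccessful());
echo $wrong->getMessage(), PHP_EOL;

// Tampered amount: the signature no longer verifies, so it is logged but never successful.
$tampered = $fields;
$tampered['amount'] = '1.00';
$bad = (new CompleteRequest($tampered, $secret))->send('ORDER-1001');
var_dump($bad->isSuccessful());
echo $bad->getMessage(), PHP_EOL;
```

The point of keeping the two checks separate in the response is that `getMessage()` can tell the application which one failed, while `isSuccessful()` stays false in either case.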

judgej self-assigned this Feb 16, 2019
judgej added a commit that referenced this issue Feb 16, 2019
judgej added a commit that referenced this issue Feb 21, 2019
See Issue #12 

Changes to `completeAuthorize()` and `completePurchase()` to ensure the results of the transaction the user returns with are for the transaction the application was expecting. The authorization will not show as successful unless the `transactionId` matches.