Payment Response
Code samples to generate and verify signature hash for the data received as query parameters in redirection after payment completion.
- Golang
- PHP
- NodeJS
- C#
- Java
- Python
import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
)
type PaymentResponse struct {
OrderRef string
ChannelOrderRef string
MerchantOrderRef string
Status string
Signature string
}
func VerifySignature(paymentResponse PaymentResponse, secretKey string) bool {
params := make(url.Values)
params.Add("order_ref", paymentResponse.OrderRef)
params.Add("channel_order_ref", paymentResponse.ChannelOrderRef)
params.Add("merchant_order_ref", paymentResponse.MerchantOrderRef)
params.Add("status", paymentResponse.Status)
data = params.Encode()
secret := []byte(secretKey)
message := []byte(data)
hash := hmac.New(sha256.New, secret)
hash.Write(message)
hash_value := base64.StdEncoding.EncodeToString(hash.Sum(nil))
// compare this hash_value to one received in payment response
if hash_value != paymentResponse.Signature {
println("Hash verification failed, not from valid source")
return false
} else {
println("Hash verification succeded")
return true
}
}
<?php
function VerifySignature($responseObj, $secretKey) {
$signature_hash = $responseObj['signature_hash'];
$data = array(
'order_ref' => $responseObj['order_ref'],
'merchant_order_ref' => $responseObj['merchant_order_ref'],
'channel_order_ref' => $responseObj['channel_order_ref'],
'status' => $responseObj['status'],
);
}
ksort($data);
$message = http_build_query($data);
$hash_value = base64_encode(hash_hmac('sha256', $message, $secretKey, true));
if ($hash_value !== $signature_hash) {
echo "Hash verification failed, not from valid source";
return false;
} else {
echo "Hash verification succeeded";
return true;
}
}
?>
var url = require('url');
var crypto = require('crypto');
function VerifySignature(responseObj, secretKey) {
const params = new URLSearchParams();
params.append('order_ref', responseObj.order_ref);
params.append('channel_order_ref', responseObj.channel_order_ref);
params.append('merchant_order_ref', responseObj.merchant_order_ref);
params.append('status', responseObj.status);
params.sort();
var message = params.toString()
var hash_value = crypto.createHmac('sha256', secretKey).update(message).hash.digest('base64');
if(hash_value !== responseObj.signature_hash){
console.log("Hash verification failed, not from valid source")
return false;
} else{
console.log("Hash verification succeded")
return true;
}
}
using System;
using System.Security.Cryptography;
using System.Collections.Specialized;
class PaymentResponse {
string OrderRef,
string ChannelOrderRef,
string MerchantOrderRef,
string Status,
string Signature,
}
namespace Signature {
public class Signature {
private bool VerifySignature(PaymentResponse paymentResponse, string secret) {
NameValueCollection myCollection = System.Web.HttpUtility.ParseQueryString(string.Empty);
myCollection.Add("order_ref", paymentResponse.OrderRef);
myCollection.Add("channel_order_ref", paymentResponse.ChannelOrderRef);
myCollection.Add("merchant_order_ref", paymentResponse.MerchantOrderRef);
myCollection.Add("status", paymentResponse.Status);
string message = myCollection.ToString();
var encoding = new System.Text.ASCIIEncoding();
byte[] keyByte = encoding.GetBytes(secret);
byte[] messageBytes = encoding.GetBytes(message);
var hmacsha256 = new HMACSHA256(keyByte);
byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
string hash_value = Convert.ToBase64String(hashmessage);
if (hash_value !== paymentResponse.Signature) {
Console.WriteLine("Hash verification failed, not from valid source")
return false;
} else {
Console.WriteLine("Hash verification succeded")
return true;
}
}
}
}
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
class PaymentResponse {
string OrderRef,
string ChannelOrderRef,
string MerchantOrderRef,
string Status,
string Signature,
}
public class ApiSecurityExample {
public static String mapToString(PaymentResponse paymentResponse, String secret) {
StringBuilder stringBuilder = new StringBuilder();
Map < String, String > map;
map["order_ref"] = paymentResponse.OrderRef;
map["channel_order_ref"] = paymentResponse.ChannelOrderRef;
map["merchant_order_ref"] = paymentResponse.MerchantOrderRef;
map["status"] = paymentResponse.Status;
for (String key: map.keySet()) {
if (stringBuilder.length() > 0) {
stringBuilder.append("&");
}
String value = map.get(key);
try {
stringBuilder.append((key != null ? URLEncoder.encode(key, "UTF-8") : ""));
stringBuilder.append("=");
stringBuilder.append(value != null ? URLEncoder.encode(value, "UTF-8") : "");
} catch (UnsupportedEncodingException e) {
throw new RuntimeException("This method requires UTF-8 encoding support", e);
}
}
String message = stringBuilder.toString();
Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
sha256_HMAC.init(secret_key);
String hash_value = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));
if (hash_value !== paymentResponse.Signature) {
System.out.println("Hash verification failed, not from valid source")
return false;
} else {
System.out.println("Hash verification succeded")
return true;
}
}
}
#!/usr/bin/python
# -*- coding: utf-8 -*-
import urllib
import hashlib
import hmac
import base64
class responseObj:
def __init__(self, OrderRef, ChannelOrderRef, MerchantOrderRef, Status, Signature):
# Instance Variable
self.OrderRef = OrderRef
self.ChannelOrderRef = ChannelOrderRef
self.MerchantOrderRef = MerchantOrderRef
self.Status = Status
self.Signature = Signature
def GenerateSignature(responseObj, secretKey):
f = {
'order_ref': responseObj.OrderRef,
'channel_order_ref': responseObj.ChannelOrderRef,
'merchant_order_ref': responseObj.MerchantOrderRef,
'status': responseObj.Status,
}
message1 = urllib.urlencode(f)
message = bytes(message1).encode('utf-8')
secret = bytes(secretKey).encode('utf-8')
signature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest())
if (signature !== responseObj.Signature) {
Print("Hash verification failed, not from valid source")
return false;
} else {
Print("Hash verification succeded")
return true;
}