commit c51acb9ccb74749c313740e81026bc2411ee9887
parent 8767a58082135c067d2e9b92142d32b59fb1bf5b
Author: NicholasFarrow <nicholas.w.farrow@gmail.com>
Date: Sat, 23 Jan 2021 01:12:21 +1100
trying to align webhook secrets
Diffstat:
2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/gateways/woo_btcpyment.php b/gateways/woo_btcpyment.php
@@ -42,6 +42,7 @@ add_action( 'plugins_loaded', 'btcpyment_init_gateway_class' );
function btcpyment_init_gateway_class() {
class WC_Btcpyment_Gateway extends WC_Payment_Gateway {
+ public static $secret = 0;
/**
* Class constructor
*/
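Review bot: `public static $secret = 0;` is never assigned on the new side — every `self::$secret` write and read this commit touches is commented out — so it should be dropped rather than left behind as mutable static state. A static property could not have served this purpose anyway: the webhook callback is handled in a separate PHP request from the one that built the payment URL, so a value stored during the redirect is gone by the time the callback arrives; recomputing the secret from the persisted order, as the later hunk does, is the right shape. The class body continues past this hunk.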
@@ -190,7 +191,7 @@ function btcpyment_init_gateway_class() {
$args = array(
'amount' => $order->get_total(),
'id' => $order->get_id(),
- 'w_url' => $order->callback_URL );
+ 'w_url' => $this->callback_URL );
// HASH??? FOR SECURE PAYMENTS?
// We calculate a secret seed for the order
@@ -200,13 +201,18 @@ function btcpyment_init_gateway_class() {
// This probably isn't unique... But will do for now.
write_log($args);
// https://stackoverflow.com/questions/3385685/
- $order_secret_seed = (int)$args['amount'] * 100.0 * $args['id'];
- // Calculate expected secret
- $order->secret = hash_hmac('sha256', $order_secret_seed, $order->BTCPyment_API_Key);
+ // $order_secret_seed = (int)$args['amount'] * 100.0 * $args['id'];
+ // write_log("Order secret seed:");
+ // write_log($order_secret_seed);
+ // Calculate expected secret
+ $key = hex2bin($this->BTCPyment_API_Key);
+ // self::$secret = hash_hmac('sha256', $order_secret_seed, $key);
+ // write_log("Secret");
+ // write_log(self::$secret);
$payment_url = add_query_arg(
$args,
- $order->btcpyment_server_url . "/pay"
+ $this->btcpyment_server_url . "/pay"
);
// Redirect to BTCPyment
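Review bot: `$key = hex2bin($this->BTCPyment_API_Key);` is dead on the new side of this hunk — the only consumer, the `self::$secret` line, is commented out — and the surrounding commented-out seed/secret lines should be deleted rather than kept as comments. If the conversion is meant to stay as an early sanity check on the configured key, then test its result, since `hex2bin()` returns `false` (with a warning) for an odd-length or non-hex string: `if ($key === false) { /* abort before building the payment URL */ }`; otherwise remove the line. Note that after this change the redirect carries `amount`, `id` and `w_url` with no signature from this side; whether that is acceptable depends on the server-side check, which is outside this hunk. The enclosing method starts before and ends after this hunk.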
@@ -227,16 +233,27 @@ function btcpyment_init_gateway_class() {
$now = time(); // current unix timestamp
$json = json_encode($_GET, JSON_FORCE_OBJECT);
- $key = hex2bin($order->BTCPyment_API_Key);
+ $key = hex2bin($this->BTCPyment_API_Key);
// Calculate expected signature
$valid_signature = hash_hmac('sha256', $_GET['time'] .'.'.$json, $key);
- write_log($order->secret);
- write_log(hex2bin($headers['X-Secret']));
+
+ // write_log("Secret within webhook:");
+ // write_log(self::$secret);
+ // write_log($headers['X-Secret']);
// Order secret must match to ensure inital payment url
// had not been tampered when leaving the gateway
- if (hex2bin($headers['X-Secret']) != $order->secret) {
+ // $secret = self::$secret;
+ $order_secret_seed = (int)$order->get_total() * 100.0 * $order->get_id();
+ $secret = hash_hmac('sha256', $order_secret_seed, $key);
+
+ write_log("Secret seed");
+ write_log($order_secret_seed);
+ write_log("Secret within webhook:");
+ write_log(bin2hex($secret));
+ write_log(bin2hex($headers['X-Secret']));
+ if (hex2bin($headers['X-Secret']) != $secret) {
header( 'HTTP/1.1 403 Forbidden' );
return 1;
}
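Review bot: The recomputed seed at `$order_secret_seed = (int)$order->get_total() * 100.0 * $order->get_id();` truncates the total to whole units before multiplying, because `(int)` binds tighter than `*`, whereas the Python side computes `int(100*float(amount))`; for any order with a fractional total the two seeds differ and every webhook is rejected. The comparison is also mismatched in form: `hash_hmac()` without `binary: true` returns a hex string while `hex2bin($headers['X-Secret'])` yields raw bytes, so if the server sends its `hexdigest()` value the `!=` test can never succeed — and a loose `!=` on a secret should be `hash_equals()` regardless. Suggested: `$order_secret_seed = (string)((int)round($order->get_total() * 100) * $order->get_id());` and `if (!isset($headers['X-Secret']) || !hash_equals($secret, strtolower($headers['X-Secret']))) {`, with the Python side switched to `round()` as well so both ends agree on cents. The `write_log(bin2hex($secret))` / `write_log(bin2hex($headers['X-Secret']))` lines write the expected per-order secret into the log, which lets anyone who can read the log forge this check for that order; remove them once alignment is confirmed. The enclosing webhook handler starts before this hunk.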
diff --git a/gateways/woo_webhook.py b/gateways/woo_webhook.py
@@ -10,7 +10,9 @@ def hook(btcpyment_secret, payload, payment):
# Calculate a secret that is required to send back to the
# woocommerce gateway, proving we did not modify id nor amount.
- secret_seed = bytes(int(100*float(payload['amount'])) * int(payload['id']))
+ secret_seed = str(int(100*float(payload['amount'])) * int(payload['id'])).encode('utf-8')
+ print("Secret seed: {}".format(secret_seed))
+
secret = hmac.new(key, secret_seed, hashlib.sha256).hexdigest()
# The main signature which proves we have paid, and very recently!