Closed judgej closed 8 years ago
judgej
commented
8 years ago Where the check needs to be, I'm not sure. A hunch says it should be in the server request message, with a method to confirm (isValid()). Raising exceptions like some gateways do can make responding and logging the received details (valid or not) a lot more difficult.
judgej
commented
8 years ago Hash check implemented and documented.
You can only sent the TSOK response to the transaction status request if the hash verifies. This makes the portalKey mandatory when accepting a notification (see docs).
judgej
commented
8 years ago Having said that, on the test instance we get the same hash sent to us every time, regardless of the contents of the status message. That does not actually make the status message tamper-proof at all - it is more like including a password.
The transaction status notification message includes a hash that can be used to check if the received data is genuine or has been altered en-route. This hash is not checked at this time.
Details of how the has works can be found here:
https://github.com/fjbender/simple-php-integration#waiting-for-payment-confirmation