academe / Omnipay-Wirecard

Wirecard payment gateway driver for the Omnipay
GNU Lesser General Public License v3.0

Support additional completePurchase checking #12

Open judgej opened 5 years ago

judgej commented 5 years ago

The Checkout Page complete function validates the signature of the inbound response brought back from the gateway with the user. This ensures the response has not been tampered with by the user.

An additional check needs to be made to ensure the response is for the correct payment, i.e. the correct transactionId. The application would normally do this, but an enhancement here forces this check on the application for a little enhanced security.

To do this, the Omnipay\Wirecard\Message\Checkout\Page\Complete class is split into Omnipay\Wirecard\Message\Checkout\Page\CompleteRequest and Omnipay\Wirecard\Message\Checkout\Page\Response.

This allows the transactionId to be set for the completePurchase()/completeAuthorize() methods. That ID will be the original transactionId the user was redirected to the gateway with. The response to this will always return false for isSuccessful() if the transactionId returned from the gateway is not the same as the one expected.

The response will still be generated, whether the signature is invalid or the transactionId is incorrect, so the results can still be logged. They just will never be marked as successful.
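A sketch of the behaviour this issue describes, added here as an example and not taken from the driver's code: the response is always built and stays readable for logging, but `isSuccessful()` is true only when both the signature and the expected transactionId match. The class name, field names and the HMAC-SHA512 signing scheme are assumptions standing in for the gateway's real fingerprint format.

```php
<?php
// Hypothetical stand-in for the driver's completion response (illustration only).
final class ExampleCompleteResponse
{
    public function __construct(
        public readonly array $data,           // fields carried back by the user; kept for logging
        private string $secret,                // merchant secret shared with the gateway
        private ?string $expectedTransactionId // ID the user was redirected to the gateway with
    ) {}

    // Assumption: HMAC-SHA512 over the values in sorted key order.
    public static function sign(array $fields, string $secret): string
    {
        unset($fields['signature']);
        ksort($fields);
        return hash_hmac('sha512', implode('|', $fields), $secret);
    }

    public function isSignatureValid(): bool
    {
        $given = (string) ($this->data['signature'] ?? '');
        return hash_equals(self::sign($this->data, $this->secret), $given);
    }

    public function isExpectedTransaction(): bool
    {
        $returned = (string) ($this->data['transactionId'] ?? '');
        // A missing expectation fails closed: no ID set means never successful.
        return $this->expectedTransactionId !== null
            && hash_equals($this->expectedTransactionId, $returned);
    }

    public function isSuccessful(): bool
    {
        return $this->isSignatureValid()
            && $this->isExpectedTransaction()
            && ($this->data['paymentState'] ?? '') === 'SUCCESS';
    }
}

// Constructed sample: one validly signed response, checked against two expected IDs.
$secret = 'constructed-test-secret';
$fields = ['transactionId' => 'order-1001', 'paymentState' => 'SUCCESS', 'amount' => '10.00'];
$fields['signature'] = ExampleCompleteResponse::sign($fields, $secret);

foreach (['order-1001', 'order-1002'] as $expected) {
    $r = new ExampleCompleteResponse($fields, $secret, $expected);
    printf("expected=%s signatureValid=%s successful=%s\n", $expected,
        var_export($r->isSignatureValid(), true), var_export($r->isSuccessful(), true));
}
```

The second iteration shows the case the signature check alone does not catch: the signature is valid, yet the response belongs to a different payment and is not marked successful.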