Support for CSOB eAPI 1.9

[andreasferber]

In April CSOB released a new version of the eAPI and recently they announced that they're going to stop supporting certain features (eg. Click to Pay) through older API versions later this year. Are you planning to update the library for the new API version, and if so, do you have a rough ETA?

[ondrakoupil]

Thanks for noticing, I'll update the library to support new API version. Hopefully, I'll find some time to do that in few weeks time.

[skrty]

Hi, do you have an estimate when this will be done?

[ondrakoupil]

There is a branch called dev-api-1.9 that supports API 1.9 and covers most of the changes that were made to the API. Please can you give it a try, test it in your app or e-shop and let me know if anything goes wrong? If everything works, I'll release it publicly.

[vzikmund]

Hello, i tried the branch on our e-shop. Payment with card works as expected. We are implementing Google Pay via CSOB so i tried that. Method googlepay/echo works perfectly and all necessary data are retrieved from Google. Next method which needs to be called is googlepay/init.

Payload sent to the endpoint is processed successfully and API response is retrieved in following format:

{"payId":"05555d4ab6ce@HI","resultCode":0,"resultMessage":"OK","paymentStatus":1,"dttm":"20220915163446","signature":"bWya1/gdFx7hIcw8dzDrf67cn5APXWzFRK7LVqKSr8fMVUoDX2Uw0OO64h6UI2bnT95dYMt4Tt5BwGNONKdrNy+xEugApaIJ8AdvuI6eIKB9GEyMmIZKwlYKAT0mpIwaobWeZcOsCY7jcgUuAFaSF8Wyy6qnsYqKQt1PTnQ3LwUfHysE3teS5PIl1+s5OpSZP0i4LdRcM6gTNtsx5I/tVxEz9egROOVLvyRMV7qMg3MfYAFg3juurTg0+2KtHDhIo6/gAJDFHPq/inRqaHbAFD2JCaYs4fZfa2FgIwT4MeJXvWStsflxSucy5qx+F+iOuhlKXrKhc2NVJfC7cAecOg==","actions": {"fingerprint": {"browserInit":{"url":"https://iplatebnibrana.csob.cz/pay/herni-kupony.cz/58b46d43-dae7-4295-8cb2-fe6a81f18409/3ds/method","method":"GET","vars":{}}}}}

After response is retrieved, signature validation starts... but it fails:

String for verifying signature: "05555d4ab6ce@HI|0|OK|1|20220915163446|https://iplatebnibrana.csob.cz/pay/herni-kupony.cz/58b46d43-dae7-4295-8cb2-fe6a81f18409/3ds/method|GET", using key /path_to_app_dir/csob/keys/brana_test/mips_iplatebnibrana.csob.cz.pub
Failed: signature is incorrect.

I am not sure if I configurated the request correctly or if there is different problem. I tried to define $expectedOutputFields but without any luck.

My request:

$response = $this->client->customRequest(
            'googlepay/init',
            [
                "merchantId" => "",
                "orderNo" => (string)$idOrder,
                "dttm" => "",
                "clientIp" => getIP(),
                "totalAmount" => $priceCents,
                "currency" => strtoupper($currency),
                "closePayment" => true,
                "payload" => base64_encode(Json::encode($token)),
                "returnUrl" => 'htts://www.myweb.cz/return/csob',
            ]
        );

[ondrakoupil]

Hi @vzikmund, I tried various combinations of positions of the fields that goes into the signature verification, but with no success either.

Did it work with API 1.8? If you change in Config constructor $bankApiUrl to GatewayUrl::TEST_1_8 but keep everything else the same (while using the new branch), will it work?

Can you send me (ondra@ondrakoupil.cz) complete log of one example communication to both googlepay echo and init? I'll try some more tests and if it doesn't help, we'll ask CSOB directly. It might be something on their side, there is already an issue on similar manner (https://github.com/csob/paymentgateway/issues/634)

Until it is permanently solved, you can call customRequest() with $ignoreInvalidReturnSignature = true, so that it won't throw exception and return values retrieved from API even if the validation doesn't pass. The response signature validation is not mandatory.

[vzikmund]

Google Pay is new in API 1.9 therefore endpoints googlepay/* doesn't exist in API 1.8 and CSOB returns 404 error.

I sent you complete log on your e-mail.

Thank you!

[janbrasna]

The actions.fingerprint.* construct is new in the API so you probably don't have any routines handling this addition… but generally the digest to compare the signature seems legit AFAIK, can't tell why it should fail. The order seems correct. There are/were some woes in fields, keys, their order and digests… but most report it's working as intended since summer:

• https://github.com/csob/platebnibrana/issues/17

• https://github.com/csob/platebnibrana/issues/6

• https://github.com/csob/platebnibrana/issues/7

• https://github.com/csob/platebnibrana/issues/8

@vzikmund There's been an pilot GPay rollout at v1.8 with select merchants so the operations were there, it's just the merchant doesn't have them enabled hence the 404s. All those pilot integrations will be phased out anyways, so the only way to integrate now is through this authenticated flow with v1.9…

[ondrakoupil]

@vzikmund So, in the end, it is quite simple. The problem is in order of fields in response.

In bank's response, fields goes like this: payId, resultCode, resultMessage, paymentStatus, dttm etc. However their expected order according to docs is payId, dttm, resultCode, resultMessage etc. The field "dttm" is supposed to go on second position, but in response, it is on fifth.

Library's customRequest doesn't know the expected field order to create the signature base string, so it just joins them in the order they came in - or you need to supply the $responseFieldsOrder argument. In the case of googlepay/echo, the order in response was the same as the expected one, so it got validated, but it was basically only a coincidence.

This should work:

$client->customRequest(
  "googlepay/init",
  $inputPayload,
  array(
    'payId',
    'dttm',
    'resultCode',
    'resultMessage',
    '?paymentStatus',
    '?statusDetail',
    'actions'
  )
)

[vzikmund]

@ondrakoupil Thank you for the code snippet. I can confirm, that it is indeed working. Now I am able to complete payments even with Google Pay.

Thank you for your time and help :)

[vzikmund]

@ondrakoupil I have encountered one more issue. I created PR for it. May i ask you for checking it? https://github.com/ondrakoupil/csob/pull/40

[ondrakoupil]

@vzikmund Thanks for contribution. I added the changes also to base Client.php for those who install the library via composer. Changes are in 97469a3.

[vzikmund]

@ondrakoupil Thanks for the update. But i have one problem with the solution you pushed. There is a problem at line Client.php:1509 https://github.com/ondrakoupil/csob/blob/97469a3ffaaf7ee8dab711d92965a03e278e83ba/src/Client.php#L1509

This condition will generate notice Undefined index: merchantData because $_GET doesn't contain merchantData parameter at all. Therefore I used following in my PR:

if(array_key_exists("merchantData", $input)){

If we want to log merchantData only when parameter has value, the condition can be modified like this:

if(array_key_exists("merchantData", $input) && $input["merchantData"]){

[ondrakoupil]

@vzikmund Of course. I copied one part of your PR and forgot the other one. My mistake. Try b565a4b.

[vzikmund]

@ondrakoupil Thank you for the updates. It seems to be working now. I can confirm, that Google Pay payments are processed smoothly. Apple Pay payment will be probably also without any problem. But there is an issue on CSOB side which needs to be solved by them. https://github.com/csob/platebnibrana/issues/18

I very appreciate your contributions. Thank you once more 😊

[ondrakoupil]

@vzikmund Sure, updated library is available as v1.9.1 on Packagist. I am closing this issue now since its main topic is already solved. For new bugs or problems with particular methods, we'll open new issues.