Incorrect signature generation for optional clientIp parameter of oneclick/init

[rootpd]

The library is trying to sign this payload:

{
    "merchantId": "M1MIPS1234",
    "origPayId": "**REDACTED**",
    "orderNo": "2243658000",
    "dttm": "20221128104945",
    "clientIp": null,
    "totalAmount": 33000,
    "currency": "CZK",
    "closePayment": false,
    "returnUrl": "http:\/\/crm.press:8080\/payments\/return\/gateway\/csob_one_click?VS=2243658000",
    "returnMethod": "POST",
    "customer": {
        "name": "Example User",
        "email": "user@example.com",
        "account": {
            "createdAt": "2018-09-07T09:24:00+02:00",
            "changedAt": "2022-02-28T08:15:58+01:00",
            "orderHistory": 0,
            "paymentsDay": 0,
            "paymentsYear": 0,
            "oneclickAdds": 0,
            "suspicious": false
        }
    },
    "clientInitiated": false,
    "merchantData": "",
}

This generates a signature base that includes empty clientIp (at the 5th position):

M1MIPS4264|54e89721af1ceDI|2243658000|20221128104945||33000|CZK|false|http://crm.press:8080/payments/return/gateway/csob_one_click?VS=2243658000|POST|Example User|user@example.com|2018-09-07T09:24:00+02:00|2022-02-28T08:15:58+01:00|0|0|0|0|false|false|

Based on the debug headers from CSOB, the actual base for signature was supposed to be:

M1MIPS4264|54e89721af1ceDI|2243658000|20221128104945|33000|CZK|false|http://crm.press:8080/payments/return/gateway/csob_one_click?VS=2243658000|POST|Example User|user@example.com|2018-09-07T09:24:00+02:00|2022-02-28T08:15:58+01:00|0|0|0|0|false|false|

[ondrakoupil]

It seems that bank expects clientIp to appear in the signature base if it is empty string and not to appear there if it is null. Client->paymentOneClickInit() method expected the $clientIp parameter to be string, but didn't check it or enforce it anyhow. I'll update it so that it won't matter.