paytrail / api-documentation

Paytrail Payment API documentation
MIT License
6 stars 11 forks source link

More detailed HMAC examples to use in other languages #26

Closed niklaswulff closed 2 years ago

niklaswulff commented 2 years ago

I would like a concise example of calculating HMAC signature, with step by step instructions and partial results.

I'm using C#, so the examples are not 100% usable to me. I would like to see more detailed steps to be able to figure out where the calculation I perform isn't producing the same HMAC as in the example

For instance: return crypto.createHmac('sha256', secret).update(hmacPayload).digest('hex');

I would like to find the exact C# equivalent, so using a very simple hmacPayload, what would the output be?

const hmacPayload = 'asdf';
const result = crypto.createHmac('sha256', secret).update(hmacPayload);
result = '????'

and what does the "digest(hex)" do?

result.digest('hex') = '????'

Kepe123 commented 2 years ago

Just got it work with C# today

var requestHeaders = new Dictionary<string, string>() { { "checkout-account", "375917" }, { "checkout-algorithm", "sha256" }, { "checkout-method", "POST" }, { "checkout-nonce", "564635208570146" }, { "checkout-timestamp", "2022-04-08T10:01:31.904Z" } };

var secretKey = "SAIPPUAKAUPPIAS"; string getHMACPayLoad(Dictionary<string, string> headers, string body) { var headerPart = ""; foreach (var item in (headers.OrderBy(x => x.Key).ToDictionary(y => y.Key, y => y.Value))) { headerPart += $"{item.Key}:{item.Value}\n"; } //Minimize body json var bodyPart = JsonConvert.SerializeObject(JsonConvert.DeserializeObject(body)); return headerPart + bodyPart; }

static string getHMac256String(string secretKey, string message) { var encoding = new UTF8Encoding(); var hash = new HMACSHA256(encoding.GetBytes(secretKey)); var hmac = hash.ComputeHash(encoding.GetBytes(message)); return BitConverter.ToString(hmac).Replace("-", "").ToLower(); }

//Get Signature For Header var payLoad = getHMACPayLoad(requestHeaders, requestBody); Console.WriteLine(getHMac256String(secretKey, payLoad));

niklaswulff commented 2 years ago

Great, thanks @Kepe123 !

The Json handling of body content was my weak part, the rest I had exactly as you. I'm still unsure on how to properly unit test this, as the examples in the documentation is a bit unclear on the exact body content. Do you have any good data that I can use to verify?

mikkorantalainen commented 2 years ago

I think the specification should also define the collation order for "alphabetic order" needed for the checksum calculation. I would assume the spec actually means ASCII ordering but it should be defined explicitly.

Kepe123 commented 2 years ago

Great, thanks @Kepe123 !

The Json handling of body content was my weak part, the rest I had exactly as you. I'm still unsure on how to properly unit test this, as the examples in the documentation is a bit unclear on the exact body content. Do you have any good data that I can use to verify?

I first tested with an empty body and then with only the "stamp" field in body json until the error in response was something else than "signature mismatch". Then used the same json as in their examples section to successfully fetch the full results (Stamp propably should change between requests or there was "stamp already used" etc. error).

var requestBody = @"{ ""stamp"": ""29858472953"", ""reference"": ""9187445"", ""amount"": 1590, ""currency"": ""EUR"", ""language"": ""FI"", ""items"": [ { ""unitPrice"": 1590, ""units"": 1, ""vatPercentage"": 24, ""productCode"": ""#927502759"", ""deliveryDate"": ""2018-03-07"", ""description"": ""Cat ladder"", ""category"": ""Pet supplies"" } ], ""customer"": { ""email"": ""erja.esimerkki@example.org"", ""firstName"": ""Erja"", ""lastName"": ""Esimerkki"", ""phone"": ""+358501234567"", ""vatId"": ""FI12345671"" }, ""deliveryAddress"": { ""streetAddress"": ""Hämeenkatu 6 B"", ""postalCode"": ""33100"", ""city"": ""Tampere"", ""county"": ""Pirkanmaa"", ""country"": ""FI"" }, ""invoicingAddress"": { ""streetAddress"": ""Testikatu 1"", ""postalCode"": ""00510"", ""city"": ""Helsinki"", ""county"": ""Uusimaa"", ""country"": ""FI"" }, ""redirectUrls"": { ""success"": ""https://ecom.example.org/success"", ""cancel"": ""https://ecom.example.org/cancel"" }, ""callbackUrls"": { ""success"": ""https://ecom.example.org/success"", ""cancel"": ""https://ecom.example.org/cancel"" } }";

niklaswulff commented 2 years ago

Sounds like a smart approach, I will use the same. :-)

I haven't seen any detailed error messages though, only 401, gotta look harder.

niklaswulff commented 2 years ago

@Kepe123 , I'm really not getting the signature correct...

With the headers that you sent on 28/4 8:17 PM, and an empty body - what HMAC should I expect? It's so frustrating to simply get "signature mismatch", and not having better test data.

niklaswulff commented 2 years ago

@Kepe123 I have now finally managed to recreate the example HMACS.

But I get "signature mismatch" when calling Paytrail, even when I'm using their example payloads, which is kind of strange. This is my C# code for doing the HTTP Post, is there something wrong here?

    var httpRequestMessage = new HttpRequestMessage
    {
        Method = HttpMethod.Post,
        RequestUri = new Uri(CreatePaymentUrl),
        Headers = {
            { HttpRequestHeader.ContentType.ToString(), "application/json; charset=utf-8" },
            { HttpRequestHeader.Accept.ToString(), "application/json" },
            { "signature", signature },
        },
        Content = new StringContent(requestBody)
    };

     createPaymentNewPayTrail = new CreatePaymentNewPayTrail
        {
            Secret = "SAIPPUAKAUPPIAS",
            AccountId = "375917",
            Nonce = "564635208570151",
            TimeStamp = "2018-07-06T10:01:31.904Z",
    // Sample data from Paytrail...
        };

        foreach (var header in createPaymentNewPayTrail.Headers)
        {
            httpRequestMessage.Headers.Add(header.Key, header.Value);
        }

       var response = await client.SendAsync(httpRequestMessage);
supernallin commented 2 years ago

@niklaswulff Did you ever get this sorted out? I'm having trouble as well. I think I have the HMAC created finally as I am not getting the signature mismatch error anymore, but now I'm getting a 'bad request' error when doing a API call through the httpclient.

mikkorantalainen commented 2 years ago

{ "signature", signature },

How do you compute the signature? That part was missing from your example. Note that the header names must start with literal string checkout- to be included in the signature.

johannwalder commented 2 years ago

I was able to get it working with the code above for requests that have an empty body, i.e. getting payment methods, but for this to work the following line needs to be changed

var bodyPart = JsonConvert.SerializeObject(JsonConvert.DeserializeObject(body));

as otherwise the bodyPart will contain "null" instead of "" which creates an invalid signature.

jfrojd-paytrail commented 2 years ago

Great to see that a solution was found. Adding examples to more languages is a thing we are currently looking at and hope to provide more examples in the future.