From 6ba1fe92d5db39319fa438571a9d3e617e32237b Mon Sep 17 00:00:00 2001
From: Pinga <121483313+getpinga@users.noreply.github.com>
Date: Tue, 13 Feb 2024 09:05:54 +0200
Subject: [PATCH] Security updates for Adyen module

---
 cp/app/Controllers/FinancialsController.php | 21 ++++++++++++++++++++-
 cp/env-sample | 3 +++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/cp/app/Controllers/FinancialsController.php b/cp/app/Controllers/FinancialsController.php
index 7798b8c..d88fa1a 100644
--- a/cp/app/Controllers/FinancialsController.php
+++ b/cp/app/Controllers/FinancialsController.php
@@ -381,6 +381,25 @@ class FinancialsController extends Controller
 {
 $data = json_decode($request->getBody()->getContents(), true);
 $db = $this->container->get('db');
+
+ // Basic auth credentials
+ $username = envi('ADYEN_BASIC_AUTH_USER');
+ $password = envi('ADYEN_BASIC_AUTH_PASS');
+
+ // Check for basic auth header
+ if (!isset($_SERVER['PHP_AUTH_USER'])) {
+ return $response->withStatus(401)->withHeader('WWW-Authenticate', 'Basic realm="MyRealm"');
+ }
+
+ // Validate username and password
+ if ($_SERVER['PHP_AUTH_USER'] != $username || $_SERVER['PHP_AUTH_PW'] != $password) {
+ $response = $response->withStatus(403)->withHeader('Content-Type', 'application/json');
+ $response->getBody()->write(json_encode(['forbidden' => true]));
+ return $response;
+ }
+
+ $hmac = new \Adyen\Util\HmacSignature();
+ $hmacKey = envi('ADYEN_HMAC_KEY');
 foreach ($data['notificationItems'] as $item) {
 $notificationRequestItem = $item['NotificationRequestItem'];
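Review bot: The credential check on the `!=` line compares the configured secrets with loose, non-constant-time comparison and reads `$_SERVER['PHP_AUTH_PW']` without the `isset` guard that protects the user field; compare both values with `hash_equals()` instead: `if (!hash_equals((string) $username, (string) ($_SERVER['PHP_AUTH_USER'] ?? '')) || !hash_equals((string) $password, (string) ($_SERVER['PHP_AUTH_PW'] ?? ''))) {`. If `envi()` yields null or an empty string for an unset variable (its behaviour is not visible here), an unconfigured `ADYEN_BASIC_AUTH_USER`/`ADYEN_BASIC_AUTH_PASS` would match a request carrying empty credentials, so the handler should also return 403 when either configured value is empty rather than fall through to the comparison. The realm string `MyRealm` reads as a placeholder and should be given a project-specific name. The enclosing method starts before this hunk and continues past it.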
@@ -389,7 +408,7 @@ class FinancialsController extends Controller
 $merchantReference = $notificationRequestItem['merchantReference'] ?? null;
 $paymentStatus = $notificationRequestItem['success'] ?? null;
- if ($merchantReference && $paymentStatus) {
+ if ($merchantReference && $paymentStatus && $hmac->isValidNotificationHMAC($hmacKey, $notificationRequestItem)) {
 try {
 $amountPaid = $notificationRequestItem['amount']['value']; // Amount paid, in cents
 $amount = $amountPaid / 100;
diff --git a/cp/env-sample b/cp/env-sample
index 9f638ca..2a48c82 100644
--- a/cp/env-sample
+++ b/cp/env-sample
@@ -31,5 +31,8 @@ ADYEN_API_KEY='adyen-api-key'
 ADYEN_MERCHANT_ID='adyen-merchant-id'
 ADYEN_THEME_ID='adyen-theme-id'
 ADYEN_BASE_URI='https://checkout-test.adyen.com/v70/'
+ADYEN_BASIC_AUTH_USER='adyen-basic-auth-user'
+ADYEN_BASIC_AUTH_PASS='adyen-basic-auth-pass'
+ADYEN_HMAC_KEY='adyen-hmac-key'
 TEST_TLDS=.test,.com.test
\ No newline at end of file
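Review bot: Folding `$hmac->isValidNotificationHMAC($hmacKey, $notificationRequestItem)` into the same condition as `$merchantReference && $paymentStatus` means an item whose signature fails verification is silently skipped instead of rejected, so a tampered or mis-keyed notification produces no error and, as far as this hunk shows, no log entry. Verify the signature first and treat failure as its own outcome, e.g. `if (!$hmac->isValidNotificationHMAC($hmacKey, $notificationRequestItem)) { /* log the pspReference and return a non-2xx response */ }` ahead of the existing condition, so operators can distinguish a bad key from an item that merely lacks fields. Separately, `$paymentStatus` is only tested for truthiness; if Adyen delivers `success` as the string `'false'`, failed payments still enter this branch, so compare against `'true'` explicitly. The loop body continues outside the hunk.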