zydronium/getnamingo-registry
1
0
Fork 0
mirror of https://github.com/getnamingo/registry.git synced 2025-07-22 10:36:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

Security updates for Adyen module

Browse source
This commit is contained in:
Pinga 2024-02-13 09:05:54 +02:00
parent 3884f480ad
commit 6ba1fe92d5
2 changed files with 23 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

21
cp/app/Controllers/FinancialsController.php
View file

@ -381,6 +381,25 @@ class FinancialsController extends Controller
{
$data = json_decode($request->getBody()->getContents(), true);
$db = $this->container->get('db');
// Basic auth credentials
$username = envi('ADYEN_BASIC_AUTH_USER');
$password = envi('ADYEN_BASIC_AUTH_PASS');
// Check for basic auth header
if (!isset($_SERVER['PHP_AUTH_USER'])) {
return $response->withStatus(401)->withHeader('WWW-Authenticate', 'Basic realm="MyRealm"');
}
// Validate username and password
if ($_SERVER['PHP_AUTH_USER'] != $username || $_SERVER['PHP_AUTH_PW'] != $password) {
$response = $response->withStatus(403)->withHeader('Content-Type', 'application/json');
$response->getBody()->write(json_encode(['forbidden' => true]));
return $response;
}
$hmac = new \Adyen\Util\HmacSignature();
$hmacKey = envi('ADYEN_HMAC_KEY');
foreach ($data['notificationItems'] as $item) {
$notificationRequestItem = $item['NotificationRequestItem'];
@ -389,7 +408,7 @@ class FinancialsController extends Controller
$merchantReference = $notificationRequestItem['merchantReference'] ?? null;
$paymentStatus = $notificationRequestItem['success'] ?? null;
if ($merchantReference && $paymentStatus) {
if ($merchantReference && $paymentStatus && $hmac->isValidNotificationHMAC($hmacKey, $notificationRequestItem)) {
try {
$amountPaid = $notificationRequestItem['amount']['value']; // Amount paid, in cents
$amount = $amountPaid / 100;