Signature validation for return URL via InLine checkout
Overview
To start, you need to generate the InLine checkout content using the TwoCoInlineCart client.
At this step, you must add a product to your cart, set the return method, and set a previously generated cart payload signature.
TwoCoInlineCart.cart.setCurrency('USD');
TwoCoInlineCart.products.add({
code : 'TEST_PROD',
quantity: 1,
price : 29
});
TwoCoInlineCart.cart.setReturnMethod({
type: 'redirect',
url : 'https:\/\/yourbackend.com\/'
});
TwoCoInlineCart.cart.setSignature('314cfb1f277ef89f9f3735517...........1c62abee466c9d1774bf1e4655f0');
After triggering TwoCoInlineCart.cart.checkout(); the InLine checkout will initialize in the new iframe.
In case of a valid signature, the cart will boot and the shopper can complete the order. Otherwise, he will see an empty cart page.
In case of a valid signature and successful order placing, the shopper is redirected to the page you have defined in the return parameters. The return URL is appended with some return parameters which are refno, total, total-currency, all of them are signed and their signature should be present in the query parameters.
In the backend, you need to gather all these parameters and validate the parameters' hash you generate with the new signature appended to the return-URL.
To generate the hash and validate the return URL, follow the steps below.
Build the InLine Checkout Signature
To sign an InLine checkout buy-link, you need to follow these steps:
- Sort the parameters that require a signature alphabetically.
- Serialize the parameters and append to them the length of their values.
- Concatenate the resulting values.
- The serialized value is then encrypted with your Buy-Link Secret Word using the HMAC method (algorithm sha256).
- The resulting value is added to the buy-link under the signature parameter.
In order to generate a valid InLine checkout signature, you should include all the parameters from the return URL, except the signature.
Example
When encrypting the values to generate the signature, for the return-url parameter, use an URL with the following structure: https://..... Do not use an encoded URL.
1. Let's consider the following parameters:
- refno = 11606896
- total = 29
- total-currency = USD
The regular return link will have the following structure:
https://www.yourbackend.com/?refno=11606896&total=29&total-currency=USD&signature=08448c91bbb314cfb1f277ef89f9f37355171c62abee466c9d1774bf1e4655f0
2. Sort the parameters alphabetically: refno, total, total-currency.
3. Serialize the values. To serialize a value, you need to append before it the number of letters or digits a value has. For example, the return-type parameter has the 'redirect' value that will be serialized as '8redirect'', where 8 is the number of characters that make up the value.
- refno - 811606896
- total - 229
- total-currency - 3USD
4. Concatenate the values: 118116068962293USD
5. Encrypt using your Secret Word
The serialized value is then encrypted using the HMAC method.
- the algorithm used is sha256
- the key used when encrypting is the merchant secret word (in this example, the secret word is 'vendor-secret-key')
This outputs a 64 character string:
08448c91bbb314cfb1f277ef89f9f37355171c62abee466c9d1774bf1e4655f0
Also, you can use HashValidationTool:
<?php
class HashValidationTool
{
const SHA_256 = 'sha256';
private $params;
private $signature;
private $key;
/**
* HashValidationTool constructor.
*
* @param string $key
*/
public function __construct(string $key)
{
$this->key = $key;
}
/**
* @return string
*/
private function encrypt(): string
{
$serialized = $this->serializeParameters($this->params);
if (strlen($serialized) > 0) {
echo 'Success: serialized params - ' . $serialized . PHP_EOL;
return bin2hex(hash_hmac(self::SHA_256, $serialized, $this->key, true));
} else {
echo 'Error: serialization parameters are empty' . PHP_EOL;
return '';
}
}
/**
* @param string $url
*
* @return bool
*/
public function validate(string $url): bool
{
$this->setUrl($url);
return $this->encrypt() === $this->signature;
}
/**
* @param array $array
*
* @return string
*/
private function serializeParameters(array $array): string
{
ksort($array);
$serializedString = '';
foreach ($array as $value) {
if (is_array($value)) {
$serializedString .= $this->serializeParameters($value);
} else {
$serializedString .= strlen($value) . $value;
}
}
return $serializedString;
}
/**
* @param string $url
*/
private function setUrl(string $url): void
{
$urlParts = parse_url($url);
parse_str($urlParts['query'], $this->params);
$this->signature = $this->params['signature'];
unset($this->params['signature']);
}
}
$hashValidationTool = new HashValidationTool('vendor-secret-key');
if ($hashValidationTool->validate('https://www.yourbackend.com/?merchant=YOUR_VENDOR_CODE¤cy=USD&return-url=https://yourbackend.com/&return-type=redirect&tpl=default&prod=TEST_PROD&price=29&qty=1&refno=11606896&total=29&total-currency=USD&signature=95052ee0c558b53040e97d7d81add2e0f1400ca0936a558910c68ddc8301fc63')) {
echo 'valid';
} else {
echo 'invalid';
}
The successful order placement flow with a valid signature for the InLine checkout is described in the following diagram.