Comparing the Response and the Hash

SDKSupport
Comparing the Response and the Hash

The idea is that we return a Hash value in the response of the transaction. This is part of the raw response. A developer should:

  1. Take the raw response and json decode it to retrieve the "Response" and the "Hash".
  2. Take the "Response" and calculate the SHA512 HMAC.
  3. Take the resulting value and Base64 encode it.
  4. Then compare the final value with the original "Hash" that was sent in the response.
  5. If they are equal, then you have received a valid response. Otherwise the response is not the same as sent by the API.

Here is a PHP code snippet that performs this function (Response String is not valid, sample code will not work without a valid response string and Developer Key/Client Secret):

<?php

echo '<pre>';

$respString = '{"Response":{"status":"Approved","reference":"r3f3r3nc3","message":"APPROVED 000001                 ","code":"000001","cvvResult":"M","avsResult":" ","riskCode":"00","networkId":"10","isPurchaseCard":false,"vaultResponse":{"status":1,"data":"d4t4d4t4d4t4d4t4d4t4"},"orderNumber":"Invoice110","transactionId":"tr4n54ct10n1d","timestamp":"2016-09-09T14:28:20.5631387-04:00"},"Hash":"2fYH9fcK95F1iyAWOC7yeiVy3EzP5UniLQB/LdlH8y7xewpHk0rozGyi9nZrLsk6nzpltoq4mD/fsP1qxjl42B=="}';

// Decode the raw response and separate the "Response" from its "Hash".
$respObj = json_decode($respString);
$resp = json_encode($respObj->Response);
$hash = $respObj->Hash;

echo 'Raw Response: ' . $respString;
echo '<br>';
echo 'Response: ' . $resp;
echo '<br>';
echo 'Hash: ' . $hash;
echo '<br>';

// Raw HMAC-SHA512 of the response string, keyed with the client secret, then Base64-encoded.
$calcHash = base64_encode(hash_hmac('sha512', $resp, '[INSERT CLIENT SECRET]', true));

echo 'Calc Hash: ' . $calcHash;
echo '<br>';

// hash_equals() compares the two values in constant time, unlike ===.
echo 'Hashes match: ' . (hash_equals($calcHash, $hash) ? "true" : "false");
echo '<br>';

echo '</pre>';

?>

thomash
Re: Comparing the Response and the Hash

This is an update to the process that affects users of PaymentsJS 1.0.1 and 1.0.2. The response string changed in these releases of PaymentsJS. Previously an integrator could use .getGatewayResponse() to retrieve the response string. However, that response string is now missing a few extra elements necessary for the hash. Instead it is necessary to utilize .getResponseHash() and parse out the response and hash into their individual pieces. This will provide response JSON that will properly hash. 

 

Example of .getGatewayResponse():

{"status":"Approved","reference":"FBFH9me8C0","message":"APPROVED 000001","code":"000001","cvvResult":"M","avsResult":" ","riskCode":"00","networkId":"10","isPurchaseCard":false,"orderNumber":"Invoice43","transactionId":"YzYzZWYxOTc3MjU3MzAwZTY2ZWZlMTlkMDU2YjFlNDI","timestamp":"2017-11-15T09:47:39.5481191-05:00"}

 

Example of the parsed response from .getResponseHash():

{"requestId":"Invoice43","gatewayResponse":{"status":"Approved","reference":"FBFH9me8C0","message":"APPROVED 000001","code":"000001","cvvResult":"M","avsResult":" ","riskCode":"00","networkId":"10","isPurchaseCard":false,"orderNumber":"Invoice43","transactionId":"YzYzZWYxOTc3MjU3MzAwZTY2ZWZlMTlkMDU2YjFlNDI","timestamp":"2017-11-15T09:47:39.5481191-05:00"}}

 

Important Note: We have had a number of integrators report difficulty creating a calculated hash that matches the parsed hash from the response. We found that the integrators were using JSON.stringify to write the parsed response to a string in order to pass it to a PHP script and perform the hash function. We determined that the JSON.stringify function added extra quotes to the response, causing the calculated hash to be incorrect. In our sample you will see that our developer overcame this by writing the parsed response to a DIV in order to store it without alteration. If you have any questions please feel free to write to us at [email protected]. We're happy to help.

 

I have updated the example below. There is a much more detailed example within the "response" sample on our GitHub repository here.

<?php

echo '<pre>';

$respString = '{"response":{"requestId":"Invoice43","gatewayResponse":{"status":"Approved","reference":"FBFH9me8C0","message":"APPROVED 000001","code":"000001","cvvResult":"M","avsResult":" ","riskCode":"00","networkId":"10","isPurchaseCard":false,"orderNumber":"Invoice43","transactionId":"YzYzZWYxOTc3MjU3MzAwZTY2ZWZlMTlkMDU2YjFlNDI","timestamp":"2017-11-15T09:47:39.5481191-05:00"}},"hash":"6B2xDuYS0yEk246UKDr1ELvgKjeneI5cWEs3EFFTAtb4uKgRZGM2XjU/Os/RZPr90o5n8xORph+4QQw50RT33A=="}';

// Decode the raw response and separate the "response" from its "hash".
$respObj = json_decode($respString);
$resp = json_encode($respObj->response);
$hash = $respObj->hash;

echo 'Raw Response: ' . $respString;
echo '<br>';
echo 'Response: ' . $resp;
echo '<br>';
echo 'Hash: ' . $hash;
echo '<br>';

// Raw HMAC-SHA512 of the response string, keyed with the client secret, then Base64-encoded.
$calcHash = base64_encode(hash_hmac('sha512', $resp, '[INSERT CLIENT SECRET]', true));

echo 'Calc Hash: ' . $calcHash;
echo '<br>';

// hash_equals() compares the two values in constant time, unlike ===.
echo 'Hashes match: ' . (hash_equals($calcHash, $hash) ? "true" : "false");
echo '<br>';

echo '</pre>';

?>

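The hash check both posts describe, together with the JSON.stringify pitfall from the second post's note, as an added Node.js example (not code from either post or from the PaymentsJS samples). The secret, the payload, and the names `computeHash`, `verifyResponse` and `demo` are constructed for illustration.

```javascript
// Added example: server-side check of a response/hash pair.
const crypto = require('node:crypto');

const CLIENT_SECRET = 'constructed-demo-secret'; // placeholder, not a real key

// HMAC-SHA512 over the exact string bytes, Base64-encoded (steps 2 and 3).
function computeHash(responseJson, secret) {
  return crypto.createHmac('sha512', secret)
    .update(responseJson, 'utf8')
    .digest('base64');
}

// Step 4: constant-time comparison; wrong types or lengths are rejected first.
function verifyResponse(responseJson, receivedHash, secret) {
  if (typeof responseJson !== 'string' || typeof receivedHash !== 'string') {
    return false;
  }
  const expected = Buffer.from(computeHash(responseJson, secret), 'utf8');
  const received = Buffer.from(receivedHash, 'utf8');
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

function demo() {
  // Constructed payload in the shape of the parsed .getResponseHash() response.
  const signedJson = '{"requestId":"Invoice43","gatewayResponse":{"status":"Approved",' +
    '"message":"APPROVED 000001","avsResult":" ","isPurchaseCard":false,' +
    '"orderNumber":"Invoice43"}}';
  // Stands in for the hash the gateway would send alongside the response.
  const signedHash = computeHash(signedJson, CLIENT_SECRET);
  const check = (json, hash = signedHash) => verifyResponse(json, hash, CLIENT_SECRET);
  const parsed = JSON.parse(signedJson);

  return {
    exact: check(signedJson),
    // Stringifying an already-serialized string wraps it in quotes and escapes it.
    doubleStringified: check(JSON.stringify(signedJson)),
    // A compact round trip reproduces these bytes; any other formatting does not.
    compactRoundTrip: check(JSON.stringify(parsed)),
    prettyPrinted: check(JSON.stringify(parsed, null, 2)),
    tampered: check(signedJson.replace('Invoice43', 'Invoice44')),
    truncatedHash: check(signedJson, signedHash.slice(0, -4)),
  };
}

console.log(demo());
```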