Why Validation Is Important
Validating incoming requests from PayPlus is a critical security measure. It ensures that the data you receive hasn't been tampered with and that it genuinely originated from PayPlus.
By verifying the hash and user-agent headers using your API secret key, you protect your system from:
- Spoofed Requests: Prevent attackers from sending fake data that appears to come from PayPlus.
- Data Integrity Issues: Ensure that the payload has not been altered during transmission.
- Unauthorized Access: Avoid processing requests that don’t come from a trusted source.
This validation step helps maintain the integrity, security, and trustworthiness of your integration with the PayPlus API.
How to confirm the authenticity of the data:
Here is a sample of the response:
{
  "results": {
    "status": "success",
    "code": 0,
    "description": "payment page link has been generated"
  },
  "data": {
    "page_request_uid": "0e8789bf-9eaf-4a07-9c16-0a348a4fd5d9",
    "payment_page_link": "http://localhost:8000/0e8789bf-9eaf-4a07-9c16-0a348a4fd5d9"
  }
}
And headers:
{
  "hash": "yb4ViUaVO6OFdF9iyISKtCi+cXTvWm0+3e/sQkPsNS0=",
  "user-agent": "PayPlus"
}
Sample function (Node.js) to verify the hash header (an HMAC-SHA256 signature of the body, not encrypted data):
const crypto = require('crypto');

const resolvePayPlusHash = (response, secret_key) => {
  if (!response) {
    return false;
  }
  // Only accept requests that identify themselves as PayPlus.
  if (response.headers['user-agent'] !== 'PayPlus') {
    return false;
  }
  // The hash is computed over the JSON body.
  const message = response.body && JSON.stringify(response.body);
  if (!message) {
    return false;
  }
  // The hash PayPlus sent with the request.
  const hash = response.headers['hash'];
  if (!hash) {
    return false;
  }
  // Recompute the HMAC-SHA256 of the body with your API secret key,
  // base64-encoded, and compare it with the hash header.
  const genHash = crypto.createHmac("sha256", secret_key)
    .update(message)
    .digest("base64");
  return genHash === hash;
}
This function is an example of how to validate a PayPlus response. This part:
const genHash = crypto.createHmac("sha256", secret_key)
  .update(message)
  .digest("base64");
return genHash === hash;
recomputes the HMAC-SHA256 of the body with your API secret key, encodes it in base64, and compares it with the hash header; the request is genuine only if the two match.