How It Works
When you receive a data payload from PayPlus, it will include a header called hash and a header called user-agent.
Verify That the Data Came from PayPlus
Use your API secret key to verify that the data was sent by PayPlus.
Here is a sample of the response:
{
  "results": {
    "status": "success",
    "code": 0,
    "description": "payment page link has been generated"
  },
  "data": {
    "page_request_uid": "0e8789bf-9eaf-4a07-9c16-0a348a4fd5d9",
    "payment_page_link": "http://localhost:8000/0e8789bf-9eaf-4a07-9c16-0a348a4fd5d9"
  }
}
And headers:
{
  "hash": "yb4ViUaVO6OFdF9iyISKtCi+cXTvWm0+3e/sQkPsNS0=",
  "user-agent": "PayPlus"
}
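Sample function (Node.js) to verify the hash of the received data:
const crypto = require("crypto");

// Returns true only if the hash header equals the base64 HMAC-SHA256
// of the JSON body, computed with your API secret key.
const resolvePayPlusHash = (response, secret_key) => {
    if (!response || !response.headers) {
        return false;
    }
    // Quick filter only: any sender can set this header.
    // The HMAC check below is what authenticates the data.
    if (response.headers['user-agent'] !== 'PayPlus') {
        return false;
    }
    const message = response.body && JSON.stringify(response.body);
    if (!message) {
        return false;
    }
    const hash = response.headers['hash'];
    if (!hash) {
        return false;
    }
    const genHash = crypto.createHmac("sha256", secret_key)
        .update(message)
        .digest("base64");
    // Compare in constant time. timingSafeEqual throws on unequal
    // lengths, so the lengths are checked first.
    const expected = Buffer.from(genHash);
    const received = Buffer.from(String(hash));
    return expected.length === received.length &&
        crypto.timingSafeEqual(expected, received);
};
This function is an example of how to validate a PayPlus response. This part:
const genHash = crypto.createHmac("sha256", secret_key)
    .update(message)
    .digest("base64");
const expected = Buffer.from(genHash);
const received = Buffer.from(String(hash));
return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
computes the HMAC-SHA256 of the serialized body with your secret key and compares it with the received hash header. The hash authenticates the data; it does not encrypt it.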
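The check hashes JSON.stringify(response.body), so it matches only when that string is byte-for-byte what the sender signed. The following is an added example, not PayPlus code: the secret, the payload and the helper names hmacBase64, hashMatches and checkVariants are constructed, and the sender is assumed to sign the compact JSON.stringify form. It shows which receiver-side changes make verification fail.

```javascript
const crypto = require("crypto");

// Constructed values for illustration only; not a real PayPlus key or payload.
const SECRET = "constructed-secret-key";
const payload = {
  results: { status: "success", code: 0 },
  data: { page_request_uid: "constructed-uid-0001" },
};

// Hypothetical helper: base64 HMAC-SHA256, the format of the hash header.
function hmacBase64(message, secretKey) {
  return crypto.createHmac("sha256", secretKey).update(message).digest("base64");
}

// Hypothetical helper: constant-time comparison of expected and received hash.
function hashMatches(message, receivedHash, secretKey) {
  const expected = Buffer.from(hmacBase64(message, secretKey));
  const received = Buffer.from(String(receivedHash));
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Simulated sender (assumption): signs the compact JSON.stringify form.
const sentBody = JSON.stringify(payload);
const sentHash = hmacBase64(sentBody, SECRET);

// Verify the same logical payload after different handling on the receiver.
function checkVariants() {
  const parsed = JSON.parse(sentBody);
  const reordered = { data: parsed.data, results: parsed.results };
  const tampered = JSON.parse(sentBody);
  tampered.results.status = "failed";
  return {
    unchanged: hashMatches(JSON.stringify(parsed), sentHash, SECRET),
    reorderedKeys: hashMatches(JSON.stringify(reordered), sentHash, SECRET),
    prettyPrinted: hashMatches(JSON.stringify(parsed, null, 2), sentHash, SECRET),
    tamperedField: hashMatches(JSON.stringify(tampered), sentHash, SECRET),
    wrongSecret: hashMatches(sentBody, sentHash, "another-constructed-key"),
    truncatedHash: hashMatches(sentBody, sentHash.slice(0, 10), SECRET),
  };
}

console.log(checkVariants());
```

Only the unchanged case verifies. A body whose keys were re-ordered or whose formatting changed before verification fails in the same way as a tampered one, so run the check before any code rewrites the parsed body.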