Validate Requests Received from PayPlus

Why Validation Is Important

Validating incoming requests from PayPlus is a critical security measure. It ensures that the data you receive hasn't been tampered with and that it genuinely originated from PayPlus.

By checking the user-agent header and recomputing the hash header with your API secret key, you protect your system from:

  • Spoofed Requests: Prevent attackers from sending fake data that appears to come from PayPlus.
  • Data Integrity Issues: Ensure that the payload has not been altered during transmission.
  • Unauthorized Access: Avoid processing requests that don’t come from a trusted source.

This validation step helps maintain the integrity, security, and trustworthiness of your integration with the PayPlus API.

How to confirm the authenticity of the data:

Here is a sample of the response:

{
    "results": {
        "status": "success",
        "code": 0,
        "description": "payment page link has been generated"
    },
    "data": {
        "page_request_uid": "0e8789bf-9eaf-4a07-9c16-0a348a4fd5d9",
        "payment_page_link": "http://localhost:8000/0e8789bf-9eaf-4a07-9c16-0a348a4fd5d9"
    }
}

And headers:

{
    "hash": "yb4ViUaVO6OFdF9iyISKtCi+cXTvWm0+3e/sQkPsNS0=",
    "user-agent": "PayPlus"
}

Sample function (Node.js) to verify the hash header (an HMAC-SHA256 of the body, keyed with your API secret key):

const crypto = require('crypto');

// Returns true only when the request carries the PayPlus user-agent and the
// "hash" header equals the base64 HMAC-SHA256 of the JSON body computed with
// your API secret key.
const resolvePayPlusHash = (response, secret_key) => {
    if (!response || !response.headers) {
        return false;
    }
    if (response.headers['user-agent'] !== 'PayPlus') {
        return false;
    }
    // The hash covers the body as PayPlus serialized it; re-serializing a parsed
    // object only works when it reproduces the same bytes.
    const message = response.body && JSON.stringify(response.body);
    if (!message) {
        return false;
    }
    const hash = response.headers['hash'];
    if (!hash) {
        return false;
    }
    const genHash = crypto.createHmac("sha256", secret_key)
        .update(message)
        .digest("base64");
    // Constant-time comparison, so a forged value cannot be refined byte by byte
    // from response timing. Lengths are checked first because timingSafeEqual
    // throws on buffers of different length.
    const expected = Buffer.from(genHash);
    const received = Buffer.from(hash);
    return expected.length === received.length
        && crypto.timingSafeEqual(expected, received);
};

This function is an example of how to validate a PayPlus response. This part:

const genHash = crypto.createHmac("sha256", secret_key)
    .update(message)
    .digest("base64");

recomputes the HMAC-SHA256 of the body with your API secret key, and the function then compares that value with the hash header. Because only a holder of the secret key can produce a matching value, a match shows that the request came from PayPlus and that the body was not altered in transit.