Webhooks

Code samples to generate and verify signature hash for the data received via Payment Status webhooks sent from PortOne servers.

Golang

import (

"crypto/hmac"

"crypto/sha256"

"encoding/base64"

)

type WebhookResponseObj struct {

Currency string

Amount string

OrderRef string

MerchantOrderRef string

CountryCode string

ChannelOrderRef string

Status string

ChannelKey string

MethodName string

Signature string

}

func VerifySignature(webhookResponseObj WebhookResponseObj, secretKey string) bool {

params := make(url.Values)

params.Add("currency", webhookResponseObj.Currency)

params.Add("amount", webhookResponseObj.Amount)

params.Add("order_ref", webhookResponseObj.OrderRef)

params.Add("merchant_order_ref", webhookResponseObj.MerchantOrderRef)

params.Add("channel_order_ref", webhookResponseObj.ChannelOrderRef)

params.Add("country_code", webhookResponseObj.CountryCode)

params.Add("status", webhookResponseObj.Status)

params.Add("channel_key", webhookResponseObj.ChannelKey)

params.Add("method_name", webhookResponseObj.MethodName)

data = params.Encode()

secret := []byte(secretKey)

message := []byte(data)

hash := hmac.New(sha256.New, secret)

hash.Write(message)

hash_value := base64.StdEncodin.EncodeToString(hash.Sum(nil))

// compare this hash_value to one received in payment response

if hash_value != webhookResponseObj.Signature {

println("Hash verification failed, not from valid source")

return false

} else {

println("Hash verification succeded")

return true

}

}

PHP

<?php

function VerifySignature($webhookResponseObj, $secretKey) {

$data = array(

'currency' =>$webhookResponseObj.Currency,

'amount' => $webhookResponseObj.Amount,

'order_ref' => $webhookResponseObj.OrderRef,

'merchant_order_ref' => $webhookResponseObj.MerchantOrderRef,

'channel_order_ref'=> $webhookResponseObj.ChannelOrderRef,

'country_code' => $webhookResponseObj.CountryCode,

'status' => $webhookResponseObj.Status,

'channel_key' => $webhookResponseObj.ChannelKey,

'method_name' => $webhookResponseObj.MethodName

);

ksort($data);

$message = http_build_query($data);

$hash_value = base64_encode(hash_hmac('sha256', $message, $secretKey, true));

if($hash_value !== responseObj.Signature){

echo "Hash verification failed, not from valid source";

return false;

} else{

echo "Hash verification succeded";

return true;

}

}

?>

NodeJS

var url = require('url');

var crypto = require('crypto');

function VerifySignature(webhookResponseObj, secretKey) {

const params = new URLSearchParams();

params.append('currency', webhookResponseObj.Currency)

params.append('amount', webhookResponseObj.Amount)

params.append('order_ref', webhookResponseObj.OrderRef)

params.append('merchant_order_ref', webhookResponseObj.MerchantOrderRef)

params.append('channel_order_ref', webhookResponseObj.ChannelOrderRef)

params.append('country_code', webhookResponseObj.CountryCode)

params.append('status', webhookResponseObj.Status)

params.append('channel_key', webhookResponseObj.ChannelKey)

params.append('method_name', webhookResponseObj.MethodName)

params.sort();

var message = params.toString()

var hash_value = crypto.createHmac('sha256', secretKey).update(message).hash.digest('base64');

if(hash_value !== webhookResponseObj.signature_hash){

console.log("Hash verification failed, not from valid source")

return false;

} else{

console.log("Hash verification succeded")

return true;

}

}

C#

using System;

using System.Security.Cryptography;

using System.Collections.Specialized;

class WebhookResponse {

string Currency,

string Amount,

string OrderRef,

string MerchantOrderRef,

string CountryCode,

string ChannelOrderRef,

string Status,

string ChannelKey,

string MethodName,

string Signature,

}

namespace Signature {

public class Signature {

private bool VerifySignature(WebhookResponse webhookResponse, string secret) {

NameValueCollection myCollection = System.Web.HttpUtility.ParseQueryString(string.Empty);

myCollection.Add("currency", webhookResponse.Currency);

myCollection.Add("amount", webhookResponse.Amount);

myCollection.Add("order_ref", webhookResponse.OrderRef);

myCollection.Add("merchant_order_ref", webhookResponse.MerchantOrderRef);

myCollection.Add("channel_order_ref", webhookResponse.ChannelOrderRef);

myCollection.Add("country_code", webhookResponse.CountryCode);

myCollection.Add("status", webhookResponse.Status);

myCollection.Add("channel_key", webhookResponse.ChannelKey);

myCollection.Add("method_name", webhookResponse.MethodName);

string message = myCollection.ToString();

var encoding = new System.Text.ASCIIEncoding();

byte[] keyByte = encoding.GetBytes(secret);

byte[] messageBytes = encoding.GetBytes(message);

var hmacsha256 = new HMACSHA256(keyByte);

byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);

string hash_value = Convert.ToBase64String(hashmessage);

if (hash_value !== webhookResponse.Signature) {

Console.WriteLine("Hash verification failed, not from valid source")

return false;

} else {

Console.WriteLine("Hash verification succeded")

return true;

}

}

}

}

Java

import javax.crypto.Mac;

import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;

class WebhookResponse {

string Currency,

string Amount,

string OrderRef,

string MerchantOrderRef,

string CountryCode,

string ChannelOrderRef,

string Status,

string ChannelKey,

string MethodName,

string Signature,

}

public class ApiSecurityExample {

public static String VerifySignature(WebhookResponse webhookResponse, String secret) {

StringBuilder stringBuilder = new StringBuilder();

Map < String, String > map;

map["currency"] = webhookResponse.Currency;

map["amount"] = webhookResponse.Amount;

map["order_ref"] = webhookResponse.OrderRef;

map["merchant_order_ref"] = webhookResponse.MerchantOrderRef;

map["channel_order_ref"] = webhookResponse.ChannelOrderRef;

map["country_code"] = webhookResponse.CountryCode;

map["status"] = webhookResponse.Status;

map["channel_key"] = webhookResponse.ChannelKey;

map["method_name"] = webhookResponse.ChannelKey;

for (String key: map.keySet()) {

if (stringBuilder.length() > 0) {

stringBuilder.append("&");

}

String value = map.get(key);

try {

stringBuilder.append((key != null ? URLEncoder.encode(key, "UTF-8") : ""));

stringBuilder.append("=");

stringBuilder.append(value != null ? URLEncoder.encode(value, "UTF-8") : "");

} catch (UnsupportedEncodingException e) {

throw new RuntimeException("This method requires UTF-8 encoding support", e);

}

}

String message = stringBuilder.toString();

Mac sha256_HMAC = Mac.getInstance("HmacSHA256");

SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");

sha256_HMAC.init(secret_key);

String hash_value = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));

if (hash_value !== webhookResponse.Signature) {

System.out.println("Hash verification failed, not from valid source")

return false;

} else {

System.out.println("Hash verification succeded")

return true;

}

}

}

Python

#!/usr/bin/python

# -*- coding: utf-8 -*-

import urllib

import hashlib

import hmac

import base64

class WebhookResponseObj:

def __init__(self, Currency, Amount, OrderRef, MerchantOrderRef, CountryCode, ChannelOrderRef, Status, ChannelKey, MethodName, Signature):

# Instance Variable

self.Currency = Currency

self.Amount = Amount

self.OrderRef = OrderRef

self.MerchantOrderRef = MerchantOrderRef

self.CountryCode = CountryCode

self.ChannelOrderRef = ChannelOrderRef

self.Status = Status

self.ChannelKey = ChannelKey

self.MethodName = MethodName

self.Signature = Signature

def GenerateSignature(WebhookResponseObj, secretKey):

f = {

'currency': WebhookResponseObj.Currency,

'amount': WebhookResponseObj.Amount,

'order_ref': WebhookResponseObj.OrderRef,

'merchant_order_ref': WebhookResponseObj.MerchantOrderRef,

'channel_order_ref': WebhookResponseObj.ChannelOrderRef,

'country_code': WebhookResponseObj.CountryCode,

'status': WebhookResponseObj.Status,

'channel_key': WebhookResponseObj.ChannelKey,

'method_name': WebhookResponseObj.MethodName,

}

message1 = urllib.urlencode(f)

message = bytes(message1).encode('utf-8')

secret = bytes(secretKey).encode('utf-8')

signature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest())

if (signature !== WebhookResponseObj.Signature) {

Print("Hash verification failed, not from valid source")

return false;

} else {

Print("Hash verification succeded")

return true;

}

---

Code samples to generate and verify signature hash for the data received via Payment Link Status webhooks sent from PortOne servers.

Golang

import (

"crypto/hmac"

"crypto/sha256"

"encoding/base64"

)

type WebhookResponseObj struct {

Currency string

Amount string

LinkRef string

MerchantOrderRef string

CountryCode string

Status string

Signature string

}

func VerifySignature(webhookResponseObj WebhookResponseObj, secretKey string) bool {

params := make(url.Values)

params.Add("currency", webhookResponseObj.Currency)

params.Add("amount", webhookResponseObj.Amount)

params.Add("link_ref", webhookResponseObj.LinkRef)

params.Add("merchant_order_ref", webhookResponseObj.MerchantOrderRef)

params.Add("country_code", webhookResponseObj.CountryCode)

params.Add("status", webhookResponseObj.Status)

data = params.Encode()

secret := []byte(secretKey)

message := []byte(data)

hash := hmac.New(sha256.New, secret)

hash.Write(message)

hash_value := base64.StdEncodin.EncodeToString(hash.Sum(nil))

// compare this hash_value to one received in payment response

if hash_value != webhookResponseObj.Signature {

println("Hash verification failed, not from valid source")

return false

} else {

println("Hash verification succeded")

return true

}

}

PHP

<?php

function VerifySignature($webhookResponseObj, $secretKey) {

$data = array(

'currency' =>$webhookResponseObj.Currency,

'amount' => $webhookResponseObj.Amount,

'link_ref' => $webhookResponseObj.LinkRef,

'merchant_order_ref' => $webhookResponseObj.MerchantOrderRef,

'country_code' => $webhookResponseObj.CountryCode,

'status' => $webhookResponseObj.Status,

);

ksort($data);

$message = http_build_query($data);

$hash_value = base64_encode(hash_hmac('sha256', $message, $secretKey, true));

if($hash_value !== responseObj.Signature){

echo "Hash verification failed, not from valid source";

return false;

} else{

echo "Hash verification succeded";

return true;

}

}

?>

NodeJS

var url = require('url');

var crypto = require('crypto');

function VerifySignature(webhookResponseObj, secretKey) {

const params = new URLSearchParams();

params.append('currency', webhookResponseObj.Currency)

params.append('amount', webhookResponseObj.Amount)

params.append('link_ref', webhookResponseObj.LinkRef)

params.append('merchant_order_ref', webhookResponseObj.MerchantOrderRef)

params.append('country_code', webhookResponseObj.CountryCode)

params.append('status', webhookResponseObj.Status)

params.sort();

var message = params.toString()

var hash_value = crypto.createHmac('sha256', secretKey).update(message).hash.digest('base64');

if(hash_value !== webhookResponseObj.signature_hash){

console.log("Hash verification failed, not from valid source")

return false;

} else{

console.log("Hash verification succeded")

return true;

}

}

C#

using System;

using System.Security.Cryptography;

using System.Collections.Specialized;

class WebhookResponse {

string Currency,

string Amount,

string LinkRef,

string MerchantOrderRef,

string CountryCode,

string Status,

string Signature,

}

namespace Signature {

public class Signature {

private bool VerifySignature(WebhookResponse webhookResponse, string secret) {

NameValueCollection myCollection = System.Web.HttpUtility.ParseQueryString(string.Empty);

myCollection.Add("currency", webhookResponse.Currency);

myCollection.Add("amount", webhookResponse.Amount);

myCollection.Add("link_ref", webhookResponse.LinkRef);

myCollection.Add("merchant_order_ref", webhookResponse.MerchantOrderRef);

myCollection.Add("country_code", webhookResponse.CountryCode);

myCollection.Add("status", webhookResponse.Status);

string message = myCollection.ToString();

var encoding = new System.Text.ASCIIEncoding();

byte[] keyByte = encoding.GetBytes(secret);

byte[] messageBytes = encoding.GetBytes(message);

var hmacsha256 = new HMACSHA256(keyByte);

byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);

string hash_value = Convert.ToBase64String(hashmessage);

if (hash_value !== webhookResponse.Signature) {

Console.WriteLine("Hash verification failed, not from valid source")

return false;

} else {

Console.WriteLine("Hash verification succeded")

return true;

}

}

}

}

Java

import javax.crypto.Mac;

import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;

class WebhookResponse {

string Currency,

string Amount,

string LinkRef,

string MerchantOrderRef,

string CountryCode,

string Status,

string Signature,

}

public class ApiSecurityExample {

public static String VerifySignature(WebhookResponse webhookResponse, String secret) {

StringBuilder stringBuilder = new StringBuilder();

Map < String, String > map;

map["currency"] = webhookResponse.Currency;

map["amount"] = webhookResponse.Amount;

map["link_ref"] = webhookResponse.LinkRef;

map["merchant_order_ref"] = webhookResponse.MerchantOrderRef;

map["country_code"] = webhookResponse.CountryCode;

map["status"] = webhookResponse.Status;

for (String key: map.keySet()) {

if (stringBuilder.length() > 0) {

stringBuilder.append("&");

}

String value = map.get(key);

try {

stringBuilder.append((key != null ? URLEncoder.encode(key, "UTF-8") : ""));

stringBuilder.append("=");

stringBuilder.append(value != null ? URLEncoder.encode(value, "UTF-8") : "");

} catch (UnsupportedEncodingException e) {

throw new RuntimeException("This method requires UTF-8 encoding support", e);

}

}

String message = stringBuilder.toString();

Mac sha256_HMAC = Mac.getInstance("HmacSHA256");

SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");

sha256_HMAC.init(secret_key);

String hash_value = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));

if (hash_value !== webhookResponse.Signature) {

System.out.println("Hash verification failed, not from valid source")

return false;

} else {

System.out.println("Hash verification succeded")

return true;

}

}

}

Python

#!/usr/bin/python

# -*- coding: utf-8 -*-

import urllib

import hashlib

import hmac

import base64

class WebhookResponseObj:

def __init__(self, Currency, Amount, LinkRef, MerchantOrderRef, CountryCode, Status, Signature):

# Instance Variable

self.Currency = Currency

self.Amount = Amount

self.LinkRef = LinkRef

self.MerchantOrderRef = MerchantOrderRef

self.CountryCode = CountryCode

self.Status = Status

self.Signature = Signature

def GenerateSignature(WebhookResponseObj, secretKey):

f = {

'currency': WebhookResponseObj.Currency,

'amount': WebhookResponseObj.Amount,

'link_ref': WebhookResponseObj.LinkRef,

'merchant_order_ref': WebhookResponseObj.MerchantOrderRef,

'country_code': WebhookResponseObj.CountryCode,

'status': WebhookResponseObj.Status,

}

message1 = urllib.urlencode(f)

message = bytes(message1).encode('utf-8')

secret = bytes(secretKey).encode('utf-8')

signature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest())

if (signature !== WebhookResponseObj.Signature) {

Print("Hash verification failed, not from valid source")

return false;

} else {

Print("Hash verification succeded")

return true;

}