Merge pull request #23 from xendit/TPI-7747/weak-cryptography-impleme…

…ntation Fix Weak Cryptography Implementation
xendit · Jul 27, 2022 · 0d682c1 · 0d682c1
2 parents 8ec4669 + d53aca3
commit 0d682c1
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 98 deletions.
diff --git a/modules/gateways/callback/xendit.php b/modules/gateways/callback/xendit.php
@@ -5,7 +5,7 @@
 require_once __DIR__ . '/../xendit/autoload.php';
 
 use Xendit\Lib\Callback;
-use Xendit\lib\CreditCard;
+use Xendit\Lib\CreditCard;
 use Xendit\Lib\XenditRequest;
 
 $callback = new Callback();
@@ -20,18 +20,18 @@
 // Create/Update credit card
 if ($action == 'updatecc' || $action == "createcc") {
     /*
-     * Make sure the 3DS authentication status = 1
+     * Make sure the CC authentication status = 1
      * That mean the CC token is valid to create the charge
      */
-//    if(!isset($postData['xendit_3ds_authentication_status']) || $postData['xendit_3ds_authentication_status'] == 0){
-//        logTransaction($gatewayParams['paymentmethod'], $postData, "3DS authentication failed");
-//        $creditCard->renderJson(
-//            [
-//                'error' => true,
-//                'message' => '3DS authentication failed.',
-//            ]
-//        );
-//    }
+    if (!isset($postData['xendit_cc_authentication_status']) || $postData['xendit_cc_authentication_status'] == 0) {
+        logTransaction($gatewayParams['paymentmethod'], $postData, "CC authentication failed");
+        $creditCard->renderJson(
+            [
+                'error' => true,
+                'message' => 'CC authentication failed.',
+            ]
+        );
+    }
 
     /*
      * Make sure the credit card info has value
@@ -70,7 +70,7 @@
         $creditCard->renderJson(
             [
                 'error' => true,
-                'message' => 'Invalid Hash',
+                'message' => 'Invalid.',
             ]
         );
     }

diff --git a/modules/gateways/xendit.php b/modules/gateways/xendit.php
@@ -10,10 +10,11 @@
 require __DIR__ . '/xendit/autoload.php';
 
 // defines
-define('XENDIT_PAYMENT_GATEWAY_VERSION', '1.0.6');
+define('XENDIT_PAYMENT_GATEWAY_VERSION', '1.0.7');
 
 use WHMCS\Billing\Invoice;
 use Xendit\Lib\ActionBase;
+use Xendit\Lib\CreditCard;
 use Xendit\Lib\Link;
 use Xendit\Lib\Model\XenditTransaction;
 use Xendit\Lib\Recurring;
@@ -118,7 +119,7 @@ function xendit_capture($params)
     }
 
     // Generate payload
-    $cc = new \Xendit\Lib\CreditCard();
+    $cc = new CreditCard();
     $payload = $cc->generateCCPaymentRequest($params);
 
     try {
@@ -195,13 +196,14 @@ function xendit_remoteinput($params)
     $secretKey = $params['xenditTestMode'] == 'on' ? $params['xenditTestSecretKey'] : $params['xenditSecretKey'];
 
     $xenditRequest = new XenditRequest();
+    $creditCard = new CreditCard();
 
     // Card settings
     try {
         $cardSettings = $xenditRequest->getCardSettings();
         $canUseDynamic3ds = $cardSettings['can_use_dynamic_3ds'] ?? 0;
     } catch (\Exception $e) {
-        return (new ActionBase)->errorMessage($e->getMessage());
+        return $creditCard->errorMessage($e->getMessage());
     }
 
     // Client Parameters
@@ -228,7 +230,7 @@ function xendit_remoteinput($params)
         'return_url' => $systemUrl . 'modules/gateways/callback/xendit.php',
         'payment_method_url' => $systemUrl . 'index.php?rp=/account/paymentmethods',
         'can_use_dynamic_3ds' => $canUseDynamic3ds,
-        'verification_hash' => sha1(
+        'verification_hash' => $creditCard->generateHash(
             implode('|', [
                 $publicKey,
                 $clientId,
@@ -286,6 +288,7 @@ function xendit_remoteupdate($params)
     }
 
     $xenditRequest = new XenditRequest();
+    $creditCard = new CreditCard();
 
     // Gateway Configuration Parameters
     $publicKey = $xenditRequest->getPublicKey();
@@ -297,7 +300,7 @@ function xendit_remoteupdate($params)
         $cardSettings = $xenditRequest->getCardSettings();
         $canUseDynamic3ds = $cardSettings['can_use_dynamic_3ds'] ?? 0;
     } catch (\Exception $e) {
-        return (new ActionBase)->errorMessage($e->getMessage());
+        return $creditCard->errorMessage($e->getMessage());
     }
 
     // Client Parameters
@@ -327,7 +330,7 @@ function xendit_remoteupdate($params)
         'return_url' => $systemUrl . 'modules/gateways/callback/xendit.php',
         'payment_method_url' => $systemUrl . 'index.php?rp=/account/paymentmethods',
         'can_use_dynamic_3ds' => $canUseDynamic3ds,
-        'verification_hash' => sha1(
+        'verification_hash' => $creditCard->generateHash(
             implode('|', [
                 $publicKey,
                 $clientId,

diff --git a/modules/gateways/xendit/assets/js/xendit.js b/modules/gateways/xendit/assets/js/xendit.js
@@ -75,7 +75,7 @@ jQuery(function ($) {
             if (typeof err != 'undefined') {
                 failure_reason = err.message || err.error_code;
             } else {
-                failure_reason = 'We encountered an issue while processing the checkout. Please contact us. Code: 200035';
+                failure_reason = 'We encountered an issue while processing the update card. Please contact us. Code: 200035';
             }
             cc_xendit_form.validation.html(failure_reason);
             cc_xendit_form.form.append("<input type='hidden' class='xendit_cc_hidden_input' name='xendit_failure_reason' value='" + failure_reason + "'/>");
@@ -209,13 +209,9 @@ jQuery(function ($) {
             if(cc_xendit_form.canUseDynamic3DS()){
                 Xendit.card.threeDSRecommendation({'token_id': token_id}, cc_xendit_form.on3DSRecommendationResponse);
             }else{
-                let data = {'token_id': token_id, 'amount': '10000'};
-                Xendit.card.createToken(data, cc_xendit_form.onTokenizationResponse);
+                Xendit.card.createAuthentication({'token_id': token_id, 'amount': 0}, cc_xendit_form.on3DSAuthenticationResponse);
             }
 
-            // Check if it needs to use 3DS
-            Xendit.card.threeDSRecommendation({'token_id': token_id}, cc_xendit_form.on3DSRecommendationResponse);
-
             // Prevent form submitting
             return false;
         },
@@ -228,11 +224,11 @@ jQuery(function ($) {
             }
 
             if(response.should_3ds){
-                let data = {'token_id': $("input[name='xendit_token']").val(), 'amount': '10000'};
+                let data = {'token_id': $("input[name='xendit_token']").val(), 'amount': '0'};
                 Xendit.card.createAuthentication(data, cc_xendit_form.on3DSAuthenticationResponse);
                 return;
             }else{
-                cc_xendit_form.form.append( "<input type='hidden' class='xendit_cc_hidden_input' name='xendit_3ds_authentication_status' value='1'/>" );
+                cc_xendit_form.form.append( "<input type='hidden' class='xendit_cc_hidden_input' name='xendit_cc_authentication_status' value='1'/>" );
                 cc_xendit_form.form.submit();
                 return false;
             }
@@ -244,7 +240,7 @@ jQuery(function ($) {
                 return false;
             }
 
-            let threeDsAuthenticationSuccess = 0;
+            let ccAuthenticationSuccess = 0;
             if(response.status === 'IN_REVIEW' || response.status === 'CARD_ENROLLED' ){
                 $('body').append('<div class="three-ds-overlay" style="display: none;"></div>' +
                     '<div id="three-ds-container" style="display: none;">\n' +
@@ -255,20 +251,15 @@ jQuery(function ($) {
                 $("#three-ds-container").show();
                 return;
             }else if (response.status === 'APPROVED' || response.status === 'VERIFIED') {
-                threeDsAuthenticationSuccess = 1;
+                ccAuthenticationSuccess = 1;
                 $(".three-ds-overlay").hide();
                 $("#three-ds-container").hide();
             }
-
-            cc_xendit_form.form.append( "<input type='hidden' class='xendit_cc_hidden_input' name='xendit_3ds_authentication_status' value='"+ threeDsAuthenticationSuccess +"'/>" );
+            cc_xendit_form.form.append( "<input type='hidden' class='xendit_cc_hidden_input' name='xendit_cc_authentication_status' value='"+ ccAuthenticationSuccess +"'/>" );
             cc_xendit_form.form.submit();
             return;
         },
 
-        shouldAuthenticate: function (){
-            return $("input[name='should_authenticate']").val() == 1;
-        },
-
         canUseDynamic3DS: function (){
             return $("input[name='can_use_dynamic_3ds']").val() == 1;
         },

diff --git a/modules/gateways/xendit/handler/submitcc.php b/modules/gateways/xendit/handler/submitcc.php
diff --git a/modules/gateways/xendit/handler/updatecc.php b/modules/gateways/xendit/handler/updatecc.php
@@ -28,7 +28,8 @@
 $verificationHash = $_POST['verification_hash'] ?? '';
 $canUseDynamic3ds = $_POST['can_use_dynamic_3ds'] ?? 0;
 
-$comparisonHash = sha1(
+$comparisonHash = hash(
+    'sha512',
     implode('|', [
         $publicKey,
         $customerId,
@@ -39,7 +40,7 @@
     ])
 );
 if ($verificationHash !== $comparisonHash) {
-    die('Invalid hash.');
+    die('Invalid.');
 }
 
 if ($action === 'payment') {
@@ -87,7 +88,7 @@
 </head>
 <body>
 
-<form method="post" id="frmUpdateCC" action="submitcc.php" style="margin:0 auto;width:80%;" autocomplete="on">
+<form method="post" id="frmUpdateCC" style="margin:0 auto;width:80%;" autocomplete="on">
     <input type="hidden" name="action" value="<?= $action ?>">
     <input type="hidden" name="amount" value="<?= $amount ?>">
     <input type="hidden" name="currency" value="<?= $currencyCode ?>">

diff --git a/modules/gateways/xendit/lib/ActionBase.php b/modules/gateways/xendit/lib/ActionBase.php
@@ -354,6 +354,31 @@ public function renderJson(array $data)
      */
     public function errorMessage(string $message = ''): string
     {
+        if (strpos($message, 'INVALID_API_KEY') !== false) {
+            $message = 'The API key is invalid.';
+        }
         return sprintf('<p class="alert alert-danger">%s</p>', $message);
     }
+
+    /**
+     * @param string $header
+     * @param string $content
+     * @return void
+     */
+    protected function sendHeader(string $header, string $content)
+    {
+        if (!headers_sent()) {
+            header(sprintf('%s: %s', $header, $content));
+        }
+    }
+
+    /**
+     * @param string $url
+     * @return void
+     */
+    public function redirectUrl(string $url)
+    {
+        $this->sendHeader("Location", $url);
+        exit();
+    }
 }
diff --git a/modules/gateways/xendit/lib/CreditCard.php b/modules/gateways/xendit/lib/CreditCard.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace Xendit\lib;
+namespace Xendit\Lib;
 
 class CreditCard extends \Xendit\Lib\ActionBase
 {
@@ -154,7 +154,7 @@ public function generateCCPaymentRequest(array $params = [], int $auth_id = null
      */
     public function compareHash(string $verificationHash, array $params = [])
     {
-        $comparisonHash = sha1(
+        $comparisonHash = $this->generateHash(
             implode('|', [
                 $params["publicKey"],
                 $params["customerId"],
@@ -230,4 +230,13 @@ public function saveCreditCardToken(array $params = [], bool $isNew = true)
             throw new \Exception($e->getMessage());
         }
     }
+
+    /**
+     * @param string $str
+     * @return false|string
+     */
+    public function generateHash(string $str)
+    {
+        return hash('sha512', $str);
+    }
 }
diff --git a/modules/gateways/xendit/lib/Link.php b/modules/gateways/xendit/lib/Link.php
@@ -125,8 +125,7 @@ public function getCallbackUrl(string $systemUrl): string
     protected function generateFormParam(array $params, string $invoiceUrl): string
     {
         if ($this->isRefererUrlFromCart()) {
-            header("Location: " . $invoiceUrl);
-            exit();
+            return $this->redirectUrl($invoiceUrl);
         }
 
         $postfields = array();