Skip to content

I
iwl-live
Commit e0b6cb8d authored by Antonio.Suerte's avatar Antonio.Suerte
Browse files
Options

Payment API Enhanced Security Features

parent 26e14df5
Hide whitespace changes
Inline Side-by-side
Showing with 52 additions and 7 deletions
en/template/tmp_settlement_api.php
View file @ e0b6cb8d
......@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" />
......
id/template/tmp_settlement_api.php
View file @ e0b6cb8d
......@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" />
......
ja/template/tmp_settlement_api.php
View file @ e0b6cb8d
......@@ -175,6 +175,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" />
......
js/settlement.js
View file @ e0b6cb8d
......@@ -79,6 +79,7 @@ $(function() {
$("#from_account").val(transactionDetails.from_account)
$("#message").val(transactionDetails.message)
$("#rate").val(transactionDetails.rate)
$("#verifierToken").val(transactionDetails.verifierToken)
$("#type").val("settle_express_submit")
setTimeout(function(){
submitForm()
......
logic/settlement/model.php
View file @ e0b6cb8d
<?php
use Firebase\JWT\JWT;
use Defuse\Crypto\Crypto;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;
require_once(SITE_LOGICS . 'settlement/config.php');
......@@ -38,6 +39,7 @@ class SettlementModelClass extends ModelClassEx {
private $formName = NO_STRING;
private $balance = NO_STRING;
private $uniqueSubmission = NO_STRING;
private $verifierToken = NO_STRING;
private $validationResult = NO_STRING;
private $invalidFormParams = [];
private $midconf = null;
......@@ -107,6 +109,7 @@ class SettlementModelClass extends ModelClassEx {
$this -> paymentToken = $this -> getDataGet("ptoken");
$this -> uniqueSubmission = $this -> getDataPost("uniqueSubmission");
$this -> verifierToken = $this -> getDataPost("verifierToken");
$this -> formName = $this -> getDataPost("formName");
$this -> signature = $this -> getDataPost(PARAM_SIGNATURE, true); // シグネチャ
$this -> pNum = $this -> getDataPost(PARAM_P_NUM, true); // 番組コード
......@@ -296,9 +299,17 @@ class SettlementModelClass extends ModelClassEx {
if($displayTransactionDetails){
$fromUser = $this -> getRowData($this -> getAccountCommon($this -> fromAccount));
$fullName = $this -> getColumnData($fromUser, COLUMN_FIRST_NAME)." ".
$this -> getColumnData($fromUser, COLUMN_LAST_NAME);
$fullName = $this -> getColumnData($fromUser, COLUMN_FIRST_NAME)." "
.$this -> getColumnData($fromUser, COLUMN_LAST_NAME);
$uniqueSubmission = !$this -> isLoopData($invalid) ?
$this -> formName.md5($this -> paymentAPIConf -> middleware_sig_passphrase) : NO_STRING;
$verifierToken = Crypto::encryptWithPassword(json_encode([
PARAM_FROM_ACCOUNT => $this -> fromAccount,
PARAM_USER_ACCOUNT => $this -> toAccount
]), $uniqueSubmission.date("Ymd"));
$return["transaction_details"] = [
PARAM_FROM_ACCOUNT => $this -> fromAccount,
"from_full_name" => $fullName,
......@@ -309,8 +320,8 @@ class SettlementModelClass extends ModelClassEx {
PARAM_AMOUNT => $this -> formatCurrency($this -> amount, $this -> currency),
PARAM_CURRENCY => $this -> currency,
PARAM_RATE => $this -> getRateEx(),
"uniqueSubmission" => !$this -> isLoopData($invalid) ?
$this -> formName.md5($this -> paymentAPIConf -> middleware_sig_passphrase) : NO_STRING,
"uniqueSubmission" => $uniqueSubmission,
"verifierToken" => $verifierToken,
PARAM_MESSAGE => $this -> msg
];
}
......@@ -463,6 +474,28 @@ class SettlementModelClass extends ModelClassEx {
private function validateProcessing(){
try{
$mismatchedAccountNum = false;
// catch under-the-table modifications
$decryptedVerifierToken = Crypto::decryptWithPassword(
$this -> verifierToken,
$this -> uniqueSubmission.date("Ymd"));
// catch under-the-table modifications
if($this -> checkJSONString($decryptedVerifierToken)){
$encryptedVerifierToken = json_decode($decryptedVerifierToken, true);
if($this -> getColumnData($encryptedVerifierToken, PARAM_FROM_ACCOUNT) != $this -> fromAccount){
$this -> invalidFormParams[] = "Mismatched Remitter Account Number ({$this -> fromAccount})";
$mismatchedAccountNum = true;
}
if($this -> getColumnData($encryptedVerifierToken, PARAM_USER_ACCOUNT) != $this -> toAccount){
$this -> invalidFormParams[] = "Mismatched Receiver Account Number ({$this -> toAccount})";
$mismatchedAccountNum = true;
}
}
$midPsignKey = $this -> paymentAPIConf -> middleware_sig_passphrase;
$jwtTokenKey = $this -> midconf -> token_secretkey.strtotime(date("Ymd"));
......@@ -490,7 +523,7 @@ class SettlementModelClass extends ModelClassEx {
$this -> setData();
$this -> arrangeFreeParams();
if($this -> balance < ($this -> debitAmount + $this -> getFeeEx())) {
if($this -> balance < ($this -> debitAmount + $this -> getFeeEx()) && !$mismatchedAccountNum) {
$this -> invalidFormParams[] = $this -> getMessage(ERROR, 'E_INSUFFICIENT_FUNDS',
array($this -> debitCurrency,
$this -> formatCurrency(($this -> debitAmount + $this -> getFeeEx()), $this -> debitCurrency)));
......@@ -502,11 +535,17 @@ class SettlementModelClass extends ModelClassEx {
$this -> setType(TYPE_FAIL);
}catch(Exception $e){
$this -> accessModify("DELETE_SETTLEMENT_FORM", [$this -> formName], false);
$this -> setType(TYPE_REQUEST_SESSION_EXPIRED);
if($e instanceof WrongKeyOrModifiedCiphertextException){
$this -> invalidFormParams[] = "Unnecessary modification is not allowed";
$this -> setType(TYPE_FAIL);
}else{
$this -> accessModify("DELETE_SETTLEMENT_FORM", [$this -> formName], false);
$this -> setType(TYPE_REQUEST_SESSION_EXPIRED);
}
}
}
private function arrangeFormLink(){
$freeParams = [];
......
sc/template/tmp_settlement_api.php
View file @ e0b6cb8d
......@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" />
......
tc/template/tmp_settlement_api.php
View file @ e0b6cb8d
......@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" />
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment