Commit e0b6cb8d authored by Antonio.Suerte's avatar Antonio.Suerte

Payment API Enhanced Security Features

parent 26e14df5
...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php'); ...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" /> <input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" /> <input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" /> <input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" /> <input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" /> <input type="hidden" value="" id="message" name="message" />
......
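Review bot: The hidden `verifierToken` input is added by hand here and in four other template sections of this commit that carry the identical hunk, so the set of posted fields is apparently maintained separately in each template. A settlement template that is missed would post an empty token, and the new `decryptWithPassword` call in `validateProcessing` would then presumably reject every submission from it. Consider moving the shared hidden inputs into a single included partial, so a new field is added in one place.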
...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php'); ...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" /> <input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" /> <input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" /> <input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" /> <input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" /> <input type="hidden" value="" id="message" name="message" />
......
...@@ -175,6 +175,7 @@ include_once('template/base_head_API.php'); ...@@ -175,6 +175,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" /> <input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" /> <input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" /> <input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" /> <input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" /> <input type="hidden" value="" id="message" name="message" />
......
...@@ -79,6 +79,7 @@ $(function() { ...@@ -79,6 +79,7 @@ $(function() {
$("#from_account").val(transactionDetails.from_account) $("#from_account").val(transactionDetails.from_account)
$("#message").val(transactionDetails.message) $("#message").val(transactionDetails.message)
$("#rate").val(transactionDetails.rate) $("#rate").val(transactionDetails.rate)
$("#verifierToken").val(transactionDetails.verifierToken)
$("#type").val("settle_express_submit") $("#type").val("settle_express_submit")
setTimeout(function(){ setTimeout(function(){
submitForm() submitForm()
......
<?php <?php
use Firebase\JWT\JWT; use Firebase\JWT\JWT;
use Defuse\Crypto\Crypto; use Defuse\Crypto\Crypto;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;
require_once(SITE_LOGICS . 'settlement/config.php'); require_once(SITE_LOGICS . 'settlement/config.php');
...@@ -38,6 +39,7 @@ class SettlementModelClass extends ModelClassEx { ...@@ -38,6 +39,7 @@ class SettlementModelClass extends ModelClassEx {
private $formName = NO_STRING; private $formName = NO_STRING;
private $balance = NO_STRING; private $balance = NO_STRING;
private $uniqueSubmission = NO_STRING; private $uniqueSubmission = NO_STRING;
private $verifierToken = NO_STRING;
private $validationResult = NO_STRING; private $validationResult = NO_STRING;
private $invalidFormParams = []; private $invalidFormParams = [];
private $midconf = null; private $midconf = null;
...@@ -107,6 +109,7 @@ class SettlementModelClass extends ModelClassEx { ...@@ -107,6 +109,7 @@ class SettlementModelClass extends ModelClassEx {
$this -> paymentToken = $this -> getDataGet("ptoken"); $this -> paymentToken = $this -> getDataGet("ptoken");
$this -> uniqueSubmission = $this -> getDataPost("uniqueSubmission"); $this -> uniqueSubmission = $this -> getDataPost("uniqueSubmission");
$this -> verifierToken = $this -> getDataPost("verifierToken");
$this -> formName = $this -> getDataPost("formName"); $this -> formName = $this -> getDataPost("formName");
$this -> signature = $this -> getDataPost(PARAM_SIGNATURE, true); // シグネチャ $this -> signature = $this -> getDataPost(PARAM_SIGNATURE, true); // シグネチャ
$this -> pNum = $this -> getDataPost(PARAM_P_NUM, true); // 番組コード $this -> pNum = $this -> getDataPost(PARAM_P_NUM, true); // 番組コード
...@@ -296,8 +299,16 @@ class SettlementModelClass extends ModelClassEx { ...@@ -296,8 +299,16 @@ class SettlementModelClass extends ModelClassEx {
if($displayTransactionDetails){ if($displayTransactionDetails){
$fromUser = $this -> getRowData($this -> getAccountCommon($this -> fromAccount)); $fromUser = $this -> getRowData($this -> getAccountCommon($this -> fromAccount));
$fullName = $this -> getColumnData($fromUser, COLUMN_FIRST_NAME)." ". $fullName = $this -> getColumnData($fromUser, COLUMN_FIRST_NAME)." "
$this -> getColumnData($fromUser, COLUMN_LAST_NAME); .$this -> getColumnData($fromUser, COLUMN_LAST_NAME);
$uniqueSubmission = !$this -> isLoopData($invalid) ?
$this -> formName.md5($this -> paymentAPIConf -> middleware_sig_passphrase) : NO_STRING;
$verifierToken = Crypto::encryptWithPassword(json_encode([
PARAM_FROM_ACCOUNT => $this -> fromAccount,
PARAM_USER_ACCOUNT => $this -> toAccount
]), $uniqueSubmission.date("Ymd"));
$return["transaction_details"] = [ $return["transaction_details"] = [
PARAM_FROM_ACCOUNT => $this -> fromAccount, PARAM_FROM_ACCOUNT => $this -> fromAccount,
...@@ -309,8 +320,8 @@ class SettlementModelClass extends ModelClassEx { ...@@ -309,8 +320,8 @@ class SettlementModelClass extends ModelClassEx {
PARAM_AMOUNT => $this -> formatCurrency($this -> amount, $this -> currency), PARAM_AMOUNT => $this -> formatCurrency($this -> amount, $this -> currency),
PARAM_CURRENCY => $this -> currency, PARAM_CURRENCY => $this -> currency,
PARAM_RATE => $this -> getRateEx(), PARAM_RATE => $this -> getRateEx(),
"uniqueSubmission" => !$this -> isLoopData($invalid) ? "uniqueSubmission" => $uniqueSubmission,
$this -> formName.md5($this -> paymentAPIConf -> middleware_sig_passphrase) : NO_STRING, "verifierToken" => $verifierToken,
PARAM_MESSAGE => $this -> msg PARAM_MESSAGE => $this -> msg
]; ];
} }
...@@ -463,6 +474,28 @@ class SettlementModelClass extends ModelClassEx { ...@@ -463,6 +474,28 @@ class SettlementModelClass extends ModelClassEx {
private function validateProcessing(){ private function validateProcessing(){
try{ try{
$mismatchedAccountNum = false;
// catch under-the-table modifications
$decryptedVerifierToken = Crypto::decryptWithPassword(
$this -> verifierToken,
$this -> uniqueSubmission.date("Ymd"));
// catch under-the-table modifications
if($this -> checkJSONString($decryptedVerifierToken)){
$encryptedVerifierToken = json_decode($decryptedVerifierToken, true);
if($this -> getColumnData($encryptedVerifierToken, PARAM_FROM_ACCOUNT) != $this -> fromAccount){
$this -> invalidFormParams[] = "Mismatched Remitter Account Number ({$this -> fromAccount})";
$mismatchedAccountNum = true;
}
if($this -> getColumnData($encryptedVerifierToken, PARAM_USER_ACCOUNT) != $this -> toAccount){
$this -> invalidFormParams[] = "Mismatched Receiver Account Number ({$this -> toAccount})";
$mismatchedAccountNum = true;
}
}
$midPsignKey = $this -> paymentAPIConf -> middleware_sig_passphrase; $midPsignKey = $this -> paymentAPIConf -> middleware_sig_passphrase;
$jwtTokenKey = $this -> midconf -> token_secretkey.strtotime(date("Ymd")); $jwtTokenKey = $this -> midconf -> token_secretkey.strtotime(date("Ymd"));
...@@ -490,7 +523,7 @@ class SettlementModelClass extends ModelClassEx { ...@@ -490,7 +523,7 @@ class SettlementModelClass extends ModelClassEx {
$this -> setData(); $this -> setData();
$this -> arrangeFreeParams(); $this -> arrangeFreeParams();
if($this -> balance < ($this -> debitAmount + $this -> getFeeEx())) { if($this -> balance < ($this -> debitAmount + $this -> getFeeEx()) && !$mismatchedAccountNum) {
$this -> invalidFormParams[] = $this -> getMessage(ERROR, 'E_INSUFFICIENT_FUNDS', $this -> invalidFormParams[] = $this -> getMessage(ERROR, 'E_INSUFFICIENT_FUNDS',
array($this -> debitCurrency, array($this -> debitCurrency,
$this -> formatCurrency(($this -> debitAmount + $this -> getFeeEx()), $this -> debitCurrency))); $this -> formatCurrency(($this -> debitAmount + $this -> getFeeEx()), $this -> debitCurrency)));
...@@ -502,10 +535,16 @@ class SettlementModelClass extends ModelClassEx { ...@@ -502,10 +535,16 @@ class SettlementModelClass extends ModelClassEx {
$this -> setType(TYPE_FAIL); $this -> setType(TYPE_FAIL);
}catch(Exception $e){ }catch(Exception $e){
if($e instanceof WrongKeyOrModifiedCiphertextException){
$this -> invalidFormParams[] = "Unnecessary modification is not allowed";
$this -> setType(TYPE_FAIL);
}else{
$this -> accessModify("DELETE_SETTLEMENT_FORM", [$this -> formName], false); $this -> accessModify("DELETE_SETTLEMENT_FORM", [$this -> formName], false);
$this -> setType(TYPE_REQUEST_SESSION_EXPIRED); $this -> setType(TYPE_REQUEST_SESSION_EXPIRED);
} }
} }
}
private function arrangeFormLink(){ private function arrangeFormLink(){
$freeParams = []; $freeParams = [];
......
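Review bot: The password passed to `Crypto::encryptWithPassword` and `Crypto::decryptWithPassword` is `$uniqueSubmission.date("Ymd")`, and `uniqueSubmission` is returned to the browser in `transaction_details` and read back from POST, so the token is keyed by a value the client already holds rather than by a server-only secret and cannot by itself show that the account fields were left unchanged; when `isLoopData($invalid)` is true the password is the date alone. Key the token with a `Defuse\Crypto\Key` kept in server-side configuration (`Crypto::encrypt` / `Crypto::decrypt`, which needs `use Defuse\Crypto\Key;`), and carry `uniqueSubmission` and the issue date inside the encrypted payload instead of in the key. In `validateProcessing` the `if($this -> checkJSONString($decryptedVerifierToken))` has no `else`, so a plaintext that is not JSON skips both account comparisons; that branch should fail closed. The token covers only the two account numbers, so amount and currency are presumably still guarded only by whatever the later signature check covers. Both the issuing code and `validateProcessing` extend beyond the hunks shown.

```php
// PLACEHOLDER: $serverKeyString stands for an ASCII-safe key read from server-side configuration
$verifierKey = Key::loadFromAsciiSafeString($serverKeyString);

// issuing side, replacing the encryptWithPassword call
$verifierToken = Crypto::encrypt(json_encode([
    PARAM_FROM_ACCOUNT => $this -> fromAccount,
    PARAM_USER_ACCOUNT => $this -> toAccount,
    "uniqueSubmission" => $uniqueSubmission,
    "issued" => date("Ymd")
]), $verifierKey);

// validating side, replacing the decryptWithPassword call
$decryptedVerifierToken = Crypto::decrypt($this -> verifierToken, $verifierKey);
if(!$this -> checkJSONString($decryptedVerifierToken)){
    $this -> invalidFormParams[] = "Unnecessary modification is not allowed";
    $mismatchedAccountNum = true;
}else{
    // … unchanged: json_decode and the two account-number comparisons …
    // additionally compare the decoded "uniqueSubmission" and "issued" values with the request
}
```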
...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php'); ...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" /> <input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" /> <input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" /> <input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" /> <input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" /> <input type="hidden" value="" id="message" name="message" />
......
...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php'); ...@@ -174,6 +174,7 @@ include_once('template/base_head_API.php');
<input type="hidden" value="" id="type" name="type" /> <input type="hidden" value="" id="type" name="type" />
<input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" /> <input type="hidden" value="" id="uniqueSubmission" name="uniqueSubmission" />
<input type="hidden" value="" id="verifierToken" name="verifierToken" />
<input type="hidden" value="" id="debit_currency_ac" name="debit_currency" /> <input type="hidden" value="" id="debit_currency_ac" name="debit_currency" />
<input type="hidden" value="" id="from_account" name="from_account" /> <input type="hidden" value="" id="from_account" name="from_account" />
<input type="hidden" value="" id="message" name="message" /> <input type="hidden" value="" id="message" name="message" />
......