Issue thephpleague#19 Main changes.

Author: judgej

src/Message/AbstractRequest.php

@@ -5,8 +5,16 @@
 /**
  * Authorize.Net Abstract Request
  */
-abstract class AbstractRequest extends \Omnipay\Common\Message\AbstractRequest
+
+use Omnipay\Common\Message\AbstractRequest as CommonAbstractRequest;
+
+abstract class AbstractRequest extends CommonAbstractRequest
 {
+    /**
+     * Recommended custom field name to send the transaction ID to the notify handler.
+     */
+    const TRANSACTION_ID_PARAM = 'omnipay_transaction_id';
+
     public function getApiLoginId()
     {
         return $this->getParameter('apiLoginId');
@@ -99,7 +107,13 @@ protected function getBillingData()
     {
         $data = array();
         $data['x_amount'] = $this->getAmount();
+
+        // This is deprecated. The invoice number field is reserved for the invoice number.
         $data['x_invoice_num'] = $this->getTransactionId();
+
+        // A custom field can be used to pass over the merchant site transaction ID.
+        $data[static::TRANSACTION_ID_PARAM] = $this->getTransactionId();
+
         $data['x_description'] = $this->getDescription();
 
         if ($card = $this->getCard()) {

src/Message/DPMCompleteRequest.php

@@ -9,62 +9,6 @@
  */
 class DPMCompleteRequest extends SIMCompleteAuthorizeRequest
 {
-    public function getData()
-    {
-        // The hash sent in the callback from the Authorize.Net gateway.
-        $hash_posted = strtolower($this->httpRequest->request->get('x_MD5_Hash'));
-
-        // The transaction reference generated by the Authorize.Net gateway and sent in the callback.
-        $posted_transaction_reference = $this->httpRequest->request->get('x_trans_id');
-
-        // The amount that the callback has authorized.
-        $posted_amount = $this->httpRequest->request->get('x_amount');
-
-        // Calculate the hash locally, using the shared "hash secret" and login ID.
-        $hash_calculated = $this->getDpmHash($posted_transaction_reference, $posted_amount);
-
-        if ($hash_posted !== $hash_calculated) {
-            // If the hash is incorrect, then we can't trust the source nor anything sent.
-            // Throwing exceptions here is probably a bad idea. We are trying to get the data,
-            // and if it is invalid, then we need to be able to log that data for analysis.
-            // Except we can't, baceuse the exception means we can't get to the data.
-            // For now, this is consistent with other OmniPay gateway drivers.
-
-            throw new InvalidRequestException('Incorrect hash');
-        }
-
-        // The hashes have passed, but the amount should also be validated against the
-        // amount in the stored and retrieved transaction. If the application has the
-        // ability to retrieve the transaction (using the transaction_id sent as a custom
-        // form field, or perhaps in an otherwise unused field such as x_invoice_id.
-
-        $amount = $this->getAmount();
-
-        if (isset($amount) && $amount != $posted_amount) {
-            // The amounts don't match. Someone may have been playing with the
-            // transaction references.
-
-            throw new InvalidRequestException('Incorrect amount');
-        }
-
-        return $this->httpRequest->request->all();
-    }
-
-    /**
-     * This hash confirms the ransaction has come from the Authorize.Net gateway.
-     * It confirms the sender knows ther shared hash secret and that the amount and
-     * transaction reference has not been changed in transit.
-     */
-    public function getDpmHash($transaction_reference, $amount)
-    {
-        $key = $this->getHashSecret()
-            . $this->getApiLoginId()
-            . $transaction_reference
-            . $amount;
-
-        return md5($key);
-    }
-
     public function sendData($data)
     {
         return $this->response = new DPMCompleteResponse($this, $data);

src/Message/DPMCompleteResponse.php

@@ -16,11 +16,6 @@
  */
 class DPMCompleteResponse extends SIMCompleteAuthorizeResponse implements RedirectResponseInterface
 {
-    const RESPONSE_CODE_APPROVED    = '1';
-    const RESPONSE_CODE_DECLINED    = '2';
-    const RESPONSE_CODE_ERROR       = '3';
-    const RESPONSE_CODE_REVIEW      = '4';
-
     public function isSuccessful()
     {
         return isset($this->data['x_response_code'])

src/Message/SIMAuthorizeRequest.php

@@ -28,7 +28,7 @@ public function getData()
             $data['x_customer_ip'] = $this->getClientIp();
         }
 
-        // The returnUrl MUST be set in Authorize.net admin panel under
+        // The returnUrl MUST be whitelisted in Authorize.net admin panel under
         // "Response/Receipt URLs".
         $data['x_relay_url'] = $this->getReturnUrl();
         $data['x_cancel_url'] = $this->getCancelUrl();

src/Message/SIMCompleteAuthorizeRequest.php

@@ -11,10 +11,42 @@ class SIMCompleteAuthorizeRequest extends AbstractRequest
 {
     public function getData()
     {
-        if (strtolower($this->httpRequest->request->get('x_MD5_Hash')) !== $this->getHash()) {
+        // The hash sent in the callback from the Authorize.Net gateway.
+        $hash_posted = strtolower($this->httpRequest->request->get('x_MD5_Hash'));
+
+        // The transaction reference generated by the Authorize.Net gateway and sent in the callback.
+        $posted_transaction_reference = $this->httpRequest->request->get('x_trans_id');
+
+        // The amount that the callback has authorized.
+        $posted_amount = $this->httpRequest->request->get('x_amount');
+
+        // Calculate the hash locally, using the shared "hash secret" and login ID.
+        $hash_calculated = $this->getHash($posted_transaction_reference, $posted_amount);
+
+        if ($hash_posted !== $hash_calculated) {
+            // If the hash is incorrect, then we can't trust the source nor anything sent.
+            // Throwing exceptions here is probably a bad idea. We are trying to get the data,
+            // and if it is invalid, then we need to be able to log that data for analysis.
+            // Except we can't, baceuse the exception means we can't get to the data.
+            // For now, this is consistent with other OmniPay gateway drivers.
+
             throw new InvalidRequestException('Incorrect hash');
         }
 
+        // The hashes have passed, but the amount should also be validated against the
+        // amount in the stored and retrieved transaction. If the application has the
+        // ability to retrieve the transaction (using the transaction_id sent as a custom
+        // form field, or perhaps in an otherwise unused field such as x_invoice_id.
+
+        $amount = $this->getAmount();
+
+        if (isset($amount) && $amount != $posted_amount) {
+            // The amounts don't match. Someone may have been playing with the
+            // transaction references.
+
+            throw new InvalidRequestException('Incorrect amount');
+        }
+
         return $this->httpRequest->request->all();
     }
 
@@ -23,9 +55,16 @@ public function getData()
      * The transaction reference and the amount are both sent by the remote gateway (x_trans_id
      * and x_amount) and it is those that should be checked against.
      */
-    public function getHash()
+    public function getHash($transaction_reference, $amount)
     {
-        return md5($this->getHashSecret().$this->getApiLoginId().$this->getTransactionId().$this->getAmount());
+        $key = array(
+            $this->getHashSecret(),
+            $this->getApiLoginId(),
+            $transaction_reference,
+            $amount,
+         );
+
+        return md5(implode('', $key));
     }
 
     public function sendData($data)

src/Message/SIMCompleteAuthorizeResponse.php

@@ -9,9 +9,16 @@
  */
 class SIMCompleteAuthorizeResponse extends AbstractResponse
 {
+    // Response codes returned by Authorize.Net
+
+    const RESPONSE_CODE_APPROVED    = '1';
+    const RESPONSE_CODE_DECLINED    = '2';
+    const RESPONSE_CODE_ERROR       = '3';
+    const RESPONSE_CODE_REVIEW      = '4';
+
     public function isSuccessful()
     {
-        return isset($this->data['x_response_code']) && '1' === $this->data['x_response_code'];
+        return isset($this->data['x_response_code']) && static::RESPONSE_CODE_APPROVED === $this->data['x_response_code'];
     }
 
     public function getTransactionReference()

tests/Message/DPMCompleteRequestTest.php

@@ -25,14 +25,14 @@ public function testGetDataInvalid()
         $this->request->getData();
     }
 
-    public function testGetDpmHash()
+    public function testGetHash()
     {
-        $this->assertSame(md5(''), $this->request->getHash());
+        $this->assertSame(md5(''), $this->request->getHash('', ''));
 
         $this->request->setHashSecret('hashsec');
         $this->request->setApiLoginId('apilogin');
 
-        $this->assertSame(md5('hashsec' . 'apilogin' . 'trnid' . '10.00'), $this->request->getDpmHash('trnid', '10.00'));
+        $this->assertSame(md5('hashsec' . 'apilogin' . 'trnid' . '10.00'), $this->request->getHash('trnid', '10.00'));
     }
 
     public function testSend()

tests/Message/SIMCompleteAuthorizeRequestTest.php

@@ -23,34 +23,36 @@ public function testGetDataInvalid()
 
     public function testGetHash()
     {
-        $this->assertSame(md5(''), $this->request->getHash());
+        $this->assertSame(md5(''), $this->request->getHash('', ''));
 
         $this->request->setHashSecret('hashsec');
         $this->request->setApiLoginId('apilogin');
-        $this->request->setTransactionId('trnid');
-        $this->request->setAmount('10.00');
 
-        $this->assertSame(md5('hashsecapilogintrnid10.00'), $this->request->getHash());
+        $this->assertSame(md5('hashsec' . 'apilogin' . 'trnref ' . '10.00'), $this->request->getHash('trnref ', '10.00'));
     }
 
     public function testSend()
     {
+        $posted_trans_id = '12345'; // transactionReference in POST.
+        $posted_amount = '10.00'; // amount authothorised in POST.
+
         $this->getHttpRequest()->request->replace(
             array(
                 'x_response_code' => '1',
-                'x_trans_id' => '12345',
-                'x_MD5_Hash' => md5('shhhuser9910.00'),
+                'x_trans_id' => $posted_trans_id,
+                'x_amount' => $posted_amount,
+                'x_MD5_Hash' => md5('shhh' . 'user' . $posted_trans_id . $posted_amount),
             )
         );
         $this->request->setApiLoginId('user');
         $this->request->setHashSecret('shhh');
         $this->request->setAmount('10.00');
-        $this->request->setTransactionId(99);
+        //$this->request->setTransactionId(99);
 
         $response = $this->request->send();
 
         $this->assertTrue($response->isSuccessful());
-        $this->assertSame('12345', $response->getTransactionReference());
+        $this->assertSame($posted_trans_id, $response->getTransactionReference());
         $this->assertNull($response->getMessage());
     }
 }

tests/SIMGatewayTest.php

@@ -39,7 +39,8 @@ public function testCompleteAuthorize()
             array(
                 'x_response_code' => '1',
                 'x_trans_id' => '12345',
-                'x_MD5_Hash' => md5('elpmaxeexample9910.00'),
+                'x_amount' => '10.00',
+                'x_MD5_Hash' => md5('elpmaxe' . 'example' . '12345' . '10.00'),
             )
         );
 
@@ -68,7 +69,8 @@ public function testCompletePurchase()
             array(
                 'x_response_code' => '1',
                 'x_trans_id' => '12345',
-                'x_MD5_Hash' => md5('elpmaxeexample9910.00'),
+                'x_amount' => '10.00',
+                'x_MD5_Hash' => md5('elpmaxe' . 'example' . '12345' . '10.00'),
             )
         );