Merge pull request #111 from swlodarski-sumoheavy/10.0.x

SP-966 - Validate incoming webhooks

Author: p-maguire

Exception/HMACVerificationException.php

@@ -0,0 +1,9 @@
+<?php
+declare(strict_types=1);
+
+namespace Bitpay\BPCheckout\Exception;
+
+class HMACVerificationException extends \Exception
+{
+
+}

Model/BPRedirect.php

@@ -37,6 +37,7 @@ class BPRedirect
     protected OrderRepository $orderRepository;
     protected BitpayInvoiceRepository $bitpayInvoiceRepository;
     protected ReturnHash $returnHashHelper;
+    protected EncryptorInterface $encryptor;
 
     /**
      * @param Session $checkoutSession
@@ -53,6 +54,7 @@ class BPRedirect
      * @param OrderRepository $orderRepository
      * @param BitpayInvoiceRepository $bitpayInvoiceRepository
      * @param ReturnHash $returnHashHelper
+     * @param EncryptorInterface $encryptor
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -69,7 +71,8 @@ public function __construct(
         Client $client,
         OrderRepository $orderRepository,
         BitpayInvoiceRepository $bitpayInvoiceRepository,
-        ReturnHash $returnHashHelper
+        ReturnHash $returnHashHelper,
+        EncryptorInterface $encryptor,
     ) {
         $this->checkoutSession = $checkoutSession;
         $this->orderInterface = $orderInterface;
@@ -85,6 +88,7 @@ public function __construct(
         $this->orderRepository = $orderRepository;
         $this->bitpayInvoiceRepository = $bitpayInvoiceRepository;
         $this->returnHashHelper = $returnHashHelper;
+        $this->encryptor = $encryptor;
     }
 
     /**
@@ -150,7 +154,8 @@ public function execute(ResultInterface $defaultResult, string $returnId = null)
                 $order->getId(),
                 $invoiceID,
                 $invoice->getExpirationTime(),
-                $invoice->getAcceptanceWindow()
+                $invoice->getAcceptanceWindow(),
+                $this->encryptor->encrypt($this->config->getToken())
             );
             $this->transactionRepository->add($incrementId, $invoiceID, 'new');
 

Model/BitpayInvoiceRepository.php

@@ -21,11 +21,17 @@ public function __construct(BitpayInvoice $bitpayInvoice)
      * @param string $invoiceID
      * @param int $expirationTime
      * @param int|null $acceptanceWindow
+     * @param string|null $bitpayToken
      * @return void
      */
-    public function add(string $orderId, string $invoiceID, int $expirationTime, ?int $acceptanceWindow): void
-    {
-        $this->bitpayInvoice->add($orderId, $invoiceID, $expirationTime, $acceptanceWindow);
+    public function add(
+        string $orderId,
+        string $invoiceID,
+        int $expirationTime,
+        ?int $acceptanceWindow,
+        ?string $bitpayToken
+    ): void {
+        $this->bitpayInvoice->add($orderId, $invoiceID, $expirationTime, $acceptanceWindow, $bitpayToken);
     }
 
     /**

Model/Ipn/WebhookVerifier.php

@@ -0,0 +1,32 @@
+<?php
+declare(strict_types=1);
+
+namespace Bitpay\BPCheckout\Model\Ipn;
+
+class WebhookVerifier
+{
+    /**
+     * Verify the validity of webhooks (HMAC)
+     *
+     * @see https://developer.bitpay.com/reference/hmac-verification
+     *
+     * @param string $signingKey
+     * @param string $sigHeader
+     * @param string $webhookBody
+     *
+     * @return bool
+     */
+    public function isValidHmac(string $signingKey, string $sigHeader, string $webhookBody): bool
+    {
+        $hmac = base64_encode(
+            hash_hmac(
+                'sha256',
+                $webhookBody,
+                $signingKey,
+                true
+            )
+        );
+
+        return $sigHeader === $hmac;
+    }
+}

Model/IpnManagement.php

@@ -5,20 +5,23 @@
 
 use Bitpay\BPCheckout\Api\IpnManagementInterface;
 use Bitpay\BPCheckout\Exception\IPNValidationException;
+use Bitpay\BPCheckout\Exception\HMACVerificationException;
 use Bitpay\BPCheckout\Helper\ReturnHash;
 use Bitpay\BPCheckout\Logger\Logger;
 use Bitpay\BPCheckout\Model\Ipn\BPCItem;
 use Bitpay\BPCheckout\Model\Ipn\Validator;
+use Bitpay\BPCheckout\Model\Ipn\WebhookVerifier;
 use Magento\Checkout\Model\Session;
 use Magento\Framework\App\ResponseFactory;
 use Magento\Framework\DataObject;
+use Magento\Framework\Encryption\EncryptorInterface;
 use Magento\Framework\Registry;
 use Magento\Framework\Serialize\Serializer\Json;
 use Magento\Framework\UrlInterface;
 use Magento\Framework\Webapi\Rest\Request;
 use Magento\Framework\Webapi\Rest\Response;
 use Magento\Quote\Model\QuoteFactory;
-use Magento\Sales\Api\Data\OrderInterface;
+use Magento\Sales\Model\OrderFactory;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -32,7 +35,7 @@ class IpnManagement implements IpnManagementInterface
     protected UrlInterface $url;
     protected Session $checkoutSession;
     protected QuoteFactory $quoteFactory;
-    protected OrderInterface $orderInterface;
+    protected OrderFactory $orderFactory;
     protected Registry $coreRegistry;
     protected Logger $logger;
     protected Config $config;
@@ -42,14 +45,33 @@ class IpnManagement implements IpnManagementInterface
     protected Request $request;
     protected Client $client;
     protected Response $response;
+
+    /**
+     * @var BitpayInvoiceRepository
+     */
+    protected BitpayInvoiceRepository $bitpayInvoiceRepository;
+
+    /**
+     * @var EncryptorInterface
+     */
+    protected EncryptorInterface $encryptor;
+
+    /**
+     * @var WebhookVerifier
+     */
+    protected WebhookVerifier $webhookVerifier;
+
+    /**
+     * @var ReturnHash
+     */
     protected ReturnHash $returnHashHelper;
 
     /**
      * @param ResponseFactory $responseFactory
      * @param UrlInterface $url
      * @param Registry $registry
      * @param Session $checkoutSession
-     * @param OrderInterface $orderInterface
+     * @param OrderFactory $orderFactory
      * @param QuoteFactory $quoteFactory
      * @param Logger $logger
      * @param Config $config
@@ -59,6 +81,9 @@ class IpnManagement implements IpnManagementInterface
      * @param Request $request
      * @param Client $client
      * @param Response $response
+     * @param BitpayInvoiceRepository $bitpayInvoiceRepository
+     * @param EncryptorInterface $encryptor
+     * @param WebhookVerifier $webhookVerifier
      * @param ReturnHash $returnHashHelper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -67,7 +92,7 @@ public function __construct(
         UrlInterface $url,
         Registry $registry,
         Session $checkoutSession,
-        OrderInterface $orderInterface,
+        OrderFactory $orderFactory,
         QuoteFactory $quoteFactory,
         Logger $logger,
         Config $config,
@@ -77,13 +102,16 @@ public function __construct(
         Request $request,
         Client $client,
         Response $response,
+        BitpayInvoiceRepository $bitpayInvoiceRepository,
+        EncryptorInterface $encryptor,
+        WebhookVerifier $webhookVerifier,
         ReturnHash $returnHashHelper
     ) {
         $this->coreRegistry = $registry;
         $this->responseFactory = $responseFactory;
         $this->url = $url;
         $this->quoteFactory = $quoteFactory;
-        $this->orderInterface = $orderInterface;
+        $this->orderFactory = $orderFactory;
         $this->checkoutSession = $checkoutSession;
         $this->logger = $logger;
         $this->config = $config;
@@ -93,6 +121,9 @@ public function __construct(
         $this->request = $request;
         $this->client = $client;
         $this->response = $response;
+        $this->bitpayInvoiceRepository = $bitpayInvoiceRepository;
+        $this->encryptor = $encryptor;
+        $this->webhookVerifier = $webhookVerifier;
         $this->returnHashHelper = $returnHashHelper;
     }
 
@@ -108,7 +139,7 @@ public function postClose()
         $response = $this->responseFactory->create();
         try {
             $orderID = $this->request->getParam('orderID', null);
-            $order = $this->orderInterface->loadByIncrementId($orderID);
+            $order = $this->orderFactory->create()->loadByIncrementId($orderID);
             $invoiceCloseHandling = $this->config->getBitpayInvoiceCloseHandling();
             if ($this->config->getBitpayCheckoutSuccess() === 'standard' && $invoiceCloseHandling === 'keep_order') {
                 $this->checkoutSession->setLastSuccessQuoteId($order->getQuoteId())
@@ -151,10 +182,22 @@ public function postClose()
     public function postIpn()
     {
         try {
-            $allData = $this->serializer->unserialize($this->request->getContent());
+            $requestBody = $this->request->getContent();
+            $allData = $this->serializer->unserialize($requestBody);
             $data = $allData['data'];
             $event = $allData['event'];
             $orderId = $data['orderId'];
+
+            $bitPayInvoiceData = $this->bitpayInvoiceRepository->getByOrderId($orderId);
+            if (!empty($bitPayInvoiceData['bitpay_token'])) {
+                $signingKey = $this->encryptor->decrypt($bitPayInvoiceData['bitpay_token']);
+                $xSignature = $this->request->getHeader('x-signature');
+
+                if (!$this->webhookVerifier->isValidHmac($signingKey, $xSignature, $requestBody)) {
+                    throw new HMACVerificationException('HMAC Verification Failed!');
+                }
+            }
+
             $orderInvoiceId = $data['id'];
             $row = $this->transactionRepository->findBy($orderId, $orderInvoiceId);
             $client = $this->client->initialize();
@@ -179,7 +222,7 @@ public function postIpn()
             $invoiceStatus = $this->invoice->getBPCCheckInvoiceStatus($client, $orderInvoiceId);
             $updateWhere = ['order_id = ?' => $orderId, 'transaction_id = ?' => $orderInvoiceId];
             $this->transactionRepository->update('transaction_status', $invoiceStatus, $updateWhere);
-            $order = $this->orderInterface->loadByIncrementId($orderId);
+            $order = $this->orderFactory->create()->loadByIncrementId($orderId);
             switch ($event['name']) {
                 case Invoice::COMPLETED:
                     if ($invoiceStatus == 'complete') {

Model/ResourceModel/BitpayInvoice.php

@@ -26,10 +26,16 @@ public function _construct()
      * @param string $invoiceID
      * @param int $expirationTime
      * @param int|null $acceptanceWindow
+     * @param string|null $bitpayToken
      * @return void
      */
-    public function add(string $orderId, string $invoiceID, int $expirationTime, ?int $acceptanceWindow)
-    {
+    public function add(
+        string $orderId,
+        string $invoiceID,
+        int $expirationTime,
+        ?int $acceptanceWindow,
+        ?string $bitpayToken
+    ) {
         $connection = $this->getConnection();
         $table_name = $connection->getTableName(self::TABLE_NAME);
         $connection->insert(
@@ -38,7 +44,8 @@ public function add(string $orderId, string $invoiceID, int $expirationTime, ?in
                 'order_id' => $orderId,
                 'invoice_id' => $invoiceID,
                 'expiration_time' => $expirationTime,
-                'acceptance_window'=> $acceptanceWindow
+                'acceptance_window'=> $acceptanceWindow,
+                'bitpay_token' => $bitpayToken
             ]
         );
     }

Test/Integration/Model/BPRedirectTest.php

@@ -24,6 +24,7 @@
 use Magento\Sales\Model\OrderRepository;
 use Magento\TestFramework\Helper\Bootstrap;
 use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\MockObject\MockObject;
 use Magento\Framework\Encryption\EncryptorInterface;
 
 /**
@@ -111,27 +112,45 @@ class BPRedirectTest extends TestCase
      * @var EncryptorInterface|MockObject $encryptor
      */
     private $encryptor;
+
+    /**
+     * @var ReturnHash $returnHash
+     */
+    private $returnHash;
+
+
     public function setUp(): void
     {
         $this->objectManager =  Bootstrap::getObjectManager();
         $this->checkoutSession = $this->objectManager->get(Session::class);
         $this->orderInterface = $this->objectManager->get(OrderInterface::class);
         $this->config = $this->objectManager->get(Config::class);
         $this->transactionRepository = $this->objectManager->get(TransactionRepository::class);
+        /**
+         * @var Invoice|MockObject
+         */
         $this->invoice = $this->getMockBuilder(Invoice::class)->disableOriginalConstructor()->getMock();
         $this->messageManager = $this->objectManager->get(Manager::class);
         $this->registry = $this->objectManager->get(Registry::class);
         $this->url = $this->objectManager->get(UrlInterface::class);
         $this->logger = $this->objectManager->get(Logger::class);
         $this->resultFactory = $this->objectManager->get(ResultFactory::class);
+        /**
+         * @var Client|MockObject
+         */
         $this->client = $this->getMockBuilder(Client::class)->disableOriginalConstructor()->getMock();
         $this->orderRepository = $this->objectManager->get(OrderRepository::class);
         $this->bitpayInvoiceRepository = $this->objectManager->get(BitpayInvoiceRepository::class);
         $this->bitpayInvoiceRepository = $this->objectManager->get(BitpayInvoiceRepository::class);
+        /**
+         * @var EncryptorInterface|MockObject
+         */
         $this->encryptor = $this->getMockBuilder(EncryptorInterface::class)
              ->disableOriginalConstructor()
              ->getMock();
 
+        $this->returnHash = $this->objectManager->get(ReturnHash::class);
+
         $this->bpRedirect = new BPRedirect(
             $this->checkoutSession,
             $this->orderInterface,
@@ -146,6 +165,7 @@ public function setUp(): void
             $this->client,
             $this->orderRepository,
             $this->bitpayInvoiceRepository,
+            $this->returnHash,
             $this->encryptor
         );
     }
@@ -197,7 +217,6 @@ public function testExecute(): void
         $this->assertEquals('100000001', $result[0]['order_id']);
         $this->assertEquals('new', $result[0]['transaction_status']);
         $this->assertEquals('test', $this->config->getBitpayEnv());
-        $this->assertEquals('redirect', $this->config->getBitpayUx());
         $this->assertEquals($bitpayMethodCode, $methodCode);
     }