Verifying URL encoded body #8

Open
DrewRidley opened this issue Jun 4, 2021 · 7 comments

@DrewRidley

Hello,

The IPN body is a URL-encoded form. I tried passing it as a string to the SDK to verify the signature, but the SDK indicates that it requires an object. I am confused about the format it expects.

Thanks in advance,
Drew.

@OrahKokos
Owner

OrahKokos commented Jun 10, 2021

Hey Drew,
Thanks for the feedback.
This IPN lib should be updated to TypeScript, so problems like this are no longer encountered.
Will update this soon.

@DrewRidley
Author

Thanks for the update. IPN documentation was the one thing I felt that CoinPayments lacked, and as a developer I found it very difficult to verify the IPNs with my own code. There are very few libraries that offer HMAC signature checking, and the ones that do still did not work. How is the body encoded or formatted when its signature is created? Is it just the raw text of the URL-encoded form?

@OrahKokos
Owner

@DrewRidley
Author

DrewRidley commented Jun 21, 2021

I understand that this library is being updated to support URL-encoded bodies, but despite that, I would appreciate more clarification/insight into how the form payload is manipulated before being signed. I am using Cloudflare Workers for my backend, which requires me to use WebCrypto. For this reason, any insight into how I can manually verify the HMAC would be appreciated.

@OrahKokos
Owner

Hey @DrewRidley,
Pretty much everything is said in the official doc: https://www.coinpayments.net/merchant-tools-ipn
This lib is just one little function: https://github.com/OrahKokos/coinpayments-ipn/blob/master/lib/index.js#L14
So it just returns a boolean, verifying if the payload received is in fact coming from CoinPayments servers.

If you are managing multiple accounts the best I could suggest to you is to play around with:

  • IPN URL - Create Transaction/Deposit
  • Use "custom" fields to fill them up with some non-sensitive metadata for internal systems.

Hope this helps.

@DrewRidley
Author

Thanks for the clarification. I was stumped on how the payload is verified because I was generating an HMAC signature of the request 'body' and it did not match the HMAC CoinPayments generated. For this reason I wondered if the request headers were included in the HMAC signature, or if it was just the request body itself.

@OrahKokos
Owner

You just fetch the HMAC from the header and use it on the body only.
The only thing which I can see going wrong in your case, outside of simple mistakes, is some encoding problem.
There is some glue here: https://github.com/OrahKokos/coinpayments-ipn/blob/master/lib/index.js#L24
There might be some more oddities which I was not aware of, which would make this a bug.

Could you please describe your setup roughly (no sensitive info plox)? Will try to emulate the same test case
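
Added example, not part of the thread and not code from coinpayments-ipn: verifying the IPN signature with WebCrypto over the raw request body, and showing how parsing and re-serialising the form first breaks the check. It assumes HMAC-SHA512 keyed with the IPN secret and a hex signature in the `HMAC` header, as the linked CoinPayments documentation specifies; the secret, merchant value and form fields are constructed.

```javascript
// Added example, not code from coinpayments-ipn. Assumptions: HMAC-SHA512,
// hex signature in the "HMAC" header, IPN secret as key (per the linked doc).
// Workers and Node 20+ expose crypto globally; the require is a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

async function importSecret(ipnSecret) {
  return subtle.importKey("raw", enc.encode(ipnSecret),
    { name: "HMAC", hash: "SHA-512" }, false, ["sign", "verify"]);
}

// Hex -> bytes; returns null on anything that is not a 128-char hex SHA-512 MAC.
function hexToBytes(hex) {
  if (typeof hex !== "string" || !/^[0-9a-fA-F]{128}$/.test(hex)) return null;
  return Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16));
}

// rawBody must be the bytes exactly as received (e.g. await request.arrayBuffer()
// in a Worker), before any form parsing. subtle.verify compares in constant time.
async function verifyIpn(rawBody, hmacHeader, ipnSecret) {
  const sig = hexToBytes(hmacHeader);
  if (sig === null) return false;
  return subtle.verify("HMAC", await importSecret(ipnSecret), sig, rawBody);
}

// Test helper only: produces the header value a sender would compute.
async function signHex(rawBody, ipnSecret) {
  const mac = await subtle.sign("HMAC", await importSecret(ipnSecret), rawBody);
  return [...new Uint8Array(mac)].map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Constructed sample: secret, merchant id and field values are made up.
async function demo() {
  const secret = "constructed-ipn-secret";
  const wire = "ipn_mode=hmac&merchant=EXAMPLE&item_name=Test%20item&status=100";
  const rawBody = enc.encode(wire);
  const header = await signHex(rawBody, secret);

  // Parsing and re-serialising the form changes the bytes (%20 becomes +).
  const reserialised = new URLSearchParams(wire).toString();
  return {
    raw: await verifyIpn(rawBody, header, secret),                       // true
    reparsed: await verifyIpn(enc.encode(reserialised), header, secret), // false
    tampered: await verifyIpn(enc.encode(wire.replace("100", "2")), header, secret), // false
    badHeader: await verifyIpn(rawBody, "not-hex", secret),              // false
    reserialised,
  };
}
```

In a Worker, read the body once with `await request.arrayBuffer()`, verify it, and only then decode and parse the form fields from those same bytes.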
