Callback Checksum Verification
To check the integrity of the callback, verify the checksum included in the query string before acting on any of its parameters. The checksum is generated using the following formula (PHP notation; the three values are concatenated directly, with no separator, and the result is the SHA-256 digest as 64 lowercase hexadecimal characters):
hash('sha256', orderUuid . status . createdAt)
Where:
- orderUuid is the value of the orderUuid parameter from the callback URL.
- status is the value of the status parameter from the callback URL.
- createdAt is the value of the createdAt parameter from the callback URL.
Example Verification (Conceptual):
// In your callback handler
// Reject requests where any expected parameter is absent or is not a plain string
// (e.g. orderUuid[]=x); concatenating an array or passing it to hash_equals() fails.
foreach (['orderUuid', 'status', 'createdAt', 'timestamp', 'checksum'] as $name) {
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        http_response_code(400); // Bad Request
        exit("Missing or malformed parameter: $name");
    }
}
$receivedOrderUuid = $_GET['orderUuid'];
$receivedStatus    = $_GET['status'];
$receivedCreatedAt = $_GET['createdAt'];
$receivedTimestamp = $_GET['timestamp']; // Not covered by the checksum; log it and check it for freshness
$receivedChecksum  = $_GET['checksum'];

// Reconstruct the exact string the checksum was computed over (no separators)
$stringToHash = $receivedOrderUuid . $receivedStatus . $receivedCreatedAt;
$calculatedChecksum = hash('sha256', $stringToHash); // 64 lowercase hex characters

// hash_equals() compares in constant time; a plain === comparison leaks timing information
if (hash_equals($calculatedChecksum, $receivedChecksum)) {
    // Checksum matches: process the callback data,
    // e.g. update the order status in your database
    http_response_code(200);
    echo "Callback successfully processed.";
} else {
    // Checksum mismatch: reject the callback as possibly tampered with
    // and log the discrepancy for security investigation
    error_log("Callback checksum mismatch for orderUuid=" . $receivedOrderUuid);
    http_response_code(403); // Forbidden
    echo "Checksum verification failed.";
}
A matching checksum confirms that orderUuid, status and createdAt arrived unchanged from the values the checksum was computed over. Because the formula contains no secret, anyone who knows it can produce a valid checksum for arbitrary values, so a match does not by itself prove that the callback was sent by the provider, and the timestamp parameter is not covered at all. Treat the checksum as one control among several: check the timestamp for freshness to limit replay of a captured URL, confirm that orderUuid refers to an order you actually created and that the status transition is one you expect, and where the provider offers an authenticated way to look up the order, confirm the final state through it before fulfilling the order.
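The same verification as a testable function, written as an added example for this page (it is not the provider's own code and the provider's PHP above is the normative version). It parses the callback URL, rejects missing or repeated parameters, recomputes the checksum, compares it in constant time, and applies a freshness window. Assumptions not stated on the page: parameter values are UTF-8, the checksum is lowercase hex as PHP's hash('sha256', ...) emits, timestamp is Unix seconds, and the 300-second window, the function names, the sample order values and the merchant URL are all made up here. The build_callback_url helper exists to show the caveat above in running code: since the formula has no secret, a URL built by any party verifies.

```python
"""Callback checksum verification, added example (not the provider's code)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

REQUIRED = ("orderUuid", "status", "createdAt", "timestamp", "checksum")


def compute_checksum(order_uuid: str, status: str, created_at: str) -> str:
    """sha256 over orderUuid . status . createdAt, returned as lowercase hex."""
    material = (order_uuid + status + created_at).encode("utf-8")  # UTF-8 assumed
    return hashlib.sha256(material).hexdigest()


def verify_callback(url: str, now: int, max_skew: int = 300):
    """Return (accepted, reason, params). `now` is injected so the check is testable.
    max_skew (seconds) is an assumed value, not something the page specifies."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Reject absent or repeated parameters; PHP's $_GET would silently keep the last copy.
    bad = [k for k in REQUIRED if len(query.get(k, [])) != 1]
    if bad:
        return False, "missing or repeated parameter: " + ", ".join(bad), None
    p = {k: query[k][0] for k in REQUIRED}

    expected = compute_checksum(p["orderUuid"], p["status"], p["createdAt"])
    # Constant-time comparison, the equivalent of PHP's hash_equals().
    if not hmac.compare_digest(expected.encode(), p["checksum"].encode()):
        return False, "checksum mismatch", None

    # timestamp is not covered by the checksum, so this only bounds how long a
    # captured URL can be replayed; it does not authenticate the sender.
    try:
        ts = int(p["timestamp"])  # Unix seconds assumed
    except ValueError:
        return False, "malformed timestamp", None
    if abs(now - ts) > max_skew:
        return False, "stale callback", None
    return True, "ok", p


def build_callback_url(base: str, order_uuid: str, status: str,
                       created_at: str, timestamp: int) -> str:
    """Build a callback URL whose checksum verifies. Any party can do this,
    because the formula contains no secret: the checksum detects alteration in
    transit but does not prove the callback came from the provider."""
    params = {
        "orderUuid": order_uuid,
        "status": status,
        "createdAt": created_at,
        "timestamp": str(timestamp),
        "checksum": compute_checksum(order_uuid, status, created_at),
    }
    return base + "?" + urlencode(params)


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value
    # Constructed sample values; the real orderUuid/createdAt formats come from the provider.
    url = build_callback_url("https://merchant.example/callback",
                             "3f0c5e3a-9b9d-4c8e-8f8b-2f7a1c6d1e2b",
                             "PAID", "2023-11-14T22:13:20Z", NOW)
    print(verify_callback(url, NOW))                                     # accepted
    print(verify_callback(url.replace("status=PAID", "status=FAILED"), NOW))  # mismatch
    print(verify_callback(url, NOW + 3600))                              # stale
```

The freshness window is a trade-off between clock skew between you and the provider and the replay exposure you accept; whatever value you choose, the check must also be paired with idempotent order-state updates, since a legitimately re-delivered callback will pass both tests.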