added transaction table, fixed signature auth. Monitor for bugs before rmoving bypass

2025-12-15 15:51:11 +02:00
parent 5768d8a7af
commit acd7f563b1
12 changed files with 716 additions and 191 deletions
--- a/test.php
+++ b/test.php
@@ -1,41 +1,56 @@
 <?php
-
 require_once("./src/config/env.php");
+require_once("./src/config/functions.php");

-/**
- * EXACT escape function from iKhokha docs
- */
-function escapeString($str) {
-    $escaped = preg_replace(
-        ['/[\\"\'\"]/u', '/\x00/'],
-        ['\\\\$0', '\\0'],
-        (string)$str
-    );
-    $cleaned = str_replace('\/', '/', $escaped);
-    return $cleaned;
-}
+$callbackUrl = $_ENV['IKHOKHA_CALLBACK_URL'] ?? '';
+$secret      = $_ENV['IKHOKHA_APP_SECRET'] ?? '';
+$path        = '/src/api/ikhokha_webhook.php';

-$callbackUrl = $_ENV['IKHOKHA_CALLBACK_URL'] ?? null;
-$path = '/src/api/ikhokha_webhook.php';
-$secret      = $_ENV['IKHOKHA_APP_SECRET'] ?? null;
-
-// Simulated raw webhook body (EXACT, no whitespace changes)
+// Simulated raw webhook body (EXACT)
 $raw = '{"paylinkID":"ys5225k4z56x0mm","status":"SUCCESS","externalTransactionID":"693efeaca71a9","responseCode":"00","text":null}';

-echo "<strong>IK-SIGN FROM WEBHOOK:</strong><br>";
-echo "bb1702d488a40091ebd5414bc6f524e203e2c5e36b24a1b86e243dad440bb557<br><br>";
+// Simulated header signature from iKhokha
+$ikSignFromWebhook = 'bb1702d488a40091ebd5414bc6f524e203e2c5e36b24a1b86e243dad440bb557';

-$payloadToSign = $path . $raw; 
+// Simulated raw webhook body (EXACT)
+$raw = '{"paylinkID":"ys5225k4z56x0mm","status":"SUCCESS","externalTransactionID":"693efeaca71a9","responseCode":"00","text":null}';

-// Generate signature using hash_hmac directly on the constructed string
-$expected = hash_hmac('sha256', $payloadToSign, $secret);
+// Simulated header signature from iKhokha
+$ikSignFromWebhook = 'bb1702d488a40091ebd5414bc6f524e203e2c5e36b24a1b86e243dad440bb557';

-// --- Output debug info (UPDATED) ---
-echo "<strong>DEBUG INFO</strong><br>";
-echo "Callback URL: $callbackUrl<br><br>";
+// Decode JSON string into array
+$bodyArray = json_decode($raw, true);

-echo "<strong>Payload to Sign (Un-escaped):</strong><br>";
-echo htmlspecialchars($payloadToSign) . "<br><br>";
+// Remove `text` key exactly like JS
+unset($bodyArray['text']);
+
+// Re-encode JSON (no double-encoding)
+$cleanBody = json_encode($bodyArray, JSON_UNESCAPED_SLASHES);
+
+// Now sign the SAME payload JS signs
+$payloadToSign = createPayloadToSign($callbackUrl, $cleanBody);
+
+$ikSign = generateSignature($payloadToSign, $secret);
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>iKhokha Signature Debug (JS)</title>
+</head>
+<body>
+
+<h3>IK-SIGN FROM WEBHOOK:</h3>
+<pre><?= htmlspecialchars($ikSignFromWebhook) ?></pre>
+
+<h3>DEBUG INFO</h3>
+<p><strong>Callback URL:</strong> <?= htmlspecialchars($callbackUrl) ?></p>
+
+<h3>Payload to Sign (Un-escaped):</h3>
+
+<pre><?= $payloadToSign ?></pre>
+
+<h3>EXPECTED SIGNATURE (JS):</h3>
+
+<pre><?= $ikSign ?></pre>

-echo "<strong>EXPECTED SIGNATURE:</strong><br>";
-echo $expected . "<br>";