
Commit ae6ac85

authored
[utility] Sorts values before hashing (#81)
1 parent 239cd49 commit ae6ac85


2 files changed

+11
-8
lines changed


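--- a/lib/razorpay/utility.rb
+++ b/lib/razorpay/utility.rb
@@ -4,11 +4,12 @@ module Razorpay
 # Helper functions are defined here
 class Utility
 def self.verify_payment_signature(attributes)
-signature = attributes[:razorpay_signature]
-order_id = attributes[:razorpay_order_id] || attributes[:razorpay_subscription_id]
-payment_id = attributes[:razorpay_payment_id]
+signature = attributes.delete(:razorpay_signature)
 
-data = [order_id, payment_id].join '|'
+# Data requires the values to be in sorted order of their keys.
+# attributes.sort returns a nested array, and the last
+# element of each is the value. These are joined.
+data = attributes.sort.map(&:last).join('|')
 
 secret = Razorpay.auth[:password]
 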
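Review bot: The string that gets signed is now built from every entry the caller passes, so `data = attributes.sort.map(&:last).join('|')` has no allow-list and no presence check. An extra key (for example a whole request params hash) changes the hashed data, and each value is tied to its sort position rather than to its field name. Building it from a fixed key list keeps the same ordering for the cases in the tests: `ids = %i[razorpay_order_id razorpay_payment_id razorpay_subscription_id].map { |k| attributes[k] }.compact`, then `data = ids.join('|')`, raising `ArgumentError` when fewer than two ids are present. Separately, `attributes.delete(:razorpay_signature)` mutates the caller's hash, so verifying the same hash a second time would see a nil signature; reading it with `attributes[:razorpay_signature]` avoids that. The method body continues outside the hunk, so the HMAC computation and comparison are not visible here.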
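--- a/test/razorpay/test_utility.rb
+++ b/test/razorpay/test_utility.rb
@@ -9,9 +9,9 @@ def setup
 
 def test_payment_signature_verification
 payment_response = {
-razorpay_order_id: 'fake_order_id',
+razorpay_order_id: 'fake_other_id',
 razorpay_payment_id: 'fake_payment_id',
-razorpay_signature: 'b2335e3b0801106b84a7faff035df56ecffde06918c9ddd1f0fafbb37a51cc89'
+razorpay_signature: '965ee2de4c5c4e6f006fb0a5a1736d992e5d4d52f9fe10b98c9b97ee169ebe18'
 }
 Razorpay::Utility.verify_payment_signature(payment_response)
 
@@ -23,10 +23,12 @@ def test_payment_signature_verification
 
 def test_subscription_signature_verification
 payment_response = {
-razorpay_subscription_id: 'fake_order_id',
 razorpay_payment_id: 'fake_payment_id',
-razorpay_signature: 'b2335e3b0801106b84a7faff035df56ecffde06918c9ddd1f0fafbb37a51cc89'
+razorpay_subscription_id: 'fake_other_id',
+razorpay_signature: '3dabcab8ca113e7994cf78c80f8d50974ddfb2d380029743f30a6d67934cd845'
 }
+# A different signature is expected here compared to the previous test,
+# since the sorted order of the keys is different in this case
 Razorpay::Utility.verify_payment_signature(payment_response)
 
 payment_response[:razorpay_signature] = '_dummy_signature' * 4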
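Review bot: Neither test pins the new input contract of `verify_payment_signature`: the visible cases pass exactly the expected symbol keys, with none covering an unexpected extra key or a missing id. The reassignment `payment_response[:razorpay_signature] = '_dummy_signature' * 4` also puts the key back after the call, so the tests cannot notice that verification removed it from the caller's hash. A check such as `assert payment_response.key?(:razorpay_signature)` right after the first call would pin non-mutation, and a case with one extra key would document whether such input is meant to be rejected. Both test methods continue outside the hunks, so later assertions are not visible here.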
