From 59fc0432b4bee005999d3b860a887c648bb6664e Mon Sep 17 00:00:00 2001
From: Khwezi Mngoma <khwezi@msn.com>
Date: Sat, 13 Jun 2026 15:49:45 +0200
Subject: [PATCH] ensure alphabetical sorting

---
 .../Payments/PayfastService.cs                    | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/LiteCharms.Features.MidrandBooks/Payments/PayfastService.cs b/LiteCharms.Features.MidrandBooks/Payments/PayfastService.cs
index cbca90d..5ebaa7e 100644
--- a/LiteCharms.Features.MidrandBooks/Payments/PayfastService.cs
+++ b/LiteCharms.Features.MidrandBooks/Payments/PayfastService.cs
@@ -3,7 +3,6 @@ using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Hasher;
 using LiteCharms.Features.MidrandBooks.Payments.Models;
 using LiteCharms.Features.MidrandBooks.Postgres;
-using Microsoft.AspNetCore.Http;
 
 namespace LiteCharms.Features.MidrandBooks.Payments;
 
@@ -51,7 +50,10 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
 
     public static bool VerifyIncomingSignature(HttpRequest request, string passphrase)
     {
-        var formFields = request.Form.ToDictionary(x => x.Key, x => x.Value.ToString());
+        var formFields = new Dictionary<string, string>(StringComparer.Ordinal);
+
+        foreach (var file in request.Form)
+            formFields.Add(file.Key, file.Value.ToString());
 
         if (!formFields.TryGetValue("signature", out string? incomingSignature))
             return false;
@@ -63,18 +65,21 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
             if (key.Equals("signature", StringComparison.OrdinalIgnoreCase))
                 continue;
 
-            string encodedVal = HttpUtility.UrlEncode(formFields[key].Trim());
-            string cleanVal = PercentEncodingRegex.Replace(encodedVal,  m => m.Value.ToUpperInvariant());
+            string rawValue = formFields[key] ?? string.Empty;
+
+            string encodedVal = HttpUtility.UrlEncode(rawValue.Trim());
+            string cleanVal = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToUpperInvariant());
 
             stringBuilder.Append($"{key}={cleanVal}&");
         }
 
         string encodedPassphrase = HttpUtility.UrlEncode(passphrase.Trim());
-        string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase,  m => m.Value.ToUpperInvariant());
+        string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToUpperInvariant());
 
         stringBuilder.Append($"passphrase={safePassphrase}");
 
         string generatedSignature = HashService.ToMd5Hash(stringBuilder.ToString()).Value;
+
         return incomingSignature.Equals(generatedSignature, StringComparison.OrdinalIgnoreCase);
     }