Merge pull request 'Using IFormCollection for VerifyIncomingSignatureFromForm' (#112) from payments into master

Reviewed-on: #112

LiteCharms.Features.MidrandBooks/Extensions/Shop.cs

@@ -1,11 +1,12 @@
 using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Browser;
 using LiteCharms.Features.MidrandBooks.Abstractions;
 
 namespace LiteCharms.Features.MidrandBooks.Extensions;
 
 public static class Shop
 {
-    public static IServiceCollection AddShopServices(this IServiceCollection services)
+    public static IServiceCollection AddShopServices(this IServiceCollection services, bool includeLocalStorage = false)
     {
         var serviceType = typeof(IService);
 
@@ -19,6 +20,9 @@ public static class Shop
 
         foreach (var coreImplementation in coreImplementations) services.AddScoped(coreImplementation);
 
+        if (includeLocalStorage)
+            services.AddScoped<LocalStorageService>();
+
         return services;
     }
 }

LiteCharms.Features.MidrandBooks/LiteCharms.Features.MidrandBooks.csproj

@@ -148,6 +148,7 @@
 
   <!-- Shared Usings -->
   <ItemGroup>
+    <Using Include="Microsoft.AspNetCore.Http" />
     <Using Include="System.Net.Sockets" />
     <Using Include="System.Text.RegularExpressions" />
     <Using Include="System.Web" />

LiteCharms.Features.MidrandBooks/Payments/CartService.cs

@@ -1,5 +1,4 @@
-using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Browser;
-using LiteCharms.Features.Browser;
 using LiteCharms.Features.Hasher;
 using LiteCharms.Features.MidrandBooks.Authors.Models;
 using LiteCharms.Features.MidrandBooks.Payments.Models;
@@ -7,7 +6,7 @@ using LiteCharms.Features.MidrandBooks.Products.Models;
 
 namespace LiteCharms.Features.MidrandBooks.Payments;
 
-public sealed class CartService(LocalStorageService localStorage) : IService
+public sealed class CartService(LocalStorageService localStorage)
 {
     private readonly string CartStorageKey = HashService.ToMd5Hash(nameof(Cart)).Value;
 

LiteCharms.Features.MidrandBooks/Payments/PayfastService.cs

@@ -48,6 +48,39 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
         }
     }
 
+    public static bool VerifyIncomingSignatureFromForm(IFormCollection formCollection, string passphrase)
+    {
+        var sortedFields = new Dictionary<string, string>(StringComparer.Ordinal);
+
+        foreach (var field in formCollection)
+        {
+            sortedFields.Add(field.Key, field.Value.ToString());
+        }
+
+        if (!sortedFields.TryGetValue("signature", out var incomingSignature)) return false;
+
+        var stringBuilder = new StringBuilder();
+
+        foreach (var key in sortedFields.Keys)
+        {
+            if (key.Equals("signature", StringComparison.OrdinalIgnoreCase)) continue;
+
+            string encodedVal = HttpUtility.UrlEncode(sortedFields[key].Trim());
+            string cleanVal = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToUpperInvariant());
+
+            stringBuilder.Append($"{key}={cleanVal}&");
+        }
+
+        string encodedPassphrase = HttpUtility.UrlEncode(passphrase.Trim());
+        string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToUpperInvariant());
+
+        stringBuilder.Append($"passphrase={safePassphrase}");
+
+        string generatedSignature = HashService.ToMd5Hash(stringBuilder.ToString()).Value;
+
+        return incomingSignature.Equals(generatedSignature, StringComparison.OrdinalIgnoreCase);
+    }
+
     public async ValueTask<Result<bool>> ValidateReferrerIpAsync(string remoteIpAddress, bool allowLoopback = false, CancellationToken cancellationToken = default)
     {
         if(payfastOptions.Value?.ValidHosts?.Length == 0)
@@ -147,8 +180,35 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
     {
         var pfOutput = new StringBuilder();
 
-        // Define the exact structural sequence mandated by Payfast's documentation
+        var mandatorySequence = GetPayfastMandatoryFieldSequence();
-        string[] mandatorySequence =
+
+        foreach (string key in mandatorySequence)
+        {
+            if (data.TryGetValue(key, out string? rawValue) && !string.IsNullOrEmpty(rawValue))
+            {
+                string encodedVal = HttpUtility.UrlEncode(rawValue.Trim());
+                string val = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToUpperInvariant());
+
+                pfOutput.Append($"{key}={val}&");
+            }
+        }
+
+        var getString = pfOutput.Length > 0
+            ? pfOutput.ToString()[..^1]
+            : string.Empty;
+
+        if (!string.IsNullOrWhiteSpace(passPhrase))
+        {
+            string encodedPassphrase = HttpUtility.UrlEncode(passPhrase.Trim());
+            string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToUpperInvariant());
+
+            getString += $"&passphrase={safePassphrase}";
+        }
+
+        return HashService.ToMd5Hash(getString);
+    }
+
+    private static string[] GetPayfastMandatoryFieldSequence() =>
         [
             "merchant_id",
             "merchant_key",
@@ -182,35 +242,4 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
             "frequency",
             "cycles"
         ];
-
-        // 1. Iterate explicitly by the mandatory positional array sequence instead of the dictionary's internal order
-        foreach (string key in mandatorySequence)
-        {
-            // Only append if the key exists in your source dictionary and contains data
-            if (data.TryGetValue(key, out string? rawValue) && !string.IsNullOrEmpty(rawValue))
-            {
-                // Payfast requires spaces to be '+' signs. HttpUtility does this natively.
-                string encodedVal = HttpUtility.UrlEncode(rawValue.Trim());
-
-                // Payfast requires all OTHER percent-encoded hex arrays to be UPPERCASE (e.g., %3A instead of %3a)
-                string val = Regex.Replace(encodedVal, "%[0-9A-Fa-f]{2}", m => m.Value.ToUpperInvariant());
-
-                pfOutput.Append($"{key}={val}&");
-            }
-        }
-
-        string getString = pfOutput.Length > 0
-            ? pfOutput.ToString()[..^1]
-            : string.Empty;
-
-        if (!string.IsNullOrWhiteSpace(passPhrase))
-        {
-            string encodedPassphrase = HttpUtility.UrlEncode(passPhrase.Trim());
-            string safePassphrase = Regex.Replace(encodedPassphrase, "%[0-9A-Fa-f]{2}", m => m.Value.ToUpperInvariant());
-
-            getString += $"&passphrase={safePassphrase}";
-        }
-
-        return HashService.ToMd5Hash(getString);
-    }
 }

LiteCharms.Features.Tests.Common/appsettings.json

@@ -4,8 +4,6 @@
     "ValidHosts": [
       "www.payfast.co.za",
       "sandbox.payfast.co.za",
-      "w1w.payfast.co.za",
-      "w2w.payfast.co.za",
       "ips.payfast.co.za",
       "api.payfast.co.za",
       "payment.payfast.io"

LiteCharms.Features/Api/TokenService.cs

@@ -1,11 +1,10 @@
-using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Api.Configuration;
-using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Api.Models;
 using LiteCharms.Features.Api.Sdk;
 
 namespace LiteCharms.Features.Api;
 
-public sealed class TokenService(IConnectApi connectApi, IOptions<LiteCharmsClientSettings> clientOptions) : IService
+public sealed class TokenService(IConnectApi connectApi, IOptions<LiteCharmsClientSettings> clientOptions)
 {
     private readonly LiteCharmsClientSettings clientSettings = clientOptions.Value;
 

LiteCharms.Features/Extensions/Api.cs

@@ -46,6 +46,8 @@ public static class Api
                 options.Retry.BackoffType = Polly.DelayBackoffType.Exponential;
             });
 
+        services.AddScoped<TokenService>();
+
         return services;
     }