Merge pull request 'refactored incoming signature validator to use form fields instead of httprequest' (#111 ) from payments into master

Reviewed-on: #111
refactored incoming signature validator to use form fields instead of httprequest
2026-06-13 15:58:58 +02:00 · 2026-06-13 15:58:30 +02:00 · 2026-06-13 15:50:20 +02:00 · 2026-06-13 15:49:45 +02:00 · 2026-06-13 15:45:59 +02:00 · 2026-06-13 12:08:23 +02:00
3 changed files with 31 additions and 2 deletions
@@ -148,6 +148,7 @@
  <!-- Shared Usings -->
  <ItemGroup>
    <Using Include="Microsoft.AspNetCore.Http" />
    <Using Include="System.Net.Sockets" />
    <Using Include="System.Text.RegularExpressions" />
    <Using Include="System.Web" />
@@ -48,6 +48,36 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
        }
    }
    public static bool VerifyIncomingSignature(IDictionary<string, string> formFields, string passphrase)
    {
        if (!formFields.TryGetValue("signature", out string? incomingSignature))
            return false;
        var stringBuilder = new StringBuilder();
        foreach (var key in formFields.Keys)
        {
            if (key.Equals("signature", StringComparison.OrdinalIgnoreCase))
                continue;
            string rawValue = formFields[key] ?? string.Empty;
            string encodedVal = HttpUtility.UrlEncode(rawValue.Trim());
            string cleanVal = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToUpperInvariant());
            stringBuilder.Append($"{key}={cleanVal}&");
        }
        string encodedPassphrase = HttpUtility.UrlEncode(passphrase.Trim());
        string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToUpperInvariant());
        stringBuilder.Append($"passphrase={safePassphrase}");
        string generatedSignature = HashService.ToMd5Hash(stringBuilder.ToString()).Value;
        return incomingSignature.Equals(generatedSignature, StringComparison.OrdinalIgnoreCase);
    }
    public async ValueTask<Result<bool>> ValidateReferrerIpAsync(string remoteIpAddress, bool allowLoopback = false, CancellationToken cancellationToken = default)
    {
        if(payfastOptions.Value?.ValidHosts?.Length == 0)
@@ -4,8 +4,6 @@
    "ValidHosts": [
      "www.payfast.co.za",
      "sandbox.payfast.co.za",
      "w1w.payfast.co.za",
      "w2w.payfast.co.za",
      "ips.payfast.co.za",
      "api.payfast.co.za",
      "payment.payfast.io"
Author	SHA1	Message	Date
khwezi	da5f233c3b	Merge pull request 'refactored incoming signature validator to use form fields instead of httprequest' (#111 ) from payments into master Reviewed-on: #111	2026-06-13 15:58:58 +02:00
Khwezi Mngoma	02d89eec4f	refactored incoming signature validator to use form fields instead of httprequest continuous-integration/drone/pr Build is passing Details	2026-06-13 15:58:30 +02:00
khwezi	95dc2e2da2	Merge pull request 'payments' (#110 ) from payments into master Reviewed-on: #110	2026-06-13 15:50:20 +02:00
Khwezi Mngoma	59fc0432b4	ensure alphabetical sorting continuous-integration/drone/pr Build is passing Details	2026-06-13 15:49:45 +02:00
Khwezi Mngoma	99c0508f6f	Implemented separate signature validator	2026-06-13 15:45:59 +02:00
Khwezi Mngoma	b984dab2be	Updated valid payfast addresses	2026-06-13 12:08:23 +02:00