[bop-devel] AuthorizeNet MD5 Check

Ivan Kohler ivan at sisd.com
Mon Oct 1 15:38:14 PDT 2007


On Thu, Sep 27, 2007 at 07:26:57AM -0700, Bill Moseley wrote:
> This discussion is about using the md5 returned by Authorize.net to
> validate the response.  The current ::AuthorizeNet class exposes the
> md5 returned from the response, but doesn't expose all the data needed
> to make use of the md5, namely the "amount".  The amount returned in
> the response can be different (reformatted) in the response from what
> is sent in the request.
> 
> On Tue, Sep 25, 2007 at 02:03:07PM -0700, Ivan Kohler wrote:
> > > > What are you trying to do?
> > > 
> > > Provide additional functionality.  For example, as I commented before,
> > > 
> > >     $tx->validate_md5( $secret );
> > > 
> > > or even just to override submit to include the md5 check.
> > 
> > This seems like you would modify the module itself, not write a separate 
> > class.
> 
> Ok, my question is where should the "amount" returned in the response
> be stored?
> 
> There's just one object for request and response so I could just do:
> 
>     $self->amount( $col[9] );  # save "amount" from response.
> 
> for example.  But, that's altering the "request" amount.
> 
> That is if one did:
> 
>     $tx->amount( $amount );
>     $tx->submit;
> 
> Then it's possible that $tx->amount ne $amount, although they may be
> equal in value ( == ).  See the AIM docs on how it might be
> reformatted.
> 
> I don't see that as a problem, but another option would be instead
> use a different accessor name:
> 
> 
>     $self->returned_amount( $col[9] );  # save "amount" from response.
> 
> so there's no risk of clash.
> 
> Which would you pick?

Given things as they are (no clear separation between gateway, request 
and return info), I would pick returned_amount.

> Ivan, you commented in private mail that a new method validate_md5
> is specific to Authorize.net, but the general idea is not -- so maybe
> there needs to be a more general method to validate a response.
> Perhaps:
> 
>     $self->validate_response( secret => $key );

That sounds good.

> (In my abstraction layer when I create my gateway object I save the
> key, and then all later transactions automatically validate the
> response).
> 
> Finally, if I add this validation to AuthorizeNet do you want the
> changes?  If so, is there a repo I can provide a diff against?

CVSROOT=":pserver:anonymous at cvs.420.am:/home/cvs/cvsroot"
User: anonymous
Pass: anonymous
Module: Business-OnlinePayment-AuthorizeNet

-- 
_ivan
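
The check discussed in this thread, sketched as an added example (not code from the thread or from Business::OnlinePayment::AuthorizeNet). It assumes the AIM hash is MD5 over secret, login, transaction ID and amount concatenated in that order; `validate_response` here is a hypothetical stand-alone function, and all sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Assumed AIM layout: hash = MD5(secret . login . transaction id . amount),
# with the amount exactly as the gateway formatted it in the response.
sub expected_md5 {
    my (%a) = @_;
    return uc md5_hex( join '', @a{qw(secret login trans_id amount)} );
}

# Compare without stopping at the first differing character.
sub same_string {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Hypothetical stand-in for the validate_response method proposed above.
sub validate_response {
    my (%a) = @_;
    my $want = expected_md5( %a, amount => $a{returned_amount} );
    return ( 0, 'md5 mismatch' ) unless same_string( $want, uc $a{md5} );
    # The hash only covers what the gateway says it charged, so also
    # compare that against the request by value (==), not as a string.
    return ( 0, 'amount differs from request' )
        unless $a{returned_amount} == $a{requested_amount};
    return ( 1, 'ok' );
}

# Constructed sample values, not real credentials or gateway output.
my %tx = (
    secret   => 'example-secret', login            => 'examplelogin',
    trans_id => '1234567890',     requested_amount => '10',
    returned_amount => '10.00',
);
$tx{md5} = expected_md5( %tx, amount => $tx{returned_amount} );

printf "returned_amount: %s\n", ( validate_response(%tx) )[1];
# Hashing the amount as sent ("10") does not match what the gateway hashed.
printf "request amount:  %s\n",
    ( validate_response( %tx, returned_amount => $tx{requested_amount} ) )[1];
```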

