[bop-devel] AuthorizeNet MD5 Check

Bill Moseley moseley at hank.org
Thu Sep 27 07:26:57 PDT 2007


This discussion is about using the md5 returned by Authorize.net to
validate the response.  The current ::AuthorizeNet class exposes the
md5 returned from the response, but doesn't expose all the data needed
to make use of the md5, namely the "amount".  The amount returned in
the response can be different (reformatted) in the response from what
is sent in the request.

On Tue, Sep 25, 2007 at 02:03:07PM -0700, Ivan Kohler wrote:
> > > What are you trying to do?
> > 
> > Provide additional functionality.  For example, as I commented before,
> > 
> >     $tx->validate_md5( $secret );
> > 
> > or even just to override submit to include the md5 check.
> 
> This seems like you would modify the module itself, not write a separate 
> class.

Ok, my question is where should the "amount" returned in the response
be stored?

There's just one object for request and response so I could just do:

    $self->amount( $col[9] );  # save "amount" from response.

for example.  But, that's altering the "request" amount.

That is, if one did:

    $tx->amount( $amount );
    $tx->submit;

Then it's possible that $tx->amount ne $amount, although they may be
equal in value ( == ).  See the AIM docs on how it might be
reformatted.

I don't see that as a problem, but another option would be to instead
use a different accessor name:


    $self->returned_amount( $col[9] );  # save "amount" from response.

so there's no risk of clash.

Which would you pick?

Ivan, you commented in private mail that a new method validate_md5
is specific to Authorize.net, but the general idea is not -- so maybe
there needs to be a more general method to validate a response.
Perhaps:

    $self->validate_response( secret => $key );


(In my abstraction layer when I create my gateway object I save the
key, and then all later transactions automatically validate the
response).

Finally, if I add this validation to AuthorizeNet do you want the
changes?  If so, is there a repo I can provide a diff against?


-- 
Bill Moseley
moseley at hank.org
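
An added example, not part of the original message or of the module's code: a standalone sketch of the response check discussed above, showing why the hash has to be computed over the amount string as returned in the response rather than the one sent in the request. It assumes the AIM hash is MD5(secret . login . transaction id . amount); the function names expected_md5 and hashes_match, the argument names, and all sample values are hypothetical or constructed.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Assumed formula: MD5( secret . login . transaction id . amount ), with the
# amount taken as the exact string found in the gateway response.
sub expected_md5 {
    my (%a) = @_;
    return uc md5_hex( join '', @a{qw(secret login trans_id amount)} );
}

# Compare every character so timing does not reveal how much of the hash matched.
sub hashes_match {
    my ( $x, $y ) = map { uc( $_ // '' ) } @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns 1 only when the response carries a well-formed hash that matches.
sub validate_response {
    my (%a) = @_;
    return 0 unless defined $a{returned_md5}
        && $a{returned_md5} =~ /\A[0-9A-Fa-f]{32}\z/;
    return hashes_match( expected_md5(%a), $a{returned_md5} );
}

# Constructed sample data: the request sent "10", the response echoes "10.00".
my %gateway         = ( secret => 'example-secret', login => 'examplelogin' );
my $request_amount  = '10';
my $returned_amount = '10.00';
my $trans_id        = '1234567890';

# Simulate the gateway side, which hashes its own formatting of the amount.
my $returned_md5 = expected_md5( %gateway,
    trans_id => $trans_id, amount => $returned_amount );

for my $case ( [ 'request amount', $request_amount ],
               [ 'returned amount', $returned_amount ] ) {
    my $ok = validate_response( %gateway,
        trans_id     => $trans_id,
        amount       => $case->[1],
        returned_md5 => $returned_md5 );
    printf "%-16s %-6s => %s\n", $case->[0], $case->[1],
        $ok ? 'valid' : 'INVALID';
}
```

A missing or malformed hash is treated as a failed validation, so a response that omits the field cannot pass the check.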


