[bop-devel] AuthorizeNet MD5 Check
Bill Moseley
moseley at hank.org
Thu Sep 27 12:24:34 PDT 2007
On Thu, Sep 27, 2007 at 10:40:35AM -0600, Jason Hall wrote:
> Instead I would say that the Auth.net module instead would have this
> behavior built into its submit method. When it gets the response it should
> perform validation while all the data is there, then look at an internal
> flag to see if it should just warn on mismatch, or die (or other
> configurable behavior).

It can't do this without additional information from the client. The
md5 returned by Auth.net is created using a secret (hopefully) known
only by both the sender and receiver. Plus, if the account is not set up
with the secret then the response from Auth.net will not include the
md5, so would just be ignored.

So, I suspect the best would be:

    my %options = (
        md5_secret => $my_secret,
    );
    $gateway = Business::OnlinePayment->new( 'AuthorizeNet', \%options );

A problem with Auth.net is that they don't require an md5 created
from the secret in the *request*.

That means it's possible that you and Auth.net don't share the same
secret -- and therefore a transaction could complete but the md5
doesn't validate. What do you do then? The transaction may be
completed fine, you just don't know.

That's a business decision and depends on the type of transaction.
For some, they may want to stop the purchase (Not sending a new
expensive thingy if the md5 doesn't check) vs. md5 validated but don't
want to stop our valued customer from using the service just because
of a typo on our end.

So, I think the best approach is to make a method available:

    $tx->submit;
    unless ( $tx->validate_response ) {
        # do what I need for my business
    }

The md5 is a good idea, but Auth.net failed to implement it correctly.
As Ivan remarked, a better approach would be to validate the
gateway's certificate. This seems less than trivial to do with
Net::SSLeay.

--
Bill Moseley
moseley at hank.org
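
Added example, not part of the original message and not code from Business::OnlinePayment: a stand-alone sketch of the response check discussed above, reporting "absent", "mismatch" or "valid" so the caller can make the business decision. The digest layout (secret, login, transaction id, amount), the hash keys and all sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Assumption: the gateway digest is the hex MD5 of
# md5_secret . login . trans_id . amount. Confirm the field order
# against the gateway's own documentation before relying on it.
sub expected_md5 {
    my (%f) = @_;
    return md5_hex( join '', @f{qw(md5_secret login trans_id amount)} );
}

# Compare two digests without stopping at the first differing character.
sub same_digest {
    my ( $x, $y ) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 )
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hypothetical helper: three outcomes instead of true/false, because a
# response with no md5 at all is a different situation from a mismatch.
sub validate_response {
    my (%args) = @_;
    my $got = $args{md5};
    return 'absent' unless defined $got && length $got;
    return same_digest( lc $got, expected_md5(%args) ) ? 'valid' : 'mismatch';
}

# Constructed sample data (not real credentials or transactions).
my %base = (
    md5_secret => 'example-secret', login  => 'EXAMPLELOGIN',
    trans_id   => '1234567890',     amount => '19.99',
);
my $from_gateway = uc md5_hex('example-secretEXAMPLELOGIN123456789019.99');

my @cases = (
    [ 'secrets match'      => { %base, md5 => $from_gateway } ],
    [ 'typo in our secret' => { %base, md5_secret => 'example-secert', md5 => $from_gateway } ],
    [ 'no md5 in response' => {%base} ],
);
printf "%-20s %s\n", $_->[0], validate_response( %{ $_->[1] } ) for @cases;
```

The second case is the situation described in the message: the transaction went through, but the locally configured secret differs from the gateway's, so the digest cannot be confirmed.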