midtrans-client - npm Package Compare versions

Comparing version 1.4.0 to 1.4.1

lib/httpClient.js

@@ -20,3 +20,3 @@ 'use strict'
       'accept': 'application/json',
-      'user-agent': 'midtransclient-nodejs/1.4.0'
+      'user-agent': 'midtransclient-nodejs/1.4.1'
     };
@@ -23,0 +23,0 @@

lib/SnapBi/snapBi.js

@@ -30,2 +30,5 @@
         this.timeout = null;
+        this.signature = '';
+        this.notificationUrlPath = '';
+        this.notificationPayload = {};
     }
@@ -44,3 +47,7 @@
     }
+    static notification() {
+        return new SnapBi('');
+    }
 
+
     withAccessTokenHeader(headers) {
@@ -65,2 +72,18 @@ this.accessTokenHeader = { ...this.accessTokenHeader, ...headers };
     }
+    withSignature(signature) {
+        this.signature = signature;
+        return this;
+    }
+    withTimeStamp(timeStamp) {
+        this.timeStamp = timeStamp;
+        return this;
+    }
+    withNotificationPayload(notificationPayload) {
+        this.notificationPayload = notificationPayload;
+        return this;
+    }
+    withNotificationUrlPath(notificationUrlPath) {
+        this.notificationUrlPath = notificationUrlPath;
+        return this;
+    }
 
@@ -127,2 +150,35 @@ withPrivateKey(privateKey) {
 
+    isWebhookNotificationVerified() {
+
+        if (SnapBiConfig.snapBiPublicKey == null){
+            throw new Error("The public key is null, You need to set the public key from SnapBiConfig.'\n" +
+                "For more details, contact support at support@midtrans.com if you have any questions.");
+        }
+        var notificationHttpMethod = "POST";
+        var minifiedNotificationBodyJsonString = JSON.stringify(this.notificationPayload);
+        var hashedNotificationBodyJsonString  = crypto
+            .createHash("sha256")
+            .update(minifiedNotificationBodyJsonString)
+            .digest("hex")
+            .toLowerCase();
+
+        var rawStringDataToVerifyAgainstSignature =
+            notificationHttpMethod +
+            ":" +
+            this.notificationUrlPath +
+            ":" +
+            hashedNotificationBodyJsonString +
+            ":" +
+            this.timeStamp;
+
+        var verifier = crypto.createVerify("SHA256");
+        verifier.update(rawStringDataToVerifyAgainstSignature, "utf8");
+        var isSignatureVerified = verifier.verify(
+            SnapBiConfig.snapBiPublicKey,
+            this.signature,
+            "base64",
+        );
+        return isSignatureVerified
+    }
+
     async getAccessToken() {
@@ -129,0 +185,0 @@ const snapBiAccessTokenHeader = this.buildAccessTokenHeader(this.timeStamp);

lib/SnapBi/snapBiConfig.js

@@ -10,2 +10,3 @@ class SnapBiConfig {
     static enableLogging = false;
+    static snapBiPublicKey = null;
 
@@ -12,0 +13,0 @@ // Constants for base URLs

package.json

 {
   "name": "midtrans-client",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "Official Midtrans Payment API Client for Node JS",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -1243,3 +1243,27 @@ Midtrans Client - Node JS
 To implement Snap-Bi Payment Notification you can refer to this [docs](https://docs.midtrans.com/reference/payment-notification-api)
+To verify the webhook notification that you receive you can use this method below
+```javascript
+ 
+// The request body/ payload sent by the webhook
+// Sample notification body, replace with actual data you receive from Midtrans
+let notificationPayload = "{\"originalPartnerReferenceNo\":\"GP24043015193402809\",\"originalReferenceNo\":\"A120240430081940S9vu8gSjaRID\",\"merchantId\":\"G099333790\",\"amount\":{\"value\":\"102800.00\",\"currency\":\"IDR\"},\"latestTransactionStatus\":\"00\",\"transactionStatusDesc\":\"SUCCESS\",\"additionalInfo\":{\"refundHistory\":[]}}";
 
+// To get the signature value, you need to retrieve it from the webhook header called X-Signature
+let signature = "CgjmAyC9OZ3pB2JhBRDihL939kS86LjP1VLD1R7LgI4JkvYvskUQrPXgjhrZqU2SFkfPmLtSbcEUw21pg2nItQ0KoX582Y6Tqg4Mn45BQbxo4LTPzkZwclD4WI+aCYePQtUrXpJSTM8D32lSJQQndlloJfzoD6Rh24lNb+zjUpc+YEi4vMM6MBmS26PpCm/7FZ7/OgsVh9rlSNUsuQ/1QFpldA0F8bBNWSW4trwv9bE1NFDzliHrRAnQXrT/J3chOg5qqH0+s3E6v/W21hIrBYZVDTppyJPtTOoCWeuT1Tk9XI2HhSDiSuI3pevzLL8FLEWY/G4M5zkjm/9056LTDw==";
+
+// To get the timeStamp value, you need to retrieve it from the webhook header called X-Timestamp
+let timeStamp = "2024-10-07T15:45:22+07:00";
+
+// The url path is based on the webhook url of the payment method for example for direct debit is `/v1.0/debit/notify`
+let notificationUrlPath = "/v1.0/debit/notify";
+/**
+ * Example verifying the webhook notification
+ */
+let isVerified = SnapBi.notification()
+        .withNotificationPayload(notificationPayload)
+        .withSignature(signature)
+        .withTimeStamp(timeStamp)
+        .withNotificationUrlPath(notificationUrlPath)
+        .isWebhookNotificationVerified()
+```
 ## Examples
@@ -1246,0 +1270,0 @@ Examples are available on [/examples](/examples) folder.

Fixed alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

92246

increased by4.01%

Lines of code

1169

increased by4.66%

Number of lines in readme file

1295

increased by1.89%

Number of medium supply chain risk alerts

1

decreased by-50%

No dependency changes