In addition to the webhook-hash header, each callback carries another header named dusupay-signature, which helps merchants trust that the callbacks originate from the DusuPay servers. Signature verification can be done with the following procedure:
Retrieve the value of the dusupay-signature header.
Form the string payload to be used in signature verification. This is obtained by concatenating values of the callback data in the format that follows
id:internal_reference:transaction_status:callback_url
where callback_url is the full URL as added to your merchant account settings.
The other values are obtained from the callback data. For example, assume the following is the callback data
{
  "id": 226,
  "request_amount": 10,
  "request_currency": "USD",
  "account_amount": 737.9934,
  "account_currency": "UGX",
  "transaction_fee": 21.4018,
  "total_credit": 716.5916,
  "customer_charged": false,
  "provider_id": "mtn_ug",
  "merchant_reference": "76859aae-f148-48c5-9901-2e474cf19b71",
  "internal_reference": "DUSUPAY405GZM1G5JXGA71IK",
  "transaction_status": "COMPLETED",
  "transaction_type": "collection",
  "message": "Transaction Completed Successfully"
}
and that the callback URL is
https://www.sample-url.com/callback
The string payload would therefore be
226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.sample-url.com/callback
Obtain the public key as described here and store it as a file.
Use the public key to verify the signature as shown in the example source code below:
const crypto = require('crypto');
const fs = require('fs');

function isValidSignature() {
  const strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.sample-url.com/callback";
  const signature = "value-of-dusupay-signature";
  const publicKeyFile = "path-to-file/dusupay.public.key.pem";
  // Read the PEM file; convert any literal "\n" sequences into real newlines.
  const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');
  const verify = crypto.createVerify("SHA512");
  verify.write(strPayload);
  verify.end();
  /* true or false */
  return verify.verify(publicKey, signature, 'base64');
}

<?php
function isValidSignature() {
    $file = "path-to-file/dusupay.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    $strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.sample-url.com/callback";
    // The header value is base64-encoded; openssl_verify expects raw bytes.
    $signature = base64_decode("value-of-dusupay-signature");
    /* true or false. openssl_verify defaults to SHA-1, so the digest is set
       to SHA-512 to match the Node.js example. */
    return openssl_verify($strPayload, $signature, $publicKey, OPENSSL_ALGO_SHA512) === 1;
}
?>
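
The procedure above as a single check that builds the payload string from the parsed callback body instead of hard-coding it. This is an added example, not DusuPay's own code: the function names are hypothetical, it assumes an RSA signature with SHA-512 as in the Node.js snippet above, and a throwaway key pair generated in the script stands in for the DusuPay public key so the example runs offline.

```javascript
const crypto = require('crypto');

// Fields that make up the signed string, in the order the procedure gives.
const SIGNED_FIELDS = ['id', 'internal_reference', 'transaction_status'];

// Build "id:internal_reference:transaction_status:callback_url" from the parsed body.
function buildPayload(callback, callbackUrl) {
  const parts = SIGNED_FIELDS.map((name) => {
    const value = callback[name];
    if (value === undefined || value === null || value === '') {
      throw new Error(`callback is missing signed field: ${name}`);
    }
    return String(value);
  });
  return [...parts, callbackUrl].join(':');
}

// Returns true only when the header value is a valid signature over the payload.
function isValidCallback(callback, signatureHeader, callbackUrl, publicKey) {
  if (typeof signatureHeader !== 'string' || signatureHeader.length === 0) return false;
  let payload;
  try {
    payload = buildPayload(callback, callbackUrl);
  } catch (err) {
    return false; // incomplete callback data is treated as unverified
  }
  const signature = Buffer.from(signatureHeader, 'base64');
  return crypto.verify('sha512', Buffer.from(payload), publicKey, signature);
}

// Constructed demo data: the key pair below is generated locally for illustration.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const url = 'https://www.sample-url.com/callback';
  const body = { id: 226, internal_reference: 'DUSUPAY405GZM1G5JXGA71IK', transaction_status: 'COMPLETED' };
  const payload = buildPayload(body, url);
  const header = crypto.sign('sha512', Buffer.from(payload), privateKey).toString('base64');
  return {
    payload,
    genuine: isValidCallback(body, header, url, publicKey),
    tamperedStatus: isValidCallback({ ...body, transaction_status: 'FAILED' }, header, url, publicKey),
    wrongUrl: isValidCallback(body, header, 'https://www.sample-url.com/other', publicKey),
    missingHeader: isValidCallback(body, undefined, url, publicKey),
  };
}

console.log(demo());
```

Because the callback URL is part of the signed string, the value passed in must be the exact URL stored in the merchant account settings, not one reconstructed from the incoming request.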