`completePurchase()` additional security features

@judgej released this 23 Feb 22:46
7453e74

See Issue #12 for further details.

Summary of the changes, possibly breaking to some merchant sites:

  • The completePurchase() and completeAuthorize() methods now require the original transactionId to be set. If the transaction returned with the user does not have a transactionId matching the expected transactionId, then isSuccessful() will return false regardless of the status of the transaction behind it.
  • The completePurchase() method returns a Request message. To inspect the transaction result details, you must send() this request to get a Response message. Previously the Request and Response were shared and all transaction results could be inspected in both. The README documentation has been updated to show how this works.

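In summary, completePurchase() now works like this:

```php
// Build the completion request, supplying the transactionId that was
// issued when the purchase was originally started.
$completeRequest = $gateway->completePurchase([
    'secret' => $signingSecret,
    'transactionId' => $originalTransactionId,
]);

// The Request must be sent to obtain the Response carrying the result.
$completeResponse = $completeRequest->send();

$success = $completeResponse->isSuccessful();
```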

If your merchant site does not include [at least] the 'transactionId', or does not send() the request to get a response, then it must do so from version 3.1.0 onwards.
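
One way a merchant site's return handler can supply the expected transactionId is shown below. This is an added example, not code from this package or its README. It assumes `$gateway` is the already-configured gateway object and that the site stored the ID under a hypothetical session key, `pending_transaction_id`, when it created the original purchase.

```php
<?php
// Added example: merchant-side return handler, not part of the gateway driver.
// Assumptions: $gateway is the configured Omnipay gateway from this package;
// 'pending_transaction_id' is a hypothetical session key written by the
// merchant site when the original purchase request was created.

function completeReturningPurchase($gateway, array &$session, string $signingSecret): bool
{
    // Take the expected ID from server-side state only, never from the
    // parameters that come back with the user's browser.
    $originalTransactionId = $session['pending_transaction_id'] ?? null;

    // Single use: a repeated return in the same session has nothing to match.
    unset($session['pending_transaction_id']);

    if (!is_string($originalTransactionId) || $originalTransactionId === '') {
        // No pending transaction on record for this user: fail closed.
        return false;
    }

    $completeRequest = $gateway->completePurchase([
        'secret' => $signingSecret,
        'transactionId' => $originalTransactionId,
    ]);

    // Only the Response carries the result, so the Request must be sent.
    $completeResponse = $completeRequest->send();

    // False when the returned transactionId does not match the expected one,
    // regardless of the status of the transaction behind it.
    return $completeResponse->isSuccessful();
}

// Typical call from the return URL's controller:
// session_start();
// $paid = completeReturningPurchase($gateway, $_SESSION, $signingSecret);
```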