/// <summary>
        /// This method is called when payment is submitted inside the iframe. It is called by Sage Pay's server, not by us, which is why the response is a plain string in the format Sage Pay expects.
        /// It is also where we verify that the website that originated the transaction is the one receiving the parameters, by recomputing the VPSSignature from the transaction's SecurityKey (to detect tampering).
        /// </summary>
        /// <param name="strTxAuthNo"></param>
        /// <param name="strAvscv2"></param>
        /// <param name="strAddressResult"></param>
        /// <param name="strPostCodeResult"></param>
        /// <param name="strCv2Result"></param>
        /// <param name="strGiftAid"></param>
        /// <param name="str3DSecureStatus"></param>
        /// <param name="strCavv"></param>
        /// <param name="strAddressStatus"></param>
        /// <param name="strPayerStatus"></param>
        /// <param name="strCardType"></param>
        /// <param name="strLast4Digits"></param>
        /// <param name="strVpsTxId"></param>
        /// <param name="strVpsSignature"></param>
        /// <param name="strStatus"></param>
        /// <param name="strStatusDetail"></param>
        /// <param name="strVendorTxCode"></param>
        /// <returns></returns>
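        public string ValidateTransaction(string strTxAuthNo, string strAvscv2, string strAddressResult, string strPostCodeResult, string strCv2Result, string strGiftAid, string str3DSecureStatus, string strCavv,
                                          string strAddressStatus, string strPayerStatus, string strCardType, string strLast4Digits, string strVpsTxId, string strVpsSignature, string strStatus, string strStatusDetail, string strVendorTxCode)
        {
            // Every argument arrives from an unauthenticated HTTP request that merely claims to come
            // from Sage Pay. Nothing is trusted - and nothing is written to the transaction - until
            // the VPSSignature has been verified against the SecurityKey we hold for this transaction.

            // The uid is echoed into a URL that the shopper's browser is later redirected to, so it is
            // URL-encoded; for the well-formed codes we issue ourselves this is a no-op.
            var responsePageUrl = _webHelper.GetStoreLocation() + "Plugins/PaymentSagePayServer/ResponsePage?uid=" +
                                  Uri.EscapeDataString(strVendorTxCode ?? string.Empty);

            //Obtain from DB (a blank code can never match a registered transaction)
            var transx = string.IsNullOrWhiteSpace(strVendorTxCode)
                ? null
                : _sagePayServerTransactionService.GetSagePayServerTransactionByVendorTxCode(strVendorTxCode);

            if (transx == null)
            {
                strStatusDetail = "Vendor Transaction code " + strVendorTxCode + " does not exist.";

                return "Status=INVALID" + Environment.NewLine +
                       "RedirectURL=" + responsePageUrl + Environment.NewLine +
                       "StatusDetail=" + strStatusDetail;
            }

            if (string.IsNullOrWhiteSpace(transx.SecurityKey))
            {
                strStatusDetail = "Security Key for transaction " + strVendorTxCode + " is empty.";

                return "Status=INVALID" + Environment.NewLine +
                       "RedirectURL=" + responsePageUrl + Environment.NewLine +
                       "StatusDetail=" + strStatusDetail;
            }

            // Sage Pay hashes exactly this concatenation (in this order) together with the
            // per-transaction SecurityKey; recomputing it proves the fields were not altered in transit.
            var strVendorName = _sagePayServerPaymentSettings.VendorName.ToLower();

            var strMessage = strVpsTxId + strVendorTxCode + strStatus + strTxAuthNo + strVendorName + strAvscv2 + transx.SecurityKey +
                             strAddressResult + strPostCodeResult + strCv2Result + strGiftAid + str3DSecureStatus + strCavv +
                             strAddressStatus + strPayerStatus + strCardType + strLast4Digits;

            //Because Sagepay also hashed all these variables, we also need to do the same to verify that they are the same
            var expectedSignature = SagePayHelper.HashMd5(strMessage) ?? string.Empty;
            var receivedSignature = strVpsSignature ?? string.Empty;

            // Ordinal comparison in constant time: an early-exit string compare would let a caller
            // learn the expected hash one character at a time from response timing.
            var mismatch = expectedSignature.Length ^ receivedSignature.Length;
            for (var i = 0; i < expectedSignature.Length && i < receivedSignature.Length; i++)
            {
                mismatch |= expectedSignature[i] ^ receivedSignature[i];
            }

            if (mismatch != 0)
            {
                // Record the failure on the transaction, but do NOT copy any of the unverified fields
                // into it, and keep strMessage (which embeds the SecurityKey) out of the stored detail.
                transx.StatusDetail = "Your server was unable to register this transaction with Sage Pay. Cannot match the MD5 Hash. Order might be tampered with.";

                _sagePayServerTransactionService.UpdateSagePayServerTransaction(transx);

                return "Status=INVALID" + Environment.NewLine +
                       "RedirectURL=" + responsePageUrl + Environment.NewLine +
                       "StatusDetail=Your server was unable to register this transaction with Sage Pay. Cannot match the MD5 Hash. Order might be tampered with";
            }

            // Signature verified - it is now safe to persist what Sage Pay told us.
            transx.VpsTxId            = strVpsTxId;
            transx.VpsSignature       = strVpsSignature;
            transx.Status             = strStatus;
            transx.StatusDetail       = strStatusDetail;
            transx.TxAuthNo           = strTxAuthNo;
            transx.Avscv2             = strAvscv2;
            transx.AddressResult      = strAddressResult;
            transx.PostCodeResult     = strPostCodeResult;
            transx.Cv2Result          = strCv2Result;
            transx.GiftAid            = strGiftAid;
            transx.ThreeDSecureStatus = str3DSecureStatus;
            transx.Cavv               = strCavv;
            transx.AddressStatus      = strAddressStatus;
            transx.PayerStatus        = strPayerStatus;
            transx.CardType           = strCardType;
            transx.Last4Digits        = strLast4Digits;

            _sagePayServerTransactionService.UpdateSagePayServerTransaction(transx);

            //Always send a Status of OK if we've read everything correctly. Only INVALID for messages with a Status of ERROR
            var responseStatus = strStatus == "ERROR" ? "INVALID" : "OK";

            return "Status=" + responseStatus + Environment.NewLine +
                   "RedirectURL=" + responsePageUrl;
        }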
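        /// <summary>
        /// Notification endpoint that Sage Pay's server calls once the shopper has finished (or abandoned)
        /// payment in the hosted iframe. Sage Pay, not the shopper, is the caller, so the reply is a plain
        /// "Status=... / RedirectURL=... / StatusDetail=..." text body rather than a view.
        /// The request is unauthenticated: every field is treated as untrusted until the VPSSignature
        /// has been verified against the per-transaction SecurityKey held in our database, and nothing
        /// is written to the transaction before that check passes.
        /// </summary>
        /// <returns>The plain-text response body in the format Sage Pay expects.</returns>
        public ActionResult NotificationPage()
        {
            // NOTE(review): Request.Params merges form, query string, cookies and server variables.
            // Sage Pay posts form fields, so Request.Form would be the tighter source; Params is kept
            // here to preserve the existing behaviour.
            string strVPSTxId      = Request.Params["VPSTxId"];
            string strVPSSignature = Request.Params["VPSSignature"];
            string strStatus       = Request.Params["Status"];
            string strStatusDetail = Request.Params["StatusDetail"];
            string strVendorTxCode = Request.Params["VendorTxCode"];

            var returnUrl = _sagePayServerPaymentSettings.ReturnFullyQualifiedDomainName;

            // The uid is echoed into a URL the shopper's browser is later redirected to, so it is
            // URL-encoded; for the well-formed codes we issue ourselves this is a no-op.
            string responsePageUrl = returnUrl + "Plugins/PaymentSagePayServer/ResponsePage?uid=" +
                                     Uri.EscapeDataString(strVendorTxCode ?? String.Empty);

            //Obtain from DB (a blank code can never match a registered transaction)
            var transx = String.IsNullOrWhiteSpace(strVendorTxCode)
                ? null
                : _sagePayServerTransactionService.GetSagePayServerTransactionByVendorTxCode(strVendorTxCode);

            if (transx == null)
            {
                strStatusDetail = "Vendor Transaction code " + strVendorTxCode + " does not exist.";

                return Content("Status=INVALID" + Environment.NewLine +
                               "RedirectURL=" + responsePageUrl + Environment.NewLine +
                               "StatusDetail=" + strStatusDetail);
            }

            if (String.IsNullOrWhiteSpace(transx.SecurityKey))
            {
                strStatusDetail = "Security Key for transaction " + strVendorTxCode + " is empty.";

                return Content("Status=INVALID" + Environment.NewLine +
                               "RedirectURL=" + responsePageUrl + Environment.NewLine +
                               "StatusDetail=" + strStatusDetail);
            }

            // Optional fields: an absent or blank value enters the signature as an empty string.
            Func<string, string> optionalField = key =>
            {
                string value = Request.Params[key];
                return String.IsNullOrWhiteSpace(value) ? String.Empty : value;
            };

            string strTxAuthNo       = optionalField("TxAuthNo");
            string strAVSCV2         = optionalField("AVSCV2");
            string strAddressResult  = optionalField("AddressResult");
            string strPostCodeResult = optionalField("PostCodeResult");
            string strCV2Result      = optionalField("CV2Result");
            string strGiftAid        = optionalField("GiftAid");
            string str3DSecureStatus = optionalField("3DSecureStatus");
            string strCAVV           = optionalField("CAVV");
            string strAddressStatus  = optionalField("AddressStatus");
            string strPayerStatus    = optionalField("PayerStatus");
            string strCardType       = optionalField("CardType");
            string strLast4Digits    = optionalField("Last4Digits");

            // Sage Pay hashes exactly this concatenation (in this order) together with the
            // per-transaction SecurityKey; recomputing it proves the fields were not altered in transit.
            string strVendorName = _sagePayServerPaymentSettings.VendorName.ToLower();

            string strMessage = strVPSTxId + strVendorTxCode + strStatus + strTxAuthNo + strVendorName + strAVSCV2 + transx.SecurityKey +
                                strAddressResult + strPostCodeResult + strCV2Result + strGiftAid + str3DSecureStatus + strCAVV +
                                strAddressStatus + strPayerStatus + strCardType + strLast4Digits;

            // MD5 is dictated by the gateway's signing scheme, not chosen here. The helper is obsolete
            // in newer frameworks; it is kept so the produced hex format stays exactly as before.
            string expectedSignature = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(strMessage, "MD5") ?? String.Empty;
            string receivedSignature = strVPSSignature ?? String.Empty;

            // Ordinal comparison in constant time: an early-exit string compare would let a caller
            // learn the expected hash one character at a time from response timing.
            int mismatch = expectedSignature.Length ^ receivedSignature.Length;
            for (int i = 0; i < expectedSignature.Length && i < receivedSignature.Length; i++)
            {
                mismatch |= expectedSignature[i] ^ receivedSignature[i];
            }

            if (mismatch != 0)
            {
                // Record the failure on the transaction, but do NOT copy any of the unverified fields
                // into it, and keep strMessage (which embeds the SecurityKey) out of the stored detail.
                transx.StatusDetail = "Your server was unable to register this transaction with Sage Pay. Cannot match the MD5 Hash. Order might be tampered with.";

                _sagePayServerTransactionService.UpdateSagePayServerTransaction(transx);

                return Content("Status=INVALID" + Environment.NewLine +
                               "RedirectURL=" + responsePageUrl + Environment.NewLine +
                               "StatusDetail=Your server was unable to register this transaction with Sage Pay. Cannot match the MD5 Hash. Order might be tampered with");
            }

            // Signature verified - it is now safe to persist what Sage Pay told us.
            transx.VPSTxId            = strVPSTxId;
            transx.VPSSignature       = strVPSSignature;
            transx.Status             = strStatus;
            transx.StatusDetail       = strStatusDetail;
            transx.TxAuthNo           = strTxAuthNo;
            transx.AVSCV2             = strAVSCV2;
            transx.AddressResult      = strAddressResult;
            transx.PostCodeResult     = strPostCodeResult;
            transx.CV2Result          = strCV2Result;
            transx.GiftAid            = strGiftAid;
            transx.ThreeDSecureStatus = str3DSecureStatus;
            transx.CAVV               = strCAVV;
            transx.AddressStatus      = strAddressStatus;
            transx.PayerStatus        = strPayerStatus;
            transx.CardType           = strCardType;
            transx.Last4Digits        = strLast4Digits;

            _sagePayServerTransactionService.UpdateSagePayServerTransaction(transx);

            //Always send a Status of OK if we've read everything correctly. Only INVALID for messages with a Status of ERROR
            string strResponseStatus = strStatus == "ERROR" ? "INVALID" : "OK";

            return Content("Status=" + strResponseStatus + Environment.NewLine +
                           "RedirectURL=" + responsePageUrl);
        }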