From 5744759d53da3f8d38b336b06d6737c2fd3b9e6f Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio <juan@verdnatura.es>
Date: Mon, 30 Jan 2023 17:33:15 +0100
Subject: [PATCH] refs #5122 Hotfix: Signature verification

---
 .../back/methods/tpv-transaction/confirm.js   | 74 +++++++++++++++++--
 package-lock.json                             | 18 ++++-
 package.json                                  |  1 +
 3 files changed, 85 insertions(+), 8 deletions(-)

diff --git a/modules/client/back/methods/tpv-transaction/confirm.js b/modules/client/back/methods/tpv-transaction/confirm.js
index 21484b2203..8c7d10558e 100644
--- a/modules/client/back/methods/tpv-transaction/confirm.js
+++ b/modules/client/back/methods/tpv-transaction/confirm.js
@@ -1,3 +1,6 @@
+const crypto = require('crypto');
+const UserError = require('vn-loopback/util/user-error');
+const base64url = require('base64url');
 
 module.exports = Self => {
     Self.remoteMethod('confirm', {
@@ -7,7 +10,7 @@ module.exports = Self => {
             {
                 arg: 'Ds_SignatureVersion',
                 type: 'string',
-                required: true,
+                required: false,
             }, {
                 arg: 'Ds_MerchantParameters',
                 type: 'string',
@@ -28,15 +31,64 @@ module.exports = Self => {
         }
     });
 
+    /*
+     * Source: https://github.com/santiperez/node-redsys-api
+     */
     Self.confirm = async(signatureVersion, merchantParameters, signature) => {
-        const buffer = Buffer.from(merchantParameters, 'base64');
-        const params = JSON.parse(buffer.toString());
-        console.debug('Payment confirmation received:', params);
+        const $ = Self.app.models;
+
+        const decodedParams = JSON.parse(
+            base64url.decode(merchantParameters, 'utf8'));
+        const params = {};
+
+        for (const param in decodedParams)
+            params[param] = decodeURIComponent(decodedParams[param]);
+
+        console.debug('Payment confirmation received:', {
+            signatureVersion,
+            merchantParameters,
+            signature,
+            params
+        });
+
+        const orderId = params['Ds_Order'];
+        const merchantId = parseInt(params['Ds_MerchantCode']);
+
+        if (!orderId)
+            throw new UserError('Order id not found');
+        if (!merchantId)
+            throw new UserError('Mechant id not found');
+
+        const merchant = await $.TpvMerchant.findById(merchantId, {
+            fields: ['id', 'secretKey']
+        });
+
+        const secretKey = Buffer.from(merchant.secretKey, 'base64');
+        const iv = Buffer.alloc(8, 0);
+
+        const cipher = crypto.createDecipheriv('des-ede3-cbc', secretKey, iv);
+        cipher.setAutoPadding(false);
+        const orderKey = cipher.update(zeroPad(str, 8), 'utf8', 'base64')
+            + cipher.final('utf8');
+
+        const res = crypto.createHmac('sha256', Buffer.from(orderKey, 'base64'))
+            .update(merchantParameters)
+            .digest('base64');
+        const base64Res = base64url.encode(res, 'base64');
+
+        // if (base64Res !== signature)
+        //    throw new UserError('Invalid signature');
+
+        console.debug('Payment signature:', {
+            res,
+            base64Res
+        });
+
         await Self.rawSql(
             'CALL hedera.tpvTransaction_confirm(?, ?, ?, ?, ?, ?)', [
                 params['Ds_Amount'],
-                params['Ds_Order'],
-                params['Ds_MerchantCode'],
+                orderId,
+                merchantId,
                 params['Ds_Currency'],
                 params['Ds_Response'],
                 params['Ds_ErrorCode']
@@ -44,4 +96,14 @@ module.exports = Self => {
         );
         return true;
     };
+
+    function zeroPad(buf, blocksize) {
+        const buffer = typeof buf === 'string' ? Buffer.from(buf, 'utf8') : buf;
+        const pad = Buffer.alloc((blocksize - (buffer.length % blocksize)) % blocksize, 0);
+        return Buffer.concat([buffer, pad]);
+    }
+
+    function base64UrlDecode() {
+
+    }
 };
diff --git a/package-lock.json b/package-lock.json
index 31820196fa..61180fa3f6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,15 +1,16 @@
 {
     "name": "salix-back",
-    "version": "9.0.0",
+    "version": "23.02.03",
     "lockfileVersion": 2,
     "requires": true,
     "packages": {
         "": {
             "name": "salix-back",
-            "version": "9.0.0",
+            "version": "23.02.03",
             "license": "GPL-3.0",
             "dependencies": {
                 "axios": "^1.2.2",
+                "base64url": "^3.0.1",
                 "bcrypt": "^5.0.1",
                 "bmp-js": "^0.1.0",
                 "compression": "^1.7.3",
@@ -4200,6 +4201,14 @@
                 "node": ">= 0.4"
             }
         },
+        "node_modules/base64url": {
+            "version": "3.0.1",
+            "resolved": "https://registry.npmjs.org/base64url/-/base64url-3.0.1.tgz",
+            "integrity": "sha512-ir1UPr3dkwexU7FdV8qBBbNDRUhMmIekYMFZfi+C/sLNnRESKPl23nB9b2pltqfOQNnGzsDdId90AEtG5tCx4A==",
+            "engines": {
+                "node": ">=6.0.0"
+            }
+        },
         "node_modules/batch": {
             "version": "0.6.1",
             "dev": true,
@@ -29057,6 +29066,11 @@
         "base64-js": {
             "version": "1.0.2"
         },
+        "base64url": {
+            "version": "3.0.1",
+            "resolved": "https://registry.npmjs.org/base64url/-/base64url-3.0.1.tgz",
+            "integrity": "sha512-ir1UPr3dkwexU7FdV8qBBbNDRUhMmIekYMFZfi+C/sLNnRESKPl23nB9b2pltqfOQNnGzsDdId90AEtG5tCx4A=="
+        },
         "batch": {
             "version": "0.6.1",
             "dev": true
diff --git a/package.json b/package.json
index 2031da4755..85f8feb138 100644
--- a/package.json
+++ b/package.json
@@ -13,6 +13,7 @@
     },
     "dependencies": {
         "axios": "^1.2.2",
+        "base64url": "^3.0.1",
         "bcrypt": "^5.0.1",
         "bmp-js": "^0.1.0",
         "compression": "^1.7.3",