Opened 2 years ago

Last modified 2 years ago

#1 assigned task

INTERSWITCH QTB PAYMENT GATEWAY INTEGRATION

Reported by: benedict emenaogu Owned by: benedict emenaogu
Priority: major Keywords:
Cc:

Description

Dear Henrik,

Adebayo Razaq of Interswitch Merchants Support, has advised you to proceed with the integration.

Below are the relevant credentials;

Merchant Credentials
Merchant code
MX76823

Pay item ID
Default_Payable_MX76823

Data ref
n/0ul8aYgC8g56wjKeRx3v0kK9r2rDxhKnmw7c8rryg=

API/SDK Integration
Client ID
IKIADF43A697D6EE991D1D0FAE1A1FB6672997E8D4E2

Secret key
1O/dKvTXE4nfXgdsa8+rzgY7i1dbBFObq45qqu7EweY=

Documentation on how to integrate can be accessed via the URL below;
https://docs.interswitchgroup.com/docs/web-checkout


Please join the slack channel to get real time support as you commence integration; https://join.slack.com/t/iswdevelopercommunity/shared_invite/zt-1kbuhwumr-16yXhfj2yHq0eql7iHV4Fw

I have just joined .
You will have to sign up first then come back to re-click on the link for direct access to the isw developers community .

Please also take note of the correction in both Account names ;

2.
i. BIG TENT FOUNDATION Account Details :

ACCOUNT NAME: Big Tent Foundation for Charity, Enlightenment and Empowerment
BANK: ECOBANK Nigeria
ACCOUNT NUMBER: 0010078210

i.e
institution_acct = '0010078210'
institution_bank_id = '47'

0010079822: USD INFLOW ONLY

0010079853: USD CASH ONLY

ii. WAEAC Account Details :

ACCOUNT NAME: West Africa e-Academy Limited Kofa Plus
BANK: ZENITH BANK Nigeria
ACCOUNT NUMBER: 1017032875

i.e
provider_acct = '1017032875'
provider_bank_id = '117'

5071347159 USD

Regards,
ben

Attachments (1)

6f4a9a3-Verve_card_API_docs.png (12.1 KB) - added by Henrik Bettermann 2 years ago.

Download all attachments as: .zip

Change history (98)

comment:1 Changed 2 years ago by benedict emenaogu

Type: taskdefect

comment:2 Changed 2 years ago by benedict emenaogu

Type: defecttask

comment:3 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

https://docs.interswitchgroup.com/docs/web-checkout

Have they changed their API again?? Have they changed their documentation again? We have already implemented two different types of payments:

  1. PAYDirect
  1. CollegePAY

The integration of such payment channels is very complicated and takes a lot of time. Please contact Interswitch and ask which of the above ones I should use.

This is the documentation which I used:

https://sandbox.interswitchng.com/docbase/

https://sandbox.interswitchng.com/docbase/docs/collegepay-web/

https://sandbox.interswitchng.com/docbase/docs/paydirect/
https://sandbox.interswitchng.com/bookonhold/bookonhold.asmx?op=FetchBookingDetails

Regards,

Henrik

comment:4 Changed 2 years ago by Henrik Bettermann

These are the URLs we are using for WebPAY (= CollegePAY??):

POST_ACTION = 'https://webpay.interswitchng.com/paydirect/pay'
#POST_ACTION = 'https://sandbox.interswitchng.com/webpay/pay'
HOST = 'webpay.interswitchng.com'
#HOST = 'sandbox.interswitchng.com'
URL = '/paydirect/api/v1/gettransaction.json'
#URL = '/webpay/api/v1/gettransaction.json'

These are the URLs we are using for PAYDirect:

PAYDIRECT_HOST = 'orion.interswitchng.com'
PAYDIRECT_URL = '/bookonhold/bookonhold.asmx'

Can we use both payment methods?

comment:5 in reply to:  3 Changed 2 years ago by benedict emenaogu

This is the documentation which I used:

The implementation engineer shared and advised you use the documentation below

https://docs.interswitchgroup.com/docs/web-checkout

Regards,

benedict emenaogu
aka ben emenaogu

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:6 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:7 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

The implementation engineer shared and advised you use the documentation below

This documentation is more or less useless. We are Python developers. And as I wrote, I can't implement a new payment method. WebPAY and PAYDirect are still working. Interswitch must enable these payment channels for us. All what we need are Product Id and MAC Key. Then we will send a POST request to

https://webpay.interswitchng.com/paydirect/pay

and retrieve the transaction status from

https://webpay.interswitchng.com/api/v1/gettransaction.json

Regards, Henrik

comment:8 in reply to:  7 ; Changed 2 years ago by benedict emenaogu

All what we need are Product Id and MAC Key. Then we will send a POST request to

https://webpay.interswitchng.com/paydirect/pay

and retrieve the transaction status from

https://webpay.interswitchng.com/api/v1/gettransaction.json

I have requested for the Product Id and MAC Key and waiting
to receive it from the implementation engineer .

Regards,

ben

comment:9 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:10 in reply to:  8 Changed 2 years ago by benedict emenaogu

I have requested for the Product Id and MAC Key and waiting
to receive it from the implementation engineer .

The implementation engineer said the newly registered merchant (i.e The Big Tent Foundation) cannot use these endpoints
(​https://webpay.interswitchng.com/paydirect/pay and https://webpay.interswitchng.com/api/v1/gettransaction.json)

because they are for the old webpay that Quickteller business now speaks to the new webpay method .
So he advised we use the new web pay channel by following this documentation https://docs.interswitchgroup.com/docs/web-checkout

Regards,
ben

comment:11 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Neither on the test server nor on the live server the provided merchant id of pay item id is accepted. I tried to send the folowing POST requests:

<form method='post' action='https://webpay-ui.k8.isw.la/collections/w/pay'>
    <input name='merchant_code' value='MX76823' />
    <input name='pay_item_id' value='Default_Payable_MX76823' />
    <input name='site_redirect_url' value='https://example.com/payment-response' />
    <input name='txn_ref' value='sample_txn_ref_123' />
    <input name='amount' value='10000' />
    <input name='currency' value='566' />
    <input type='submit' value='Make Payment' />
</form>

<form method='post' action='https://newwebpay.interswitchng.com/collections/w/pay'>
    <input name='merchant_code' value='MX76823' />
    <input name='pay_item_id' value='Default_Payable_MX76823' />
    <input name='site_redirect_url' value='https://example.com/payment-response' />
    <input name='txn_ref' value='sample_txn_ref_123' />
    <input name='amount' value='10000' />
    <input name='currency' value='566' />
    <input type='submit' value='Make Payment' />
</form>

The JSON response is always:

%7B%22responseCode%22%3A%22Z4%22%2C%22responseDescription%22%3A%22MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST%22%2C%22siteRedirectUrl%22%3A%22https%3A%2F%2Fexample.com%2Fpayment-response%22%2C%22amount%22%3A0%2C%22surcharge%22%3A0%2C%22payableId%22%3A0%2C%22paymentId%22%3A0%2C%22logoUrl%22%3A%22https%3A%2F%2Fmufasa.interswitchng.com%2Fp%2Fwebpay%2Flogos%2Fdefault.png%22%2C%22displayModeType%22%3A%22PAGE%22%2C%22merchantTransactionReference%22%3A%22sample_txn_ref_123%22%7D

MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS

I am stuck.

Regards, Henrik

comment:12 in reply to:  11 Changed 2 years ago by benedict emenaogu

MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS
I am stuck.

Do i relay this to the implementation engineer ?
for their possible assistance?

Regards,
ben

Version 0, edited 2 years ago by benedict emenaogu (next)

comment:13 in reply to:  11 Changed 2 years ago by benedict emenaogu

MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS
I am stuck.

Is this response not because you are neither on the test server nor on the live server ?

should i relay this to the implementation engineer ?
for their possible assistance?

Regards,
ben

comment:14 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:15 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Is this response not because you are neither on the test server nor on the live server ?

This is a misunderstanding. Both servers refuse my request. Both are replying with MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS

should i relay this to the implementation engineer ?

Yes please

Regards, Henrik

comment:16 in reply to:  15 ; Changed 2 years ago by benedict emenaogu

Yes please

I have done so and will feedback once he responds.

Regards,
Ben

comment:17 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:18 in reply to:  16 Changed 2 years ago by benedict emenaogu

I have done so and will feedback once he responds.

kindly use the sample code as provided in the documentation (edited)

<html>
<head>
<title>Ekene Webpay test</title>
</head>
<body>
<div class="checkout-container">
<form id="submit-form">
   <button type="submit">Pay</button>
</form>
<script type="text/javascript" src="https://qa.interswitchng.com/collections/public/javascripts/inline-checkout.js"></script>
</div>
</body>
</html>
<script>
 var submitForm = document.getElementById("submit-form");
     submitForm.addEventListener("submit", submitHandler);
      function submitHandler(event) {
     event.preventDefault();
     var redirectUrl = location.href;
        var paymentRequest = {
          merchant_code: "MX15510",
          pay_item_id: "Default_Payable_MX15510",
          txn_ref: "781234543542678",
          amount: "30000",
          currency: 566,
          site_redirect_url: location.href,
          onComplete: paymentCallback,
          mode: "TEST"
        };
/*
        if (customerName != "") {
          paymentRequest.cust_name = customerName;}
        if (customerId != "") {
          paymentRequest.cust_id = customerId;}
*/
        window.webpayCheckout(paymentRequest);}
      function paymentCallback(response) {
        console.log(response);
      }
</script>

He said what he sent (above) is a sample code you can use

Regards,
Ben

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:19 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

He said what he sent (above) is a sample code you can use

For security reasons we do not use such third-party Javascript. Therefore I decided to use Option 2, the Web Redirect method. The POST requests can be easily created, either as html file in a text editor or using Postman. The Web Redirect method always returns MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST, also for the data provided above.

They need to explain this!

Regards, Henrik

comment:20 in reply to:  19 ; Changed 2 years ago by benedict emenaogu

They need to explain this!

they asked me to send them
the merchant code and payment item you are using
i sent these;
merchant_code ='MX76823'
pay_item_id' value='Default_Payable_MX76823'

He also asked that i share the url you are passing this to
so i sent these;
post' action='https://webpay-ui.k8.isw.la/collections/w/pay'>
post' action='https://newwebpay.interswitchng.com/collections/w/pay'>

awaiting his feedback

Regards,
Ben

comment:21 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:22 in reply to:  20 Changed 2 years ago by benedict emenaogu

awaiting his feedback

The test environment was down
however he shared a sample code for the live environment
that way our merchant code will work

<html>
<head>
<title>Ekene Webpay test</title>
</head>
<body>
<div class="checkout-container">
<form id="submit-form">
   <button type="submit">Pay</button>
</form>
<script type="text/javascript" src="https://newwebpay.interswitchng.com/inline-checkout.js"></script>
</div>
</body>
</html>
<script>
 var submitForm = document.getElementById("submit-form");
     submitForm.addEventListener("submit", submitHandler);
      function submitHandler(event) {
       event.preventDefault();
     var redirectUrl = location.href;
        var paymentRequest = {
          merchant_code: "MX60799",
          pay_item_id: "MX60799_MERCHANT_APP",
          txn_ref: "78123454354261",
          amount: "30000",
          currency: 566,
          site_redirect_url: location.href,
          onComplete: paymentCallback,
          mode: "LIVE"
        };
/*
        if (customerName != "") {
          paymentRequest.cust_name = customerName;}
        if (customerId != "") {
          paymentRequest.cust_id = customerId;}
*/
        window.webpayCheckout(paymentRequest);}
      function paymentCallback(response) {
        console.log(response);
      }
</script>

Regards,
Ben

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:23 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

however he shared a sample code for the live environment

Again, for security reasons we do not use third-party embedded Javascript code. Therefore I decided to use option 2.

that way our merchant code will work

It doesn't work. Neither on the live system nor on the test system. The response to our POST requests is: MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST

Regards,

Henrik

comment:24 in reply to:  23 Changed 2 years ago by benedict emenaogu

It doesn't work. Neither on the live system nor on the test system. The response to our POST requests is: MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST

Relayed these and have asked them to advise on how we can possibly get a correct response to our POST requests

Regards,
Ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:25 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:26 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

It's really strange, they provide a documentation with an example which does not work:

https://docs.interswitchgroup.com/docs/web-checkout Option 2 - Web Redirect

You can easily verify this by submitting this POST request. The response is an empty html page with some Javascript code.

Regards, Henrik

comment:27 Changed 2 years ago by Henrik Bettermann

Hello Ben

That's really amazing. I just tested the POST request again. Now it's working! It seems that they have fixed the problem last night. And as always, we were not told. No excuse at all. It's always the customers who are to blame. This is my 15 years experience with Interswitch technicians. I am sorry to say that.

Regards,

Henrik

comment:28 Changed 2 years ago by Henrik Bettermann

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:29 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Next problems:

  1. The live system is working now (https://newwebpay.interswitchng.com/collections/w/pay) but not their test system https://webpay-ui.k8.isw.la/collections/w/pay. So how shall I test the software?
  1. The 'here' link is not working:

"As you can see in the form above, the site_redirect_url value you provide will be the URL that we will call when the user is done completing the transaction. The list of the response parameters can be found here"

https://docs.interswitchgroup.com/docs/response-codes-5

I need the response codes.

Regards, Henrik

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:30 in reply to:  29 ; Changed 2 years ago by benedict emenaogu

1.The live system is working now

Glad to hear this ..At least we now have a direction.

So how shall I test the software?

The test system might probably have gone down again .
I have reported this to them and expecting feedback.

I need the response codes.

will revert once they respond as well

Regards,
ben

comment:31 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:32 in reply to:  30 ; Changed 2 years ago by benedict emenaogu

The test system might probably have gone down again .
I have reported this to them and expecting feedback.

The implementation Engineer just responded that the test url is down at the moment.
so he is asking if we can use the Production platform.
Are you familiar with the Production platform he is referring to ?

Regards,
ben

comment:33 in reply to:  32 Changed 2 years ago by benedict emenaogu

He just shared these

<form method='post' action='https://newwebpay.interswitchng.com/collections/w/pay'>

<input name='merchant_code' value='MX60799' />
<input name='pay_item_id' value='MX60799_MERCHANT_APP' />
<input name='site_redirect_url' value='https://example.com/payment-response' />
<input name='txn_ref' value='sample_txn_ref_1235' />
<input name='amount' value='10000' />
<input name='currency' value='566' />
<input type='submit' value='Make Payment' />

</form>
that is the option 2

it currently speaks to our live environment for test transactions you can use an actual card

please don't make any substantial payment with it as it is actually going to make a debit

it is just for test purposes if it meets your requirements we can work on getting your own live credentials to substitute with

Regards,
ben

comment:34 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Hello Ben,

I wrote the following in my mail to Hector Etomi today:

We have to test our software extensively and need a test system for automatized functional and unit testing. This test system (with a dummy merchant code and dummy transactions which can be requeried) must always be available. It seems Interswitch shuts down this system most of the time. This is a no-go.

The next problem is a broken link on Interswitch's online documentation website. I've already pointed this out to Ben.

Last but not least, how is the web checkout gateway secured? Particularly the "Confirming Transaction Status" method to requery payments/transactions is completely unsecured. It seems that everybody can request these transaction data. How does Interswitch protect their system from unauthorized data retrieval?

Did they also replay to my last question?

so he is asking if we can use the Production platform.

Using the production system for testing? Please recall that our software is open source and everybody can see the source code of our tests including all parameters and transaction data.

The tests include: (1) Sending a POST request to the gateway, (2) testing the various response codes coming from the gateway after a possible redirect, (2) making a payment on the payment platform and finally (3) confirming the transaction status of the payment. How can we test this with the production system? Only (3) can be tested my means of a real payment of a real person. Do they really provide such data from the production system?

Regards,

Henrik

comment:35 Changed 2 years ago by Henrik Bettermann

We wrote our comments at the same time. So let me answer the question:

please don't make any substantial payment with it as it is actually going to make a debit

You mean a real payment of 100 Naira and then requery this payment so that we can test at least (3)?

we can work on getting your own live credentials to substitute with

We already have a mearchant code and payment id. This is all what we need according to the documentation.

comment:36 Changed 2 years ago by Henrik Bettermann

In order to illustrate what I mean by automatized testing:

https://lpng-trac.waeup.org/browser/main/kofacustom.nigeria/trunk/src/kofacustom/nigeria/interswitch/tests.py

These are the tests for the CollegePay? and PAYDirect platforms.

comment:37 in reply to:  34 ; Changed 2 years ago by benedict emenaogu

Did they also replay to my last question?

No. They only said that the test url was down .

so he is asking if we can use the Production platform.

Yes.

Do they really provide such data from the production system?

He is yet to respond

Regards,
ben

comment:38 in reply to:  35 Changed 2 years ago by benedict emenaogu

You mean a real payment of 100 Naira and then requery this payment so that we can test at least (3)?

Yes.

We already have a merchant code and payment id. This is all what we need according to the documentation.

I believe the merchant code and payment id are what he is referring to as "our own live credentials"

Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:39 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:40 in reply to:  37 ; Changed 2 years ago by benedict emenaogu

Do they really provide such data from the production system?

He has responded;

Ensuring that this payment method is totally safe. He has also suggested that i have a chat with one of the gateways business guys to schedule a call with the product team to get through all our security concerns and guide us to what product best suites our case.

I implore you to proceed with the implementation/test while i engage the gateways business guys and product team regarding our security concerns and what product best suites our case.

Regards,
ben

comment:41 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Okay, I tried to make a 100 Naira payment. Paying with the Visa card on the documentation site results in the following JSON response:

{"responseCode":"Z82","responseDescription":"Merchant has not been configured for bin","logId":"2bd8ed2e-122f-49be-b6c5-27688c0d8d73","isRedirect":false,"responseTag":"CARD_NOT_CONFIGURED","additionalInfo":[{"infoTitle":"BIN","infoData":"40"}]}

Paying with the Verve card works! But, I am asked to enter an OTP which had been send to a Nigerian phone number 234806*7521 which is not mine. So I cannot finalize the payment.

Regards,

Henrik

comment:42 Changed 2 years ago by Henrik Bettermann

I am asked to enter an OTP

Oh, I just see that the OTP is given on the website.

comment:43 Changed 2 years ago by Henrik Bettermann

... but it doesn't work: "Invalid OTP provided".

Changed 2 years ago by Henrik Bettermann

comment:44 Changed 2 years ago by Henrik Bettermann

Maybe you can try yourself:

5060 9905 8000 0217 499
Exp. 03/50
CVV 111
PIN 1111
OTP 123456

(see file attached above)

comment:45 Changed 2 years ago by Henrik Bettermann

Next very interesting phenomenon: When trying to confirm a non-existing transation on the live system, the response always is:

'Token Authorization Not Successful. Incorrect Token Supplied'

That means they have a security feature to protect the webservice against unauthorized access, but this feature and the required parameters are not described in their documentation.

comment:46 Changed 2 years ago by Henrik Bettermann

Probably I was wrong. I requeried the transaction from yesterday with "Invalid OTP provided". So it seems that this transaction does really exist in their system. But what does "Incorrect Token Supplied" mean? I thought OTP meany "one-time password"?! Questions upon questions, all not answered in their documentation.

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:47 in reply to:  40 Changed 2 years ago by benedict emenaogu

Do they really provide such data from the production system?

had to recall this, just to keep you abreast with my conversations with them yesterday on this query.
I asked "Please is the test url up now ?"
He responded "the test url is not up yet"
I asked "so how else can test or what next do you advise we do ?"
He responded "that is why i setup that production environment but
you are insisting we use test, i can't give you a timeline for that"

Regards,
ben

comment:48 in reply to:  44 Changed 2 years ago by benedict emenaogu

Maybe you can try yourself:
5060 9905 8000 0217 499
Exp. 03/50
CVV 111
PIN 1111
OTP 123456
(see file attached above)

He asked how the test went, so I relayed and asked him to try it out himself.
He said we should "understand that the environment you are using is a LIVE environment hence the test card will not work.
that they are working on the test environment but
wants us to kindly do a 1 naira transactions with an actual verve card or mastercard or visa card to test the api

while they work on getting the test environment up to prevent time delay to our project.

Awaiting your feedback on this .

Regards,
ben

comment:49 Changed 2 years ago by Henrik Bettermann

wants us to kindly do a 1 naira transactions with an actual verve card

As I wrote above: "Invalid OTP provided"

comment:50 in reply to:  49 Changed 2 years ago by benedict emenaogu

Replying to Henrik Bettermann:

wants us to kindly do a 1 naira transactions with an actual verve card

As I wrote above: "Invalid OTP provided"

using 1 Naira on the 3 cards not 100 Naira ?

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:51 in reply to:  45 Changed 2 years ago by benedict emenaogu

That means they have a security feature to protect the webservice against unauthorized access, but this feature and the required parameters are not described in their documentation.

That's indeed a very interesting phenomenon and getting to know that they have a security feature to protect the webservice against unauthorized access,resolves our security concerns/worries of the platform.

Security should be an integral feature of every sensitive platform its baffling that this feature and the required parameters were not described in their documentation.

comment:52 in reply to:  46 Changed 2 years ago by benedict emenaogu

But what does "Incorrect Token Supplied" mean? I thought OTP meany "one-time password"?!

Awaiting their response ..

comment:53 in reply to:  49 Changed 2 years ago by benedict emenaogu

Replying to Henrik Bettermann:

wants us to kindly do a 1 naira transactions with an actual verve card

As I wrote above: "Invalid OTP provided"

He said the card above is a test card so the otp there will fail on production
which is where you are using to test right now .

so if you can use an actual live card to do a test transaction of 1 naira an otp should be sent to you and then you can provide that otp

Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:54 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:55 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

so if you can use an actual live card

I shall use my own credit card? I am sorry, I'd like to avoid that. Instead, they should just send the details of successful transaction in their system: merchantcode, transactionreference, amount. Then I will use these data for testing.

Regards, Henrik

comment:56 in reply to:  55 ; Changed 2 years ago by benedict emenaogu

Replying to Henrik Bettermann:

so if you can use an actual live card

I shall use my own credit card? I am sorry, I'd like to avoid that. Instead, they should just send the details of successful transaction in their system: merchantcode, transactionreference, amount. Then I will use these data for testing.

I have relayed to them and expecting feedback

comment:57 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:58 in reply to:  56 Changed 2 years ago by benedict emenaogu

Replying to benedict emenaogu:

Replying to Henrik Bettermann:

so if you can use an actual live card

I shall use my own credit card? I am sorry, I'd like to avoid that. Instead, they should just send the details of successful transaction in their system: merchantcode, transactionreference, amount. Then I will use these data for testing.

I have relayed to them and expecting feedback

I have informed them of the successful transaction/payment
so the implementation engineer asked that we confirm
that this integration method works for us

So kindly confirm

Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:59 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Yes, the integration method seems to work, although I could not test the various responses. Furthermore, the Confirm Transaction method is totally unsecured. A simple GET request will bring up the transaction data:

https://webpay.interswitchng.com/collections/api/v1/gettransaction.json?merchantcode=MX76823&transactionreference=p6709347986663&amount=10000

This should be secured e.g. with a keyed-hash message authentication code (MAC).

Regards,

Henrik

comment:60 Changed 2 years ago by benedict emenaogu

Hello Henrik,
They want you to substitute the merchant code and payment item code with our's
that way the live environment will settle to our position .

Regards,
Ben

comment:61 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:62 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

They want you to substitute the merchant code and payment item code with our's

that way the live environment will settle to our position .

I used 'ours', the ones which you mentioned in the description of this ticket.

Regards, Henrik

comment:63 in reply to:  62 ; Changed 2 years ago by benedict emenaogu

I used 'ours', the ones which you mentioned in the description of this ticket.

Thanks.

Regards,
ben

comment:64 in reply to:  63 Changed 2 years ago by benedict emenaogu

I used 'ours', the ones which you mentioned in the description of this ticket.

The implementation engineer wants to know if the substitution worked
Please confirm you have implemented .

Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:65 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:66 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Please confirm you have implemented .

As I said, I used the merchant code MX76823 and the payment id Default_Payable_MX76823. I hink they are the live parameters which seem to work. At least we have made a successful payment.

However, the GET method below can be used by any person in the www. So everybody can call the gettransaction function. The merchant code is public. The transaction id is computed by Kofa and is more or less a timestamp. Thus a bot can easily find out how much money has been transferred by Interswitch to the Big Tent Foundation. This is not secure at all.

https://webpay.interswitchng.com/collections/api/v1/gettransaction.json?merchantcode=MX76823&transactionreference=p6709347986663&amount=10000

Regards, Henrik

comment:67 in reply to:  66 Changed 2 years ago by benedict emenaogu

However, the GET method below can be used by any person in the www. So everybody can call the gettransaction function. The merchant code is public. The transaction id is computed by Kofa and is more or less a timestamp. Thus a bot can easily find out how much money has been transferred by Interswitch to the Big Tent Foundation. This is not secure at all.

the Implementation engineer responded saying;
"i can understand your issue with this although i am looking for an alternative"

He also went on to confirm that the "Confirm WebCheckout? Transaction" is just to confirm transaction status and that it doesn't have any sensitive information that can be used against us and it should be called from backend.
He said the "Confirm WebCheckout? Transaction" performs the same function the "Requery CollegePAY History" button does.

and that our payment item id is not part of the request and without it no one can use our gateway.
he suggested that we don't make the call from the front end.

I then made him to understand that it is visible to everyone and can be used by a BOT or other malicious intruders and also asked him the following questions ;

  1. What if the call is made from the front end ?

will it not spool amount and trans_ref from the customer's transaction ?

  1. what do you mean by "but your payment item id is not part of the request and without it no one can use your gateway"

he answered by saying that "the only informations there would be merchant code and asked
what can a malicious entity use that for?

answer 2. i mean that for someone to make a call to use your payment gateway they need payment item id and it is not a part of the get transactions call.

however there is if i use your gateway to collect money elsewhere it will be settled to you.
your concern with the platform is safety and i am telling you that the information that is sent and received as the information therein are merchant code, transaction reference and amount

I asked him if it is possible for this "GET transaction" to be secured with a keyed-hash message authentication code (MAC) as we earlier mentioned ?
He said it is not possible.

i then inquired about the other alternative he said he is looking for,
"what i was looking into doesn't work this is the way that works today
if an update is made we will update you guys" his response .


Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:68 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:69 Changed 2 years ago by benedict emenaogu

He shared a documentation to achieve the split instruction aspect
https://sandbox.interswitchng.com/docbase/docs/webpay/new-webpay/split-payment/

comment:70 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

He shared a documentation

Documentation chaos: This is a completely different documentation. Web Pay and Web Checkout are the same?? I don't think so. Web Checkout does not require a MAC key. Also the parameters are different. Even the URLs of the gettransaction methods are different.

Web Checkout:

https://webpay.interswitchng.com/collections/api/v1/gettransaction.json
https://qa.interswitchng.com/collections/api/v1/gettransaction.json?merchantcode={merchantcode}&transactionreference={reference}&amount={amount}

WebPay?:

https://sandbox.interswitchng.com/webpay/api/v1/gettransaction.json?productId=6205&transactionreference=001211343476456&amount=304500

merchantcode == productId ????? Is this really the same function?

And furthermore, I have no idea how to configure the split payment configuration. I have neither any aliases nor percentages. split_accounts is also not part of the Payment Request Parameters list of of the Web Checkout platform.

What a mess!

Regards, Henrik

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:71 in reply to:  70 Changed 2 years ago by benedict emenaogu

Documentation chaos: This is a completely different documentation. Web Pay and Web Checkout are the same?? I don't think so. Web Checkout does not require a MAC key. Also the parameters are different. Even the URLs of the gettransaction methods are different.

Web Checkout:

https://webpay.interswitchng.com/collections/api/v1/gettransaction.json
https://qa.interswitchng.com/collections/api/v1/gettransaction.json?merchantcode={merchantcode}&transactionreference={reference}&amount={amount}

WebPay?:

https://sandbox.interswitchng.com/webpay/api/v1/gettransaction.json?productId=6205&transactionreference=001211343476456&amount=304500
merchantcode == productId ????? Is this really the same function?

In response to our escalation on the "GET transaction" security issues;

  1. They admitted you were right about the merchantCode being public.

"However, it’s the combination of transaction ref, amount and merchant code that is used to return a successful requery response.
The transaction ref is sent by you and can be anything you want it to be".

  1. They also strongly advise that the requery call is ALWAYS done from the backend and not the fronted.
  1. they introduced the option of "a mac validation" which can be enabled on our profile.

that is,if you prefer to have an extra layer of security on the reuqery call, but it’s also going to affect the initial redirect call because you’re going to have to also pass a hash in that request as well.

And furthermore, I have no idea how to configure the split payment configuration.

Please you have to decide the web checkout method of your choice
as we can't commence the split payment configuration or move forward until you make that decision .

Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:72 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:73 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

They also strongly advise that the requery call is ALWAYS done from the backend and not the fronted.

That's what we are doing, always!

they introduced the option of "a mac validation" which can be enabled on our profile.

Okay, they should enable it and send me a documentation how to implement this on the Web Checkout system.

And furthermore, I have no idea how to configure the split payment configuration.

I have an idea but I need a documentation for the Web Checkout payment gateway. The one they sent to me was for Web Pay system which seems to be very different.

Regards,

Henrik

comment:74 Changed 2 years ago by Henrik Bettermann

For the split payment configuration I also need aliases and percentages.

comment:75 in reply to:  74 ; Changed 2 years ago by benedict emenaogu

I have an idea but I need a documentation for the Web Checkout payment gateway. The one they sent to me was for Web Pay system which seems to be very different.

These are the docs you need:
Web checkout- https://docs.interswitchgroup.com/docs/web-checkout
Split Payments - https://docs.interswitchgroup.com/docs/split-payments
Request Hash Calculation: https://sandbox.interswitchng.com/docbase/docs/webpay-direct-paydirect-web/transaction-payment-leg/request-hash-calculation/
Response Hash Calculation: https://sandbox.interswitchng.com/docbase/docs/webpay-direct-paydirect-web/transaction-confirmation-leg/hash-computation/

For the split payment configuration I also need aliases and percentages.

As for questions around the aliases, our platform is fully self-service. You can create the accounts and aliases as described in the split document, and you can dynamically send your split instruction (percentage or amount) with each transaction request.

He requested we share our merchant code to enable them create a mac key for it and enable hash validation.
Done that already .


Regards,
ben

comment:76 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:77 in reply to:  75 Changed 2 years ago by benedict emenaogu

He requested we share our merchant code to enable them create a mac key for it and enable hash validation.
Done that already .

Here are test details:

Merchant_code: MX111690

Pay_item_id: Default_Payable_MX111690

Mac Key: ACS9yokAioPVIpSfT431uc1w3jzBVvZqprR4QhXvpMlm9kB6dh7lZXsDVNj3N0Vt0eoVnXqbgl3ecyYmpQax3oCh1CNCWbAJcYorOvu7n8hWAfmbjkYtma2ODckJEkDv

In calculating the hash, you don’t need to send the product_id. You can simply send the hash as Sha512Hash (txn_ref + merchant_code + amount + mackKey).


You can login to https://business.quickteller.com and switch to test mode and create as many accounts and aliases you want.

Regards,
ben

comment:78 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Merchant_code: MX111690

This is a merchant code for testing? And also the Mac Key is for testing only? If so, how can I test if I don't know a valid transaction on the test system. I thought the test server is down?! I only have a valid transaction reference number for the production system.

You can login to ​https://business.quickteller.com and switch to test mode and create as many accounts and aliases you want.

I shall create these aliases and connect them with the bank accounts which you mentioned in the description of this ticket? But I don't have a user name and password for the Quickteller platform.

Regards,

Henrik

comment:79 in reply to:  78 ; Changed 2 years ago by benedict emenaogu

If so, how can I test if I don't know a valid transaction on the test system. I thought the test server is down?! I only have a valid transaction reference number for the production system.

You are right you cant test without a valid transaction on the test system
I will find out if the test server is still down and also request for a valid transaction on the test system

I shall create these aliases and connect them with the bank accounts which you mentioned in the description of this ticket? But I don't have a user name and password for the Quickteller platform.

to login to ​https://business.quickteller.com
Email: florence@…
P.word: GodisGreat_100%&

Regards,
ben

comment:80 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:81 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

to login to ​​https://business.quickteller.com

Okay, but do you have any idea where I can configure aliases?

comment:82 Changed 2 years ago by Henrik Bettermann

I found it. The aliases are: "Big Tent Foundation for Charity," (including a comma) and "West Africa e-Academy Limited Ko". I would like to change them. They are too long.

comment:83 Changed 2 years ago by Henrik Bettermann

I can't change the parameters without OTP which has been sent to a mobile phone.

comment:84 Changed 2 years ago by Henrik Bettermann

I configured the split payments in Kofa as follows:

[
{"alias":"bigtentfdn","percentage":"95","description":"donation","isPrimary":"true"},
{"alias":"waeac","percentage":"5","description":"waeac"},
]

Is this okay?

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:85 Changed 2 years ago by Henrik Bettermann

But this is already the live system configuration. The test portal is not working.

comment:86 in reply to:  82 Changed 2 years ago by benedict emenaogu

I found it. The aliases are: "Big Tent Foundation for Charity," (including a comma) and "West Africa e-Academy Limited Ko". I would like to change them. They are too long.

They are too long because those are their Bank Account names which was created when the both accounts were opened . I hope changing them will not have any effect on transactions/payments.it shouldn't anyway.


comment:87 in reply to:  84 Changed 2 years ago by benedict emenaogu

I configured the split payments in Kofa as follows:

[
{"alias":"bigtentfdn","percentage":"95","description":"donation","isPrimary":"true"},
{"alias":"waeac","percentage":"5","description":"waeac"},
]

Is this okay?

As earlier communicated, Interswitch charge is called "gateway fee"
and waeac fee should be called "technology fee"
Please confirm you have effected the change from "waeac fee" to "technology fee" as requested.

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:88 in reply to:  79 ; Changed 2 years ago by benedict emenaogu

You are right you cant test without a valid transaction on the test system
I will find out if the test server is still down and also request for a valid transaction on the test system

Am still expecting a response from them on these.

comment:89 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:90 Changed 2 years ago by Henrik Bettermann

Split payment is activated on the production system. You can test with a 100N payment.

Last edited 2 years ago by Henrik Bettermann (previous) (diff)

comment:91 in reply to:  90 Changed 2 years ago by benedict emenaogu

Split payment is activated on the production system. You can test with a 100N payment.

confirmed.
Thanks .

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:92 in reply to:  88 Changed 2 years ago by benedict emenaogu

Replying to benedict emenaogu:

You are right you cant test without a valid transaction on the test system
I will find out if the test server is still down and also request for a valid transaction on the test system
Am still expecting a response from them on these.

Below is the mac key for the test via the production system as the test system is still down:

uS6U18pC6GFKCpJoZH6J6jlOmR81FSrHkjBRpMaaydNQtywuG0hdB02J56MCqLV8rmzeAkhiaQR2nNcX3EPJePl5ppidImeKSzdunhddQh61UGpZPiS2CxMdAem8ueA1

Regards,
ben

comment:93 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

In calculating the hash, you don’t need to send the product_id. You can simply send the hash as Sha512Hash (txn_ref + merchant_code + amount + mackKey).

What's wrong with the following string?

p6709347986663MX7682310000uS6U18pC6GFKCpJoZH6J6jlOmR81FSrHkjBRpMaaydNQtywuG0hdB02J56MCqLV8rmzeAkhiaQR2nNcX3EPJePl5ppidImeKSzdunhddQh61UGpZPiS2CxMdAem8ueA1

I am always getting the response 'invalid hash'.

Do we use the same string for both methods: transaction payment and transaction confirmation? The documentation says that they are different.

Would it be possible to simplify the string construction? It would be very fine to use the following string:

txn_ref + merchant_code + mackKey

as we do for the College Pay system. Then hash computation is less error-prone.

comment:94 in reply to:  93 Changed 2 years ago by benedict emenaogu

Would it be possible to simplify the string construction? It would be very fine to use the following string:
txn_ref + merchant_code + mackKey

Will find out if using the suggested string can be possible,
but if its possible, can this be implemented on production test system since it is the only viable test option?

Here's to confirm that the hash/mac key validation has been disabled as requested,
split instruction tested and perfect thus the portal now useable .

Thank you !

Regards,
ben

Last edited 2 years ago by benedict emenaogu (previous) (diff)

comment:95 Changed 2 years ago by benedict emenaogu

Owner: changed from benedict emenaogu to Henrik Bettermann

comment:96 Changed 2 years ago by Henrik Bettermann

Owner: changed from Henrik Bettermann to benedict emenaogu

Mac validation is disabled. We have to test it on the test system and not the production system. So I am waiting for the production system to run. Regards, Henrik

comment:97 in reply to:  96 Changed 2 years ago by benedict emenaogu

ok.

Note: See TracTickets for help on using tickets.