Opened 2 years ago
Last modified 2 years ago
#1 assigned task
INTERSWITCH QTB PAYMENT GATEWAY INTEGRATION
Reported by: | benedict emenaogu | Owned by: | benedict emenaogu |
---|---|---|---|
Priority: | major | Keywords: | |
Cc: |
Description
Dear Henrik,
Adebayo Razaq of Interswitch Merchants Support, has advised you to proceed with the integration.
Below are the relevant credentials;
Merchant Credentials
Merchant code
MX76823
Pay item ID
Default_Payable_MX76823
Data ref
n/0ul8aYgC8g56wjKeRx3v0kK9r2rDxhKnmw7c8rryg=
API/SDK Integration
Client ID
IKIADF43A697D6EE991D1D0FAE1A1FB6672997E8D4E2
Secret key
1O/dKvTXE4nfXgdsa8+rzgY7i1dbBFObq45qqu7EweY=
Documentation on how to integrate can be accessed via the URL below;
https://docs.interswitchgroup.com/docs/web-checkout
Please join the slack channel to get real time support as you commence integration; https://join.slack.com/t/iswdevelopercommunity/shared_invite/zt-1kbuhwumr-16yXhfj2yHq0eql7iHV4Fw
I have just joined .
You will have to sign up first then come back to re-click on the link for direct access to the isw developers community .
Please also take note of the correction in both Account names ;
2.
i. BIG TENT FOUNDATION Account Details :
ACCOUNT NAME: Big Tent Foundation for Charity, Enlightenment and Empowerment
BANK: ECOBANK Nigeria
ACCOUNT NUMBER: 0010078210
i.e
institution_acct = '0010078210'
institution_bank_id = '47'
0010079822: USD INFLOW ONLY
0010079853: USD CASH ONLY
ii. WAEAC Account Details :
ACCOUNT NAME: West Africa e-Academy Limited Kofa Plus
BANK: ZENITH BANK Nigeria
ACCOUNT NUMBER: 1017032875
i.e
provider_acct = '1017032875'
provider_bank_id = '117'
5071347159 USD
Regards,
ben
Attachments (1)
Change history (98)
comment:1 Changed 2 years ago by
Type: | task → defect |
---|
comment:2 Changed 2 years ago by
Type: | defect → task |
---|
comment:3 follow-up: 5 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
comment:4 Changed 2 years ago by
These are the URLs we are using for WebPAY (= CollegePAY??):
POST_ACTION = 'https://webpay.interswitchng.com/paydirect/pay'
#POST_ACTION = 'https://sandbox.interswitchng.com/webpay/pay'
HOST = 'webpay.interswitchng.com'
#HOST = 'sandbox.interswitchng.com'
URL = '/paydirect/api/v1/gettransaction.json'
#URL = '/webpay/api/v1/gettransaction.json'
These are the URLs we are using for PAYDirect:
PAYDIRECT_HOST = 'orion.interswitchng.com'
PAYDIRECT_URL = '/bookonhold/bookonhold.asmx'
Can we use both payment methods?
comment:5 Changed 2 years ago by
This is the documentation which I used:
The implementation engineer shared and advised you use the documentation below
https://docs.interswitchgroup.com/docs/web-checkout
Regards,
benedict emenaogu
aka ben emenaogu
comment:6 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:7 follow-up: 8 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
The implementation engineer shared and advised you use the documentation below
This documentation is more or less useless. We are Python developers. And as I wrote, I can't implement a new payment method. WebPAY and PAYDirect are still working. Interswitch must enable these payment channels for us. All what we need are Product Id and MAC Key. Then we will send a POST request to
https://webpay.interswitchng.com/paydirect/pay
and retrieve the transaction status from
https://webpay.interswitchng.com/api/v1/gettransaction.json
Regards, Henrik
comment:8 follow-up: 10 Changed 2 years ago by
All what we need are Product Id and MAC Key. Then we will send a POST request to
https://webpay.interswitchng.com/paydirect/pay
and retrieve the transaction status from
https://webpay.interswitchng.com/api/v1/gettransaction.json
I have requested for the Product Id and MAC Key and waiting
to receive it from the implementation engineer .
Regards,
ben
comment:9 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:10 Changed 2 years ago by
I have requested for the Product Id and MAC Key and waiting
to receive it from the implementation engineer .
The implementation engineer said the newly registered merchant (i.e The Big Tent Foundation) cannot use these endpoints
(https://webpay.interswitchng.com/paydirect/pay and https://webpay.interswitchng.com/api/v1/gettransaction.json)
because they are for the old webpay that Quickteller business now speaks to the new webpay method .
So he advised we use the new web pay channel by following this documentation https://docs.interswitchgroup.com/docs/web-checkout
Regards,
ben
comment:11 follow-ups: 12 13 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Neither on the test server nor on the live server the provided merchant id of pay item id is accepted. I tried to send the folowing POST requests:
<form method='post' action='https://webpay-ui.k8.isw.la/collections/w/pay'> <input name='merchant_code' value='MX76823' /> <input name='pay_item_id' value='Default_Payable_MX76823' /> <input name='site_redirect_url' value='https://example.com/payment-response' /> <input name='txn_ref' value='sample_txn_ref_123' /> <input name='amount' value='10000' /> <input name='currency' value='566' /> <input type='submit' value='Make Payment' /> </form> <form method='post' action='https://newwebpay.interswitchng.com/collections/w/pay'> <input name='merchant_code' value='MX76823' /> <input name='pay_item_id' value='Default_Payable_MX76823' /> <input name='site_redirect_url' value='https://example.com/payment-response' /> <input name='txn_ref' value='sample_txn_ref_123' /> <input name='amount' value='10000' /> <input name='currency' value='566' /> <input type='submit' value='Make Payment' /> </form>
The JSON response is always:
%7B%22responseCode%22%3A%22Z4%22%2C%22responseDescription%22%3A%22MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST%22%2C%22siteRedirectUrl%22%3A%22https%3A%2F%2Fexample.com%2Fpayment-response%22%2C%22amount%22%3A0%2C%22surcharge%22%3A0%2C%22payableId%22%3A0%2C%22paymentId%22%3A0%2C%22logoUrl%22%3A%22https%3A%2F%2Fmufasa.interswitchng.com%2Fp%2Fwebpay%2Flogos%2Fdefault.png%22%2C%22displayModeType%22%3A%22PAGE%22%2C%22merchantTransactionReference%22%3A%22sample_txn_ref_123%22%7D
MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS
I am stuck.
Regards, Henrik
comment:13 Changed 2 years ago by
MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS
I am stuck.
Is this response not because you are neither on the test server nor on the live server ?
should i relay this to the implementation engineer ?
for their possible assistance?
Regards,
ben
comment:14 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:15 follow-up: 16 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Is this response not because you are neither on the test server nor on the live server ?
This is a misunderstanding. Both servers refuse my request. Both are replying with MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIS
should i relay this to the implementation engineer ?
Yes please
Regards, Henrik
comment:16 follow-up: 18 Changed 2 years ago by
Yes please
I have done so and will feedback once he responds.
Regards,
Ben
comment:17 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:18 Changed 2 years ago by
I have done so and will feedback once he responds.
kindly use the sample code as provided in the documentation (edited)
<html> <head> <title>Ekene Webpay test</title> </head> <body> <div class="checkout-container"> <form id="submit-form"> <button type="submit">Pay</button> </form> <script type="text/javascript" src="https://qa.interswitchng.com/collections/public/javascripts/inline-checkout.js"></script> </div> </body> </html> <script> var submitForm = document.getElementById("submit-form"); submitForm.addEventListener("submit", submitHandler); function submitHandler(event) { event.preventDefault(); var redirectUrl = location.href; var paymentRequest = { merchant_code: "MX15510", pay_item_id: "Default_Payable_MX15510", txn_ref: "781234543542678", amount: "30000", currency: 566, site_redirect_url: location.href, onComplete: paymentCallback, mode: "TEST" }; /* if (customerName != "") { paymentRequest.cust_name = customerName;} if (customerId != "") { paymentRequest.cust_id = customerId;} */ window.webpayCheckout(paymentRequest);} function paymentCallback(response) { console.log(response); } </script>
He said what he sent (above) is a sample code you can use
Regards,
Ben
comment:19 follow-up: 20 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
He said what he sent (above) is a sample code you can use
For security reasons we do not use such third-party Javascript. Therefore I decided to use Option 2, the Web Redirect method. The POST requests can be easily created, either as html file in a text editor or using Postman. The Web Redirect method always returns MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST, also for the data provided above.
They need to explain this!
Regards, Henrik
comment:20 follow-up: 22 Changed 2 years ago by
They need to explain this!
they asked me to send them
the merchant code and payment item you are using
i sent these;
merchant_code ='MX76823'
pay_item_id' value='Default_Payable_MX76823'
He also asked that i share the url you are passing this to
so i sent these;
post' action='https://webpay-ui.k8.isw.la/collections/w/pay'>
post' action='https://newwebpay.interswitchng.com/collections/w/pay'>
awaiting his feedback
Regards,
Ben
comment:21 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:22 Changed 2 years ago by
awaiting his feedback
The test environment was down
however he shared a sample code for the live environment
that way our merchant code will work
<html> <head> <title>Ekene Webpay test</title> </head> <body> <div class="checkout-container"> <form id="submit-form"> <button type="submit">Pay</button> </form> <script type="text/javascript" src="https://newwebpay.interswitchng.com/inline-checkout.js"></script> </div> </body> </html> <script> var submitForm = document.getElementById("submit-form"); submitForm.addEventListener("submit", submitHandler); function submitHandler(event) { event.preventDefault(); var redirectUrl = location.href; var paymentRequest = { merchant_code: "MX60799", pay_item_id: "MX60799_MERCHANT_APP", txn_ref: "78123454354261", amount: "30000", currency: 566, site_redirect_url: location.href, onComplete: paymentCallback, mode: "LIVE" }; /* if (customerName != "") { paymentRequest.cust_name = customerName;} if (customerId != "") { paymentRequest.cust_id = customerId;} */ window.webpayCheckout(paymentRequest);} function paymentCallback(response) { console.log(response); } </script>
Regards,
Ben
comment:23 follow-up: 24 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
however he shared a sample code for the live environment
Again, for security reasons we do not use third-party embedded Javascript code. Therefore I decided to use option 2.
that way our merchant code will work
It doesn't work. Neither on the live system nor on the test system. The response to our POST requests is: MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST
Regards,
Henrik
comment:24 Changed 2 years ago by
It doesn't work. Neither on the live system nor on the test system. The response to our POST requests is: MERCHANT_OR_PAYMENT_ITEM_DOES_NOT_EXIST
Relayed these and have asked them to advise on how we can possibly get a correct response to our POST requests
Regards,
Ben
comment:25 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:26 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
It's really strange, they provide a documentation with an example which does not work:
https://docs.interswitchgroup.com/docs/web-checkout Option 2 - Web Redirect
You can easily verify this by submitting this POST request. The response is an empty html page with some Javascript code.
Regards, Henrik
comment:27 Changed 2 years ago by
Hello Ben
That's really amazing. I just tested the POST request again. Now it's working! It seems that they have fixed the problem last night. And as always, we were not told. No excuse at all. It's always the customers who are to blame. This is my 15 years experience with Interswitch technicians. I am sorry to say that.
Regards,
Henrik
comment:28 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:29 follow-up: 30 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Next problems:
- The live system is working now (https://newwebpay.interswitchng.com/collections/w/pay) but not their test system https://webpay-ui.k8.isw.la/collections/w/pay. So how shall I test the software?
- The 'here' link is not working:
"As you can see in the form above, the site_redirect_url value you provide will be the URL that we will call when the user is done completing the transaction. The list of the response parameters can be found here"
I need the response codes.
Regards, Henrik
comment:30 follow-up: 32 Changed 2 years ago by
1.The live system is working now
Glad to hear this ..At least we now have a direction.
So how shall I test the software?
The test system might probably have gone down again .
I have reported this to them and expecting feedback.
I need the response codes.
will revert once they respond as well
Regards,
ben
comment:31 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:32 follow-up: 33 Changed 2 years ago by
The test system might probably have gone down again .
I have reported this to them and expecting feedback.
The implementation Engineer just responded that the test url is down at the moment.
so he is asking if we can use the Production platform.
Are you familiar with the Production platform he is referring to ?
Regards,
ben
comment:33 Changed 2 years ago by
He just shared these
<form method='post' action='https://newwebpay.interswitchng.com/collections/w/pay'>
<input name='merchant_code' value='MX60799' />
<input name='pay_item_id' value='MX60799_MERCHANT_APP' />
<input name='site_redirect_url' value='https://example.com/payment-response' />
<input name='txn_ref' value='sample_txn_ref_1235' />
<input name='amount' value='10000' />
<input name='currency' value='566' />
<input type='submit' value='Make Payment' />
</form>
that is the option 2
it currently speaks to our live environment for test transactions you can use an actual card
please don't make any substantial payment with it as it is actually going to make a debit
it is just for test purposes if it meets your requirements we can work on getting your own live credentials to substitute with
Regards,
ben
comment:34 follow-up: 37 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Hello Ben,
I wrote the following in my mail to Hector Etomi today:
We have to test our software extensively and need a test system for automatized functional and unit testing. This test system (with a dummy merchant code and dummy transactions which can be requeried) must always be available. It seems Interswitch shuts down this system most of the time. This is a no-go.
The next problem is a broken link on Interswitch's online documentation website. I've already pointed this out to Ben.
Last but not least, how is the web checkout gateway secured? Particularly the "Confirming Transaction Status" method to requery payments/transactions is completely unsecured. It seems that everybody can request these transaction data. How does Interswitch protect their system from unauthorized data retrieval?
Did they also replay to my last question?
so he is asking if we can use the Production platform.
Using the production system for testing? Please recall that our software is open source and everybody can see the source code of our tests including all parameters and transaction data.
The tests include: (1) Sending a POST request to the gateway, (2) testing the various response codes coming from the gateway after a possible redirect, (2) making a payment on the payment platform and finally (3) confirming the transaction status of the payment. How can we test this with the production system? Only (3) can be tested my means of a real payment of a real person. Do they really provide such data from the production system?
Regards,
Henrik
comment:35 follow-up: 38 Changed 2 years ago by
We wrote our comments at the same time. So let me answer the question:
please don't make any substantial payment with it as it is actually going to make a debit
You mean a real payment of 100 Naira and then requery this payment so that we can test at least (3)?
we can work on getting your own live credentials to substitute with
We already have a mearchant code and payment id. This is all what we need according to the documentation.
comment:36 Changed 2 years ago by
In order to illustrate what I mean by automatized testing:
These are the tests for the CollegePay? and PAYDirect platforms.
comment:37 follow-up: 40 Changed 2 years ago by
Did they also replay to my last question?
No. They only said that the test url was down .
so he is asking if we can use the Production platform.
Yes.
Do they really provide such data from the production system?
He is yet to respond
Regards,
ben
comment:38 Changed 2 years ago by
You mean a real payment of 100 Naira and then requery this payment so that we can test at least (3)?
Yes.
We already have a merchant code and payment id. This is all what we need according to the documentation.
I believe the merchant code and payment id are what he is referring to as "our own live credentials"
Regards,
ben
comment:39 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:40 follow-up: 47 Changed 2 years ago by
Do they really provide such data from the production system?
He has responded;
Ensuring that this payment method is totally safe. He has also suggested that i have a chat with one of the gateways business guys to schedule a call with the product team to get through all our security concerns and guide us to what product best suites our case.
I implore you to proceed with the implementation/test while i engage the gateways business guys and product team regarding our security concerns and what product best suites our case.
Regards,
ben
comment:41 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Okay, I tried to make a 100 Naira payment. Paying with the Visa card on the documentation site results in the following JSON response:
{"responseCode":"Z82","responseDescription":"Merchant has not been configured for bin","logId":"2bd8ed2e-122f-49be-b6c5-27688c0d8d73","isRedirect":false,"responseTag":"CARD_NOT_CONFIGURED","additionalInfo":[{"infoTitle":"BIN","infoData":"40"}]}
Paying with the Verve card works! But, I am asked to enter an OTP which had been send to a Nigerian phone number 234806*7521 which is not mine. So I cannot finalize the payment.
Regards,
Henrik
comment:42 Changed 2 years ago by
I am asked to enter an OTP
Oh, I just see that the OTP is given on the website.
Changed 2 years ago by
Attachment: | 6f4a9a3-Verve_card_API_docs.png added |
---|
comment:44 follow-up: 48 Changed 2 years ago by
Maybe you can try yourself:
5060 9905 8000 0217 499
Exp. 03/50
CVV 111
PIN 1111
OTP 123456
(see file attached above)
comment:45 follow-up: 51 Changed 2 years ago by
Next very interesting phenomenon: When trying to confirm a non-existing transation on the live system, the response always is:
'Token Authorization Not Successful. Incorrect Token Supplied'
That means they have a security feature to protect the webservice against unauthorized access, but this feature and the required parameters are not described in their documentation.
comment:46 follow-up: 52 Changed 2 years ago by
Probably I was wrong. I requeried the transaction from yesterday with "Invalid OTP provided". So it seems that this transaction does really exist in their system. But what does "Incorrect Token Supplied" mean. I thought OTP meany "one-time password"?! Questions upon questions, all not answered in their documentation.
comment:47 Changed 2 years ago by
Do they really provide such data from the production system?
had to recall this, just to keep you abreast with my conversations with them yesterday on this query.
I asked "Please is the test url up now ?"
He responded "the test url is not up yet"
I asked "so how else can test or what next do you advise we do ?"
He responded "that is why i setup that production environment but
you are insisting we use test, i can't give you a timeline for that"
Regards,
ben
comment:48 Changed 2 years ago by
Maybe you can try yourself:
5060 9905 8000 0217 499
Exp. 03/50
CVV 111
PIN 1111
OTP 123456
(see file attached above)
He asked how the test went, so I relayed and asked him to try it out himself.
He said we should "understand that the environment you are using is a LIVE environment hence the test card will not work.
that they are working on the test environment but
wants us to kindly do a 1 naira transactions with an actual verve card or mastercard or visa card to test the api
while they work on getting the test environment up to prevent time delay to our project.
Awaiting your feedback on this .
Regards,
ben
comment:49 follow-ups: 50 53 Changed 2 years ago by
wants us to kindly do a 1 naira transactions with an actual verve card
As I wrote above: "Invalid OTP provided"
comment:50 Changed 2 years ago by
Replying to Henrik Bettermann:
wants us to kindly do a 1 naira transactions with an actual verve card
As I wrote above: "Invalid OTP provided"
using 1 Naira on the 3 cards not 100 Naira ?
comment:51 Changed 2 years ago by
That means they have a security feature to protect the webservice against unauthorized access, but this feature and the required parameters are not described in their documentation.
That's indeed a very interesting phenomenon and getting to know that they have a security feature to protect the webservice against unauthorized access,resolves our security concerns/worries of the platform.
Security should be an integral feature of every sensitive platform its baffling that this feature and the required parameters were not described in their documentation.
comment:52 Changed 2 years ago by
But what does "Incorrect Token Supplied" mean? I thought OTP meany "one-time password"?!
Awaiting their response ..
comment:53 Changed 2 years ago by
Replying to Henrik Bettermann:
wants us to kindly do a 1 naira transactions with an actual verve card
As I wrote above: "Invalid OTP provided"
He said the card above is a test card so the otp there will fail on production
which is where you are using to test right now .
so if you can use an actual live card to do a test transaction of 1 naira an otp should be sent to you and then you can provide that otp
Regards,
ben
comment:54 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:55 follow-up: 56 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
so if you can use an actual live card
I shall use my own credit card? I am sorry, I'd like to avoid that. Instead, they should just send the details of successful transaction in their system: merchantcode, transactionreference, amount. Then I will use these data for testing.
Regards, Henrik
comment:56 follow-up: 58 Changed 2 years ago by
Replying to Henrik Bettermann:
so if you can use an actual live card
I shall use my own credit card? I am sorry, I'd like to avoid that. Instead, they should just send the details of successful transaction in their system: merchantcode, transactionreference, amount. Then I will use these data for testing.
I have relayed to them and expecting feedback
comment:57 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:58 Changed 2 years ago by
Replying to benedict emenaogu:
Replying to Henrik Bettermann:
so if you can use an actual live card
I shall use my own credit card? I am sorry, I'd like to avoid that. Instead, they should just send the details of successful transaction in their system: merchantcode, transactionreference, amount. Then I will use these data for testing.
I have relayed to them and expecting feedback
I have informed them of the successful transaction/payment
so the implementation engineer asked that we confirm
that this integration method works for us
So kindly confirm
Regards,
ben
comment:59 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Yes, the integration method seems to work, although I could not test the various responses. Furthermore, the Confirm Transaction method is totally unsecured. A simple GET request will bring up the transaction data:
This should be secured e.g. with a keyed-hash message authentication code (MAC).
Regards,
Henrik
comment:60 Changed 2 years ago by
Hello Henrik,
They want you to substitute the merchant code and payment item code with our's
that way the live environment will settle to our position .
Regards,
Ben
comment:61 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:62 follow-up: 63 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
They want you to substitute the merchant code and payment item code with our's
that way the live environment will settle to our position .
I used 'ours', the ones which you mentioned in the description of this ticket.
Regards, Henrik
comment:63 follow-up: 64 Changed 2 years ago by
I used 'ours', the ones which you mentioned in the description of this ticket.
Thanks.
Regards,
ben
comment:64 Changed 2 years ago by
I used 'ours', the ones which you mentioned in the description of this ticket.
The implementation engineer wants to know if the substitution worked
Please confirm you have implemented .
Regards,
ben
comment:65 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:66 follow-up: 67 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Please confirm you have implemented .
As I said, I used the merchant code MX76823 and the payment id Default_Payable_MX76823. I hink they are the live parameters which seem to work. At least we have made a successful payment.
However, the GET method below can be used by any person in the www. So everybody can call the gettransaction function. The merchant code is public. The transaction id is computed by Kofa and is more or less a timestamp. Thus a bot can easily find out how much money has been transferred by Interswitch to the Big Tent Foundation. This is not secure at all.
Regards, Henrik
comment:67 Changed 2 years ago by
However, the GET method below can be used by any person in the www. So everybody can call the gettransaction function. The merchant code is public. The transaction id is computed by Kofa and is more or less a timestamp. Thus a bot can easily find out how much money has been transferred by Interswitch to the Big Tent Foundation. This is not secure at all.
the Implementation engineer responded saying;
"i can understand your issue with this although i am looking for an alternative"
He also went on to confirm that the "Confirm WebCheckout? Transaction" is just to confirm transaction status and that it doesn't have any sensitive information that can be used against us and it should be called from backend.
He said the "Confirm WebCheckout? Transaction" performs the same function the "Requery CollegePAY History" button does.
and that our payment item id is not part of the request and without it no one can use our gateway.
he suggested that we don't make the call from the front end.
I then made him to understand that it is visible to everyone and can be used by a BOT or other malicious intruders and also asked him the following questions ;
- What if the call is made from the front end ?
will it not spool amount and trans_ref from the customer's transaction ?
- what do you mean by "but your payment item id is not part of the request and without it no one can use your gateway"
he answered by saying that "the only informations there would be merchant code and asked
what can a malicious entity use that for?
answer 2. i mean that for someone to make a call to use your payment gateway they need payment item id and it is not a part of the get transactions call.
however there is if i use your gateway to collect money elsewhere it will be settled to you.
your concern with the platform is safety and i am telling you that the information that is sent and received as the information therein are merchant code, transaction reference and amount
I asked him if it is possible for this "GET transaction" to be secured with a keyed-hash message authentication code (MAC) as we earlier mentioned ?
He said it is not possible.
i then inquired about the other alternative he said he is looking for,
"what i was looking into doesn't work this is the way that works today
if an update is made we will update you guys" his response .
Regards,
ben
comment:68 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:69 Changed 2 years ago by
He shared a documentation to achieve the split instruction aspect
https://sandbox.interswitchng.com/docbase/docs/webpay/new-webpay/split-payment/
comment:70 follow-up: 71 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
He shared a documentation
Documentation chaos: This is a completely different documentation. Web Pay and Web Checkout are the same?? I don't think so. Web Checkout does not require a MAC key. Also the parameters are different. Even the URLs of the gettransaction methods are different.
Web Checkout:
https://webpay.interswitchng.com/collections/api/v1/gettransaction.json
https://qa.interswitchng.com/collections/api/v1/gettransaction.json?merchantcode={merchantcode}&transactionreference={reference}&amount={amount}
merchantcode == productId ????? Is this really the same function?
And furthermore, I have no idea how to configure the split payment configuration. I have neither any aliases nor percentages. split_accounts is also not part of the Payment Request Parameters list of of the Web Checkout platform.
What a mess!
Regards, Henrik
comment:71 Changed 2 years ago by
Documentation chaos: This is a completely different documentation. Web Pay and Web Checkout are the same?? I don't think so. Web Checkout does not require a MAC key. Also the parameters are different. Even the URLs of the gettransaction methods are different.
Web Checkout:
https://webpay.interswitchng.com/collections/api/v1/gettransaction.json
https://qa.interswitchng.com/collections/api/v1/gettransaction.json?merchantcode={merchantcode}&transactionreference={reference}&amount={amount}
https://sandbox.interswitchng.com/webpay/api/v1/gettransaction.json?productId=6205&transactionreference=001211343476456&amount=304500
merchantcode == productId ????? Is this really the same function?
In response to our escalation on the "GET transaction" security issues;
- They admitted you were right about the merchantCode being public.
"However, it’s the combination of transaction ref, amount and merchant code that is used to return a successful requery response.
The transaction ref is sent by you and can be anything you want it to be".
- They also strongly advise that the requery call is ALWAYS done from the backend and not the fronted.
- they introduced the option of "a mac validation" which can be enabled on our profile.
that is,if you prefer to have an extra layer of security on the reuqery call, but it’s also going to affect the initial redirect call because you’re going to have to also pass a hash in that request as well.
And furthermore, I have no idea how to configure the split payment configuration.
Please you have to decide the web checkout method of your choice
as we can't commence the split payment configuration or move forward until you make that decision .
Regards,
ben
comment:72 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:73 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
They also strongly advise that the requery call is ALWAYS done from the backend and not the fronted.
That's what we are doing, always!
they introduced the option of "a mac validation" which can be enabled on our profile.
Okay, they should enable it and send me a documentation how to implement this on the Web Checkout system.
And furthermore, I have no idea how to configure the split payment configuration.
I have an idea but I need a documentation for the Web Checkout payment gateway. The one they sent to me was for Web Pay system which seems to be very different.
Regards,
Henrik
comment:74 follow-up: 75 Changed 2 years ago by
For the split payment configuration I also need aliases and percentages.
comment:75 follow-up: 77 Changed 2 years ago by
I have an idea but I need a documentation for the Web Checkout payment gateway. The one they sent to me was for Web Pay system which seems to be very different.
These are the docs you need:
Web checkout- https://docs.interswitchgroup.com/docs/web-checkout
Split Payments - https://docs.interswitchgroup.com/docs/split-payments
Request Hash Calculation: https://sandbox.interswitchng.com/docbase/docs/webpay-direct-paydirect-web/transaction-payment-leg/request-hash-calculation/
Response Hash Calculation: https://sandbox.interswitchng.com/docbase/docs/webpay-direct-paydirect-web/transaction-confirmation-leg/hash-computation/
For the split payment configuration I also need aliases and percentages.
As for questions around the aliases, our platform is fully self-service. You can create the accounts and aliases as described in the split document, and you can dynamically send your split instruction (percentage or amount) with each transaction request.
He requested we share our merchant code to enable them create a mac key for it and enable hash validation.
Done that already .
Regards,
ben
comment:76 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:77 Changed 2 years ago by
He requested we share our merchant code to enable them create a mac key for it and enable hash validation.
Done that already .
Here are test details:
Merchant_code: MX111690
Pay_item_id: Default_Payable_MX111690
Mac Key: ACS9yokAioPVIpSfT431uc1w3jzBVvZqprR4QhXvpMlm9kB6dh7lZXsDVNj3N0Vt0eoVnXqbgl3ecyYmpQax3oCh1CNCWbAJcYorOvu7n8hWAfmbjkYtma2ODckJEkDv
In calculating the hash, you don’t need to send the product_id. You can simply send the hash as Sha512Hash (txn_ref + merchant_code + amount + mackKey).
You can login to https://business.quickteller.com and switch to test mode and create as many accounts and aliases you want.
Regards,
ben
comment:78 follow-up: 79 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Merchant_code: MX111690
This is a merchant code for testing? And also the Mac Key is for testing only? If so, how can I test if I don't know a valid transaction on the test system. I thought the test server is down?! I only have a valid transaction reference number for the production system.
You can login to https://business.quickteller.com and switch to test mode and create as many accounts and aliases you want.
I shall create these aliases and connect them with the bank accounts which you mentioned in the description of this ticket? But I don't have a user name and password for the Quickteller platform.
Regards,
Henrik
comment:79 follow-up: 88 Changed 2 years ago by
If so, how can I test if I don't know a valid transaction on the test system. I thought the test server is down?! I only have a valid transaction reference number for the production system.
You are right you cant test without a valid transaction on the test system
I will find out if the test server is still down and also request for a valid transaction on the test system
I shall create these aliases and connect them with the bank accounts which you mentioned in the description of this ticket? But I don't have a user name and password for the Quickteller platform.
to login to https://business.quickteller.com
Email: florence@…
P.word: GodisGreat_100%&
Regards,
ben
comment:80 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:81 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
to login to https://business.quickteller.com
Okay, but do you have any idea where I can configure aliases?
comment:82 follow-up: 86 Changed 2 years ago by
I found it. The aliases are: "Big Tent Foundation for Charity," (including a comma) and "West Africa e-Academy Limited Ko". I would like to change them. They are too long.
comment:83 Changed 2 years ago by
I can't change the parameters without OTP which has been sent to a mobile phone.
comment:84 follow-up: 87 Changed 2 years ago by
I configured the split payments in Kofa as follows:
[ {"alias":"bigtentfdn","percentage":"95","description":"donation","isPrimary":"true"}, {"alias":"waeac","percentage":"5","description":"waeac"}, ]
Is this okay?
comment:85 Changed 2 years ago by
But this is already the live system configuration. The test portal is not working.
comment:86 Changed 2 years ago by
I found it. The aliases are: "Big Tent Foundation for Charity," (including a comma) and "West Africa e-Academy Limited Ko". I would like to change them. They are too long.
They are too long because those are their Bank Account names which was created when the both accounts were opened . I hope changing them will not have any effect on transactions/payments.it shouldn't anyway.
comment:87 Changed 2 years ago by
I configured the split payments in Kofa as follows:
[ {"alias":"bigtentfdn","percentage":"95","description":"donation","isPrimary":"true"}, {"alias":"waeac","percentage":"5","description":"waeac"}, ]Is this okay?
As earlier communicated, Interswitch charge is called "gateway fee"
and waeac fee should be called "technology fee"
Please confirm you have effected the change from "waeac fee" to "technology fee" as requested.
comment:88 follow-up: 92 Changed 2 years ago by
You are right you cant test without a valid transaction on the test system
I will find out if the test server is still down and also request for a valid transaction on the test system
Am still expecting a response from them on these.
comment:89 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:90 follow-up: 91 Changed 2 years ago by
Split payment is activated on the production system. You can test with a 100N payment.
comment:91 Changed 2 years ago by
Split payment is activated on the production system. You can test with a 100N payment.
confirmed.
Thanks .
comment:92 Changed 2 years ago by
Replying to benedict emenaogu:
You are right you cant test without a valid transaction on the test system
I will find out if the test server is still down and also request for a valid transaction on the test system
Am still expecting a response from them on these.
Below is the mac key for the test via the production system as the test system is still down:
uS6U18pC6GFKCpJoZH6J6jlOmR81FSrHkjBRpMaaydNQtywuG0hdB02J56MCqLV8rmzeAkhiaQR2nNcX3EPJePl5ppidImeKSzdunhddQh61UGpZPiS2CxMdAem8ueA1
Regards,
ben
comment:93 follow-up: 94 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
In calculating the hash, you don’t need to send the product_id. You can simply send the hash as Sha512Hash (txn_ref + merchant_code + amount + mackKey).
What's wrong with the following string?
p6709347986663MX7682310000uS6U18pC6GFKCpJoZH6J6jlOmR81FSrHkjBRpMaaydNQtywuG0hdB02J56MCqLV8rmzeAkhiaQR2nNcX3EPJePl5ppidImeKSzdunhddQh61UGpZPiS2CxMdAem8ueA1
I am always getting the response 'invalid hash'.
Do we use the same string for both methods: transaction payment and transaction confirmation? The documentation says that they are different.
Would it be possible to simplify the string construction? It would be very fine to use the following string:
txn_ref + merchant_code + mackKey
as we do for the College Pay system. Then hash computation is less error-prone.
comment:94 Changed 2 years ago by
Would it be possible to simplify the string construction? It would be very fine to use the following string:
txn_ref + merchant_code + mackKey
Will find out if using the suggested string can be possible,
but if its possible, can this be implemented on production test system since it is the only viable test option?
Here's to confirm that the hash/mac key validation has been disabled as requested,
split instruction tested and perfect thus the portal now useable .
Thank you !
Regards,
ben
comment:95 Changed 2 years ago by
Owner: | changed from benedict emenaogu to Henrik Bettermann |
---|
comment:96 follow-up: 97 Changed 2 years ago by
Owner: | changed from Henrik Bettermann to benedict emenaogu |
---|
Mac validation is disabled. We have to test it on the test system and not the production system. So I am waiting for the production system to run. Regards, Henrik
Have they changed their API again?? Have they changed their documentation again? We have already implemented two different types of payments:
The integration of such payment channels is very complicated and takes a lot of time. Please contact Interswitch and ask which of the above ones I should use.
This is the documentation which I used:
https://sandbox.interswitchng.com/docbase/
https://sandbox.interswitchng.com/docbase/docs/collegepay-web/
https://sandbox.interswitchng.com/docbase/docs/paydirect/
https://sandbox.interswitchng.com/bookonhold/bookonhold.asmx?op=FetchBookingDetails
Regards,
Henrik