Hello,
I've come across an unusual scenario where the validity of a signature is contingent on the amount provided. In summary, if the authAmount in the returned webhook body is in the format #.## (e.g., 1.01 or 2.01), the signature verification is successful. However, if authAmount is in the format *.# or * (e.g., 1.1 or 2), the signature verification fails.
Here's an example of a webhook with an amount of 1.1:
Sandbox Environment (Live Mode)
My Signature Key:
A6214F6105625D5ED957CF02E749BB440DBD4E418533D219CAD26AECD104BFFE7F47DBBE5C81927CCA484AE7722BE82CE57FB5318EDE02122277A2FE90EE68EB
Webhook Notification Body:
json
Copy code
{"notificationId":"570f7282-687a-42b7-903b-48e487d7694d","eventType":"net.authorize.payment.authcapture.created","eventDate":"2023-12-12T12:45:09.3492643Z","webhookId":"a585ea29-a370-495a-bd83-f9be7160f260","payload":{"responseCode":1,"avsResponse":"P","authAmount":1.1,"merchantReferenceId":"2M4zHFzshYBudvgIZ11B","entityName":"transaction","id":"120011377052"}}
My Local Hash Result:
sha512=0B031880F04DD8D6C98F06A234032575B19393716F7FCE84C62D4901F257D29808DF520CEFCD0225FE4374697769B6A2ED336B463031EA861C73F3396357A605
x-anet-signature:
sha512=8E3D41B0191A9A1E668FB729F350B73C6BBB81D676070FE7CFF001CA2543ABA91BD16A4374A0F6FA4542659728C7DAF79D7EC901FEC582FC2DA3263A2D604DCF
As you can see, the result hash is different. However, if I manually change the body from "authAmount":1.1 to "authAmount":1.10 (although this is not what the client side should do), the hash becomes:
Manually Changed Hash:
sha512=8E3D41B0191A9A1E668FB729F350B73C6BBB81D676070FE7CFF001CA2543ABA91BD16A4374A0F6FA4542659728C7DAF79D7EC901FEC582FC2DA3263A2D604DCF
This hash matches the x-anet-signature header.
Could someone provide assistance in resolving this situation?
Thanks in advance.
