Authorize.Net API questions and help with your payment integration.
02-26-2019 03:24 PM
02-26-2019 03:32 PM
I completely agree that the fix will need to be done for the fingerprint post to them, but since I can see their hash data with the silent post back I was starting there; when I get that to work I was moving to fix the fingerprint that I post to them. I know this is a bit backwards but I hate the 99 error code messages with no details to even look at as to why it errored.
02-26-2019 08:16 PM
02-27-2019 05:35 AM
Thank you! I'd love some. Mostly just to confirm what that hashed string is since if I know that is right then I focus on my server side scripting (coldfusion) on what it's doing wrong.
02-27-2019 02:16 PM
Here it is:
Your string is all of those 30 values in the response, enclosed in carets. Here is the php list that I used. In this exact order (reading left to right, top to bottom) my hash matches. Note that this is just a piece of the code I used and at this point I had not attached response values to them. You can ignore the =>' ' as this is php syntax for empty array values (later on in my code I add the values to each key, i.e. 'x_amount' => '80.00'). You can cross reference my list of fields with yours if that is helpful. I haven't compared what I have, line by line, with what you have. This will get you the verification piece.
$response = array(
    'x_trans_id'=>'', 'x_test_request'=>'', 'x_response_code'=>'',
    'x_auth_code'=>'', 'x_cvv2_resp_code'=>'', 'x_cavv_response'=>'',
    'x_avs_code'=>'', 'x_method'=>'', 'x_account_number'=>'', 'x_amount'=>'',
    'x_company'=>'', 'x_first_name'=>'', 'x_last_name'=>'', 'x_address'=>'',
    'x_city'=>'', 'x_state'=>'', 'x_zip'=>'', 'x_country'=>'', 'x_phone'=>'',
    'x_fax'=>'', 'x_email'=>'', 'x_ship_to_company'=>'',
    'x_ship_to_first_name'=>'', 'x_ship_to_last_name'=>'',
    'x_ship_to_address'=>'', 'x_ship_to_city'=>'', 'x_ship_to_state'=>'',
    'x_ship_to_zip'=>'', 'x_ship_to_country'=>'', 'x_invoice_num'=>''
);
I ran the following from your post (didn't use currency on the verification test)
<form action="https://test.authorize.net/gateway/transact.dll" method="post">
    <input type="HIDDEN" name="x_fp_sequence" value="123">
    <input type="HIDDEN" name="x_fp_timestamp" value="<?=$timeStamp;?>">
    <input type="HIDDEN" name="x_fp_hash" value="<?=$digest;?>">
    <input type="HIDDEN" name="x_login" value="<?=$login;?>">
    <input type="HIDDEN" name="x_show_form" value="PAYMENT_FORM">
    <input type="HIDDEN" name="x_amount" value="<?=$amount;?>">
    <input type="HIDDEN" name="x_method" value="CC">
    <input type="HIDDEN" name="x_type" value="AUTH_CAPTURE">
    <input type="HIDDEN" name="x_invoice_num" value="28897">
    <input type="HIDDEN" name="x_description" value="this is a test">
    <input type="HIDDEN" name="x_cust_id" value="12234">
    <input type="HIDDEN" name="x_company" value="Testing">
    <input type="HIDDEN" name="x_first_name" value="tfn">
    <input type="HIDDEN" name="x_last_name" value="fln">
    <input type="HIDDEN" name="x_address" value="123 test">
    <input type="HIDDEN" name="x_city" value="somewhere">
    <input type="HIDDEN" name="x_state" value="mn">
    <input type="HIDDEN" name="x_zip" value="55744">
    <input type="HIDDEN" name="x_phone" value="111-111-1111">
    <input type="HIDDEN" name="x_email" value="firstname.lastname@example.org">
    <input type="HIDDEN" name="x_po_num" value="">
    <input type="HIDDEN" name="x_duplicate_window" value="28800">
    <input type="HIDDEN" name="x_country" value="US">
    <input type="HIDDEN" name="x_header_html_payment_form" value="">
    <input type="HIDDEN" name="x_footer_html_payment_form" value="If you have any difficulty or questions please call customer support at ">
    <input type="HIDDEN" name="x_customer_ip" value="10.1.1.136">
    <input type="HIDDEN" name="header_html" value="">
    <input type="HIDDEN" name="return_url" value="">
    <input type="hidden" name="x_test_request" value="TRUE">
    <input type="SUBMIT" value="Click here to pay with a credit card securely on-line">
</form>
The html value attributes enclosed in < and ? are php variables. You can insert your own values there, for login, timestamp, etc. I changed sequence to 123. On my dummy hosted form, I clicked the box to add the billing info to the shipping info. Here is the resulting string:
For the fingerprint piece, this is the correct string:
$string = "$login^$sequence^$timeStamp^$amount^$currency";
//or if you don't use currency
$string = "$login^$sequence^$timeStamp^$amount^";
All of these strings have been tested and work. The double quotes " " that enclose the variables are php syntax to indicate the value is to be passed as a string. You will use the equivalent in coldfusion. The printed string is this: 9785858855^123^1551233723^80.00^USD, where you replace 9785858855 with your API login, and you replace 1551233723 with your timestamp.
This should get you there. If you follow this and have problems, you want to look two places, 1: your hashing function, and 2: your signature key. The strings have been tested and will work in any language, assuming you use the proper syntax for that language. sha512 is sha512, independent of any programming language. For your signature key, it is a little tricky. You have to convert to binary, and in some languages, you have to convert to a byte array. In php the byte array step isn't necessary. To the best of my knowledge you have to convert to binary in any language you use.
I think this will solve your issue. Good luck to you. I'll be on later tonight or tomorrow.
02-27-2019 03:07 PM - edited 02-27-2019 03:17 PM
Good Evening @Renaissance
I am happy to report that my signature to auth.net is working great! Which that is a simple string BUT I still can't get it to match what I get back from sandbox silent post. I even go so far as to clear all the customer names, addresses on the payment form so the only data is x_trans_id, x_test_request, X_AUTH_CODE, x_account_number, x_amount, and x_invoice_num which results in a string that looks like
hash that with my sandbox secret key 3C1EB299A018A14705F20F658AB976B54C2AB964C97D7B8B131D1A94DE56BBF746E6DEC29208E774AAA92BAC77386EDA45078C491A96A251E89929BB8D2DC07B
and I've tried
^0^false^1^000000^^^p^CC^XXXX0027^0.01^^^^^^^^^^^^^^^^^^^^28903^ just in case the x_test_request data was the problem
however sandbox auth.net post to us
which clearly doesn't match either option,
02-27-2019 05:41 PM
Are you manually constructing this string, based on what you send in the request? What you want to do is have it done dynamically based on the response. So the response comes in, you capture it with a programming script and then your programming script constructs the string and performs the hash validation. So the logic (not the actual programming script) would go like this-
-You capture the response.
-The relevant values are extracted and used to construct the string.
-You perform the hash using the string and signature key
-You compare your hash to the auth.net hash
-If the hash matches, you do one thing say for instance mark an order as paid, record transId, etc.
-If the hash doesn't match you don't mark the order as paid bc the response wasn't from auth.net. You may choose to have a db table where the ip address of the unverified entity posting to your url is stored.
The reason I ask is it looks to me like you're plugging your own values in. If you take the ^p^ from your string and make it ^P^ you will get the exact same hash. I just did on my first try. If you automate things you have no risk of the string being constructed differing from the string used to perform the hash given in the response. Any difference whatsoever will cause your entire hash not to match. P to p will make every single character different.
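The verification steps listed in the post above, sketched in PHP as an added example (not code from any poster in this thread). It assumes the response hash arrives in the x_SHA2_Hash field, that the hash is HMAC-SHA512 keyed with the hex-decoded signature key, and it uses the 30-field order posted earlier; the function names, key and sample response are constructed for illustration.

```php
<?php
// Added example. Field order is the 30-field list posted earlier in the thread.
const SILENT_POST_FIELDS = [
    'x_trans_id', 'x_test_request', 'x_response_code', 'x_auth_code',
    'x_cvv2_resp_code', 'x_cavv_response', 'x_avs_code', 'x_method',
    'x_account_number', 'x_amount', 'x_company', 'x_first_name',
    'x_last_name', 'x_address', 'x_city', 'x_state', 'x_zip', 'x_country',
    'x_phone', 'x_fax', 'x_email', 'x_ship_to_company',
    'x_ship_to_first_name', 'x_ship_to_last_name', 'x_ship_to_address',
    'x_ship_to_city', 'x_ship_to_state', 'x_ship_to_zip',
    'x_ship_to_country', 'x_invoice_num',
];

// HMAC-SHA512 keyed with the signature key decoded from hex to raw bytes.
function anet_hmac(string $message, string $signatureKeyHex): string
{
    $key = hex2bin($signatureKeyHex);
    if ($key === false) {
        throw new InvalidArgumentException('signature key is not valid hex');
    }
    return strtoupper(hash_hmac('sha512', $message, $key));
}

// Build ^v1^v2^...^v30^ from the values exactly as received; absent fields are empty.
function silent_post_string(array $post): string
{
    $values = array_map(fn($f) => (string)($post[$f] ?? ''), SILENT_POST_FIELDS);
    return '^' . implode('^', $values) . '^';
}

// True only when the posted hash matches the one computed from the posted values.
function silent_post_is_authentic(array $post, string $signatureKeyHex): bool
{
    $theirs = strtoupper((string)($post['x_SHA2_Hash'] ?? ''));
    $ours = anet_hmac(silent_post_string($post), $signatureKeyHex);
    return hash_equals($ours, $theirs); // constant-time comparison
}

// Constructed sample: placeholder key, and a response "signed" locally for the demo.
$key = str_repeat('0A', 64);
$post = ['x_trans_id' => '0', 'x_test_request' => 'false', 'x_response_code' => '1',
         'x_auth_code' => '000000', 'x_avs_code' => 'P', 'x_method' => 'CC',
         'x_account_number' => 'XXXX0027', 'x_amount' => '0.01', 'x_invoice_num' => '28903'];
$post['x_SHA2_Hash'] = anet_hmac(silent_post_string($post), $key);
var_dump(silent_post_is_authentic($post, $key));   // response as received
$post['x_avs_code'] = 'p';                         // one character altered after signing
var_dump(silent_post_is_authentic($post, $key));   // same check on the altered response
```

In a real handler `$post` would be `$_POST`, and the order would be marked as paid only when the function returns true.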
02-28-2019 04:53 AM
Good Morning @Renaissance
LOL aah no it's created based on the post back data I've received from auth.net. I've been a systems developer for over 20 years working with AWS (s3 especially), auth.net, and even developed many APIs myself. I'm very fluent in hashed signatures and how they work. In my test file I just output my string that I am hashing that I copy pasted.
So if I hear what you're saying, it's that they convert the data to upper case THEN hash. Okay let me try that.
02-28-2019 06:56 AM
02-28-2019 08:41 AM
I am having exactly the same problem. I use the SIM/Silent Post method. I have no problem creating a fingerprint, but when AuthorizeNet performs a silent post, the x_SHA2_Hash supplied by AuthorizeNet does not match the hash I generate. I generate the hash exactly the same way as described by Xero here (https://community.developer.authorize.net/t5/Integration-and-Testing/Working-php-hash-verification/t...).
Here is my prehash text:
Here is my hash key (aka signature key)
Here is hash I generated using signature key and prehashed text
and here is what AuthorizeNet supplies in x_SHA2_Hash
What am I missing?