Amazon FPS sends you outbound notifications in the form of a GET to your
ReturnURL endpoint and a POST to your IPN endpoint. When you handle these
notifications, we recommend that you validate the signature to ensure that the
notification actually originated from us. You can validate a signature version 2
signature with a server-side call to the VerifySignature API. In this call, you
send the entire URL, including the HTTP parameters you received, to the FPS
VerifySignature API, and it returns a Boolean that indicates whether the signature
was validated. Samples that use this API to validate the signature are included in
the src/com/amazonaws/ipnreturnurlvalidation folder. Their usage is described below.
| Directory | Overview |
|---|---|
| src/Amazon/FPS | All sources, including code samples that demonstrate making FPS calls. |
| src/Amazon/IpnReturnUrlValidation | All sources, including code samples that demonstrate validation of IPN and Return URL notifications. |
Validating a Return URL notification (GET):

```php
// The Amazon FPS PHP library must be loaded first: include the class file for
// Amazon_FPS_SignatureUtilsForOutbound from your installation.
$utils = new Amazon_FPS_SignatureUtilsForOutbound();

// Parameters present in the Return URL (sample values from a signed request).
$params = array();
$params["expiry"] = "10/2013";
$params["tokenID"] = "Q5IG5ETFCEBU8KBLTI4JHINQVL6VAJVHICBRR49AKLPIEZH1KB1S8C7VHAJJMLJ3";
$params["status"] = "SC";
$params["callerReference"] = "1253247023946cMcrTRrjtLjNrZGNKchWfDtUEIGuJfiOBAAJYPjbytBV";
$params["signatureMethod"] = "RSA-SHA1";
$params["signatureVersion"] = "2";
$params["certificateUrl"] = "https://fps.amazonaws.com/certs/090909/PKICert.pem";
$params["signature"] = "H4NTAsp3YwAEiyQ86j5B53lksv2hwwEaEFxtdWFpy9xX764AZy/Dm0RLEykUUyPVLgqCOlMopay5"
    . "Qxr/VDwhdYAzgQzA8VCV8x9Mn0caKsJT2HCU6tSLNa6bLwzg/ildCm2lHDho1Xt2yaBHMt+/Cn4q"
    . "I5B+6PDrb8csuAWxW/mbUhk7AzazZMfQciJNjS5k+INlcvOOtQqoA/gVeBLsXK5jNsTh09cNa7pb"
    . "gAvey+0DEjYnIRX+beJV6EMCPZxnXDGo0fA1PENLWXIHtAoIJAfLYEkVbT2lva2tZ0KBBWENnSjf"
    . "26lMZVokypIo4huoGaZMp1IVkImFi3qC6ipCrw==";

$urlEndPoint = "http://www.mysite.com/call_pay.jsp"; // Your Return URL endpoint.

print "Verifying return url signed using signature v2 ....\n";
// The Return URL is sent as an HTTP GET request, hence we specify GET as the HTTP method.
// Signature verification does not require your secret key.
$isValid = $utils->validateRequest($params, $urlEndPoint, "GET");
print "Is signature correct: " . ($isValid ? "true" : "false") . "\n";
```
Validating an IPN notification (POST):

```php
// The Amazon FPS PHP library must be loaded first: include the class file for
// Amazon_FPS_SignatureUtilsForOutbound from your installation.
$utils = new Amazon_FPS_SignatureUtilsForOutbound();

// Parameters present in the IPN (sample values from a signed notification).
$params = array();
$params["transactionId"] = "14DRG2JGR7LK4J54P544DKKNDLQFFZLE323";
$params["transactionDate"] = "1251832057";
$params["status"] = "INITIATED";
$params["notificationType"] = "TransactionStatus";
$params["callerReference"] = "callerReference=ReferenceStringJYI1251832057319108";
$params["operation"] = "PAY";
$params["transactionAmount"] = "USD 1.00";
$params["buyerName"] = "BuyerName-SsUo3oDjHx";
$params["paymentMethod"] = "CC";
$params["paymentReason"] = "DescriptionString-1251832057319108";
$params["recipientEmail"] = "recipientemail@amazon.com";
$params["signatureMethod"] = "RSA-SHA1";
$params["signatureVersion"] = "2";
$params["certificateUrl"] = "https://fps.amazonaws.com/certs/090909/PKICert.pem";
$params["signature"] = "vKXXCbtxvSkRR+Zn8YNW6DNGpbi474h2iM4L+xaOi16kYKdYpuGbvKyXQ36uTZTVHdUGAAcvpXFL"
    . "wDfnTcqcckr2IUElrVJKQeT0WeWR+IqmABwSRGo+YqjzPNISSNXNzg6LFhouhUvmmwY15X3YgXfc"
    . "ERN5IhPwv04YkyCLPCA9P0/QgD8Jum/hc9jj0HYjj3s3MuuQ3yoIhf2x+2CBZRm5lslRqnoF/8OJ"
    . "1ZHmAHt9VvQSZ+QC3fwJgeqzJPAvtuOm930BP6hPYZVhXE5w7ByLt0qLk1ZFE/vzQ4io4vOyie6W"
    . "bhp5+AuNyAs+QrGMYO8VZruZJfkZO4b6QOgV2A==";

$urlEndPoint = "http://www.mysite.com/ipn.jsp"; // Your endpoint receiving the IPN.

print "Verifying IPN signed using signature v2 ....\n";
// The IPN is sent as an HTTP POST request, hence we specify POST as the HTTP method.
// Signature verification does not require your secret key.
$isValid = $utils->validateRequest($params, $urlEndPoint, "POST");
print "Is signature correct: " . ($isValid ? "true" : "false") . "\n";
```
Summary of the steps for server-side validation of Return URL and IPN notifications:

1. Capture the notification on your Return URL or IPN endpoint.
2. Pass all of the received parameters to the validateRequest method of SignatureUtilsForOutbound, together with your endpoint URL and the HTTP method (GET for the Return URL, POST for the IPN).
3. Capture the Boolean returned by the validateRequest method and, based on its value, either process the notification or discard it.
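The three steps above, carried through as a complete IPN endpoint. This is an added example and not part of the Amazon FPS sample code: the class name `Amazon_FPS_SignatureUtilsForOutbound` and the `validateRequest($params, $urlEndPoint, $httpMethod)` call are the ones the samples use, while the `require_once` path, the endpoint constant, and the order-lookup helpers (backed by a constructed in-memory array) are assumptions you would replace with your own. It also shows the two checks the signature alone does not give you: a failed or errored verification is treated as invalid, and a valid signature only proves the notification came from Amazon, so the amount and reference are still compared against the order you expect before anything is fulfilled.

```php
<?php
// Added example: IPN endpoint that validates the notification server-side
// before acting on it. Not part of the Amazon FPS library or its samples.

require_once 'Amazon/FPS/SignatureUtilsForOutbound.php'; // ASSUMED include path

// The endpoint must be exactly the URL Amazon delivered the IPN to (scheme, host,
// path, no query string); a mismatch makes VerifySignature return false.
// Configure it rather than rebuilding it from request headers.
define('IPN_ENDPOINT', 'https://www.mysite.com/ipn.php'); // placeholder URL

// Constructed stand-in for your order store: callerReference => expected payment.
$pendingOrders = array(
    'ReferenceStringJYI1251832057319108' => array('orderId' => 42, 'amount' => 'USD 1.00'),
);
$processedTransactions = array(); // constructed stand-in for a persisted set of transactionIds

/**
 * Returns true only when Amazon's VerifySignature confirms the signature.
 * Missing fields, an unexpected signature version, a rejected signature, or a
 * failure to reach the API all count as invalid (fail closed).
 */
function fpsNotificationIsValid(array $params, $endpoint, $httpMethod)
{
    if (empty($params['signature']) || empty($params['signatureVersion'])) {
        return false;
    }
    if ($params['signatureVersion'] !== '2') {
        return false; // only signature version 2 is verified through VerifySignature
    }
    try {
        $utils = new Amazon_FPS_SignatureUtilsForOutbound();
        return $utils->validateRequest($params, $endpoint, $httpMethod) === true;
    } catch (Exception $e) {
        error_log('FPS signature verification error: ' . $e->getMessage());
        return false;
    }
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed'); // IPNs arrive as POST only
    exit;
}

// Step 1: capture every parameter Amazon sent, unmodified.
$params = $_POST;

// Step 2: hand all of them to validateRequest with the endpoint and method.
if (!fpsNotificationIsValid($params, IPN_ENDPOINT, 'POST')) {
    error_log('Discarding IPN with invalid signature from ' . $_SERVER['REMOTE_ADDR']);
    header('HTTP/1.1 200 OK'); // acknowledge receipt, but do nothing with the content
    exit;
}

// Step 3: the signature proves the IPN is Amazon's, so its fields can be read.
// It does not prove the payment matches your order, so check that separately.
$transactionId = isset($params['transactionId']) ? $params['transactionId'] : '';
$reference     = isset($params['callerReference']) ? $params['callerReference'] : '';
$amount        = isset($params['transactionAmount']) ? $params['transactionAmount'] : '';
$status        = isset($params['status']) ? $params['status'] : '';

if (!isset($pendingOrders[$reference]) || $pendingOrders[$reference]['amount'] !== $amount) {
    error_log("IPN $transactionId does not match a pending order or amount; ignoring");
    exit;
}
if (isset($processedTransactions[$transactionId])) {
    exit; // duplicate delivery of an IPN already handled
}
$processedTransactions[$transactionId] = true;

if ($status === 'SUCCESS') {
    // Placeholder for your fulfilment logic (mark order paid, ship, etc.).
    error_log('Order ' . $pendingOrders[$reference]['orderId'] . " paid by transaction $transactionId");
} else {
    error_log("Transaction $transactionId reported status $status; no fulfilment");
}
```

The endpoint is defined as a constant on purpose: the signature covers the URL the notification was sent to, and deriving it from `Host` or similar headers both risks a spurious mismatch and lets a client influence the value. The duplicate-transaction set is in memory here for illustration only; in a real handler it needs to be persisted, because Amazon may deliver the same IPN more than once.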