OrahKokos/coinpayments-ipn

Verifying URL encoded body

Opened this issue · 7 comments

Hello,

the IPN body is a url-encoded form. I tried passing it as a string to the SDK to verify the signature, but the SDK indicates that it requires an object. I am confused about the format it expects.

Thanks in advance,
Drew.

Hey Drew,
Thanks for the feedback.
This IPN lib should be updated to TypeScript, so problems like this are no longer encountered.
Will update this soon.

Thanks for the update. IPN documentation was the one thing I felt that coinpayments lacked, and as a developer I found it very difficult to verify the IPNs with my own code. There are very few libraries that offer HMAC signature checking, and the ones that do still did not work. How is the body encoded or formatted when its signature is created? Is it just the raw text of the URL encoded form?

I understand that this library is being updated to support URL encoded bodies, but despite that, I would appreciate more clarification/insight into how the form payload is manipulated before being signed. I am using cloudflare workers for my backend which requires me to use WebCrypto. For this reason, any insight into how I can manually verify the HMAC would be appreciated.

Hey @DrewRidley,
Pretty much everything is said in the official doc: https://www.coinpayments.net/merchant-tools-ipn
This lib is just one little function: https://github.com/OrahKokos/coinpayments-ipn/blob/master/lib/index.js#L14
So it just returns a boolean, verifying if the payload received is in fact coming from coinpayments servers.

If you are managing multiple accounts the best I could suggest to you is to play around with:

  • IPN URL - Create Transaction/Deposit
  • Use "custom" fields to fill them up with some non-sensitive metadata for internal systems.

Hope this helps.

Thanks for the clarification. I was stumped on how the payload is verified because I was generating an HMAC signature of the request 'body' and it did not match the HMAC coinpayments generated. For this reason I wondered if the request headers were included in the HMAC signature, or if it was just the request body itself.

You just fetch HMAC from header and use it on the body only.
The only thing which I can see going wrong in your case, outside of simple mistakes is some encoding problem.
There is some glue here: https://github.com/OrahKokos/coinpayments-ipn/blob/master/lib/index.js#L24
There might be some more oddities which I was not aware of, which would make this a bug.

Could you please describe your setup roughly (no sensitive info plox)? Will try to emulate the same test case