
I've made successful payments with Amazon Login and Pay Express (based on the demo here: https://github.com/amzn/pay-with-amazon-express-demo/tree/master/php).

However, when the user successfully makes a purchase they're redirected back to my site's return-success URL with a bunch of params describing what they bought and a signature for the request provided by Amazon.

I've tried the code given below to calculate the original signature in order to validate the signature returned by Amazon, but this code does not generate a signature matching what Amazon is sending in the return URL.

ExpressSuccess.php

<?php
echo ("<pre>");
print_r($_GET);
echo ("</pre>");

/* begin signature validation */
$merchantId  = "************"; // SellerID
$accessKey   = "*****************"; // MWS Access Key
$secretKey   = "***********************"; // MWS Secret Key
$lwaClientId = "***********************"; // Login With Amazon Client ID

/* Add http:// or https:// before your Return URL
 * The webpage of your site where the buyer should be redirected to after the payment is made
 * In this example you can link it to the Result.php, which checks for the success or failure of the payment
 * and routes it to the appropriate URL defined
 */
$returnURL   = "http://localhost/demo/pay-with-amazon/ExpressSuccess.php";
$cancelReturnURL = "http://localhost/demo/pay-with-amazon/ExpressCancel.php";

// Missing signature means the request cannot be validated at all
$signatureReturned = isset($_GET['signature']) ? $_GET['signature'] : '';
$parameters = $_GET;
unset($parameters['signature']);

if(isset($parameters['sellerOrderId'])) {
    $parameters['sellerOrderId'] = rawurlencode($parameters['sellerOrderId']);
}
// Sort by key, byte-wise, so the canonical query order is deterministic
uksort($parameters, 'strcmp');

$parseUrl = parse_url($returnURL);
// String-to-sign: method, host and path on their own lines, then the canonical query
$stringToSign = "GET\n" . $parseUrl['host'] . "\n" . $parseUrl['path'] . "\n";

$queryParameters = array(); // initialise so implode() never sees an undefined variable
foreach ($parameters as $key => $value) {
    // rawurlencode() escapes '~' as %7E; put it back to match RFC 3986 unreserved set
    $queryParameters[] = $key . '=' . str_replace('%7E', '~', rawurlencode($value));
}
$stringToSign .= implode('&', $queryParameters);

$signatureCalculated = base64_encode(hash_hmac("sha256", $stringToSign, $secretKey, true));
$signatureCalculated = str_replace('%7E', '~', rawurlencode($signatureCalculated));

// hash_equals() compares in constant time, so the comparison itself does not leak
// how many leading bytes of the signature were correct
if (hash_equals($signatureCalculated, (string) $signatureReturned)) {
    echo "Signature was successfully validated.";
} else {
    echo "Signature does not match.";
}
?>

If anybody has any idea where I'm going wrong, please let me know.

Thanks!!

Vikash Kumar
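As an added example (not part of the question or of Amazon's demo), here is a stand-alone Python re-implementation of the same string-to-sign logic that can be exercised offline. It parses the raw query string rather than an already-decoded $_GET array, strips any number of percent-encoding layers from the received signature before comparing, and compares in constant time; the secret key, order parameters and the once-encoded transport of the signature are constructed assumptions, not Amazon's documented format.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def canonical_string(url, raw_query):
    """String-to-sign as the PHP builds it: GET, host, path, then the query
    (minus 'signature') sorted by key and RFC 3986-encoded. Parsing the raw
    query string means each value is decoded and re-encoded exactly once."""
    parts = urlsplit(url)
    params = {k: v for k, v in parse_qsl(raw_query, keep_blank_values=True) if k != "signature"}
    # quote(safe="") behaves like rawurlencode: only A-Z a-z 0-9 - _ . ~ stay literal
    encoded = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    return f"GET\n{parts.hostname}\n{parts.path}\n{encoded}"

def sign(string_to_sign, secret_key):
    """Base64 of HMAC-SHA256 over the string-to-sign (the PHP hash_hmac call)."""
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_return_url(full_url, secret_key):
    """True only if the signature carried in full_url matches our recomputation."""
    raw_query = urlsplit(full_url).query
    received = dict(parse_qsl(raw_query, keep_blank_values=True)).get("signature")
    if received is None:
        return False
    # Peel off remaining percent-encoding layers, so a once- or twice-encoded
    # signature (as the comment reports) is compared in plain base64 form.
    while (decoded := unquote(received)) != received:
        received = decoded
    expected = sign(canonical_string(full_url, raw_query), secret_key)
    return hmac.compare_digest(received.encode(), expected.encode())  # constant-time

# Constructed fixtures: a placeholder key and a made-up order, not real Amazon data.
DEMO_SECRET = "constructed-demo-secret-key"
RETURN_URL = "http://localhost/demo/pay-with-amazon/ExpressSuccess.php"
DEMO_PARAMS = {"sellerOrderId": "ORDER 42/A", "totalAmount": "19.99",
               "currencyCode": "USD", "orderReferenceId": "S00-CONSTRUCTED-0000001"}

def make_signed_url(base_url, params, secret_key):
    """Build a redirect URL as a signer would: sign, then URL-encode the signature once."""
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    signature = sign(canonical_string(base_url, query), secret_key)
    return f"{base_url}?{query}&signature={quote(signature, safe='')}"

if __name__ == "__main__":
    url = make_signed_url(RETURN_URL, DEMO_PARAMS, DEMO_SECRET)
    print("valid:", verify_return_url(url, DEMO_SECRET))
    print("tampered amount:", verify_return_url(url.replace("19.99", "1.99"), DEMO_SECRET))
```

Running it shows the signed URL verifying and the same URL failing once the amount is edited, which is the property the PHP above is meant to provide.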
  • Are `$signatureReturned` and `$signatureCalculated` in the same format? Because for me the Amazon Pay API is returning `$signatureReturned` `rawurlencode`-d 2x. Like -> `\rawurlencode(\rawurlencode('string'));` – iiic Jun 09 '17 at 07:30

0 Answers