@@ -251,17 +251,17 @@ public function handle_update_order( WP_REST_Request $request ) {
251251 $ response = array (
252252 'success ' => false ,
253253 );
254-
254+ $ path = $ request ->get_route ();
255+
256+ if ($ path == "/tribe/tickets/v1/commerce/paystack/order/webhook " ){
257+ return $ this ->handle_webhook ( $ request );
258+ }
255259 $ order_id = $ request ->get_param ( 'reference ' );
260+ $ order = tec_tc_get_order ($ order_id );
256261
257- $ order = tec_tc_orders ()->by_args ( array (
258- 'status ' => tribe ( Pending::class )->get_wp_slug (),
259- 'gateway_order_id ' => $ order_id ,
260- ) )->first ();
261-
262- if ( ! $ order ) {
263- return new WP_Error ( 'tec-tc-gateway-paystack-nonexistent-order-id ' , $ messages ['nonexistent-order-id ' ], $ order );
264- }
262+ if (!$ order ) {
263+ return new WP_Error ('tec-tc-gateway-paystack-nonexistent-order-id-d ' , $ messages ['nonexistent-order-id ' ], $ order );
264+ }
265265
266266 $ transaction_status = $ request ->get_param ( 'status ' );
267267 $ transaction_id = $ request ->get_param ( 'transaction ' );
@@ -320,17 +320,25 @@ public function handle_update_order( WP_REST_Request $request ) {
320320
321321 public function handle_webhook ( WP_REST_Request $ request ) {
322322 // only a post with paystack signature header gets our attention
323- if ( ( strtoupper ( $ _SERVER ['REQUEST_METHOD ' ]) != 'POST ' ) || ! array_key_exists ( 'x-paystack-signature ' , $ _SERVER ) ) {
324- exit ();
323+ if ( ( strtoupper ( $ _SERVER ['REQUEST_METHOD ' ]) != 'POST ' ) || ! array_key_exists ( 'HTTP_X_PAYSTACK_SIGNATURE ' , $ _SERVER ) ) {
324+ return new WP_Error ( ' tec-tc-gateway-paystack-unauthorized-webhookk ' , $ messages [ ' unauthorized-webhook ' ], $ input ); exit ();
325325 }
326+ $ response = array (
327+ 'success ' => false ,
328+ );
326329
327330 // Retrieve the request's body
328331 $ input = @file_get_contents ( "php://input " );
329332 $ client = tribe ( Client::class );
330-
333+ $ decodedInput = json_decode ($ input );
334+ $ jsonString = json_encode ($ decodedInput , JSON_UNESCAPED_SLASHES );
335+ $ jsonString = stripslashes ($ jsonString );
331336 // validate event do all at once to avoid timing attack
332- if ( $ _SERVER ['HTTP_X_PAYSTACK_SIGNATURE ' ] !== hash_hmac ( 'sha512 ' , $ input , $ client ->get_barer_key () ) ) {
333- exit ();
337+ $ secret = $ client ->get_barer_key (); // Replace with your actual secret key
338+ $ hash = hash_hmac ('sha512 ' , $ jsonString , $ secret );
339+ $ paystackSignature = $ _SERVER ['HTTP_X_PAYSTACK_SIGNATURE ' ] ?? '' ;
340+ if ( $ paystackSignature !== $ hash ) {
341+ return new WP_Error ( 'tec-tc-gateway-paystack-unauthorized-webhook ' , $ messages ['unauthorized-webhook ' ], 'invalid-signature ' );
334342 }
335343
336344 http_response_code ( 200 );
@@ -339,14 +347,11 @@ public function handle_webhook( WP_REST_Request $request ) {
339347 // Do something - that will not take long - with $event
340348 $ event = json_decode ( $ input );
341349
342- if ( isset ( $ event ->event ) && in_array ( $ event ->event , array ( ' transfer.success ' , 'charge.success ' ) ) ) {
350+ if ( isset ( $ event ->event ) && in_array ( $ event ->event , array ('charge.success ' ) ) ) {
343351 if ( isset ( $ event ->data ) && isset ( $ event ->data ->reference ) && isset ( $ event ->data ->status ) && '' !== $ event ->data ->reference ) {
344-
345- $ order = tec_tc_orders ()->by_args ( array (
346- 'status ' => tribe ( Pending::class )->get_wp_slug (),
347- 'gateway_order_id ' => $ event ->data ->reference ,
348- ) )->first ();
349-
352+ $ order_id = $ event ->data ->reference ;
353+ $ order = tec_tc_get_order ($ order_id );
354+ $ response ['order_id ' ] = $ order_id ;
350355 if ( ! $ order ) {
351356 return new WP_Error ( 'tec-tc-gateway-paystack-nonexistent-order-id ' , $ messages ['nonexistent-order-id ' ], $ order );
352357 }
@@ -359,28 +364,33 @@ public function handle_webhook( WP_REST_Request $request ) {
359364 if ( 'success ' === $ event ->data ->status ) {
360365 // Flag the order as Completed.
361366 tribe ( Order::class )->modify_status (
362- $ order -> ID ,
367+ $ order_id ,
363368 Completed::SLUG ,
364369 array (
365370 'gateway_transaction_id ' => $ event ->data ->reference ,
366371 'gateway_response ' => $ gateway_repsone ,
367372 )
368373 );
374+ $ response ['success ' ] = true ;
375+ $ response ['order_status ' ] = 'complete ' ;
369376 } else if ( 'failed ' === $ event ->data ->status ) {
370377
371378
372379 // Flag the order as Completed.
373380 tribe ( Order::class )->modify_status (
374- $ order -> ID ,
381+ $ order_id ,
375382 Denied::SLUG ,
376383 array (
377384 'gateway_transaction_id ' => $ event ->data ->reference ,
378385 'gateway_response ' => $ gateway_repsone ,
379386 )
380387 );
388+ $ response ['success ' ] = true ;
389+ $ response ['order_status ' ] = 'denied ' ;
381390 }
382391 }
383392 }
393+ return new WP_REST_Response ( $ response );
384394 exit ();
385395 }
386396
0 commit comments