From 78fda63cfed66048c5526a7dc70cad296728be21 Mon Sep 17 00:00:00 2001
From: andy
Date: Wed, 27 Jul 2022 08:48:41 +0700
Subject: [PATCH 1/5] Fix Weak Cryptography Implementation
---
 modules/gateways/xendit.php | 9 ++--
 modules/gateways/xendit/handler/submitcc.php | 57 --------------------
 modules/gateways/xendit/handler/updatecc.php | 5 +-
 modules/gateways/xendit/lib/CreditCard.php | 11 +++-
 4 files changed, 19 insertions(+), 63 deletions(-)
 delete mode 100644 modules/gateways/xendit/handler/submitcc.php
diff --git a/modules/gateways/xendit.php b/modules/gateways/xendit.php
index f9e657f..5a5f421 100644
--- a/modules/gateways/xendit.php
+++ b/modules/gateways/xendit.php
@@ -14,6 +14,7 @@
 use WHMCS\Billing\Invoice;
 use Xendit\Lib\ActionBase;
+use Xendit\lib\CreditCard;
 use Xendit\Lib\Link;
 use Xendit\Lib\Model\XenditTransaction;
 use Xendit\Lib\Recurring;
@@ -118,7 +119,7 @@ function xendit_capture($params)
 }
 // Generate payload
- $cc = new \Xendit\Lib\CreditCard();
+ $cc = new CreditCard();
 $payload = $cc->generateCCPaymentRequest($params);
 try {
@@ -195,6 +196,7 @@ function xendit_remoteinput($params)
 $secretKey = $params['xenditTestMode'] == 'on' ? $params['xenditTestSecretKey'] : $params['xenditSecretKey'];
 $xenditRequest = new XenditRequest();
+ $creditCard = new CreditCard();
 // Card settings
 try {
@@ -228,7 +230,7 @@ function xendit_remoteinput($params)
 'return_url' => $systemUrl . 'modules/gateways/callback/xendit.php',
 'payment_method_url' => $systemUrl . 'index.php?rp=/account/paymentmethods',
 'can_use_dynamic_3ds' => $canUseDynamic3ds,
- 'verification_hash' => sha1(
+ 'verification_hash' => $creditCard->generateHash(
 implode('|', [
 $publicKey,
 $clientId,
@@ -286,6 +288,7 @@ function xendit_remoteupdate($params)
 }
 $xenditRequest = new XenditRequest();
+ $creditCard = new CreditCard();
 // Gateway Configuration Parameters
 $publicKey = $xenditRequest->getPublicKey();
@@ -327,7 +330,7 @@ function xendit_remoteupdate($params) 'return_url' => $systemUrl . 'modules/gateways/callback/xendit.php', 'payment_method_url' => $systemUrl . 'index.php?rp=/account/paymentmethods', 'can_use_dynamic_3ds' => $canUseDynamic3ds, - 'verification_hash' => sha1( + 'verification_hash' => $creditCard->generateHash( implode('|', [ $publicKey, $clientId, diff --git a/modules/gateways/xendit/handler/submitcc.php b/modules/gateways/xendit/handler/submitcc.php deleted file mode 100644 index cc9bc54..0000000 --- a/modules/gateways/xendit/handler/submitcc.php +++ /dev/null @@ -1,57 +0,0 @@ - true, - 'action' => $action, - 'invoice_id' => $invoiceId, - 'customer_id' => $customerId, - 'amount' => $amount, - 'currency' => $currencyCode, - 'transaction_id' => "", - 'card_token' => $_POST['xendit_token'] ?? '', - 'card_type' => $cardType, - 'card_last_four' => substr($cardNumber, -4, 4), - 'card_expiry_date' => $cardExpiryMonth . substr($cardExpiryYear, -2, 2), - 'custom_reference' => $customReference, - 'verification_hash' => $_POST['verification_hash'] ?? '' -]); - -header('Location: ' . $redirectUri); -exit; diff --git a/modules/gateways/xendit/handler/updatecc.php b/modules/gateways/xendit/handler/updatecc.php index 4a1010c..6c90784 100644 --- a/modules/gateways/xendit/handler/updatecc.php +++ b/modules/gateways/xendit/handler/updatecc.php @@ -28,7 +28,8 @@ $verificationHash = $_POST['verification_hash'] ?? ''; $canUseDynamic3ds = $_POST['can_use_dynamic_3ds'] ?? 0; -$comparisonHash = sha1( +$comparisonHash = hash( + 'sha512', implode('|', [ $publicKey, $customerId, @@ -87,7 +88,7 @@ -
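Review bot: In updatecc.php the comparison now hard-codes `hash('sha512', ...)` while the same patch adds `CreditCard::generateHash()` (hunk `@@ -230,4 +230,13`) and routes the `verification_hash` generation in xendit.php through that helper; the two halves of the check now live in different files and will diverge on the next algorithm change, at which point every card update fails verification. Call the helper here as well, `$comparisonHash = (new CreditCard())->generateHash(` followed by the existing `implode('|', [ ... ])` argument, assuming updatecc.php autoloads `Xendit\Lib\CreditCard` the way callback/xendit.php does. The `implode()` field list and the comparison against `$verificationHash` continue past the hunk.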
+
diff --git a/modules/gateways/xendit/lib/CreditCard.php b/modules/gateways/xendit/lib/CreditCard.php
index 4543855..ad9b859 100644
--- a/modules/gateways/xendit/lib/CreditCard.php
+++ b/modules/gateways/xendit/lib/CreditCard.php
@@ -154,7 +154,7 @@ public function generateCCPaymentRequest(array $params = [], int $auth_id = null
 */
 public function compareHash(string $verificationHash, array $params = [])
 {
- $comparisonHash = sha1(
+ $comparisonHash = $this->generateHash(
 implode('|', [
 $params["publicKey"],
 $params["customerId"],
@@ -230,4 +230,13 @@ public function saveCreditCardToken(array $params = [], bool $isNew = true)
 throw new \Exception($e->getMessage());
 }
 }
+
+ /**
+ * @param string $str
+ * @return false|string
+ */
+ public function generateHash(string $str)
+ {
+ return hash('sha512', $str);
+ }
 }
From 92b8962a890cf9b581bbea41f6789adb2c344a77 Mon Sep 17 00:00:00 2001
From: andy
Date: Wed, 27 Jul 2022 09:26:49 +0700
Subject: [PATCH 2/5] Fix header redirect
---
 modules/gateways/xendit/lib/ActionBase.php | 22 ++++++++++++++++++++++
 modules/gateways/xendit/lib/Link.php | 3 +--
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/modules/gateways/xendit/lib/ActionBase.php b/modules/gateways/xendit/lib/ActionBase.php
index b7cf436..448258f 100644
--- a/modules/gateways/xendit/lib/ActionBase.php
+++ b/modules/gateways/xendit/lib/ActionBase.php
@@ -356,4 +356,26 @@ public function errorMessage(string $message = ''): string
 {
 return sprintf('
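Review bot: `generateHash()` keeps the construction of the SHA-1 it replaces — an unkeyed digest of `implode('|', [...])` — so the patch upgrades the algorithm but not the integrity guarantee: a plain hash authenticates nothing unless a secret the browser never sees is among the joined fields, and even then a secret appended as one more field is weaker than a keyed MAC. Prefer `hash_hmac('sha512', $str, $secretKey)` with the key passed as a second parameter (`xendit_remoteinput()` already resolves `$secretKey`, hunk `@@ -195,6`; whether the updatecc handler has it is not visible here) and compare with `hash_equals()` in `compareHash()`, whose comparison line lies outside the `@@ -154,7` hunk, so whether it is timing-safe cannot be confirmed. Independently, `hash()` with a fixed valid algorithm name always returns a string, so declare `public function generateHash(string $str): string` and drop the `@return false|string` docblock. `compareHash()` starts before its hunk and its field list runs past it.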

%s

', $message);
 }
+
+ /**
+ * @param string $header
+ * @param string $content
+ * @return void
+ */
+ protected function sendHeader(string $header, string $content)
+ {
+ if (!headers_sent()) {
+ header(sprintf('%s: %s', $header, $content));
+ }
+ }
+
+ /**
+ * @param string $url
+ * @return void
+ */
+ public function redirectUrl(string $url)
+ {
+ $this->sendHeader("Location", $url);
+ exit();
+ }
 }
diff --git a/modules/gateways/xendit/lib/Link.php b/modules/gateways/xendit/lib/Link.php
index ae0e66d..d11fe25 100644
--- a/modules/gateways/xendit/lib/Link.php
+++ b/modules/gateways/xendit/lib/Link.php
@@ -125,8 +125,7 @@ public function getCallbackUrl(string $systemUrl): string
 protected function generateFormParam(array $params, string $invoiceUrl): string
 {
 if ($this->isRefererUrlFromCart()) {
- header("Location: " . $invoiceUrl);
- exit();
+ return $this->redirectUrl($invoiceUrl);
 }
 $postfields = array();
From fe2f2521cbbe0104cc241aab53e4b008ca884ba8 Mon Sep 17 00:00:00 2001
From: andy
Date: Wed, 27 Jul 2022 10:15:38 +0700
Subject: [PATCH 3/5] fix typo
---
 modules/gateways/callback/xendit.php | 2 +-
 modules/gateways/xendit.php | 2 +-
 modules/gateways/xendit/lib/CreditCard.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/gateways/callback/xendit.php b/modules/gateways/callback/xendit.php
index 5df5da0..4b0f690 100644
--- a/modules/gateways/callback/xendit.php
+++ b/modules/gateways/callback/xendit.php
@@ -5,7 +5,7 @@
 require_once __DIR__ . '/../xendit/autoload.php';
 use Xendit\Lib\Callback;
-use Xendit\lib\CreditCard;
+use Xendit\Lib\CreditCard;
 use Xendit\Lib\XenditRequest;
 $callback = new Callback();
diff --git a/modules/gateways/xendit.php b/modules/gateways/xendit.php
index 5a5f421..7eb60ae 100644
--- a/modules/gateways/xendit.php
+++ b/modules/gateways/xendit.php
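Review bot: `redirectUrl()` degrades to a blank page once output has started: `sendHeader()` silently skips `header()` when `headers_sent()` is true, yet `redirectUrl()` still calls `exit()`, so the caller gets neither the redirect nor any signal that it was dropped. Log or throw in that branch instead of returning quietly, e.g. `throw new \RuntimeException(sprintf('Cannot send header "%s": output already started', $header));`, and let the caller decide how to recover. Since `redirectUrl()` never returns, declare it `: never` (PHP 8.1) or at least `: void` rather than relying on the `@return void` docblock, and because it is public and forwards any string into `Location`, keep callers to URLs built from the configured system URL — a value taken from request input would be an open redirect. The enclosing class continues outside the hunk.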
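Review bot: `return $this->redirectUrl($invoiceUrl);` returns the result of a method documented `@return void` from `generateFormParam(...): string`; it only works because `redirectUrl()` calls `exit()`, and if that ever stops being the case the `return` yields `null` from a `string`-typed method, which is a `TypeError` under strict types. Make it a plain statement, `$this->redirectUrl($invoiceUrl);`, and declare `redirectUrl()` as `: never` so static analysis knows the branch does not fall through. The rest of `generateFormParam()` runs past the hunk.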
@@ -14,7 +14,7 @@ use WHMCS\Billing\Invoice; use Xendit\Lib\ActionBase; -use Xendit\lib\CreditCard; +use Xendit\Lib\CreditCard; use Xendit\Lib\Link; use Xendit\Lib\Model\XenditTransaction; use Xendit\Lib\Recurring; diff --git a/modules/gateways/xendit/lib/CreditCard.php b/modules/gateways/xendit/lib/CreditCard.php index ad9b859..27c1a2c 100644 --- a/modules/gateways/xendit/lib/CreditCard.php +++ b/modules/gateways/xendit/lib/CreditCard.php @@ -1,6 +1,6 @@ Date: Thu, 28 Jul 2022 00:53:29 +0700 Subject: [PATCH 4/5] Fix CC authentication and error message improvement --- modules/gateways/callback/xendit.php | 22 +++++++++---------- modules/gateways/xendit.php | 6 ++--- modules/gateways/xendit/assets/js/xendit.js | 23 ++++++-------------- modules/gateways/xendit/handler/updatecc.php | 2 +- modules/gateways/xendit/lib/ActionBase.php | 3 +++ 5 files changed, 25 insertions(+), 31 deletions(-) diff --git a/modules/gateways/callback/xendit.php b/modules/gateways/callback/xendit.php index 4b0f690..910dbe9 100644 --- a/modules/gateways/callback/xendit.php +++ b/modules/gateways/callback/xendit.php 
@@ -20,18 +20,18 @@
 // Create/Update credit card
 if ($action == 'updatecc' || $action == "createcc") {
 /*
- * Make sure the 3DS authentication status = 1
+ * Make sure the CC authentication status = 1
 * That mean the CC token is valid to create the charge
 */
-// if(!isset($postData['xendit_3ds_authentication_status']) || $postData['xendit_3ds_authentication_status'] == 0){
-// logTransaction($gatewayParams['paymentmethod'], $postData, "3DS authentication failed");
-// $creditCard->renderJson(
-// [
-// 'error' => true,
-// 'message' => '3DS authentication failed.',
-// ]
-// );
-// }
+ if(!isset($postData['xendit_cc_authentication_status']) || $postData['xendit_cc_authentication_status'] == 0){
+ logTransaction($gatewayParams['paymentmethod'], $postData, "CC authentication failed");
+ $creditCard->renderJson(
+ [
+ 'error' => true,
+ 'message' => 'CC authentication failed.',
+ ]
+ );
+ }
 /*
 * Make sure the credit card info has value
@@ -70,7 +70,7 @@
 $creditCard->renderJson(
 [
 'error' => true,
- 'message' => 'Invalid Hash',
+ 'message' => 'Invalid.',
 ]
 );
 }
diff --git a/modules/gateways/xendit.php b/modules/gateways/xendit.php
index 7eb60ae..70f9776 100644
--- a/modules/gateways/xendit.php
+++ b/modules/gateways/xendit.php
@@ -10,7 +10,7 @@
 require __DIR__ . '/xendit/autoload.php';
 // defines
-define('XENDIT_PAYMENT_GATEWAY_VERSION', '1.0.6');
+define('XENDIT_PAYMENT_GATEWAY_VERSION', '1.0.7');
 use WHMCS\Billing\Invoice;
 use Xendit\Lib\ActionBase;
@@ -203,7 +203,7 @@ function xendit_remoteinput($params)
 $cardSettings = $xenditRequest->getCardSettings();
 $canUseDynamic3ds = $cardSettings['can_use_dynamic_3ds'] ?? 0;
 } catch (\Exception $e) {
- return (new ActionBase)->errorMessage($e->getMessage());
+ return $creditCard->errorMessage($e->getMessage());
 }
 // Client Parameters
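Review bot: The restored gate decides on `$postData['xendit_cc_authentication_status']`, a hidden field the module's own JavaScript appends before submit (hunk `@@ -228,11` in xendit.js), so it is a client-controlled value: it can only show that the form claimed success, not that the authentication actually succeeded. Confirm the status server-side against Xendit for the submitted `xendit_token` (the `XenditRequest` client imported at the top of this file is the natural place) before treating the card as authenticated. Also nothing stops execution after `$creditCard->renderJson([...])`, so unless `renderJson()` exits, the failed check falls through to whatever follows the hunk (presumably the card-save path); add an explicit `exit;` after the call. `== 0` is a loose comparison (`'0'`, `''` and `null` all match), so `(int) ($postData['xendit_cc_authentication_status'] ?? 0) !== 1` states the intent more precisely. The `if ($action == 'updatecc' || $action == "createcc")` block opens inside the hunk but closes outside it.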
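Review bot: Replacing `'Invalid Hash'` with `'Invalid.'` drops the only indication of why the request was rejected; that is reasonable for the client response, but the specific reason should still reach the server log. The new authentication check above calls `logTransaction($gatewayParams['paymentmethod'], $postData, ...)` before rendering its error, and this branch should do the same with a message such as `"Hash verification failed"` if it does not already — the lines before this `renderJson()` call are outside the hunk, so that cannot be confirmed here.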
@@ -300,7 +300,7 @@ function xendit_remoteupdate($params)
 $cardSettings = $xenditRequest->getCardSettings();
 $canUseDynamic3ds = $cardSettings['can_use_dynamic_3ds'] ?? 0;
 } catch (\Exception $e) {
- return (new ActionBase)->errorMessage($e->getMessage());
+ return $creditCard->errorMessage($e->getMessage());
 }
 // Client Parameters
diff --git a/modules/gateways/xendit/assets/js/xendit.js b/modules/gateways/xendit/assets/js/xendit.js
index 04b982e..5d3304a 100644
--- a/modules/gateways/xendit/assets/js/xendit.js
+++ b/modules/gateways/xendit/assets/js/xendit.js
@@ -75,7 +75,7 @@ jQuery(function ($) {
 if (typeof err != 'undefined') {
 failure_reason = err.message || err.error_code;
 } else {
- failure_reason = 'We encountered an issue while processing the checkout. Please contact us. Code: 200035';
+ failure_reason = 'We encountered an issue while processing the update card. Please contact us. Code: 200035';
 }
 cc_xendit_form.validation.html(failure_reason);
 cc_xendit_form.form.append("");
@@ -209,13 +209,9 @@ jQuery(function ($) {
 if(cc_xendit_form.canUseDynamic3DS()){
 Xendit.card.threeDSRecommendation({'token_id': token_id}, cc_xendit_form.on3DSRecommendationResponse);
 }else{
- let data = {'token_id': token_id, 'amount': '10000'};
- Xendit.card.createToken(data, cc_xendit_form.onTokenizationResponse);
+ Xendit.card.createAuthentication({'token_id': token_id, 'amount': 0}, cc_xendit_form.on3DSAuthenticationResponse);
 }
- // Check if it needs to use 3DS
- Xendit.card.threeDSRecommendation({'token_id': token_id}, cc_xendit_form.on3DSRecommendationResponse);
 // Prevent form submitting
 return false;
 },
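Review bot: The two `createAuthentication` calls introduced by this patch disagree on the amount's type — `'amount': 0` (number) here versus `'amount': '0'` (string) in the `@@ -228,11` hunk of the same file — so the non-dynamic-3DS and dynamic-3DS paths send different payloads to the same SDK call. Use one form in both places, and since this replaces the previous `'10000'` placeholder, record the reason in a comment on the call, e.g. `// zero-amount authentication: verify the card without charging it`, provided that is indeed the intent. The enclosing handler starts before the hunk; the `return false;` at its end is what keeps the form from submitting before the callback runs.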
@@ -228,11 +224,11 @@ jQuery(function ($) { } if(response.should_3ds){ - let data = {'token_id': $("input[name='xendit_token']").val(), 'amount': '10000'}; + let data = {'token_id': $("input[name='xendit_token']").val(), 'amount': '0'}; Xendit.card.createAuthentication(data, cc_xendit_form.on3DSAuthenticationResponse); return; }else{ - cc_xendit_form.form.append( "" ); + cc_xendit_form.form.append( "" ); cc_xendit_form.form.submit(); return false; } @@ -244,7 +240,7 @@ jQuery(function ($) { return false; } - let threeDsAuthenticationSuccess = 0; + let ccAuthenticationSuccess = 0; if(response.status === 'IN_REVIEW' || response.status === 'CARD_ENROLLED' ){ $('body').append('' + '