Support HMAC SHA-512 hash rather than md5 (urgent)

[judgej]

This has kind of crept up unnoticed by me, as I've been busy on other things. Sorry.

The md5 hash is being removed by the end of January 2019. All hashes must now be calculated using SHA-256 hashes. This will be a major version release, where the hashSecret must be replaced with a new key to work, and md5 support is removed completely.

Details on the upgrade here:

https://developer.authorize.net/support/hash_upgrade/

Note: I'm now using release 3.1.0 in production against the DPM API and it is working okay for me. Ultimately DPM, SIM and CIM are all deprecated and will no longer be supported by Authorize.Net at some point in the future, so everyone will need to plan on how to switch over to the generic API API. I'm working on this implementation, but other examples may exist.

[alberto1el]

thank you @judgej I did see that email from authorize.net and wasn't sure if any change was required.

[judgej]

Also noticed the DPM and SIM callbacks do not do a signature check on what is received from the gateway. I think when this was first written, there were no signatures at all. Then there was an md5 signature, and we didn't notice the change, and now that is being withdrawn in preference for the SHA-512 signature (which we don't use anyway - we should though).

TBH the documentation is pretty poorly managed, with mistakes and stuff missing all over the place, so it is easy to miss changes as they happen. Try to find your way to the webhook details from the new API reference? Yes, there are webhooks, and it's not even obvious. I can't find the details without stepping back into Google search. Stuff missing - I was trying to add the driving license model to the payment, and it's not in the docs at all. Makes me wonder what else is missing. Mind, many gateway docs are like this. It's frustrating.

[OnBelayWebSolutions]

@judgej Does this change affect the CIM gateway as well?

[judgej]

@OnBelayWebSolutions Good question, and I honestly don't know. I've never used CIM so have little experience with it. It has just been along for the ride with the other APIs.

If you set a transactionKey as a part of your CIM setup, then it possibly does. This page helps to understand whether you need to upgrade, and CIM is not mentioned, so it likely won't affect you:

https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how

[alberto1el]

I was thinking the same about CIM, and then I thought that well... if the sandbox environment is working shouldn't that be proof that prod should also work?

[judgej]

It gives you 99% confidence, but you never know what differences there are between the sandbox and production. For a start, changes are always rolled out to the sandbox before production, so production does already lag behind the sandbox gateway.

[OnBelayWebSolutions]

@alberto1el Perhaps; ideally they would upgrade the sandbox before the production so that developers can fix issues beforehand but not sure if they do that.

What puts me to rest is the opening sentence from the Do I need To Upgrade-page:

"If you are using our Server Integration Method (SIM) with our Hosted Payment Form, or if you are using the Direct Post Method (DPM), you will need to upgrade ... "

I am only using the Customer Information Manager (CIM) - and since it is not mentioned in the article at all I would be pretty upset if it stopped working end of January.