From 981858f251b2ba1d844f8509946e80a74b938f48 Mon Sep 17 00:00:00 2001
From: Juan Pablo Vial
Date: Tue, 3 Jun 2025 21:53:49 -0400
Subject: [PATCH] HMAC implementation for signature validation
---
app/setup/settings/urls.php | 3 ++-
app/src/Service/HMAC.php | 17 ++++++++++++++
app/src/Service/Venta/MediosPago/Toku.php | 27 +++++++++++++++++------
3 files changed, 39 insertions(+), 8 deletions(-)
create mode 100644 app/src/Service/HMAC.php
diff --git a/app/setup/settings/urls.php b/app/setup/settings/urls.php
index b634238..5b908c0 100644
--- a/app/setup/settings/urls.php
+++ b/app/setup/settings/urls.php
@@ -45,7 +45,8 @@ return [
 '/api/external' => [
 '/toku/success' => [
 'validator' => Incoviba\Service\Venta\MediosPago\Toku::class,
- 'token' => $container->get('TOKU_TOKEN')
+ 'token' => $container->get('TOKU_TOKEN'),
+ 'secret' => $container->get('TOKU_WEBHOOK_SECRET'),
 ]
 ],
 ]
diff --git a/app/src/Service/HMAC.php b/app/src/Service/HMAC.php
new file mode 100644
index 0000000..e523c0d
--- /dev/null
+++ b/app/src/Service/HMAC.php
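Review bot: `'secret' => $container->get('TOKU_WEBHOOK_SECRET'),` is handed straight to `HMAC::validate` as the key in the Toku.php hunk with nothing asserting it is non-empty, so a deployment missing that variable would — depending on what this container returns for an absent entry, which is not visible here — verify every webhook against a null or empty key that any sender can reproduce. Failing closed at boot is cheaper than discovering that later: `'secret' => $container->get('TOKU_WEBHOOK_SECRET') ?: throw new \RuntimeException('TOKU_WEBHOOK_SECRET is not set'),`. A one-line comment saying whether `'token'` is still enforced now that signature validation exists would also help, since both settings are kept side by side.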
@@ -0,0 +1,17 @@ +getHeaderLine('Tracestate'), strlen('dd=')));
- $ptid = substr(array_find($tracestate, fn($item) => str_starts_with($item, 't.tid:')), strlen('t.tid:'));
- $datadogTags = explode(',', $request->getHeaderLine('X-Datadog-Tags'));
- $tid = array_find($datadogTags, fn($item) => str_contains($item, 'p.tid='));
- $tid = substr($tid, strpos($tid, 'p.tid=') + strlen('p.tid='));
-
- return $tid === $ptid;
+ $tokuSignature = $request->getHeaderLine('Toku-Signature');
+ try {
+ list($timestamp, $signature) = array_map(function($elem) {
+ return explode('=', $elem)[1];
+ }, explode(',', $tokuSignature));
+ $body = $request->getBody()->getContents();
+ $json = json_decode($body, true);
+ if (!is_array($json)) {
+ return false;
+ }
+ if (!array_key_exists('id', $json)) {
+ return false;
+ }
+ $eventId = $json['id'];
+ return HMAC::validate($timestamp, $signature, $eventId, $tokenConfig['secret']);
+ } catch (Throwable $throwable) {
+ return false;
+ }
 }
 }
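Review bot: `$body = $request->getBody()->getContents()` drains the PSR-7 body stream and nothing rewinds it, so whatever consumes the request after this validator (the pipeline is not visible here) will read an empty body; reading it as `(string) $stream` and calling `$stream->rewind()` afterwards keeps it usable. The header parsing above it is purely positional — `list($timestamp, $signature)` relies on element order and `explode('=', $elem)[1]` truncates at the first `=` — so a reordered or extra key, or a value containing `=`, is mis-assigned rather than rejected; passing `limit: 2` to `explode` and checking the element count fails closed instead. Separately, only `$eventId` (the JSON `id`) and `$timestamp` are fed to `HMAC::validate`, not `$body`, so if that matches Toku's scheme the rest of the payload carries no integrity protection and downstream code must not act on it without re-fetching the event by id; whether `validate` also enforces a freshness window and compares with `hash_equals` cannot be confirmed here because the `HMAC.php` hunk content is not visible. The hunk header and this method's signature are also outside the visible hunk.
```php
$tokuSignature = $request->getHeaderLine('Toku-Signature');
try {
    $elements = explode(',', $tokuSignature);
    if (count($elements) !== 2) {
        return false;
    }
    // limit to two parts so a value that itself contains '=' is not truncated
    [$timestamp, $signature] = array_map(
        static fn (string $elem): string => explode('=', $elem, 2)[1] ?? '',
        $elements,
    );
    if ($timestamp === '' || $signature === '') {
        return false;
    }
    $stream = $request->getBody();
    $body = (string) $stream;  // StreamInterface::__toString() reads from the beginning
    if ($stream->isSeekable()) {
        $stream->rewind();     // leave the body readable for the downstream handler
    }
    // … unchanged: json_decode, 'id' check, HMAC::validate …
} catch (Throwable $throwable) {
    return false;
}
```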