
How to validate BlueSnap IPN security header?


I have configured the IPN security header in the IPN setting page.

Now I need to validate the bls-signature using the headers and body of the request on my server side. I can’t find in the documentation any mention of how the signature is computed using the HMAC-SHA256:

  • What headers are used for the creation of the input value for the HMAC-SHA256?
  • How to parse the headers/body for the creation of the input value for the HMAC-SHA256?
  • How are the headers and body combined to create the input value for the HMAC-SHA256?
  • What encoding is used for the conversion of the input value to bytes for the HMAC-SHA256?

I am desperate to find the answer; I hope someone here may know it.


Solution

  • I got a response from BlueSnap support.

    This is the updated documentation for the Authentication of the IPN:

    Optional: If you want to authenticate that an IPN originated from BlueSnap, you can add an encryption key by using the Generate Key button to create one or by entering your own key in the field. You can use this feature to validate the authenticity of the message:

    i. Using this feature adds two custom headers, bls-signature and bls-ipn-timestamp, to your IPN requests.

    ii. The value of bls-signature is the signature of the bls-timestamp concatenated with the IPN body in HMAC-SHA-256 using the encryption key.

    For example:

    2023-05-15 13:02:57.878HereYouPutTheIPNBody
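
A server-side check built from the documentation quoted above, as an added example that is not BlueSnap's code or part of the original answer: it recomputes HMAC-SHA-256 over the timestamp header value followed directly by the raw request body and compares the result in constant time. Assumptions, since the page does not state them: the key and timestamp are UTF-8 encoded, the signature header is hex or base64 text, the timestamp arrives in `bls-ipn-timestamp` and is UTC, and the caller passes headers with lower-cased names.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def expected_mac(key: bytes, timestamp: str, raw_body: bytes) -> bytes:
    # Signed input per the quoted documentation: the timestamp header value
    # immediately followed by the IPN body, with no separator.
    return hmac.new(key, timestamp.encode("utf-8") + raw_body, hashlib.sha256).digest()

def decode_signature(value: str) -> list:
    # Assumption: the header carries the MAC as hex or base64 text.
    candidates = []
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            candidates.append(decode(value.strip()))
        except ValueError:
            pass
    return [c for c in candidates if len(c) == hashlib.sha256().digest_size]

def verify_ipn(key: bytes, headers: dict, raw_body: bytes, max_age=None, now=None) -> bool:
    # raw_body must be the bytes as received, before any form or JSON parsing.
    timestamp = headers.get("bls-ipn-timestamp", "")
    signature = headers.get("bls-signature", "")
    if not timestamp or not signature:
        return False
    mac = expected_mac(key, timestamp, raw_body)
    # Constant-time comparison so response timing does not leak MAC bytes.
    if not any(hmac.compare_digest(mac, c) for c in decode_signature(signature)):
        return False
    if max_age is None:
        return True
    # Optional replay window. Assumption: the timestamp is UTC.
    try:
        sent = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return False
    now = now or datetime.now(timezone.utc)
    return abs(now - sent.replace(tzinfo=timezone.utc)) <= max_age

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values, not real credentials
    ts, body = "2023-05-15 13:02:57.878", b"HereYouPutTheIPNBody"
    hdrs = {"bls-ipn-timestamp": ts, "bls-signature": expected_mac(key, ts, body).hex()}
    print(verify_ipn(key, hdrs, body))
    print(verify_ipn(key, hdrs, body + b"x"))
```

Passing `max_age=timedelta(minutes=5)` additionally rejects a validly signed IPN that is replayed outside that window.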