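/**
 * Validate the M3 request by ensuring the request was properly signed
 * with the M3 secret key. The verification algorithm is as follows:
 * <ol>
 * <li>Ensure the request has a signature string (found in the context)</li>
 * <li>Sort all request parameters via PHP ksort() method</li>
 * <li>Build a single string with request parameter "name=value" pairs,
 *     skipping the "sig" parameter itself</li>
 * <li>Append to the string the M3 secret key that is configured in the server</li>
 * <li>Calculate an MD5 hashcode for the string</li>
 * <li>Verify that the MD5 hashcode matches the signature string passed in with the request</li>
 * </ol>
 *
 * Security notes:
 * - The comparison uses hash_equals() on strings. A loose != comparison
 *   treats two different numeric-looking strings (e.g. "0e1" and "0e2")
 *   as equal, and its timing depends on how many leading bytes match.
 * - The failure log records only the rejection message. The signed string
 *   ends with the secret key and the computed MD5 is the valid signature
 *   for the request, so neither may be written to the log.
 * - NOTE(review): md5(params . secret) is not a keyed MAC, and the
 *   "name=value" pairs are joined without a delimiter, so different
 *   parameter sets can produce the same signed string. Moving to
 *   hash_hmac('sha256', ...) over delimited pairs needs a coordinated
 *   client change, so the wire format is left as it is here.
 *
 * @return void
 * @throws Exception if the signature is missing or does not match
 */
public function validateSig()
{
    $_sig = $this->getContext()->getSig();
    $_request = $this->getContext()->getInitialRequest();
    $_secret = M3_Util_Settings::getM3SecretKey();

    // empty() already covers the unset/null case.
    if (empty($_sig)) {
        throw new Exception('M3 request rejected - it is missing a signature');
    }

    ksort($_request);

    $_str = '';
    foreach ($_request as $_k => $_v) {
        // Strict string comparison: on PHP < 8 an integer key 0 compares
        // loosely equal to 'sig' and would be left out of the signed string.
        if ((string) $_k !== 'sig') {
            $_str .= "{$_k}={$_v}";
        }
    }
    $_str .= $_secret;

    $_md5sig = md5($_str);

    // hash_equals() requires two strings; any other type cannot be a valid signature.
    if (!is_string($_sig) || !hash_equals($_md5sig, $_sig)) {
        $_emsg = 'M3 request rejected - incorrect signature';
        // Log the message only: no secret-bearing string, no expected signature.
        error_log($_emsg);
        throw new Exception($_emsg);
    }
}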
/**
 * Replace $this->client with a freshly constructed REST client and
 * assert that the property is set afterwards.
 *
 * The server URL and the M3 secret key are both read from
 * M3_Util_Settings; the third constructor argument is passed as null.
 *
 * @return void
 */
protected function initClient()
{
    // Drop any client left over from a previous call before building a new one.
    unset($this->client);

    $_serverUrl = M3_Util_Settings::getRestServerUrl();
    $_secretKey = M3_Util_Settings::getM3SecretKey();
    $this->client = new M3_Client_RestClient($_serverUrl, $_secretKey, null);

    $this->assertTrue(isset($this->client));
}