
Validating callbacks

Opening firewalls for callbacks

Callbacks from checkout sessions will be sent from one of these IPs:

  • 34.241.230.119
  • 34.242.13.162

If you're using a firewall, traffic from these IPs should be let through.

Validating payload with signature

Use POST /v1/admin/signature to create a secret.

Callbacks from Dintero will now include a header named Dintero-Signature, which your backend can use to verify the signature of each callback.

Example code for validating signature

To validate the signature received in the Dintero-Signature header, recreate the signature from the request and compare it with the header value:

  • Note that spaces in query parameters must be encoded with + (not %20) before the signature is created
  • The query parameters must be sorted

const assert = require("node:assert/strict");
const crypto = require("node:crypto");

// Sample account id and signature secret; replace with your own values.
const account_id = "T12345678";
const secret = "apikeysecret";

// Build the expected Dintero-Signature value for a URL, method and timestamp.
const createSignature = (requestUrl, method, timestamp) => {
  const dataUrl = new URL(requestUrl);
  const { hostname, pathname } = dataUrl;

  // Sort the query parameters; toString() encodes spaces as "+".
  const params = dataUrl.searchParams;
  params.sort();

  const query = params.toString();
  const payload =
    `${timestamp}\n${account_id}\n${method}` +
    `\n${hostname}\n${pathname}\n${query}`;
  const signature = crypto
    .createHmac("sha256", secret)
    .update(payload, "utf8")
    .digest("hex");
  return `t=${timestamp},` + `v0-hmac-sha256=${signature}`;
};

const verifySignature = (signatureHeader, method, requestUrl) => {
  const parts = signatureHeader.split(",");
  const timestamp = parseInt(parts[0].split("=")[1], 10);
  const now = Math.floor(Date.now() / 1000);
  assert.ok(
    // expire after 5 minutes (a missing or non-numeric timestamp also fails)
    Math.abs(now - timestamp) <= 5 * 60,
  );

  const trusted = Buffer.from(
    createSignature(requestUrl, method, timestamp),
    "ascii",
  );
  const untrusted = Buffer.from(signatureHeader, "ascii");
  // timingSafeEqual throws a RangeError on unequal lengths, so check first.
  assert.ok(trusted.length === untrusted.length);
  assert.ok(crypto.timingSafeEqual(trusted, untrusted));
  console.log("signature valid");
};
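
An added example (not Dintero's own code) of a verifier that returns a result instead of throwing, parses the header fields by name, and shows that two spellings of the same callback URL canonicalize to the same signature. The URLs, the parameter names and the helpers `canonicalQuery`, `hmacHex` and `checkCallback` are constructed for illustration; the payload layout and header format are those of the snippet above.

```javascript
const crypto = require("node:crypto");

// Sample values, constructed for this example (same shape as the snippet above).
const ACCOUNT_ID = "T12345678";
const SECRET = "apikeysecret";
const TOLERANCE_SECONDS = 5 * 60;

// Canonical query string: parameters sorted, spaces serialized as "+".
const canonicalQuery = (requestUrl) => {
  const params = new URL(requestUrl).searchParams;
  params.sort();
  return params.toString();
};

// Hex HMAC-SHA256 over the newline-joined payload fields.
const hmacHex = (requestUrl, method, timestamp) => {
  const { hostname, pathname } = new URL(requestUrl);
  const payload = [timestamp, ACCOUNT_ID, method, hostname, pathname,
    canonicalQuery(requestUrl)].join("\n");
  return crypto.createHmac("sha256", SECRET).update(payload, "utf8").digest("hex");
};

// Returns { ok, reason } so a handler can log the cause and answer with a 4xx.
const checkCallback = (header, method, requestUrl, now = Math.floor(Date.now() / 1000)) => {
  if (typeof header !== "string") return { ok: false, reason: "missing header" };
  const fields = Object.fromEntries(header.split(",").map((part) => {
    const i = part.indexOf("=");
    return [part.slice(0, i).trim(), part.slice(i + 1).trim()];
  }));
  const received = fields["v0-hmac-sha256"] ?? "";
  if (!/^\d+$/.test(fields.t ?? "") || !/^[0-9a-f]{64}$/.test(received)) {
    return { ok: false, reason: "malformed header" };
  }
  const timestamp = Number(fields.t);
  if (Math.abs(now - timestamp) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }
  const expected = Buffer.from(hmacHex(requestUrl, method, timestamp), "hex");
  const ok = crypto.timingSafeEqual(expected, Buffer.from(received, "hex"));
  return { ok, reason: ok ? "valid" : "signature mismatch" };
};

// Constructed callback URLs: same parameters, different order and space encoding.
const sentUrl = "https://shop.example/cb?merchant_reference=order+123&transaction_id=T1";
const seenUrl = "https://shop.example/cb?transaction_id=T1&merchant_reference=order%20123";
const t = Math.floor(Date.now() / 1000);
const sampleHeader = `t=${t},v0-hmac-sha256=${hmacHex(sentUrl, "GET", t)}`;
console.log(checkCallback(sampleHeader, "GET", seenUrl));           // valid
console.log(checkCallback(sampleHeader, "GET", seenUrl + "&x=1"));  // signature mismatch
```
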

How to view the callback sent and received

Small unforeseen difficulties can occur when implementing the signature check. For example, if you successfully create a transaction from a checkout session but the signature check fails on the received callback, this section may help.

To provide a better overview of the request sent and response received, the Backoffice platform offers a view at the bottom of each individual transaction page. This view includes any callbacks sent and received.

1. Log in to backoffice.dintero.com

2. Click on Payments


3. Choose a transaction that has a delivered callback.

We will be using an example transaction.

4. Scroll down to the bottom of the page until you find the Requests view.

If the Requests view is not visible, no callbacks have been sent.

5. You can also expand each request and see further information.

For example, the URL and query parameters as well as the request and response object.