The latest articles on Forem by Aisha A (@zfbtravel). https://forem.com/zfbtravel https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2760923%2F5da42cdb-6760-4cfa-9029-ff1689db7b1e.png https://forem.com/zfbtravel en Aisha A Sat, 25 Jan 2025 04:58:27 +0000 https://forem.com/zfbtravel/implementing-bayarcash-payment-api-with-ruby-validate-checksum-ppg https://forem.com/zfbtravel/implementing-bayarcash-payment-api-with-ruby-validate-checksum-ppg <p>If you’ve ever had to integrate a payment platform, you know the struggle can sometimes feel real when the company doesn't provide a doc in your preferred language. Recently, I helped ZFB Travel, a <a href="https://zfbtravel.com" rel="noopener noreferrer">travel agency in Kuala Lumpur</a> with Ruby on Rails backend, implement <a href="https://api.webimpian.support/bayarcash" rel="noopener noreferrer">BayarCash</a>, a local Malaysian payment platform. While the documentation provided a PHP example, there was no Ruby version, which left me as a Rails developer scratching head.</p> <p>Let’s break this down step by step so you can validate a BayarCash checksum in Rails.</p> <h3> The PHP Example </h3> <p>BayarCash’s documentation gives a PHP implementation for generating a checksum. Here’s the snippet they provide:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$secretKey</span> <span class="o">=</span> <span class="s1">'xxxxx'</span><span class="p">;</span> <span class="c1">// Your API secret key from BayarCash portal</span> <span class="nv">$payloadData</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">"payment_channel"</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span> <span class="s2">"order_number"</span> <span class="o">=&gt;</span> <span class="s2">"ORD-0060"</span><span class="p">,</span> <span class="s2">"amount"</span> <span class="o">=&gt;</span> <span class="s2">"60.00"</span><span class="p">,</span> <span class="s2">"payer_name"</span> <span class="o">=&gt;</span> <span class="s2">"Mohd Ali"</span><span class="p">,</span> <span class="s2">"payer_email"</span> <span class="o">=&gt;</span> <span class="s2">"mohd.ali@gmail.com"</span> <span class="p">];</span> <span class="nb">ksort</span><span class="p">(</span><span class="nv">$payloadData</span><span class="p">);</span> <span class="c1">// Sort the payload data by key</span> <span class="nv">$payloadString</span> <span class="o">=</span> <span class="nb">implode</span><span class="p">(</span><span class="s1">'|'</span><span class="p">,</span> <span class="nv">$payloadData</span><span class="p">);</span> <span class="c1">// Concatenate values with '|'</span> <span class="nv">$checksum</span> <span class="o">=</span> <span class="nb">hash_hmac</span><span class="p">(</span><span class="s1">'sha256'</span><span class="p">,</span> <span class="nv">$payloadString</span><span class="p">,</span> <span class="nv">$secretKey</span><span class="p">);</span> <span class="c1">// Generate HMAC SHA256 checksum</span> </code></pre> </div> <p>It’s fairly straightforward: sort the payload, join the values with a pipe (<code>|</code>), and generate the checksum using HMAC SHA256. </p> <p>But here’s the problem: if you’re working in Ruby, translating this into Ruby isn’t as intuitive as it seems. </p> <h3> Rails: Validating the Checksum </h3> <p>If you’re part of any local Rails groups, you might’ve seen people struggling with this. Some spend hours debugging this part of the integration. That’s why I’m sharing a clean solution to validate the BayarCash checksum in Ruby on Rails. </p> <p>Here’s how you can do it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># Your BayarcashService class</span> <span class="k">def</span> <span class="nf">valid_checksum?</span><span class="p">(</span><span class="n">params</span><span class="p">)</span> <span class="c1"># Extract the received checksum</span> <span class="n">received_checksum</span> <span class="o">=</span> <span class="n">params</span><span class="p">[</span><span class="s1">'checksum'</span><span class="p">]</span> <span class="c1"># Define the payload data in the exact order specified</span> <span class="n">payload_data</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">'record_type'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'record_type'</span><span class="p">],</span> <span class="s1">'transaction_id'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'transaction_id'</span><span class="p">],</span> <span class="s1">'exchange_reference_number'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'exchange_reference_number'</span><span class="p">],</span> <span class="s1">'exchange_transaction_id'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'exchange_transaction_id'</span><span class="p">],</span> <span class="s1">'order_number'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'order_number'</span><span class="p">],</span> <span class="s1">'currency'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'currency'</span><span class="p">],</span> <span class="s1">'amount'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'amount'</span><span class="p">],</span> <span class="s1">'payer_name'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'payer_name'</span><span class="p">],</span> <span class="s1">'payer_email'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'payer_email'</span><span class="p">],</span> <span class="s1">'payer_bank_name'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'payer_bank_name'</span><span class="p">],</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'status'</span><span class="p">],</span> <span class="s1">'status_description'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'status_description'</span><span class="p">],</span> <span class="s1">'datetime'</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'datetime'</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Sort the payload data by keys (similar to PHP's ksort)</span> <span class="n">sorted_payload</span> <span class="o">=</span> <span class="n">payload_data</span><span class="p">.</span><span class="nf">sort</span><span class="p">.</span><span class="nf">to_h</span> <span class="c1"># Create payload string by joining values with '|'</span> <span class="n">payload_string</span> <span class="o">=</span> <span class="n">sorted_payload</span><span class="p">.</span><span class="nf">values</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="s1">'|'</span><span class="p">)</span> <span class="c1"># Generate HMAC-SHA256 checksum</span> <span class="n">generated_checksum</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">HMAC</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">(</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">Digest</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s1">'sha256'</span><span class="p">),</span> <span class="no">SECRET_KEY</span><span class="p">,</span> <span class="n">payload_string</span> <span class="p">)</span> <span class="c1"># Compare checksums (case-insensitive)</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">SecurityUtils</span><span class="p">.</span><span class="nf">secure_compare</span><span class="p">(</span> <span class="n">generated_checksum</span><span class="p">.</span><span class="nf">downcase</span><span class="p">,</span> <span class="n">received_checksum</span><span class="p">.</span><span class="nf">downcase</span> <span class="p">)</span> <span class="k">rescue</span> <span class="o">=&gt;</span> <span class="n">e</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">logger</span><span class="p">.</span><span class="nf">error</span> <span class="s2">"Checksum validation error: </span><span class="si">#{</span><span class="n">e</span><span class="p">.</span><span class="nf">message</span><span class="si">}</span><span class="s2">"</span> <span class="kp">false</span> <span class="k">end</span> </code></pre> </div> <ol> <li> <strong>Sorting the Payload</strong>: Like PHP’s <code>ksort</code>, Rails doesn’t have an out-of-the-box method to sort hashes by keys. Use <code>hash.sort.to_h</code> to get the same effect. </li> <li> <strong>String Formatting</strong>: Join the sorted hash values with a pipe (<code>|</code>) to match BayarCash’s requirements. </li> <li> <strong>Checksum Generation</strong>: Use <code>OpenSSL::HMAC.hexdigest</code> with the SHA256 algorithm and your secret key to generate the checksum. </li> <li> <strong>Secure Comparison</strong>: Comparing checksums securely ensures there’s no risk of timing attacks. Rails’ <code>ActiveSupport::SecurityUtils.secure_compare</code> is perfect for this. </li> </ol> <h3> Wrapping Up </h3> <p>With this implementation, you’ll be able to validate BayarCash checksums in your Rails app confidently. This approach not only saves you hours of debugging but also makes your integration seamless and secure. Let’s make Rails development smoother, one integration at a time! </p> ruby rails php payment