Refund WebHook

The Merchant needs to set up your refund web hook URL(key, value) in the Sipay merchant panel at https://app.Sipay.com.tr/merchant/apisetting . For refund, refund_web_hook_key key should be sent with the refund request parameter. Sipay validates that the key exists in the database while making a refund request. At refund approval, it is sent a POST request to a merchant refund web hook url with following parameters given below.

Type Params Sample Value
KEY invoice_id 8iu75g
KEY order_id 15767887576675
KEY amount 10.50
KEY status Completed
KEY hash_key 5uUVKijz5im5FfStic2wVX4gG8ngRfMS3H+FvAauQvOc1nAnh9GZ9T6zyxV5WUnQP2F

Refund WebHook Response Validation Using Hash Key

In Refund Approval, Sipay sends a post request to the web hook url . The problem with these links is that they can be accessed by an anonymous person. To prevent this problem, it is recommended to validate the request using hash key, since it is added some parameters to the links such as status, invoice_id, order_id, amount and hash_key with the request parameters.

function validateHashKey($hash_key, $secret_key){
    $status = '';
    $amount = $invoice_id = $order_id = 0;
    if (!empty($hash_key)) {
        $hash_key = str_replace('__', '/', $hash_key);
        $password = sha1($secret_key);
        $components = explode(':', $hash_key);
        if (count($components) >2) {
            $iv = $components[0] ?? '';
            $salt = $components[1] ?? '';
            $salt = hash('sha256', $password . $salt);
            $encrypted_msg = $components[2] ?? '';
            $decrypted_msg = openssl_decrypt($encrypted_msg, 'aes-256-cbc', $salt, null, $iv);
            if (strpos($decrypted_msg, '|') !== false){
                $array = explode('|', $decrypted_msg);
                $status = $array[0] ?? 0;
                $amount = $array[1] ?? 0;
                $invoice_id = $array[2] ?? '0';
                $order_id = $array[3] ?? 0;
            }
        }
    }
    return [$status, $amount, $invoice_id, $order_id];
}

Here, $hash_key must be taken from a request and $secret_key is a merchant app secret that was provided from Sipay.