Security & Validation
Important Architecture Note
In this integration, the CRM acts as the client and your system acts as the server. The CRM makes HTTPS requests to the URL you configured. Because the API implementation is hosted on your side, security validation is strictly your responsibility.
To ensure that requests received by your server are genuinely from the CRM and have not been tampered with, you must validate the key and signature headers included in every request.
Authentication Headers
Every request sent by the CRM to your system will include the following HTTP headers:
| HTTP Header | Description |
|---|---|
| key | The API Key generated/entered in Back Office > External Wallet Integration |
| signature | Calculated using the algorithm below; required in any POST/PATCH/PUT API call that contains a request body |
Validating the Signature
You should implement middleware on your server to recalculate the signature using the received data and your API Key, then compare it with the signature header provided in the request.
Signature Algorithm
- Let M be the set of request (or response) parameters. Take the parameters in M whose values are non-empty, sort them by parameter name in ascending ASCII order (dictionary order), and join them in URL key-value format (i.e. key1=value1&key2=value2...) into a single string, String A.
- Append the API Key to String A to obtain the string to be hashed, String B. Compute SHA-1 over String B, render the digest as a hexadecimal string, and convert every character of that string to uppercase; the result is the signature.
Note
The signed set M is all the parameters of the request, including fields with empty values. However, it is recommended to exclude empty fields from the request body first.
Sample code to obtain the signature (JavaScript and Python)

```js
const crypto = require('crypto');

// data: the request body object; key: your API Key (String A + key = String B)
let query = Object.keys(data)
  .sort()
  .reduce((result, name) => result + name + '=' + data[name] + '&', "")
  .slice(0, -1);
let sign = crypto.createHash('sha1').update(query + key).digest('hex').toUpperCase();
```

```python
import hashlib

# data: the request body dict; key: your API Key (String A + key = String B)
query = '&'.join([f"{name}={data[name]}" for name in sorted(data)])
sign = hashlib.sha1((query + key).encode('utf-8')).hexdigest().upper()
```