Resend all the incoming POST data received in Mojolicious to a PHP script

[NachoBracho]

Hi, I am very frustrated trying to connect to a certain API using Mojolicious/Perl.

Its just a signature verification, but I have given up. So my only solution to get things done is a PHP script that happens to work hosted in another machine.

I need to RESEND all the incoming POST data received in Mojolicious to that PHP script (also as POST data). I thought that something like this should work, but I doesn’t. I receive the output of the PHP script, but POST data do not arrive to it:

my $isVerified = $ua->post('https://example.com/verify.php' => $self->req)->result->body;

I really appreciate the trick to do that!!!! (Non-blocking will came later…, of course)

Thank you in advance!

---

Anyway, here is the frustrating API, just in case someone has done this before. Everything in the API is PHP biased, but there are examples for Python, Ruby, Java, etc. as usual, so I tried to mimic the process using Perl. It looks easy at first glance.

https://developer.paddle.com/webhook-reference/verifying-webhooks

The API sends all the parameters for a sales transaction. One of the parameters is the signature to certify all the received parameters of the transacion. So, to verify the signature, that parameter must be removed before the verification.

The error I get in the end is "Signature longer than key". If I apply the base64_decode for the incoming signature (wich seems unnecesary for Mojolicious, I think) that error is gone, but it still doesn't work. Also, I read here and there that the ksort funcion in PHP must also be replicated, but this is a secondary problem.

Here it is my last try:

sub receivePayment ($self) {

my $hash  = $self->req->params->to_hash;

	my $publicKey = '-----BEGIN PUBLIC KEY-----
MY/PUBLIC/KEY/GOES/HERE==
-----END PUBLIC KEY-----';

	# The signature is one of the parameters
    my $p_signature = $hash->{'p_signature'};

	# Remove the signature parameter from the hash
 	delete $hash->{'p_signature'};
 	
	# Sort and serialize the hash with all the parameters minus the signature	
	$Data::Dumper::Sortkeys = 1;
	my $serializedFields =  Dumper sort($hash);

	# Public key
	my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($publicKey);
 	$rsa_pub->use_sha1_hash();

	$isVerifed = $rsa_pub->verify($serializedFields, $p_signature));

  $self->render( json => { serverResponse => $isVerifed } );

}

[rabbiveesh]

I'm fairly certain you should be serializing to json, first of all. Second of all, you for sure have to manually decode the base64.

…

On Mon, Feb 22, 2021, 22:27 NachoBracho ***@***.***> wrote: Hi, I am very frustrated trying to connect to a certain API using Mojolicious/Perl. Its just a signature verification, but I have given up. So my only solution to get things done is a PHP script that happens to work hosted in another machine. I need to RESEND all the incoming POST data received in Mojolicious to that PHP script (also as POST data). I thought that something like this should work, but I doesn’t. I receive the output of the PHP script, but POST data do not arrive to it: my $isVerified = $ua->post('https://example.com/verify.php' => $self->req)->result->body; I really appreciate the trick to do that!!!! (Non-blocking will came later…, of course) Thank you in advance! ------------------------------ Anyway, here is the frustrating API, just in case someone has done this before. Everything in the API is PHP biased, but there are examples for Python, Ruby, Java, etc. as usual, so I tried to mimic the process using Perl. It looks easy at first glance. https://developer.paddle.com/webhook-reference/verifying-webhooks The API sends all the parameters for a sales transaction. One of the parameters is the signature to certify all the received parameters of the transacion. So, to verify the signature, that parameter must be removed before the verification. The error I get in the end is "Signature longer than key". If I apply the base64_decode for the incoming signature (wich seems unnecesary for Mojolicious, I think) that error is gone, but it still doesn't work. Also, I read here and there that the ksort funcion in PHP must also be replicated, but this is a secondary problem. Here it is my last try: sub receivePayment ($self) { my $hash = $self->req->params->to_hash; my $publicKey = '-----BEGIN PUBLIC KEY----- MY/PUBLIC/KEY/GOES/HERE== -----END PUBLIC KEY-----'; # The signature is one of the parameters my $p_signature = $hash->{'p_signature'}; # Remove the signature parameter from the hash delete $hash->{'p_signature'}; # Sort and serialize the hash with all the parameters minus the signature $Data::Dumper::Sortkeys = 1; my $serializedFields = Dumper sort($hash); # Public key my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($publicKey); $rsa_pub->use_sha1_hash(); $isVerifed = $rsa_pub->verify($serializedFields, $p_signature)); $self->render( json => { serverResponse => $isVerifed } ); } — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1717>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFURPKW3FTAPPJOA5J4V5SDTAK44LANCNFSM4YBGCDWQ> .

[rabbiveesh]

looks like I was wrong. You need to do PHP serializing. Take a look at PHP::Serialization for that.

[NachoBracho]

Hi, thank you! Serialization is the second problem. Every value must be serialized as a string, but PHP::Serialization maintain the inherent type (integer, date, etc.).

As this point is not Mojolicious related, I asked for ideas about serialization at StackOverflow: https://stackoverflow.com/questions/66331974/i-need-to-serialize-in-perl-with-php-format.

Now I am decoding the signature parameter as base64. No errors, but I don't know if it is ok because I need to solve the serialization step.