Use of stripcslashes breaks Amazon/Pay/API/Client::generateButtonSignature #13

jdart opened this issue Jun 18, 2021 · 2 comments

jdart commented Jun 18, 2021

I tried using this library today and was getting errors like below when clicking the checkout button in the browser:

Error Code: InvalidSignatureError

I was following the documentation here. After struggling with this issue I tried removing the call to stripcslashes on the line below.

https://github.com/amzn/amazon-pay-api-sdk-php/blob/master/Amazon/Pay/API/Client.php#L404

Without stripcslashes it looked like `$hashedButtonRequest = self::AMAZON_SIGNATURE_ALGORITHM . "\n" . $this->hexAndHash($payload);`. With that change, suddenly my checkouts were working. I also found that mangling the value passed to payloadJSON with stripcslashes got things working as an alternative to editing the library.

Anyway, the stripcslashes seems to be causing issues.

@shangamesh

Hi, thanks for the issue.
We need to use stripcslashes($payload) to unescape sequences in the payload, but it will not cause any issue in terms of creating the signature. Let us know the complete error/issues you faced on your side.


jdart commented Jun 21, 2021

So this works for me; note I have to escape the payload before turning it into a JS string:

```php
<?php

require '../vendor/autoload.php';

use Amazon\Pay\API\Client;

$publicKeyId = '...';

$payload = json_encode([
    'storeId' => '...',
    'webCheckoutDetails' => [
        'checkoutReviewReturnUrl' => 'https://.../review',
    ],
]);

$client = new Client([
    'private_key' => file_get_contents('...pem'),
    'public_key_id' => $publicKeyId,
    'region' => 'US',
]);

$signature = $client->generateButtonSignature($payload);

?>
<html>
    <body>
    <div id="AmazonPayButton"></div>
    <script src="https://static-na.payments-amazon.com/checkout.js"></script>
    <script type="text/javascript" charset="utf-8">
        amazon.Pay.renderButton('#AmazonPayButton', {
            // set checkout environment
            merchantId: '...',
            publicKeyId: <?php echo json_encode($publicKeyId) ?>,
            ledgerCurrency: 'USD',
            checkoutLanguage: 'en_US',
            placement: 'Cart',
            buttonColor: 'Gold',
            createCheckoutSessionConfig: {
                payloadJSON: <?php echo json_encode(stripcslashes($payload)) ?>, // <--- the interesting bit
                signature: <?php echo json_encode($signature) ?>,
            }
        });
    </script>
    </body>
</html>
```

But this doesn't:

```php
<?php

require '../vendor/autoload.php';

use Amazon\Pay\API\Client;

$publicKeyId = '...';

$payload = json_encode([
    'storeId' => '...',
    'webCheckoutDetails' => [
        'checkoutReviewReturnUrl' => 'https://.../review',
    ],
]);

$client = new Client([
    'private_key' => file_get_contents('...pem'),
    'public_key_id' => $publicKeyId,
    'region' => 'US',
]);

$signature = $client->generateButtonSignature($payload);

?>
<html>
    <body>
    <div id="AmazonPayButton"></div>
    <script src="https://static-na.payments-amazon.com/checkout.js"></script>
    <script type="text/javascript" charset="utf-8">
        amazon.Pay.renderButton('#AmazonPayButton', {
            // set checkout environment
            merchantId: '...',
            publicKeyId: <?php echo json_encode($publicKeyId) ?>,
            ledgerCurrency: 'USD',
            checkoutLanguage: 'en_US',
            placement: 'Cart',
            buttonColor: 'Gold',
            createCheckoutSessionConfig: {
                payloadJSON: <?php echo json_encode($payload) ?>, // <--- no strip cslashes
                signature: <?php echo json_encode($signature) ?>,
            }
        });
    </script>
    </body>
</html>
```
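
Why the two snippets above behave differently, as an added PHP example that is not part of the issue thread or the SDK: `json_encode` emits `\/` by default, so the bytes hashed after `stripcslashes` are not the bytes the browser sends as `payloadJSON`. The `digest` helper (plain hex SHA-256), the `note` key and all sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration, not SDK code. Assumption: the signed digest is modelled
// as hex SHA-256 over the exact payload bytes.
function digest(string $bytes): string
{
    return hash('sha256', $bytes);
}

// Constructed sample payloads; the store id, URL and "note" key are placeholders.
$samples = [
    'URL value'       => ['storeId' => 'STORE-ID-PLACEHOLDER',
                          'webCheckoutDetails' => [
                              'checkoutReviewReturnUrl' => 'https://shop.example/review']],
    'quote in value'  => ['note' => 'size 5" frame'],
    'non-ASCII value' => ['note' => 'café'],
];

foreach ($samples as $label => $data) {
    $sent     = json_encode($data);     // bytes handed to payloadJSON
    $stripped = stripcslashes($sent);   // bytes that get hashed once stripcslashes runs

    echo $label, "\n";
    echo '  sent:     ', $sent, "\n";
    echo '  stripped: ', $stripped, "\n";
    echo '  same digest: ', digest($sent) === digest($stripped) ? 'yes' : 'no', "\n";
    // stripcslashes is a C-escape decoder, not a JSON decoder: \/ becomes /,
    // \" becomes a bare quote, and \u00e9 loses its backslash.
    echo '  stripped decodes to the original data: ',
        json_decode($stripped, true) === $data ? 'yes' : 'no', "\n";
}

// Encoding without \/ and \uXXXX escapes leaves stripcslashes nothing to change
// in the first and third samples, so signed and sent bytes agree again.
// A value containing a double quote is still altered.
$flags = JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE;
foreach ($samples as $label => $data) {
    $sent = json_encode($data, $flags);
    echo $label, ' unchanged with flags: ',
        stripcslashes($sent) === $sent ? 'yes' : 'no', "\n";
}
```

The invariant to check in any integration is that the string passed to the signing call and the string delivered as `payloadJSON` are byte-for-byte identical after every transformation either side applies.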
