adyen.signers module

Signers are helpers to sign and verify Adyen requests & responses.

There are currently two types of signatures:

  • SHA-1, deprecated by Adyen but still used,
  • SHA-2 (256), preferred by Adyen.

Each signer follows different rules to sign the payment request form, and to verify the Adyen return response and the Adyen notification.

Note

About the signature:

The data passed in the form fields is concatenated into a string, referred to as the “signing string”. The HMAC signature is then computed over it using a key that is specified in the Adyen Skin settings (stored in the AbstractSigner.secret_key attribute).

The signature is passed along with the form data; once Adyen receives it, Adyen uses the key to verify that the data has not been tampered with in transit.

The signing string should be packed into a binary format containing hex characters, and then base64-encoded for transmission.

class adyen.signers.AbstractSigner(secret_key)

Bases: object

Abstract base class that defines the common interface.

A signer must expose three methods:

  • sign(): take form fields and return a dict of signature fields.
  • verify(): take a dict of fields and make sure they have an appropriate signature field.
  • compute_hash(): take a signature string and compute its hash value.

These methods are not implemented by the AbstractSigner, therefore subclasses must implement them.

compute_hash(signature)

Return a hash for the given signature string.

Parameters: signature (str) – A signature used to compute the hash.
Returns: A hashed version of the signature using the secret_key and the defined hash algorithm.

Each implementation should simply use a different hash algorithm to sign the signature string. This method is not supposed to know how the signature string is built.

secret_key = None

Adyen Skin secret key

This secret key is used to sign the payment request, and to verify the payment return response and the payment notification.

sign(fields)

Sign the given form fields and return the signature fields.

Parameters: fields (dict) – The form fields used to perform a payment request
Returns: A dict of signature fields
Return type: dict

A payment request form must contain specific signature fields, depending on the selected sign method.

verify(fields)

Verify that the fields contain the appropriate signatures.

Parameters: fields (dict) – A dict of fields, given by a payment return response or by a payment notification.
Returns: True if the fields contain valid signatures
Return type: boolean

Adyen can secure communication with the merchant site using signatures:

  • merchantSig for the return URL,
  • additionalData.hmacSignature for notification,

This method can be used for both, provided all the fields are given as a flat dict.

The following example is taken from the Adyen documentation:

{
   "live":"false",
   "notificationItems": [
      {
         "notificationRequestItem": {
            "additionalData": {
               "hmacSignature":"SIGN_KEY"
            },
            "amount": {
               "value":1130,
               "currency":"EUR"
            },
            "pspReference":"7914073381342284",
            # ... other fields
         }
      }
   ]
}

The expected fields will be:

{
    'additionalData.hmacSignature': 'SIGN_KEY',
    'amount.value': 1130,
    'amount.currency': 'EUR',
    'pspReference': '7914073381342284',
    # ... other fields
}

This format corresponds to the POST notification format.
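The flattening step described above (nested notification JSON turned into the dotted-key dict that verify() expects) is not shown by the module itself. The following added example, which is not part of the adyen.signers code, implements it; the notification payload is a constructed sample modelled on the one above, with "SIGN_KEY" as a placeholder signature.

```python
import json

# Constructed sample, modelled on the Adyen notification shown above.
# "SIGN_KEY" is a placeholder, not a real HMAC value.
SAMPLE_NOTIFICATION = json.loads("""
{
   "live": "false",
   "notificationItems": [
      {
         "notificationRequestItem": {
            "additionalData": {"hmacSignature": "SIGN_KEY"},
            "amount": {"value": 1130, "currency": "EUR"},
            "pspReference": "7914073381342284"
         }
      }
   ]
}
""")


def flatten(item, prefix=""):
    """Turn nested dicts into dotted keys ('amount.value': 1130).

    Scalar values are left untouched, so a signer can look them up
    directly; only dict values are recursed into.
    """
    flat = {}
    for key, value in item.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, prefix=f"{name}."))
        else:
            flat[name] = value
    return flat


def notification_items(notification):
    """Yield one flat dict per notificationRequestItem of a POST notification.

    A notification may carry several items, and each item carries its own
    additionalData.hmacSignature, so each one is verified separately.
    """
    for wrapper in notification.get("notificationItems", []):
        yield flatten(wrapper["notificationRequestItem"])


if __name__ == "__main__":
    for fields in notification_items(SAMPLE_NOTIFICATION):
        print(fields)
```

Each dict yielded by notification_items() has exactly the shape listed above ('additionalData.hmacSignature', 'amount.value', 'amount.currency', 'pspReference') and can be handed to a signer's verify() as-is.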

class adyen.signers.HMACSha1(secret_key)

Bases: adyen.signers.AbstractSigner

Implement an HMAC signature with the SHA-1 algorithm.

See also

See the Adyen documentation about the deprecated SHA-1 method for a general explanation. The delivery, billing and shopper signatures are explained in the Open Invoice documentation.

PAYMENT_BILLING_HASH_KEYS = ('billingAddress.street', 'billingAddress.houseNumberOrName', 'billingAddress.city', 'billingAddress.postalCode', 'billingAddress.stateOrProvince', 'billingAddress.country')

List of fields used to sign the billing address in the payment request form.

PAYMENT_DELIVERY_HASH_KEYS = ('deliveryAddress.street', 'deliveryAddress.houseNumberOrName', 'deliveryAddress.city', 'deliveryAddress.postalCode', 'deliveryAddress.stateOrProvince', 'deliveryAddress.country')

List of fields used to sign the delivery address in the payment request form.

PAYMENT_FORM_HASH_KEYS = ('paymentAmount', 'currencyCode', 'shipBeforeDate', 'merchantReference', 'skinCode', 'merchantAccount', 'sessionValidity', 'shopperEmail', 'shopperReference', 'recurringContract', 'allowedMethods', 'blockedMethods', 'shopperStatement', 'merchantReturnData', 'billingAddressType', 'deliveryAddressType', 'shopperType', 'offset')

List of fields used to sign the payment request form.

This is used to build the merchantSig signature. Note that the order of the fields matters when computing the hash with the SHA-1 algorithm.

PAYMENT_RETURN_HASH_KEYS = ('authResult', 'pspReference', 'merchantReference', 'skinCode', 'merchantReturnData')

List of fields used to verify the payment result on the return URL.

These fields are given to the payment return URL by Adyen. They are used to validate that the payment return URL has a valid merchantSig field.

PAYMENT_SHOPPER_HASH_KEYS = ('shopper.firstName', 'shopper.infix', 'shopper.lastName', 'shopper.gender', 'shopper.dateOfBirthDayOfMonth', 'shopper.dateOfBirthMonth', 'shopper.dateOfBirthYear', 'shopper.telephoneNumber')

List of fields used to sign the shopper data in the payment request form.
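To make the "order of the fields matters" remark concrete, here is an added example (not the HMACSha1 implementation from this module) that builds the SHA-1 signing string from PAYMENT_FORM_HASH_KEYS in their fixed order and derives merchantSig from it. It assumes, following Adyen's legacy SHA-1 scheme, that absent fields contribute nothing to the concatenation, that the skin secret is used as a plain string key, and that the raw digest is base64-encoded; the field values and secret are constructed samples.

```python
import base64
import hashlib
import hmac

# Same fixed order as the page's PAYMENT_FORM_HASH_KEYS.
PAYMENT_FORM_HASH_KEYS = (
    'paymentAmount', 'currencyCode', 'shipBeforeDate', 'merchantReference',
    'skinCode', 'merchantAccount', 'sessionValidity', 'shopperEmail',
    'shopperReference', 'recurringContract', 'allowedMethods', 'blockedMethods',
    'shopperStatement', 'merchantReturnData', 'billingAddressType',
    'deliveryAddressType', 'shopperType', 'offset',
)


def sha1_signing_string(fields, keys=PAYMENT_FORM_HASH_KEYS):
    """Concatenate the values in the fixed key order.

    Assumption (legacy Adyen SHA-1 scheme): a field that is absent from the
    form contributes an empty string, so the position of every other value
    is unchanged. The dict's own insertion order is irrelevant.
    """
    return "".join(str(fields.get(key, "")) for key in keys)


def sha1_merchant_sig(secret_key, fields, keys=PAYMENT_FORM_HASH_KEYS):
    """HMAC-SHA1 over the signing string, base64-encoded for the form.

    Assumption: the skin secret is used as the raw UTF-8 key bytes.
    """
    digest = hmac.new(
        secret_key.encode("utf-8"),
        sha1_signing_string(fields, keys).encode("utf-8"),
        hashlib.sha1,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample values; the secret is a placeholder.
SAMPLE_SECRET = "example-skin-secret-not-a-real-key"
SAMPLE_FORM = {
    "paymentAmount": "1000",
    "currencyCode": "EUR",
    "merchantReference": "ORDER-1",
    "skinCode": "SKIN1234",
}

if __name__ == "__main__":
    print(sha1_signing_string(SAMPLE_FORM))
    print(sha1_merchant_sig(SAMPLE_SECRET, SAMPLE_FORM))
```

Because the concatenation carries no delimiters, the fixed key order is the only thing that tells Adyen where one value ends and the next begins; signing the same dict with the keys in a different order produces a different merchantSig, which is why the SHA-1 signer cannot simply sort the keys the way the SHA-256 one does.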

compute_hash(signature)

Compute hash using the hashlib.sha1 algorithm.

See also

The AbstractSigner.compute_hash() method for usage.

sign(fields)

Sign the given form fields and return the signature fields.

See also

The AbstractSigner.sign() method for usage.

verify(fields)

Verify that the fields contain the appropriate signatures.

Warning

This version validates only the merchantSig signature, given to the payment return URL. Other signature fields are ignored (in particular the notification signature).

See also

The AbstractSigner.verify() method for usage.

class adyen.signers.HMACSha256(secret_key)

Bases: adyen.signers.AbstractSigner

Implement an HMAC signature with the SHA-256 algorithm.

See also

See the Adyen documentation about the SHA-256 method for more information about the signature.

build_signature(fields)

Build the signature string used to generate a signed key.

The signature format is a specific concatenation of keys and values taken from fields:

  • the valid keys (see is_valid_key()) are sorted by key,
  • both keys and values are escaped (see signature_escape()),
  • the keys are joined by ":", and likewise the values,
  • and these two strings are joined by another ":".

There is no hard-coded order of keys: if a key is present, it is used to sign the fields. This is much simpler than the signing mechanism used by the SHA-1 algorithm.

compute_hash(signature)

Compute hash using the hashlib.sha256 algorithm.

See also

The AbstractSigner.compute_hash() method for usage.

sign(fields)

Sign the given form fields and return the signature fields.

See also

The AbstractSigner.sign() method for usage.

verify(fields)

Verify that the fields contain the appropriate signatures.

Warning

This version validates only the merchantSig signature, given to the payment return URL. Other signature fields are ignored (in particular the notification signature).

See also

The AbstractSigner.verify() method for usage.

adyen.signers.is_valid_key(key)

Return whether a key can be used in the SHA-256 signature.

adyen.signers.signature_escape(value)

Escape a field value as required by Adyen.

See the Adyen documentation about using SHA-256 signature.
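The following added example ties together HMACSha256.build_signature(), is_valid_key() and signature_escape() as described above; it is illustrative code, not the adyen.signers implementation. What the page leaves unstated is filled in from Adyen's SHA-256 HPP description and labelled as an assumption in the code: is_valid_key() rejects sig, merchantSig and any key starting with "ignore.", signature_escape() doubles backslashes and prefixes colons with a backslash, the skin HMAC key is hex-encoded and decoded to bytes before use, and the raw digest is base64-encoded. The hex key and form values are constructed samples.

```python
import base64
import binascii
import hashlib
import hmac

# Assumptions taken from Adyen's SHA-256 description, not from this module:
#  - 'sig', 'merchantSig' and keys starting with 'ignore.' are never signed
#  - '\' is escaped as '\\' and ':' as '\:' in both keys and values
#  - the skin HMAC key is hex-encoded and decoded to raw bytes before use
#  - the raw HMAC-SHA256 digest is base64-encoded for transmission


def is_valid_key(key):
    """Return whether a key takes part in the SHA-256 signing string."""
    return key not in ("sig", "merchantSig") and not key.startswith("ignore.")


def signature_escape(value):
    """Escape backslashes first, then colons, so the delimiter stays unambiguous."""
    return str(value).replace("\\", "\\\\").replace(":", "\\:")


def build_signature(fields):
    """Sorted keys joined by ':', then their values joined by ':', joined by ':'."""
    keys = sorted(k for k in fields if is_valid_key(k))
    escaped_keys = ":".join(signature_escape(k) for k in keys)
    escaped_values = ":".join(signature_escape(fields[k]) for k in keys)
    return escaped_keys + ":" + escaped_values


def compute_hash(hex_secret, signing_string):
    """HMAC-SHA256 keyed with the hex-decoded skin secret, base64-encoded."""
    key = binascii.unhexlify(hex_secret)
    digest = hmac.new(key, signing_string.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign(hex_secret, fields):
    """Return the signature fields to add to the payment request form."""
    return {"merchantSig": compute_hash(hex_secret, build_signature(fields))}


def verify(hex_secret, fields):
    """Recompute merchantSig from the returned fields and compare in constant time."""
    provided = fields.get("merchantSig")
    if not provided:
        return False
    expected = compute_hash(hex_secret, build_signature(fields))
    return hmac.compare_digest(expected, provided)


# Constructed 32-byte key in hex form; a placeholder, not a real skin key.
SAMPLE_HEX_KEY = "0123456789abcdef" * 4

# Constructed form; "10:00" shows a colon being escaped in a value.
SAMPLE_FIELDS = {
    "merchantReference": "ORDER-1",
    "paymentAmount": "10:00",
    "merchantSig": "placeholder",
    "ignore.foo": "not signed",
}

if __name__ == "__main__":
    print(build_signature(SAMPLE_FIELDS))
    signed = dict(SAMPLE_FIELDS, **sign(SAMPLE_HEX_KEY, SAMPLE_FIELDS))
    print(signed["merchantSig"], verify(SAMPLE_HEX_KEY, signed))
```

Two points matter for a verify() implementation: merchantSig itself must be excluded from the signing string (otherwise the recomputed value can never match), and the comparison should use hmac.compare_digest() rather than == so that the check does not leak timing information about the expected signature.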