The merchant must set up a refund webhook URL (key, value) in the Paybull merchant panel at https://app.paybull.com/merchant/apisetting. For a refund, the refund_webhook_key key should be sent with the refund request parameters. Paybull validates that the key exists in the database when the refund request is made. On refund approval, Paybull sends a POST request to the merchant's refund webhook URL with the parameters given below.
Type | Params | Sample Value |
---|---|---|
KEY | invoice_id | 8iu75g |
KEY | order_id | 15767887576675 |
KEY | amount | 10.50 |
KEY | status | Completed |
KEY | hash_key | 5uUVKijz5im5FfStic2wVX4gG8ngRfMS3H+FvAauQvOc1nAnh9GZ9T6zyxV5WUnQP2F |
On refund approval, Paybull sends a POST request to the webhook URL. The problem with these URLs is that they can be accessed by an anonymous person. To prevent this, it is recommended to validate the request using the hash key, since parameters such as status, invoice_id, order_id, amount and hash_key are added to the request.
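```php
function validateHashKey($hash_key, $secret_key){
    // Defaults returned when the hash key is missing or cannot be decrypted
    $status = '';
    $amount = $invoice_id = $order_id = 0;

    if (!empty($hash_key)) {
        // Restore '/' characters that were replaced with '__'
        $hash_key = str_replace('__', '/', $hash_key);
        $password = sha1($secret_key);

        // Expected layout: iv:salt:encrypted_message
        $components = explode(':', $hash_key);
        if (count($components) > 2) {
            $iv = $components[0] ?? '';
            $salt = $components[1] ?? '';
            // Derive the AES key from the merchant secret and the salt
            $salt = hash('sha256', $password . $salt);
            $encrypted_msg = $components[2] ?? '';
            // Options must be an int (0 = base64 input); null is deprecated in PHP 8.1+
            $decrypted_msg = openssl_decrypt($encrypted_msg, 'aes-256-cbc', $salt, 0, $iv);

            // openssl_decrypt() returns false on failure
            if ($decrypted_msg !== false && strpos($decrypted_msg, '|') !== false) {
                // Plaintext layout: status|amount|invoice_id|order_id
                $array = explode('|', $decrypted_msg);
                $status = $array[0] ?? 0;
                $amount = $array[1] ?? 0;
                $invoice_id = $array[2] ?? '0';
                $order_id = $array[3] ?? 0;
            }
        }
    }
    return [$status, $amount, $invoice_id, $order_id];
}
```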
Here, $hash_key must be taken from the request, and $secret_key is the merchant app secret provided by Paybull.
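
Decrypting hash_key only helps if the decrypted fields are then compared with the plain POST parameters, so that a request with altered or forged values is rejected. The following is an added example, not code from Paybull's documentation; the function names decodeHashKey and isAuthenticRefund, the two-decimal amount comparison, and the sample secret, IV and salt are assumptions made for the demo.

```php
<?php
// Added example (not Paybull's code). The iv:salt:ciphertext layout and the key
// derivation follow validateHashKey() above; all sample values are constructed.
function decodeHashKey(string $hash_key, string $secret_key): ?array
{
    $parts = explode(':', str_replace('__', '/', $hash_key));
    if (count($parts) < 3) {
        return null;
    }
    [$iv, $salt, $ciphertext] = $parts;
    $key = hash('sha256', sha1($secret_key) . $salt);
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, 0, $iv);
    $fields = $plain === false ? [] : explode('|', $plain);
    return count($fields) >= 4 ? array_slice($fields, 0, 4) : null;
}

// Hypothetical helper: true only if every plain POST parameter equals the
// value carried inside the encrypted hash_key.
function isAuthenticRefund(array $post, string $secret_key): bool
{
    $decoded = decodeHashKey((string) ($post['hash_key'] ?? ''), $secret_key);
    if ($decoded === null) {
        return false;
    }
    [$status, $amount, $invoice_id, $order_id] = $decoded;
    // Assumption: amounts are compared after normalising to two decimal places
    $fmt = fn($v) => number_format((float) $v, 2, '.', '');
    return hash_equals($status, (string) ($post['status'] ?? ''))
        && hash_equals($invoice_id, (string) ($post['invoice_id'] ?? ''))
        && hash_equals($order_id, (string) ($post['order_id'] ?? ''))
        && hash_equals($fmt($amount), $fmt($post['amount'] ?? 0));
}

// Constructed sample: build a hash_key in the layout the decoder expects.
$secret = 'demo-app-secret';      // constructed merchant app secret
$iv     = '0123456789abcdef';     // constructed 16-byte IV
$salt   = 'demo-salt';            // constructed salt
$key    = hash('sha256', sha1($secret) . $salt);
$ct     = openssl_encrypt('Completed|10.50|8iu75g|15767887576675', 'aes-256-cbc', $key, 0, $iv);
$post   = [
    'invoice_id' => '8iu75g', 'order_id' => '15767887576675',
    'amount' => '10.50', 'status' => 'Completed',
    'hash_key' => str_replace('/', '__', "$iv:$salt:$ct"),
];

var_dump(isAuthenticRefund($post, $secret));                          // unmodified request
var_dump(isAuthenticRefund(['amount' => '99.00'] + $post, $secret));  // amount altered in transit
var_dump(isAuthenticRefund(['hash_key' => 'x:y:z'] + $post, $secret)); // forged hash_key
```

Once the check passes, look up order_id in your own records before recording the refund.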