Clickbank IPN version 6 PHP / Laravel

Question

I am trying to create an IPN listener for Clickbank but so far i have not been successful.

I used the code example listed on the clickbank site: https://support.clickbank.com/entries/22803622-Instant-Notification-Service

    <?php
// NOTE: the mcrypt libraries need to be installed and listed as an available extension in
// your phpinfo() to be able to use this method of decryption.
$secretKey = "YOUR SECRET KEY"; // secret key from your ClickBank account
 // get JSON from raw body...
$message = json_decode(file_get_contents('php://input'));
// Pull out the encrypted notification and the initialization vector for
// AES/CBC/PKCS5Padding decryption
$encrypted = $message->{'notification'};
$iv = $message->{'iv'};
error_log("IV: $iv");
// decrypt the body...
$decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128,
                                 substr(sha1($secretKey), 0, 32),
                                 base64_decode($encrypted),
                                 MCRYPT_MODE_CBC,
                                 base64_decode($iv)), "\0..\32");
error_log("Decrypted: $decrypted");
// convert the decrypted string to a JSON object...
$order = json_decode($decrypted);
// Ready to rock and roll - If the decoding of the JSON string wasn't successful,
// then you can assume the notification wasn't encrypted with your secret key.
?>

For ipn v4 i managed to get a verified confirmation for the ipn tester, and save the output in my logs. But for v6, i can't even save the output to the log files. It seems like clickbank is not even sending anything. Their documentation is vague, i'm wondering if this code should be working in the first place.

Does anybody have experience with this? Should i return anything other than response 200?

Thanks in advance.

Answer 1

There are couple of things you can do which worked pretty well with my code. (1) PHP Version - If you are on PHP 7+ then try changing it to PHP 5.6 (2) Use $HTTP_RAW_POST_DATA instead of file_get_contents (I know file_get_contents is better but use alternative when its not working)

Here is the code to try, $secretKey = "Your Secrety Key";

// get JSON from raw body...
//$message = json_decode(file_get_contents('php://input'));

$message = $HTTP_RAW_POST_DATA;
$message = json_decode($message, true);
$messageString = http_build_query($message);    //converts associative array in to string
error_log("message string: $messageString");
$encrypted = $message['notification'];
$iv = $message['iv'];
error_log("IV: $iv");

// decrypt the body...
$decrypted = trim(openssl_decrypt(base64_decode($encrypted),'AES-256-CBC',substr(sha1($secretKey), 0, 32),OPENSSL_RAW_DATA, base64_decode($iv)), "\0..\32");

error_log("Decrypted: $decrypted");

////UTF8 Encoding, remove escape back slashes, and convert the decrypted string to a JSON object...
$sanitizedData = utf8_encode(stripslashes($decrypted));
$jsonDecodeData = json_decode($decrypted, true);
$jsonDecodeDataString = http_build_query($jsonDecodeData);

Answer 2

<?php

function ipnVerification() {
    $secretKey="YOUR SECRET KEY";
    $pop = "";
    $ipnFields = array();
    foreach ($_POST as $key => $value) {
        if ($key == "cverify") {
            continue;
        }
        $ipnFields[] = $key;
    }
    sort($ipnFields);
    foreach ($ipnFields as $field) {
        // if Magic Quotes are enabled $_POST[$field] will need to be
        // un-escaped before being appended to $pop
        $pop = $pop . $_POST[$field] . "|";
    }
    $pop = $pop . $secretKey;
    $calcedVerify = sha1(mb_convert_encoding($pop, "UTF-8"));
    $calcedVerify = strtoupper(substr($calcedVerify,0,8));
    return $calcedVerify == $_POST["cverify"];
}

?>

You can use this to get your IPN verified. It will work very well