xendit-payment/XenditWebhookHandler.inc.php at main · ashvisualtheme/xendit-payment · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
<?php

/**
 * @file plugins/paymethod/xendit/XenditWebhookHandler.inc.php
 *
 * Copyright (c) 2025 AshVisual Theme
 * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
 *
 * @class XenditWebhookHandler
 * @ingroup plugins_paymethod_xendit
 *
 * @brief Class to handle incoming webhooks from Xendit.
 */

class XenditWebhookHandler {
    /** @var XenditPaymentPlugin */
    protected $_plugin;

    /** @var Journal */
    protected $_journal;

    /**
     * Constructor
     *
     * @param XenditPaymentPlugin $plugin
     * @param Journal $journal
     */
    public function __construct($plugin, $journal) {
        $this->_plugin = $plugin;
        $this->_journal = $journal;
    }

    /**
     * Verify the webhook callback token from Xendit.
     *
     * @return bool
     */
    public function verify() {
        $webhookSecret = $this->_plugin->getSetting($this->_journal->getId(), 'webhookSecret');
        $callbackToken = null;

        if (isset($_SERVER['HTTP_X_CALLBACK_TOKEN'])) {
            $callbackToken = $_SERVER['HTTP_X_CALLBACK_TOKEN'];
        } elseif (function_exists('getallheaders')) {
            $headers = array_change_key_case(getallheaders(), CASE_LOWER);
            if (isset($headers['x-callback-token'])) {
                $callbackToken = $headers['x-callback-token'];
            }
        }

        if (!$webhookSecret || !$callbackToken) {
            return false;
        }

        $isValid = hash_equals($webhookSecret, $callbackToken);
        if (!$isValid) {
            return false;
        }
        return true;
    }

    /**
     * Parse the incoming JSON payload from Xendit.
     *
     * @return stdClass|null
     */
    public function parsePayload() {
        $jsonPayload = file_get_contents('php://input');

        $data = json_decode($jsonPayload);

        if (json_last_error() !== JSON_ERROR_NONE) {
             return null;
        }
        return $data;
    }

    /**
     * Get the external ID from the webhook data.
     *
     * @param stdClass $data
     * @return string|null
     */
    public function getPaymentId($data) {
        if (isset($data->event) && $data->event === 'invoice.paid') {
            if (isset($data->data) && isset($data->data->status) && $data->data->status === 'PAID') {
                return $data->data->external_id;
            } else {
                return null;
            }
        }

        if (!isset($data->event) && isset($data->status) && $data->status === 'PAID') {
            if (isset($data->external_id)) {
                return $data->external_id;
            } else {
                return null;
            }
        }

        return null;
    }
}