Update 2020.03.26

Author: tiagosampaio

composer.lock

@@ -23,7 +23,7 @@
 
 class Client implements ClientInterface, LoggerAwareInterface
 {
-    const SDK_VERSION = '3.6.0';
+    const SDK_VERSION = '3.7.1';
     const MWS_VERSION = '2013-01-01';
     const MAX_ERROR_RETRY = 3;
 
@@ -316,16 +316,21 @@ public function getUserInfo($accessToken)
 
         // To make sure double encoding doesn't occur decode first and encode again.
         $accessToken = urldecode($accessToken);
-        $url          = $this->profileEndpoint . '/auth/o2/tokeninfo?access_token=' . $this->urlEncode($accessToken);
+        $url          = $this->profileEndpoint . '/auth/o2/tokeninfo';
 
         $httpCurlRequest = new HttpCurl($this->config);
+        $httpCurlRequest->setAccessToken($accessToken);
+        $httpCurlRequest->setHttpHeader();
 
         $response = $httpCurlRequest->httpGet($url);
         $data       = json_decode($response);
 
         // Ensure that the Access Token matches either the supplied Client ID *or* the supplied App ID
         // Web apps and Mobile apps will have different Client ID's but App ID should be the same
         // As long as one of these matches, from a security perspective, we have done our due diligence
+        if (!isset($data->aud)) {
+            throw new \Exception('The tokeninfo API call did not succeed');
+        }
         if (($data->aud != $this->config['client_id']) && ($data->app_id != $this->config['app_id'])) {
             // The access token does not belong to us
             throw new \Exception('The Access Token belongs to neither your Client ID nor App ID');
@@ -361,7 +366,7 @@ private function setParametersAndPost($parameters, $fieldMappings, $requestParam
             }
 
             // Ensure that no unexpected type coercions have happened
-            if ($param === 'capture_now' || $param === 'confirm_now' || $param === 'inherit_shipping_address' || $param === 'request_payment_authorization') {
+            if ($param === 'capture_now' || $param === 'confirm_now' || $param === 'inherit_shipping_address' || $param === 'request_payment_authorization' || $param === 'expect_immediate_authorization') {
                 if (!is_bool($value)) {
                     throw new \Exception($param . ' value ' . $value . ' is of type ' . gettype($value) . ' and should be a boolean value');
                 }
@@ -622,7 +627,7 @@ public function getOrderReferenceDetails($requestParameters = array())
      * @optional requestParameters['created_end_time'] - [String] (Date/Time ISO8601) Limited to 31 days
      * @optional requestParameters['sort_order'] - [String] (Ascending/Descending)
      * @optional requestParameters['mws_auth_token'] - [String]
-     * @optional requestParameters['status_list'] - [Array]
+     * @optional requestParameters['order_status_list'] - [Array]
      */
     public function listOrderReference($requestParameters = array())
     {
@@ -791,6 +796,7 @@ public function setOrderAttributes($requestParameters = array())
      * @optional requestParameters['authorization_amount'] - [String]
      * @optional requestParameters['currency_code'] - [String]
      * @optional requestParameters['mws_auth_token'] - [String]
+     * @optional requestParameters['expect_immediate_authorization'] - [Boolean] Default value is false
      */
     public function confirmOrderReference($requestParameters = array())
     {
@@ -805,7 +811,8 @@ public function confirmOrderReference($requestParameters = array())
             'failure_url'               => 'FailureUrl',
             'authorization_amount'      => 'AuthorizationAmount.Amount',
             'currency_code'             => 'AuthorizationAmount.CurrencyCode',
-            'mws_auth_token'            => 'MWSAuthToken'
+            'mws_auth_token'            => 'MWSAuthToken',
+            'expect_immediate_authorization' => 'ExpectImmediateAuthorization'
         );
 
         if (isset($requestParameters['authorization_amount']) && !isset($requestParameters['currency_code'])) {

vendor/amzn/amazon-pay-sdk-php/AmazonPay/Client.php

@@ -156,6 +156,7 @@ public function setOrderAttributes($requestParameters = array());
      * @optional requestParameters['authorization_amount'] - [String]
      * @optional requestParameters['currency_code'] - [String]
      * @optional requestParameters['mws_auth_token'] - [String]
+     * @optional requestParameters['expect_immediate_authorization'] - [Boolean] Default value is false
      */
     public function confirmOrderReference($requestParameters = array());
 

vendor/amzn/amazon-pay-sdk-php/AmazonPay/ClientInterface.php

@@ -102,7 +102,7 @@ public function httpGet($url, $userAgent = null)
 
         // Setting the HTTP header with the Access Token only for Getting user info
         if ($this->header) {
-            $this->headerArray[] = 'Authorization: bearer ' . $this->accessToken;
+            $this->headerArray[] = 'x-amz-access-token : ' . $this->accessToken;
         }
 
         $response = $this->execute($ch);

vendor/amzn/amazon-pay-sdk-php/AmazonPay/HttpCurl.php

@@ -1,3 +1,9 @@
+3.7.1 - March 2021
+- Fixed Secuity issue - Sending access token via HTTP header instead of query string in URL for GetUserInfo API
+
+3.7.0 - January 2021
+- Added additional attribute (expect_immediate_authorization) to ConfirmOrderReference. This value can be set to true or false (Boolean). See Amazon Pay Strong Customer Authentication (SCA) Upgrade Integration Guide for more information.
+
 3.6.0 - November 2019
 - Add GetMerchantNotificationConfiguration API call
 - Add SetMerchantNotificationConfiguration API call

vendor/amzn/amazon-pay-sdk-php/CHANGES.txt

@@ -1,6 +1,6 @@
 *-*-**-***-*****-********-*************
 Amazon Pay SDK (PHP)
-Copyright 2013-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 Licensed under the Apache License, Version 2.0 (the "License"); 
 *-*-**-***-*****-********-*************
 

vendor/amzn/amazon-pay-sdk-php/NOTICE.txt

@@ -335,8 +335,8 @@ $requestParameters['notification_configuration_list'] = $notificationConfigurati
 // $requestParameters['notification_configuration_list'] = array('https://dev.null/ipn' => array('ALL'));
 
 // if you are calling on behalf of another merhcant using delegated access, be sure to set the merchant ID and auth token:
-// $requestParameters['merchant_id'] = 'A3URCZVLDMDI45';
-// $requestParameters['mws_auth_token'] = 'amzn.mws.d6ac8f2d-6a5f-b06a-bc12-1d0dbf4ca63d';
+// $requestParameters['merchant_id'] = 'THE_MERCHANT_ID';
+// $requestParameters['mws_auth_token'] = 'THE_MWS_AUTH_TOKEN';
 
 $response = $client->setMerchantNotificationConfiguration($requestParameters);
 if ($response->toArray()['ResponseStatus'] !== '200') {
@@ -387,6 +387,7 @@ and the amount captured by making the `capture` API call after the shipment is c
 | Platform ID         	     | `platform_id`         	    | no        | Platform ID of the Solution provider                                                                      |
 | Custom Information  	     | `custom_information`  	    | no        | Any custom string                                                                                         |
 | MWS Auth Token      	     | `mws_auth_token`      	    | no        | MWS Auth Token required if API call is made on behalf of the seller                                       |
+| ExpectImmediateAuthorization      	     | `expect_immediate_authorization`      	    | no        | Setting value to true, will make OrderReferenceObject to be closed automatically in case no authorization is triggered within 60 minutes                                      |
 
 ```php
 // Create an array that will contain the parameters for the charge API call

vendor/amzn/amazon-pay-sdk-php/README.md

@@ -2,7 +2,7 @@
    "name": "amzn/amazon-pay-sdk-php",
    "type": "library",
    "description": "Amazon Pay SDK (PHP)",
-   "version": "3.6.0",
+   "version": "3.7.1",
    "keywords": [
       "amazon",
       "pay",

vendor/amzn/amazon-pay-sdk-php/composer.json

@@ -362,7 +362,8 @@ public function testConfirmOrderReferenceWithAllSCA()
             'success_url'               => 'SuccessUrl',
             'failure_url'               => 'FailureUrl',
             'authorization_amount'      => 'AuthorizationAmount.Amount',
-            'currency_code'             => 'AuthorizationAmount.CurrencyCode'
+            'currency_code'             => 'AuthorizationAmount.CurrencyCode',
+            'expect_immediate_authorization' => 'ExpectImmediateAuthorization'
         );
 
         $action = 'ConfirmOrderReference';
@@ -389,7 +390,8 @@ public function testConfirmOrderReferenceWithAllButCurrencyCodeSCA()
             'mws_auth_token'            => 'MWSAuthToken',
             'success_url'               => 'SuccessUrl',
             'failure_url'               => 'FailureUrl',
-            'authorization_amount'      => 'AuthorizationAmount.Amount'
+            'authorization_amount'      => 'AuthorizationAmount.Amount',
+            'expect_immediate_authorization' => 'ExpectImmediateAuthorization'
         );
 
         $action = 'ConfirmOrderReference';
@@ -415,7 +417,8 @@ public function testConfirmOrderReferenceWithUrlSCA()
             'amazon_order_reference_id' => 'AmazonOrderReferenceId',
             'mws_auth_token'            => 'MWSAuthToken',
             'success_url'               => 'SuccessUrl',
-            'failure_url'               => 'FailureUrl'
+            'failure_url'               => 'FailureUrl',
+            'expect_immediate_authorization' => 'ExpectImmediateAuthorization'
         );
 
         $action = 'ConfirmOrderReference';
@@ -457,6 +460,33 @@ public function testConfirmOrderReferenceWithoutSCA()
         $this->assertEquals($apiParametersString, $expectedStringParams);
     }
 
+    /*
+    * Test to validate ConfirmOrderReference API with ExpectImmediateAuthorization optional value as null
+    * It is expected to accept only Boolean value (i.e true or false)
+    */
+    public function testConfirmOrderReferenceWithExpectImmediateAuthorizationValueAsNull() {
+        $client = new Client($this->configParams);
+        $fieldMappings = array(
+            'merchant_id'               => 'SellerId',
+            'amazon_order_reference_id' => 'AmazonOrderReferenceId',
+            'mws_auth_token'            => 'MWSAuthToken',
+            'success_url'               => 'SuccessUrl',
+            'failure_url'               => 'FailureUrl',
+            'authorization_amount'      => 'AuthorizationAmount.Amount',
+            'expect_immediate_authorization' => 'ExpectImmediateAuthorization'
+        );
+        $action = 'ConfirmOrderReference';
+        $parameters = $this->setParametersAndPost($fieldMappings, $action);
+        $apiCallParams = $parameters['apiCallParams'];
+        $apiCallParams['expect_immediate_authorization'] = null;
+        try{
+            $response = $client->confirmOrderReference($apiCallParams);
+        }
+        catch (\Exception $expected) {
+            $this->assertRegExp('/should be a boolean value/i', strval($expected));
+        }
+    }
+
     public function testCancelOrderReference()
     {
         $client = new Client($this->configParams);
@@ -1227,7 +1257,7 @@ private function setParametersAndPost($fieldMappings, $action)
         $expectedParameters['Action'] = $action;
 
         foreach ($fieldMappings as $parm => $value) {
-            if ($parm === 'capture_now' || $parm === 'confirm_now' || $parm === 'inherit_shipping_address' || $parm === 'request_payment_authorization') {
+            if ($parm === 'capture_now' || $parm === 'confirm_now' || $parm === 'inherit_shipping_address' || $parm === 'request_payment_authorization' || $parm === 'expect_immediate_authorization') {
                 $expectedParameters[$value] = true;
                 $apiCallParams[$parm] = true;
             } elseif ($parm === 'order_item_categories') {

vendor/amzn/amazon-pay-sdk-php/tst/unit/ClientTest.php

@@ -18,9 +18,9 @@
     "require": {
         "php": ">=5.5",
         "guzzlehttp/guzzle": "^5.3.3|^6.2.1|^7.0",
-        "guzzlehttp/psr7": "^1.4.1",
-        "guzzlehttp/promises": "^1.0",
-        "mtdowling/jmespath.php": "^2.5",
+        "guzzlehttp/psr7": "^1.7.0",
+        "guzzlehttp/promises": "^1.4.0",
+        "mtdowling/jmespath.php": "^2.6",
         "ext-pcre": "*",
         "ext-json": "*",
         "ext-simplexml": "*"