Amazon Pay PHP SDK 3.7.1

amzn · Mar 23, 2021 · 37882f2 · 37882f2
1 parent 87229f6
commit 37882f2
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 5 deletions.
diff --git a/AmazonPay/Client.php b/AmazonPay/Client.php
@@ -23,7 +23,7 @@
 
 class Client implements ClientInterface, LoggerAwareInterface
 {
-    const SDK_VERSION = '3.7.0';
+    const SDK_VERSION = '3.7.1';
     const MWS_VERSION = '2013-01-01';
     const MAX_ERROR_RETRY = 3;
 
@@ -316,16 +316,21 @@ public function getUserInfo($accessToken)
 
         // To make sure double encoding doesn't occur decode first and encode again.
         $accessToken = urldecode($accessToken);
-        $url          = $this->profileEndpoint . '/auth/o2/tokeninfo?access_token=' . $this->urlEncode($accessToken);
+        $url          = $this->profileEndpoint . '/auth/o2/tokeninfo';
 
         $httpCurlRequest = new HttpCurl($this->config);
+        $httpCurlRequest->setAccessToken($accessToken);
+        $httpCurlRequest->setHttpHeader();
 
         $response = $httpCurlRequest->httpGet($url);
         $data       = json_decode($response);
 
         // Ensure that the Access Token matches either the supplied Client ID *or* the supplied App ID
         // Web apps and Mobile apps will have different Client ID's but App ID should be the same
         // As long as one of these matches, from a security perspective, we have done our due diligence
+        if (!isset($data->aud)) {
+            throw new \Exception('The tokeninfo API call did not succeed');
+        }
         if (($data->aud != $this->config['client_id']) && ($data->app_id != $this->config['app_id'])) {
             // The access token does not belong to us
             throw new \Exception('The Access Token belongs to neither your Client ID nor App ID');

diff --git a/AmazonPay/HttpCurl.php b/AmazonPay/HttpCurl.php
@@ -102,7 +102,7 @@ public function httpGet($url, $userAgent = null)
 
         // Setting the HTTP header with the Access Token only for Getting user info
         if ($this->header) {
-            $this->headerArray[] = 'Authorization: bearer ' . $this->accessToken;
+            $this->headerArray[] = 'x-amz-access-token : ' . $this->accessToken;
         }
 
         $response = $this->execute($ch);

diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,3 +1,6 @@
+3.7.1 - March 2021
+- Fixed Secuity issue - Sending access token via HTTP header instead of query string in URL for GetUserInfo API
+
 3.7.0 - January 2021
 - Added additional attribute (expect_immediate_authorization) to ConfirmOrderReference. This value can be set to true or false (Boolean). See Amazon Pay Strong Customer Authentication (SCA) Upgrade Integration Guide for more information.
 

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -1,6 +1,6 @@
 *-*-**-***-*****-********-*************
 Amazon Pay SDK (PHP)
-Copyright 2013-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 Licensed under the Apache License, Version 2.0 (the "License"); 
 *-*-**-***-*****-********-*************
 

diff --git a/composer.json b/composer.json
@@ -2,7 +2,7 @@
    "name": "amzn/amazon-pay-sdk-php",
    "type": "library",
    "description": "Amazon Pay SDK (PHP)",
-   "version": "3.7.0",
+   "version": "3.7.1",
    "keywords": [
       "amazon",
       "pay",