Sunday, August 23, 2015

Working with Instamojo Payment Integration For Websites And Mobile Apps

Few week back was working with a company for a premium project for Hybrid mobile app development and came across a wonderful service named as instamojo payment service/gateway for selling service/physical goods/events and tickets and even more.we used this service for adding credit amount to the Hybrid mobile apps.And the service charge is too nominal fee i hope since i got paid Sample Rs.100 and the service charge was around Rs.2.And it was awesome to talk with the developers of instamojo since it is a startup company.

Reference :    

Prerequisites :

  • A Valid website or Mobile App to Integrate.
  • Fully Activated Instamojo Account.
     You should submit your Bank statement and PAN card for verification and Phone number to prove that you're a legitimate user.
  • Developer keys private/Oauth key and Hash Secret.
  • Little patience to set up everything around :)


We will see about initiating the Payment from our site along with the Web Hook request as well API service from Instamojo.Additional to this we will see how to implement the HMAC-SHA1 Integrity check for Safer transactions and protecting the user data over Network.

Initial Setup :

Create Instamojo Account here.And verify KYC by submitting your Bank Account Passbook photo snap and PAN Card with few more documents as instructed by get verified and it allows you to create links for new payment where you can sell your service or products over online.

After the approval process :

Create new Link for payment :

Instamojo Provides excellent features such as Events,Physical goods,service and membership plans and even more.with this they offer to index the link in search engine and they do SEO for the links you have created.

Follow the steps to create your own links: have a look at it.

So,from the Above Example snaps you can create your own service.The only thing here may be new is WebHook url,it is just a POST request made by the instamojo server to our server after every successful transactions made by the that we could update our database faster and provide service to the user who have paid without any delay.

Note : The Above Screenshots are just for depiction and may Contain Fake Data and you need to create it with correct information inorder to ensure payment goes correctly.
Dont share your WebHook URL in public may be someone can try making Bruteforce attacks by making POST request and attack your DATABASE.never reveal your Private/Ouath and Hash keys.

Setup Payment in Web or App :

Here you can setup two types of Payment integration within the site either by prefiling the user information and proceed to payment or just redirecting the user to Gateway where he fills the info and process the payment.

hereby we will see the just redirection to the Payment gateway and user fills the Payment information at the Processing time.Prefilling the form contains HMAC-SHA1 verification and verifying the integrity check of the transfered information over network.We will see this in Next Post.

Select Dashboard > Corresponding link > payment Button will show you this form and can customize it.
Note : if you want to remove powered by instamojo you need to pay them some credits in their market place seems.

paste the code in our web app or mobile app.Coming to the mobile app(HTML5 hybrid apps) just you have to do the transaction in in-app browsers and writing listeners function for url change you could detect the success of the payment and return back to your app.[for further clarification drop me a Mail or Hire me to set up payment gateway in Mobile Apps].

Handling Webhooks :

Most important part of this application is handling webhooks from Instamojo server with Integrity check of source and data for updating our payment database.

$filename = "/tmp/webhook_data.txt";
foreach($_POST as $key => $value)
    file_put_contents($filename, "$key: $value\n", FILE_APPEND);
file_put_contents($filename, "----------\n", FILE_APPEND);

The above code will just receive the payment data from the instamojo server when they try to post in our can be viewed when opening this file.This is really a bad approach of saving users data in flat file and we should check the REQUEST was made actually from INSTAMOJO server by checking Hash sum  calculation using our private key provided by instamojo.

A clear understanding : 

first of all instamojo with the users data they combine all data in alphabetical of the keys taking their values and adding '|' as concatenation and therefore combining all them as Strings.They calculate the hash with your private hash key.(You can get it here) and append it to the post request as sign as key and value as hash.

After reaching our server,for most step is to check for SQL injection attacks,Scan all POST variables and filter all variables.Then retrieve all key pair values from the request part.once again concatenate all the Values with '|' except the Sign part and recalculate the HMAC-SHA1 hash.

Compare both hash and if it is true,the request from instamojo server is legitimate one and you can trust the data and save it in your business Database.

I have implemented this in Node.js - HMAC-SHA1 verification - if you're interested drop me mail to get samples.

Note : Calculate the Hash as prescribed by the Instamojo( get the Complete guide here) or else it may lead to false value and ignoring valid customer data sometimes and lead to dual work and overhead.

Always try with all testcases in Development mode before moving to Production mode of app because,payment gateway can cause many troubles.Read more error codes from Instamojo website for better understanding.

Final Word :

Test all possible testcase in development mode itself and hadle all security checks in development mode and try with all testcase in webhooks,even a single loop hole can cause danger to your Customer data and business logics.

Thus instamojo made our life easy by integrating payments more simplified with pay with links as next post will be completely how to add custom data,prefilled form,HMAC-SHA1 check sum calculation for web and mobile apps.

for bugs/errors/hugs/comments/help/projects just drop me a mail to [email protected].or chat with me in G+ / Fb chat.Share is comments.