Riskified · mrtristan · May 27, 2021
diff --git a/Riskified.SDK/Notifications/NotificationHandler.cs b/Riskified.SDK/Notifications/NotificationHandler.cs
@@ -94,8 +94,8 @@ public void ReceiveNotifications()
                     bool acionSucceeded = false;
                     try
                     {
-                        var notificationData = HttpUtils.ParsePostRequestToObject<OrderWrapper<Notification>>(request,_authToken);
-                        OrderNotification n = new OrderNotification(notificationData);
+                        OrderNotification n = NotificationParser.ParseListenerRequest(request, _authToken);
+
                         responseString =
                                 string.Format(
                                     "<HTML><BODY>Merchant Received Notification For Order {0} with status {1} and description {2}</BODY></HTML>",

diff --git a/Riskified.SDK/Notifications/NotificationParser.cs b/Riskified.SDK/Notifications/NotificationParser.cs
@@ -0,0 +1,24 @@
+using System.Net;
+using Riskified.SDK.Model;
+using Riskified.SDK.Model.Internal;
+using Riskified.SDK.Utils;
+
+namespace Riskified.SDK.Notifications
+{
+    public static class NotificationParser
+    {
+        public static string HmacHeaderName => HttpUtils.HmacHeaderName;
+
+        public static OrderNotification ParseListenerRequest(HttpListenerRequest request, string authToken)
+        {
+            var notificationData = HttpUtils.ParsePostRequestToObject<OrderWrapper<Notification>>(request, authToken);
+            return new OrderNotification(notificationData);
+        }
+
+        public static OrderNotification ParseRequestComponents(string hmacHeader, string requestBody, string authToken)
+        {
+            var notificationData = HttpUtils.ParsePostRequestComponentsToObject<OrderWrapper<Notification>>(hmacHeader, requestBody, authToken);
+            return new OrderNotification(notificationData);
+        }
+    }
+}
diff --git a/Riskified.SDK/Orders/OrdersGateway.cs b/Riskified.SDK/Orders/OrdersGateway.cs
@@ -1,5 +1,4 @@
 using System;
-using System.Linq;
 using Riskified.SDK.Exceptions;
 using Riskified.SDK.Model;
 using Riskified.SDK.Utils;

diff --git a/Riskified.SDK/Utils/HttpUtils.cs b/Riskified.SDK/Utils/HttpUtils.cs
@@ -20,7 +20,7 @@ internal enum HttpBodyType
     internal static class HttpUtils
     {
         private const string ShopDomainHeaderName = "X-RISKIFIED-SHOP-DOMAIN";
-        private const string HmacHeaderName = "X-RISKIFIED-HMAC-SHA256";
+        internal const string HmacHeaderName = "X-RISKIFIED-HMAC-SHA256";
         private const int ServerApiVersion = 2;
 
         private static readonly string AssemblyVersion;
@@ -233,7 +233,7 @@ internal class ErrorMessage
         /// <returns>An object of type T containing data parsed from the request</returns>
         /// <exception cref="RiskifiedAuthenticationException">On missing/bad HMAC signature that doesn't match the given auth token</exception>
         /// <exception cref="RiskifiedTransactionException">On parsing error from string into the relevant object of type T</exception>
-        public static T ParsePostRequestToObject<T>(HttpListenerRequest request,string authToken) where T : class
+        internal static T ParsePostRequestToObject<T>(HttpListenerRequest request,string authToken) where T : class
         {
             if (!request.HasEntityBody)
             {
@@ -243,21 +243,32 @@ public static T ParsePostRequestToObject<T>(HttpListenerRequest request,string a
             T obj = JsonStringToObject<T>(postData);
             return obj;
         }
+
+        internal static T ParsePostRequestComponentsToObject<T>(string hmacHeader, string requestBody, string authToken) where T : class
+        {
+            if (!AuthorizeContent(hmacHeader, requestBody, authToken))
+            {
+                throw new RiskifiedAuthenticationException("Request HMAC signature was either missing or incorrect");
+            }
+            return JsonStringToObject<T>(requestBody);
+        }
 
         private static string AuthorizeAndExtractContent(HttpListenerRequest request, string authToken)
         {
             if (!string.IsNullOrEmpty(request.Headers[HmacHeaderName]))
             {
-                Stream s = request.InputStream;
-                string postData = ExtractStreamData(s);
-                if (string.Equals(request.Headers[HmacHeaderName], CalcHmac(postData, authToken), StringComparison.Ordinal))
+                var s = request.InputStream;
+                var postData = ExtractStreamData(s);
+                if (AuthorizeContent(request.Headers[HmacHeaderName], postData, authToken))
                 {
                     return postData;
                 }
             }
             throw new RiskifiedAuthenticationException("Request HMAC signature was either missing or incorrect");
         }
 
+        private static bool AuthorizeContent(string expectedSignature, string postData, string authToken) => string.Equals(expectedSignature, CalcHmac(postData, authToken), StringComparison.Ordinal);
+
         private static string ExtractStreamData(Stream stream)
         {
             if (stream != null)