# Migration v30

Breaking change on `validatePaymentSignature`

## What do you need to do?
While investigating issues with Zuora, we discovered that the data in the iframe can currently be tampered with to target any valid gateway.
We have worked with Zuora and membership, and the best way around this issue is to validate the gateway name with the signature.

More context here:
- https://financialtimes.atlassian.net/wiki/spaces/AC/pages/edit-v2/7883850665
- https://financialtimes.atlassian.net/browse/ACQ-1537
- Zuora support ticket: https://support.zuora.com/hc/en-us/requests/348146

The callback endpoint will need to pass the gateway name back to membership when calling `validatePaymentSignature()`.

## Changes

In `src/subscription.ts`:
```javascript
-	public async validatePaymentSignature(signature: PaymentSignature): Promise<PaymentSignatureResponse> {
+	public async validatePaymentSignature(signatureOptions: PaymentSignature): Promise<PaymentSignatureResponse> {
```

The parameter name `signature` was misleading (it implied just the signature field, while it's actually an object), so it's now renamed to `signatureOptions`.

`signature` was: 
```javascript
export interface PaymentSignature {
	token: string;
	pageId: string;
	tenantId: string;
	signature: string;
}
```

`signatureOptions` is now: 
```javascript
export interface PaymentSignature {
	token: string;
	pageId: string;
	tenantId: string;
	signature: string;
	paymentGateway: string;
	userId?: string;
}
```

Note: `paymentGateway` will be available in the callback query params under `field_passthrough4`.
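
One way a callback endpoint could build the new payload, as an added example rather than code from this library or from membership. The helper names (`single`, `buildSignatureOptions`), the `CallbackQuery` type and the query parameter names other than `field_passthrough4` are assumptions.

```typescript
// PaymentSignature mirrors the v30 interface from this guide.
interface PaymentSignature {
	token: string;
	pageId: string;
	tenantId: string;
	signature: string;
	paymentGateway: string;
	userId?: string;
}

// Parsed query string, e.g. the shape Express exposes as req.query (assumption).
type CallbackQuery = Record<string, unknown>;

// Accept a parameter only when it is one non-empty string. A repeated
// parameter parses to an array and is rejected instead of picking one value.
function single(query: CallbackQuery, name: string): string {
	const value = query[name];
	if (typeof value !== 'string' || value.trim() === '') {
		throw new Error(`callback parameter "${name}" is missing, empty or repeated`);
	}
	return value;
}

// Build the payload for validatePaymentSignature(). The gateway comes only from
// field_passthrough4; there is no default, so a callback without it fails here.
// Query names other than field_passthrough4 are assumed to match the field names.
function buildSignatureOptions(query: CallbackQuery, userId?: string): PaymentSignature {
	const options: PaymentSignature = {
		token: single(query, 'token'),
		pageId: single(query, 'pageId'),
		tenantId: single(query, 'tenantId'),
		signature: single(query, 'signature'),
		paymentGateway: single(query, 'field_passthrough4'),
	};
	if (userId !== undefined) {
		options.userId = userId;
	}
	return options;
}

// Constructed sample callback query; every value is a placeholder.
const sampleQuery: CallbackQuery = {
	token: 'constructed-token',
	pageId: 'constructed-page-id',
	tenantId: 'constructed-tenant-id',
	signature: 'constructed-signature',
	field_passthrough4: 'constructed-gateway-name',
};
```

In the callback handler, pass the result to `validatePaymentSignature()` and treat a thrown error as a failed validation.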


For anyone curious, the related code in membership is here:

Payload
https://github.com/Financial-Times/zuora-payment-method-svc/blob/9fb0d799f6ef64bb219b84387c2702d17bff4c31/zuora-payment-method-svc/src/main/java/com/ft/membership/zuorapaymentmethodsvc/models/requests/HostedPageValidationRequest.java

Used in validateSignature here
https://github.com/Financial-Times/zuora-payment-method-svc/blob/9fb0d799f6ef64bb219b84387c2702d17bff4c31/zuora-payment-method-svc/src/main/java/com/ft/membership/zuorapaymentmethodsvc/controllers/HostedPagesValidationController.java#L48
