Support notification signature validation

[judgej]

The notification message comes with a signature in the header, for example:

X-Anet-Signature: sha512=8EB900743516AC9415516FF0A1813BB38FBB5CCE6D4256B3FC56BD1FE661258F8CEF6AED0899B9095DFB66596E3F71340CD7A0BB44930618D383266242C70499

This should be used to validate the notification has not been tampered with.

Some details:

• https://support.authorize.net/s/article/What-is-a-Signature-Key
• https://developer.authorize.net/api/reference/features/webhooks.html#Verifying_the_Notification

The documentation does lack some details about how the notification is actually verified. I think the SDK is probably the main source of information for this.

[judgej]

Without tests, the main functionality is available.

Where signatures are validated in notification handlers is a little unclear in Omnipay across the drivers. It cannot be done in message instantiation, as the constructor does not have access to the gateway parameters (these are set using initialize() after instantiation. It could be done at that point, however, throwing an exception here means there is no object to inspect and log when debugging.

The approach I have taken, is to assert the signature validity at the point the transaction result is fetched - all the methods in the NotificationInterface. Until that point, the object will be instantiated, you can extract the raw and parsed data, and can manually do a check isSignatureValid().