trustly · jolind93 · Jul 8, 2025
diff --git a/src/main/java/com/trustly/api/client/DefaultJsonRpcSigner.java b/src/main/java/com/trustly/api/client/DefaultJsonRpcSigner.java
@@ -95,13 +95,13 @@ private <T extends IData> String createSignature(String method, String uuid, T d
   }
 
   @Override
-  public <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request) throws TrustlySignatureException {
+  public <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request, JsonNode dataNode) throws TrustlySignatureException {
 
     String uuid = (request.getParams() == null) ? null : request.getParams().getUuid();
     String signature = (request.getParams() == null) ? null : request.getParams().getSignature();
     D data = (request.getParams() == null) ? null : request.getParams().getData();
 
-    this.verify(request.getMethod(), uuid, signature, data, null);
+    this.verify(request.getMethod(), uuid, signature, data, dataNode);
   }
 
   @Override

diff --git a/src/main/java/com/trustly/api/client/JsonRpcSigner.java b/src/main/java/com/trustly/api/client/JsonRpcSigner.java
@@ -15,7 +15,7 @@ public interface JsonRpcSigner {
 
   <T extends IResponseResultData> JsonRpcResponse<T> sign(JsonRpcResponse<T> response);
 
-  <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request) throws TrustlySignatureException;
+  <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request, JsonNode dataNode) throws TrustlySignatureException;
 
   <T extends IResponseResultData> void verify(JsonRpcResponse<T> response, JsonNode nodeResponse) throws TrustlySignatureException;
 }
diff --git a/src/main/java/com/trustly/api/client/NotificationArgs.java b/src/main/java/com/trustly/api/client/NotificationArgs.java
@@ -26,7 +26,10 @@ public interface NotificationFailHandler {
   @Valid
   private final D data;
 
+  @Getter
   private final String method;
+
+  @Getter
   private final String uuid;
 
   private final NotificationOkHandler onOK;

diff --git a/src/main/java/com/trustly/api/client/TrustlyApiClient.java b/src/main/java/com/trustly/api/client/TrustlyApiClient.java
@@ -720,12 +720,19 @@ private <D extends IFromTrustlyRequestData> void handleNotification(
     NotificationFailHandler onFailed
   ) throws IOException, TrustlyValidationException, TrustlySignatureException {
 
+    // Get the JsonNode for the data field for verifying later
+    JsonNode jsonToken = this.objectMapper.readTree(jsonString);
+    JsonNode dataToken = null;
+    if (jsonToken.at("/params/data") != null) {
+      dataToken = jsonToken.at("/params/data");
+    }
+
     JavaType javaRequestType = this.objectMapper.getTypeFactory().constructParametricType(NotificationRequest.class, meta.getDataClass());
     NotificationRequest<D> rpcRequest = this.objectMapper.readValue(jsonString, javaRequestType);
 
     // Verify the notification (RpcRequest from Trustly) signature.
     try {
-      this.signer.verify(rpcRequest);
+      this.signer.verify(rpcRequest, dataToken);
     } catch (TrustlySignatureException ex) {
       throw new TrustlySignatureException(
         "Could not validate signature of notification from Trustly. Is the public key for Trustly the correct one, for test or production?",

diff --git a/src/main/java/com/trustly/api/domain/common/AbstractAccountDataAttributes.java b/src/main/java/com/trustly/api/domain/common/AbstractAccountDataAttributes.java
@@ -138,9 +138,21 @@ public class AbstractAccountDataAttributes extends AbstractRequestParamsDataAttr
   String unchangeableNationalIdentificationNumber;
 
   /**
+   * @deprecated (see ReturnToAppURL)
    * If you are using Trustly from within your native iOS app, this attribute should be sent so that we can redirect the users back to your
    * app in case an external app is used for authentication (for example Mobile Bank ID in Sweden).
    */
+  @Deprecated
   @JsonProperty("URLScheme")
   String urlScheme;
+
+  /**
+   * When rendering the Trustly Checkout in a native app you are required to pass your application’s url as an attribute to the order
+   * initiation request. By doing so, Trustly can redirect users back to your app after using external identification apps such as
+   * Mobile BankID: Please visit this link for more info. It must not be included for transactions that are not originating from an app.
+   * NOTE! This value is only used for redirecting users back to the native app within the flows.
+   * See also SuccessURL and FailURL descriptions.
+   */
+  @JsonProperty("ReturnToAppURL")
+  String returnToAppURL;
 }
diff --git a/src/main/java/com/trustly/api/domain/notifications/CancelNotificationData.java b/src/main/java/com/trustly/api/domain/notifications/CancelNotificationData.java
@@ -30,4 +30,10 @@ public class CancelNotificationData extends AbstractFromTrustlyRequestData<Empty
 
   @JsonProperty("timestamp")
   String timestamp;
+
+  @JsonProperty("lastorderstep")
+  String lastOrderStep;
+
+  @JsonProperty("orderstatuses")
+  String orderStatuses;
 }
diff --git a/src/test/java/com/trustly/api/NoOpJsonRpcSigner.java b/src/test/java/com/trustly/api/NoOpJsonRpcSigner.java
@@ -22,7 +22,7 @@ public <T extends IResponseResultData> JsonRpcResponse<T> sign(JsonRpcResponse<T
   }
 
   @Override
-  public <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request) {
+  public <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request, JsonNode dataNode) {
 
   }
-Original file line number
+Diff line change
@@ Expand Up @@
       }
       @Override
-      public <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request) {
+      public <D extends IRequestParamsData, P extends IRequestParams<D>> void verify(IRequest<P> request, JsonNode dataNode) {
       }
@@ Expand Down @@