omniauth-swedbank 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '08dd6ff19fc5206753cdbaa5d52bd6e996bdc010c6a5ee5a2a1a3326c3b0377a'
-  data.tar.gz: e5f10b84a4bf54f2103b4b7ff2562e820934be35e390bae1e85dd4bd47703400
+  metadata.gz: 528ab8c0fad20b14c0e37c6c5ed9a027e801aebd8c365d88d3278a450f3f008b
+  data.tar.gz: afd969593c671e47716fe4ab9a8aec56f2d4af37ba2422e6f8c898830d6bd7fd
 SHA512:
-  metadata.gz: 624179716be3b0ffc26462e1fd11cdc9b532cde86ec059d2ba2fb927ec4ac06e1df436ee5dd43a6b1643bb3daffa522b1b3b8822090805ba514dd6acbfebaffd
-  data.tar.gz: a7f24969ca3acf4c424c2b65af68b5c46687ef4a722e95ffc9ae0bb971bc03cee8e31f08d5a8e27408bedc5652957624d2b57947adc77b7f9a800fe25b80b6c6
+  metadata.gz: c4cd649797d99a39ae36c9874866a37c0622091232059723196eecfb39be7b1002e38fcde0d762f053e5031df280118a4ecc914bd10c45bb3e7fec75d87737f2
+  data.tar.gz: a27486b76f6f6dcd109d86efa93756df72694a146c0fa962821a6cdb4a160fcef89897839a2b12c97b66e5cbdf2f12e34600ee792e209430241d6614a1e220f8

data/.github/workflows/ruby.yml

@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.7', '3.0', '3.1', '3.2']
+        ruby-version: ["3.1", "3.2", "3.3", "3.4", "4.0"]
 
     steps:
-    - uses: actions/checkout@v4
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby-version }}
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - name: Run tests
-      run: bundle exec rspec
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Run tests
+        run: bundle exec rspec

data/README.md

@@ -26,6 +26,10 @@ Or install it yourself as:
 
     $ gem install omniauth-rails_csrf_protection omniauth-swedbank
 
+## v009 Migration
+
+**Swedbank will shut down banklink protocol v008 on 2026-06-02.** See [Migration Guide](docs/migration_008_to_009.md) for details.
+
 ## Usage
 
 Here's a quick example, adding the middleware to a Rails app
@@ -37,13 +41,47 @@ Rails.application.config.middleware.use OmniAuth::Builder do
     File.read("path/to/private.key"),
     File.read("path/to/bank.crt"),
     ENV['SWEDBANK_SND_ID'],
-    ENV['SWEDBANK_REC_ID']
+    ENV['SWEDBANK_REC_ID'],
+    version: '009'
 end
 ```
 
+The `version` option defaults to `'008'` for backward compatibility. Set it to `'009'` when you're ready to migrate (requires a new bank certificate from [banklink.swedbank.com](https://banklink.swedbank.com/public/resources/bank-certificates/009)).
+
 ## Auth Hash
 
-Here's an example Auth Hash available in `request.env['omniauth.auth']`:
+### v009
+
+```ruby
+{
+  provider: 'swedbank',
+  uid: '374042-80367',
+  info: {
+    full_name: 'ARNIS RAITUMS',
+    country: 'LV'
+  },
+  extra: {
+    raw_info: {
+      VK_SERVICE: '3013',
+      VK_VERSION: '009',
+      VK_DATETIME: '2026-04-29T12:00:00+0300',
+      VK_SND_ID: 'SWEDBANK_LV',
+      VK_REC_ID: 'MPLMT',
+      VK_NONCE: '20170425114529204413',
+      VK_USER_NAME: 'ARNIS RAITUMS',
+      VK_USER_ID: '374042-80367',
+      VK_COUNTRY: 'LV',
+      VK_OTHER: '',
+      VK_TOKEN: '7',
+      VK_RID: '',
+      VK_MAC: 'qrEMRf6YV...',
+      VK_ENCODING: 'UTF-8'
+    }
+  }
+}
+```
+
+### v008 (deprecated)
 
 ```ruby
 {
@@ -61,7 +99,7 @@ Here's an example Auth Hash available in `request.env['omniauth.auth']`:
       VK_NONCE: '20170425114529204413',
       VK_INFO: 'ISIK:090482-12549;NIMI:DACE ĀBOLA',
       VK_MAC: 'qrEMRf6YV...',
-      VK_ENCODING: 'UTF-8
+      VK_ENCODING: 'UTF-8'
     }
   }
 }

data/docs/migration_008_to_009.md

@@ -0,0 +1,89 @@
+# Migration Guide: v008 to v009
+
+## Deadline
+
+Swedbank will shut down banklink protocol v008 on **2026-06-02**. After this date, all v008 authentication requests will be rejected by the bank.
+
+## What Changed in v009
+
+| Aspect | v008 | v009 |
+|--------|------|------|
+| Signing algorithm | SHA-1 | SHA-512 |
+| Request service code | 4002 | 4012 |
+| Response service code | 3003 | 3013 |
+| VK_SND_ID in response | HP | SWEDBANK_LV |
+| Bank certificate | Country-specific (LV) | Unified Baltic |
+| Min. key strength | 1024 bits | 2048 bits (recommended 4096) |
+| Response user data | VK_INFO (combined string) | VK_USER_NAME, VK_USER_ID, VK_COUNTRY, VK_OTHER, VK_TOKEN |
+| New request fields | - | VK_DATETIME, VK_RID |
+
+## Migration Steps
+
+### 1. Update the gem
+
+```bash
+bundle update omniauth-swedbank
+```
+
+With the default configuration (`version: '008'`), everything continues to work as before. You will see a deprecation warning in logs.
+
+### 2. Download the new bank certificate
+
+The v009 protocol uses a new unified Baltic certificate. Download it from:
+
+https://banklink.swedbank.com/public/resources/bank-certificates/009
+
+Replace your existing Swedbank public certificate file with the new one.
+
+### 3. Check your private key
+
+Your RSA private key must be at least **2048 bits** (recommended: **4096 bits**). Keys must be regenerated every **24 months**. Check your key size with:
+
+```bash
+openssl rsa -in your_private_key.pem -text -noout | head -1
+```
+
+If it shows less than 2048 bits or is older than 2 years, generate a new keypair. See [Keypair Change Instruction (PDF)](https://swedbank.lv/static/pdf/business/d2d/collection/keypair_change_instruction_LV.pdf) for detailed steps. Two options:
+
+- **Option A:** Use Swedbank's built-in keypair generator via the [support page](https://www.swedbank.lv/business/cash/banklink/integrate) (recommended). Log in, go to "My agreements", click "Update key" -> "Generate new key". Download and save the private key immediately — the bank does not store it.
+- **Option B:** Generate your own keypair and upload the public key via self-service or email it to cashmanagement@swedbank.lv.
+
+Note: When replacing keys, you can choose a transition period (up to 7 days) during which both old and new keys are valid.
+
+### 4. Update your provider configuration
+
+```ruby
+# Before (v008 - default)
+provider :swedbank,
+  File.read("path/to/private.key"),
+  File.read("path/to/old_bank.crt"),
+  ENV['SWEDBANK_SND_ID'],
+  ENV['SWEDBANK_REC_ID']
+
+# After (v009)
+provider :swedbank,
+  File.read("path/to/private.key"),
+  File.read("path/to/new_baltic_bank.crt"),
+  ENV['SWEDBANK_SND_ID'],
+  ENV['SWEDBANK_REC_ID'],
+  version: '009'
+```
+
+### 5. Update your callback handling (if applicable)
+
+If your application reads user data from the auth hash, note these changes:
+
+**v008:** User ID and name were parsed from the `VK_INFO` field (`ISIK:123456-12345;NIMI:John Doe`).
+
+**v009:** User data comes in separate fields:
+- `auth.uid` - reads from `VK_USER_ID` directly
+- `auth.info.full_name` - reads from `VK_USER_NAME` directly  
+- `auth.info.country` - new field from `VK_COUNTRY` (e.g., `LV`)
+- `auth.extra.raw_info` - contains all response parameters including `VK_TOKEN`, `VK_OTHER`, `VK_RID`
+
+If you only use `auth.uid` and `auth.info.full_name`, no changes are needed in your application code.
+
+## Reference
+
+- [Swedbank comparison PDF](https://www.swedbank.lv/static/business/banklink/LV_Authentication_008_vs_009_instruction.pdf)
+- [Bank certificates for v009](https://banklink.swedbank.com/public/resources/bank-certificates/009)

data/lib/omniauth/strategies/swedbank.rb

@@ -6,8 +6,10 @@ module OmniAuth
     class Swedbank
       include OmniAuth::Strategy
 
-      AUTH_SERVICE = '4002'
-      AUTH_VERSION = '008'
+      V008_AUTH_SERVICE = '4002'
+      V008_RESPONSE_SERVICE = '3003'
+      V009_AUTH_SERVICE = '4012'
+      V009_RESPONSE_SERVICE = '3013'
 
       def self.render_nonce?
          defined?(ActionDispatch::ContentSecurityPolicy::Request) != nil
@@ -26,40 +28,96 @@ module OmniAuth
 
       option :name, 'swedbank'
       option :site, 'https://www.swedbank.lv/banklink'
+      option :version, '008'
+
+      SUPPORTED_VERSIONS = %w[008 009].freeze
+
+      def version_009?
+        options.version == '009'
+      end
+
+      def invalid_version?
+        !SUPPORTED_VERSIONS.include?(options.version)
+      end
+
+      def auth_service
+        version_009? ? V009_AUTH_SERVICE : V008_AUTH_SERVICE
+      end
+
+      def response_service
+        version_009? ? V009_RESPONSE_SERVICE : V008_RESPONSE_SERVICE
+      end
+
+      def digest
+        version_009? ? OpenSSL::Digest::SHA512.new : OpenSSL::Digest::SHA1.new
+      end
 
       def stamp
         return @stamp if @stamp
         @stamp = Time.now.strftime('%Y%m%d%H%M%S') + SecureRandom.random_number(999999).to_s.rjust(6, '0')
       end
 
+      def datetime
+        @datetime ||= Time.now.strftime('%Y-%m-%dT%H:%M:%S%z')
+      end
+
+      def rid
+        ''
+      end
+
       def prepend_length(value)
         # prepend length to string in 0xx format
         [ value.to_s.length.to_s.rjust(3, '0'), value.dup.to_s.force_encoding('ascii')].join
       end
 
       def signature_input
-        [
-          AUTH_SERVICE,             # VK_SERVICE
-          AUTH_VERSION,             # VK_VERSION
-          options.snd_id,           # VK_SND_ID
-          options.rec_id,           # VK_REC_ID
-          stamp,                    # VK_NONCE
-          callback_url              # VK_RETURN
-        ].map{|v| prepend_length(v)}.join
+        fields = if version_009?
+          [
+            auth_service,       # VK_SERVICE
+            options.version,    # VK_VERSION
+            options.snd_id,     # VK_SND_ID
+            options.rec_id,     # VK_REC_ID
+            stamp,              # VK_NONCE
+            callback_url,       # VK_RETURN
+            datetime,           # VK_DATETIME
+            rid                 # VK_RID
+          ]
+        else
+          [
+            auth_service,       # VK_SERVICE
+            options.version,    # VK_VERSION
+            options.snd_id,     # VK_SND_ID
+            options.rec_id,     # VK_REC_ID
+            stamp,              # VK_NONCE
+            callback_url        # VK_RETURN
+          ]
+        end
+        fields.map{|v| prepend_length(v)}.join
       end
 
       def signature(priv_key)
-        Base64.encode64(priv_key.sign(OpenSSL::Digest::SHA1.new, signature_input))
+        Base64.encode64(priv_key.sign(digest, signature_input))
       end
 
       uid do
-        request.params['VK_INFO'].match(/ISIK:(\d{6}\-\d{5})/)[1]
+        if version_009?
+          request.params['VK_USER_ID']
+        else
+          request.params['VK_INFO'].match(/ISIK:(\d{6}\-\d{5})/)[1]
+        end
       end
 
       info do
-        {
-          full_name: request.params['VK_INFO'].match(/NIMI:(.+)/)[1]
-        }
+        if version_009?
+          {
+            full_name: request.params['VK_USER_NAME'],
+            country: request.params['VK_COUNTRY']
+          }
+        else
+          {
+            full_name: request.params['VK_INFO'].match(/NIMI:(.+)/)[1]
+          }
+        end
       end
 
       extra do
@@ -67,17 +125,22 @@ module OmniAuth
       end
 
       def callback_phase
+        if invalid_version?
+          return fail!(:unsupported_version_err,
+            ArgumentError.new("Unsupported banklink version '#{options.version}'. Supported: #{SUPPORTED_VERSIONS.join(', ')}"))
+        end
+
         begin
           pub_key = OpenSSL::X509::Certificate.new(options.public_key).public_key
         rescue => e
           return fail!(:public_key_load_err, e)
         end
 
-        if request.params['VK_SERVICE'] != '3003'
+        if request.params['VK_SERVICE'] != response_service
           return fail!(:unsupported_response_service_err)
         end
 
-        if request.params['VK_VERSION'] != '008'
+        if request.params['VK_VERSION'] != options.version
           return fail!(:unsupported_response_version_err)
         end
 
@@ -85,18 +148,35 @@ module OmniAuth
           return fail!(:unsupported_response_encoding_err)
         end
 
-        sig_str = [
-          request.params['VK_SERVICE'],
-          request.params['VK_VERSION'],
-          request.params['VK_SND_ID'],
-          request.params['VK_REC_ID'],
-          request.params['VK_NONCE'],
-          request.params['VK_INFO']
-        ].map{|v| prepend_length(v)}.join
+        sig_str = if version_009?
+          [
+            request.params['VK_SERVICE'],
+            request.params['VK_VERSION'],
+            request.params['VK_DATETIME'],
+            request.params['VK_SND_ID'],
+            request.params['VK_REC_ID'],
+            request.params['VK_NONCE'],
+            request.params['VK_USER_NAME'],
+            request.params['VK_USER_ID'],
+            request.params['VK_COUNTRY'],
+            request.params['VK_OTHER'],
+            request.params['VK_TOKEN'],
+            request.params['VK_RID']
+          ].map{|v| prepend_length(v)}.join
+        else
+          [
+            request.params['VK_SERVICE'],
+            request.params['VK_VERSION'],
+            request.params['VK_SND_ID'],
+            request.params['VK_REC_ID'],
+            request.params['VK_NONCE'],
+            request.params['VK_INFO']
+          ].map{|v| prepend_length(v)}.join
+        end
 
         raw_signature = Base64.decode64(request.params['VK_MAC'])
 
-        if !pub_key.verify(OpenSSL::Digest::SHA1.new, raw_signature, sig_str)
+        if !pub_key.verify(digest, raw_signature, sig_str)
           return fail!(:invalid_response_signature_err)
         end
 
@@ -104,19 +184,30 @@ module OmniAuth
       end
 
       def request_phase
+        if invalid_version?
+          return fail!(:unsupported_version_err,
+            ArgumentError.new("Unsupported banklink version '#{options.version}'. Supported: #{SUPPORTED_VERSIONS.join(', ')}"))
+        end
+
         begin
           priv_key = OpenSSL::PKey::RSA.new(options.private_key)
         rescue => e
           return fail!(:private_key_load_err, e)
         end
 
+        unless version_009?
+          warn "[DEPRECATION] omniauth-swedbank: Swedbank banklink v008 will be shut down on 2026-06-02. " \
+               "Please migrate to v009 by setting `version: '009'` in your provider config. " \
+               "See https://www.swedbank.lv/static/business/banklink/LV_Authentication_008_vs_009_instruction.pdf"
+        end
+
         set_locale_from_query_param
 
         form = OmniAuth::Form.new(:title => I18n.t('omniauth.swedbank.please_wait'), :url => options.site)
 
-        {
-          'VK_SERVICE' => AUTH_SERVICE,
-          'VK_VERSION' => AUTH_VERSION,
+        params = {
+          'VK_SERVICE' => auth_service,
+          'VK_VERSION' => options.version,
           'VK_SND_ID' => options.snd_id,
           'VK_REC_ID' => options.rec_id,
           'VK_NONCE' => stamp,
@@ -124,7 +215,14 @@ module OmniAuth
           'VK_MAC' => signature(priv_key),
           'VK_LANG' => resolve_bank_ui_language,
           'VK_ENCODING' => 'UTF-8'
-        }.each do |name, val|
+        }
+
+        if version_009?
+          params['VK_DATETIME'] = datetime
+          params['VK_RID'] = rid
+        end
+
+        params.each do |name, val|
           form.html "<input type=\"hidden\" name=\"#{name}\" value=\"#{escape(val)}\" />"
         end
 

data/lib/omniauth/swedbank/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module Swedbank
-    VERSION = '0.3.0'
+    VERSION = '0.4.0'
   end
 end

data/omniauth-swedbank.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.7'
+  spec.required_ruby_version = '>= 3.1'
 
   spec.add_runtime_dependency 'omniauth', '~> 2.1'
   spec.add_runtime_dependency 'i18n'

data/spec/certs/response.v009.public.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICoTCCAYmgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlUZXN0
+IFYwMDkwHhcNMjYwNDI5MDkyNjQ5WhcNMjcwNDI5MDkyNjQ5WjAUMRIwEAYDVQQD
+DAlUZXN0IFYwMDkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtZLYp
+KJNe16Fp2S/EVyyz0aFdPhBwgn+707JW/a8EM1m0rryNUbwZpQqZ2wzmPy6r/D13
+UssJpGVg74+LQ8GZI+mgiL+U7nY95111XhOQ/B258i40HAwf3WFVqDKmigYxXU+O
+0hbuUwXmT7qP3sRNgNLChn6BFDV6c1f/TYkiSZrSj45HQsqDekCIZdy6CvzV8m5I
+JV3TJWshoEj4HPJI7YEkgjc3nzwUsKiLi9k6FsLSiveFBaky+mhYBlJUtET7KEwu
+raHw7LkCn1FoCSodgxeHF9IFCCyKTI7VKETB4w0TYLKCbMOjtON0ifCx+H/w8LwP
+YrhXTF6rjcdL3A9jAgMBAAEwDQYJKoZIhvcNAQENBQADggEBAErV4sBKLwmUvjOT
+S8Kjw+BwTf0NU/yOpQS1kCSTD5gn9OOqDirOQe7Yj1dyGWMDmfGy4Jw7xcMSRTTq
+TCKS7poTkFa8mXRPm+kFqw1Hy3U6/MsswZCBxiIkGEltKytXe+AdLVY2uM46/j6W
+D6Rt0vgcBcj//h2et4f8GDMs4s1ndKp8o0rnggSQCcgC2yLMNL8AdSxwHj7eGDiv
+cCWspZCXq7SGOoMC3jhhNOYt9WjH+/Aj/FXDRu2iguaG4I4qBGJSmY2i4WQT/XJv
+sXPCrHoN0oGrmzX/V5/20AEOhS6oBLCIMfBeR4iRAicUW9mUnVj+PqigZkXGSArB
+tkkI44U=
+-----END CERTIFICATE-----

data/spec/omniauth/strategies/swedbank_spec.rb

@@ -6,210 +6,434 @@ describe OmniAuth::Strategies::Swedbank do
 
   PRIVATE_KEY = File.read(File.join(RSpec.configuration.cert_folder, 'request.private.pem'))
   PUBLIC_KEY = File.read(File.join(RSpec.configuration.cert_folder, 'response.public.pem'))
-
-  let(:app){ Rack::Builder.new do |b|
-    b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
-    b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID')
-    b.run lambda{|env| [404, {}, ['Not Found']]}
-  end.to_app }
+  PUBLIC_KEY_V009 = File.read(File.join(RSpec.configuration.cert_folder, 'response.v009.public.pem'))
 
   let(:token){ Rack::Protection::AuthenticityToken.random_token }
 
   let(:last_response_nonce) { last_response.body.match(/name="VK_NONCE" value="([^"]*)"/)[1] }
   let(:last_response_mac) { last_response.body.match(/name="VK_MAC" value="([^"]*)"/)[1] }
 
-  context 'request phase' do
-    EXPECTED_VALUES = {
-      'VK_SERVICE' => '4002',
-      'VK_VERSION' => '008',
-      'VK_SND_ID' =>  'MY_SND_ID',
-      'VK_REC_ID' =>  'MY_REC_ID',
-      'VK_RETURN' =>  'http://example.org/auth/swedbank/callback'
-    }
-
-    before(:each) do
-      post(
-        '/auth/swedbank',
-        {},
-        'rack.session' => {csrf: token},
-        'HTTP_X_CSRF_TOKEN' => token
-      )
-    end
+  context 'v008 (default)' do
+    let(:app){ Rack::Builder.new do |b|
+      b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
+      b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID')
+      b.run lambda{|env| [404, {}, ['Not Found']]}
+    end.to_app }
+
+    context 'request phase' do
+      EXPECTED_VALUES_V008 = {
+        'VK_SERVICE' => '4002',
+        'VK_VERSION' => '008',
+        'VK_SND_ID' =>  'MY_SND_ID',
+        'VK_REC_ID' =>  'MY_REC_ID',
+        'VK_RETURN' =>  'http://example.org/auth/swedbank/callback'
+      }
+
+      before(:each) do
+        post(
+          '/auth/swedbank',
+          {},
+          'rack.session' => {csrf: token},
+          'HTTP_X_CSRF_TOKEN' => token
+        )
+      end
 
-    it 'displays a single form' do
-      expect(last_response.status).to eq(200)
-      expect(last_response.body.scan('<form').size).to eq(1)
-    end
+      it 'displays a single form' do
+        expect(last_response.status).to eq(200)
+        expect(last_response.body.scan('<form').size).to eq(1)
+      end
 
-    it 'has JavaScript code to submit the form after it is created' do
-      expect(last_response.body).to be_include('</form><script type="text/javascript">document.forms[0].submit();</script>')
-    end
+      it 'has JavaScript code to submit the form after it is created' do
+        expect(last_response.body).to be_include('</form><script type="text/javascript">document.forms[0].submit();</script>')
+      end
 
-    EXPECTED_VALUES.each_pair do |k,v|
-      it "has hidden input field #{k} => #{v}" do
-        expect(last_response.body.scan(
-          "<input type=\"hidden\" name=\"#{k}\" value=\"#{v}\"").size).to eq(1)
+      EXPECTED_VALUES_V008.each_pair do |k,v|
+        it "has hidden input field #{k} => #{v}" do
+          expect(last_response.body.scan(
+            "<input type=\"hidden\" name=\"#{k}\" value=\"#{v}\"").size).to eq(1)
+        end
       end
-    end
 
-    it 'has a 50 byte long nonce field value' do
-      expect(last_response_nonce.bytesize).to eq(20)
-    end
+      it 'has a 20 byte long nonce field value' do
+        expect(last_response_nonce.bytesize).to eq(20)
+      end
 
-    it 'has a correct VK_MAC signature' do
-      sig_str =
-        '0044002' + # VK_SERVICE
-        '003008' +  # VK_VERSION
-        '009MY_SND_ID' +  # VK_SND_ID
-        '009MY_REC_ID' +  # VK_REC_ID
-        "020#{last_response_nonce}" +  # VK_NONCE
-        "041#{EXPECTED_VALUES['VK_RETURN']}"  # V_RETURN
-
-      private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
-      expected_mac = Base64.encode64(private_key.sign(OpenSSL::Digest::SHA1.new, sig_str))
-      expect(last_response_mac).to eq(expected_mac)
-    end
+      it 'has a correct VK_MAC signature' do
+        sig_str =
+          '0044002' + # VK_SERVICE
+          '003008' +  # VK_VERSION
+          '009MY_SND_ID' +  # VK_SND_ID
+          '009MY_REC_ID' +  # VK_REC_ID
+          "020#{last_response_nonce}" +  # VK_NONCE
+          "041#{EXPECTED_VALUES_V008['VK_RETURN']}"  # V_RETURN
+
+        private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+        expected_mac = Base64.encode64(private_key.sign(OpenSSL::Digest::SHA1.new, sig_str))
+        expect(last_response_mac).to eq(expected_mac)
+      end
 
-    context 'with default options' do
-      it 'has the default action tag value' do
-        expect(last_response.body).to be_include("action='https://www.swedbank.lv/banklink'")
+      it 'does not include VK_DATETIME field' do
+        expect(last_response.body).not_to include('name="VK_DATETIME"')
       end
 
-      it 'has the default VK_LANG value' do
-        expect(last_response.body).to be_include("action='https://www.swedbank.lv/banklink'")
+      it 'does not include VK_RID field' do
+        expect(last_response.body).not_to include('name="VK_RID"')
       end
-    end
 
-    context 'with custom options' do
-      let(:app){ Rack::Builder.new do |b|
-        b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
-        b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID',
-          site: 'https://test.lv/banklink')
-        b.run lambda{|env| [404, {}, ['Not Found']]}
-      end.to_app }
+      it 'outputs a deprecation warning' do
+        expect { post('/auth/swedbank', {}, 'rack.session' => {csrf: token}, 'HTTP_X_CSRF_TOKEN' => token) }
+          .to output(/DEPRECATION.*v008.*2026-06-02/).to_stderr
+      end
+
+      context 'with default options' do
+        it 'has the default action tag value' do
+          expect(last_response.body).to be_include("action='https://www.swedbank.lv/banklink'")
+        end
+
+        it 'has the default VK_LANG value' do
+          expect(last_response.body).to be_include("action='https://www.swedbank.lv/banklink'")
+        end
+      end
+
+      context 'with custom options' do
+        let(:app){ Rack::Builder.new do |b|
+          b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
+          b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID',
+            site: 'https://test.lv/banklink')
+          b.run lambda{|env| [404, {}, ['Not Found']]}
+        end.to_app }
+
+        it 'has the custom action tag value' do
+          expect(last_response.body).to be_include("action='https://test.lv/banklink'")
+        end
+      end
+
+      context 'with non-existant private key files' do
+        let(:app){ Rack::Builder.new do |b|
+          b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
+          b.use(OmniAuth::Strategies::Swedbank, 'missing-private-key-file.pem', PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID')
+          b.run lambda{|env| [404, {}, ['Not Found']]}
+        end.to_app }
+
+        it 'redirects to /auth/failure with appropriate query params' do
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=private_key_load_err&strategy=swedbank')
+        end
+      end
 
-      it 'has the custom action tag value' do
-        expect(last_response.body).to be_include("action='https://test.lv/banklink'")
+      context 'with invalid version' do
+        let(:app){ Rack::Builder.new do |b|
+          b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
+          b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID',
+            version: '010')
+          b.run lambda{|env| [404, {}, ['Not Found']]}
+        end.to_app }
+
+        it 'fails with unsupported_version_err on request phase' do
+          post('/auth/swedbank', {}, 'rack.session' => {csrf: token}, 'HTTP_X_CSRF_TOKEN' => token)
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_version_err&strategy=swedbank')
+        end
+
+        it 'fails with unsupported_version_err on callback phase' do
+          post '/auth/swedbank/callback', 'VK_SERVICE' => '3003'
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_version_err&strategy=swedbank')
+        end
       end
     end
 
-    context 'with non-existant private key files' do
-      let(:app){ Rack::Builder.new do |b|
-        b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
-        b.use(OmniAuth::Strategies::Swedbank, 'missing-private-key-file.pem', PUBLIC_KEY, 'MY_SND_ID', 'MY_REC_ID')
-        b.run lambda{|env| [404, {}, ['Not Found']]}
-      end.to_app }
+    context 'callback phase' do
+      let(:auth_hash){ last_request.env['omniauth.auth'] }
+
+      context 'with valid response' do
+        before do
+          post '/auth/swedbank/callback',
+            'VK_SERVICE' =>   '3003',
+            'VK_VERSION' =>   '008',
+            'VK_SND_ID' =>    'HP',
+            'VK_REC_ID' =>    'MY_REC_ID',
+            'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
+            'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
+            'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
+            'VK_LANG' =>      'LAT',
+            'VK_ENCODING' =>  'UTF-8'
+        end
+
+        it 'sets the correct uid value in the auth hash' do
+          expect(auth_hash.uid).to eq('123456-12345')
+        end
+
+        it 'sets the correct info.full_name value in the auth hash' do
+          expect(auth_hash.info.full_name).to eq('Example User')
+        end
+      end
+
+      context 'with non-existant public key file' do
+        let(:app){ Rack::Builder.new do |b|
+          b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
+          b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, 'missing-public-key-file.pem', 'MY_SND_ID', 'MY_REC_ID')
+          b.run lambda{|env| [404, {}, ['Not Found']]}
+        end.to_app }
+
+        it 'redirects to /auth/failure with appropriate query params' do
+          post '/auth/swedbank/callback'
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=public_key_load_err&strategy=swedbank')
+        end
+      end
 
-      it 'redirects to /auth/failure with appropriate query params' do
-        expect(last_response.status).to eq(302)
-        expect(last_response.headers['Location']).to eq('/auth/failure?message=private_key_load_err&strategy=swedbank')
+      context 'with invalid response' do
+        it 'detects invalid signature' do
+          post '/auth/swedbank/callback',
+            'VK_SERVICE' =>   '3003',
+            'VK_VERSION' =>   '008',
+            'VK_SND_ID' =>    'HP',
+            'VK_REC_ID' =>    'MY_REC_ID',
+            'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
+            'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
+            'VK_MAC' =>       'invalid signature',
+            'VK_LANG' =>      'LAT',
+            'VK_ENCODING' =>  'UTF-8'
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=invalid_response_signature_err&strategy=swedbank')
+        end
+
+        it 'detects unsupported VK_SERVICE values' do
+          post '/auth/swedbank/callback',
+            'VK_SERVICE' =>   '3004',
+            'VK_VERSION' =>   '008',
+            'VK_SND_ID' =>    'HP',
+            'VK_REC_ID' =>    'MY_REC_ID',
+            'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
+            'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
+            'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
+            'VK_LANG' =>      'LAT',
+            'VK_ENCODING' =>  'UTF-8'
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_service_err&strategy=swedbank')
+        end
+
+        it 'detects unsupported VK_VERSION values' do
+          post '/auth/swedbank/callback',
+            'VK_SERVICE' =>   '3003',
+            'VK_VERSION' =>   '009',
+            'VK_SND_ID' =>    'HP',
+            'VK_REC_ID' =>    'MY_REC_ID',
+            'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
+            'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
+            'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
+            'VK_LANG' =>      'LAT',
+            'VK_ENCODING' =>  'UTF-8'
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_version_err&strategy=swedbank')
+        end
+
+        it 'detects unsupported VK_ENCODING values' do
+          post '/auth/swedbank/callback',
+            'VK_SERVICE' =>   '3003',
+            'VK_VERSION' =>   '008',
+            'VK_SND_ID' =>    'HP',
+            'VK_REC_ID' =>    'MY_REC_ID',
+            'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
+            'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
+            'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
+            'VK_LANG' =>      'LAT',
+            'VK_ENCODING' =>  'ASCII'
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_encoding_err&strategy=swedbank')
+        end
       end
     end
   end
 
-  context 'callback phase' do
-    let(:auth_hash){ last_request.env['omniauth.auth'] }
+  context 'v009' do
+    let(:app){ Rack::Builder.new do |b|
+      b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
+      b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, PUBLIC_KEY_V009, 'MY_SND_ID', 'MY_REC_ID',
+        version: '009')
+      b.run lambda{|env| [404, {}, ['Not Found']]}
+    end.to_app }
+
+    context 'request phase' do
+      EXPECTED_VALUES_V009 = {
+        'VK_SERVICE' => '4012',
+        'VK_VERSION' => '009',
+        'VK_SND_ID' =>  'MY_SND_ID',
+        'VK_REC_ID' =>  'MY_REC_ID',
+        'VK_RETURN' =>  'http://example.org/auth/swedbank/callback'
+      }
+
+      let(:last_response_datetime) { last_response.body.match(/name="VK_DATETIME" value="([^"]*)"/)[1] }
+      let(:last_response_rid) { last_response.body.match(/name="VK_RID" value="([^"]*)"/)[1] }
+
+      before(:each) do
+        post(
+          '/auth/swedbank',
+          {},
+          'rack.session' => {csrf: token},
+          'HTTP_X_CSRF_TOKEN' => token
+        )
+      end
 
-    context 'with valid response' do
-      before do
-        post '/auth/swedbank/callback',
-          'VK_SERVICE' =>   '3003',
-          'VK_VERSION' =>   '008',
-          'VK_SND_ID' =>    'HP',
-          'VK_REC_ID' =>    'MY_REC_ID',
-          'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
-          'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
-          'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
-          'VK_LANG' =>      'LAT',
-          'VK_ENCODING' =>  'UTF-8'
+      it 'displays a single form' do
+        expect(last_response.status).to eq(200)
+        expect(last_response.body.scan('<form').size).to eq(1)
       end
 
-      it 'sets the correct uid value in the auth hash' do
-        expect(auth_hash.uid).to eq('123456-12345')
+      EXPECTED_VALUES_V009.each_pair do |k,v|
+        it "has hidden input field #{k} => #{v}" do
+          expect(last_response.body.scan(
+            "<input type=\"hidden\" name=\"#{k}\" value=\"#{v}\"").size).to eq(1)
+        end
       end
 
-      it 'sets the correct info.full_name value in the auth hash' do
-        expect(auth_hash.info.full_name).to eq('Example User')
+      it 'has a VK_DATETIME field' do
+        expect(last_response_datetime).to match(/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}/)
       end
-    end
 
-    context 'with non-existant public key file' do
-      let(:app){ Rack::Builder.new do |b|
-        b.use Rack::Session::Cookie, {secret: '5242e6bd9daf0e9645c2d4e22b11ba8cee0bed44439906d5f1bd5dad409d8637'}
-        b.use(OmniAuth::Strategies::Swedbank, PRIVATE_KEY, 'missing-public-key-file.pem', 'MY_SND_ID', 'MY_REC_ID')
-        b.run lambda{|env| [404, {}, ['Not Found']]}
-      end.to_app }
+      it 'has a VK_RID field' do
+        expect(last_response.body).to include('name="VK_RID"')
+      end
 
-      it 'redirects to /auth/failure with appropriate query params' do
-        post '/auth/swedbank/callback' # Params are not important, because we're testing public key loading
-        expect(last_response.status).to eq(302)
-        expect(last_response.headers['Location']).to eq('/auth/failure?message=public_key_load_err&strategy=swedbank')
+      it 'has a 20 byte long nonce field value' do
+        expect(last_response_nonce.bytesize).to eq(20)
+      end
+
+      it 'has a correct VK_MAC signature using SHA-512' do
+        sig_str =
+          '0044012' + # VK_SERVICE
+          '003009' +  # VK_VERSION
+          '009MY_SND_ID' +  # VK_SND_ID
+          '009MY_REC_ID' +  # VK_REC_ID
+          "020#{last_response_nonce}" +  # VK_NONCE
+          "041#{EXPECTED_VALUES_V009['VK_RETURN']}" +  # VK_RETURN
+          "#{'%03d' % last_response_datetime.length}#{last_response_datetime}" +  # VK_DATETIME
+          "000"  # VK_RID (empty)
+
+        private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+        expected_mac = Base64.encode64(private_key.sign(OpenSSL::Digest::SHA512.new, sig_str))
+        expect(last_response_mac).to eq(expected_mac)
+      end
+
+      it 'does not output a deprecation warning' do
+        expect { post('/auth/swedbank', {}, 'rack.session' => {csrf: token}, 'HTTP_X_CSRF_TOKEN' => token) }
+          .not_to output(/DEPRECATION/).to_stderr
       end
     end
 
-    context 'with invalid response' do
-      it 'detects invalid signature' do
-        post '/auth/swedbank/callback',
-          'VK_SERVICE' =>   '3003',
-          'VK_VERSION' =>   '008',
-          'VK_SND_ID' =>    'HP',
-          'VK_REC_ID' =>    'MY_REC_ID',
-          'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
-          'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
-          'VK_MAC' =>       'invalid signature',
-          'VK_LANG' =>      'LAT',
-          'VK_ENCODING' =>  'UTF-8'
-
-        expect(last_response.status).to eq(302)
-        expect(last_response.headers['Location']).to eq('/auth/failure?message=invalid_response_signature_err&strategy=swedbank')
-      end
-
-      it 'detects unsupported VK_SERVICE values' do
-        post '/auth/swedbank/callback',
-          'VK_SERVICE' =>   '3004',
-          'VK_VERSION' =>   '008',
-          'VK_SND_ID' =>    'HP',
-          'VK_REC_ID' =>    'MY_REC_ID',
-          'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
-          'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
-          'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
-          'VK_LANG' =>      'LAT',
-          'VK_ENCODING' =>  'UTF-8'
-
-        expect(last_response.status).to eq(302)
-        expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_service_err&strategy=swedbank')
-      end
-
-      it 'detects unsupported VK_VERSION values' do
-        post '/auth/swedbank/callback',
-          'VK_SERVICE' =>   '3003',
-          'VK_VERSION' =>   '009',
-          'VK_SND_ID' =>    'HP',
-          'VK_REC_ID' =>    'MY_REC_ID',
-          'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
-          'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
-          'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
-          'VK_LANG' =>      'LAT',
-          'VK_ENCODING' =>  'UTF-8'
-
-        expect(last_response.status).to eq(302)
-        expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_version_err&strategy=swedbank')
-      end
-
-      it 'detects unsupported VK_ENCODING values' do
-        post '/auth/swedbank/callback',
-          'VK_SERVICE' =>   '3003',
-          'VK_VERSION' =>   '008',
-          'VK_SND_ID' =>    'HP',
-          'VK_REC_ID' =>    'MY_REC_ID',
-          'VK_NONCE' =>     'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a',
-          'VK_INFO' =>      'ISIK:123456-12345;NIMI:Example User',
-          'VK_MAC' =>       'cmXyp2My7P9pTgrzqJeg7qH+NPCuyaiGNpQIrcCr6S44w0bH+Ao4WDViqytaPH2vENooVPXDSgOcBqHTg44gJ9FlrhI5StiouHVhjpCcWg+h/ERcyc8w58PjsEmdsd4BIpaGXNyhvcIKdWfNwYA1UCIrmFsPAPWfVeorNxp81E7pvY4p4zsqMF80YZ7/RdOpjrtuXJ4nYJ7d+2fXJKKmUlqArCc786DJdb/z8wVDSNA9BZxnf8EE6s//p9gzqLPAg/T9Xp/2024n2JtC6kwsWF614bn64LEZz5c8owZth6FV+2fjnzHxOiifOe+jc9SRstCLITK6Y0j+6n8auiEZ5g==',
-          'VK_LANG' =>      'LAT',
-          'VK_ENCODING' =>  'ASCII'
-
-        expect(last_response.status).to eq(302)
-        expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_encoding_err&strategy=swedbank')
+    context 'callback phase' do
+      let(:auth_hash){ last_request.env['omniauth.auth'] }
+
+      # Generate a valid v009 MAC for test data
+      let(:v009_response_params) do
+        nonce = 'pXXXlocalhostX3000b41292810c0345a7b3770b1c807bed7a'
+        datetime = '2026-04-29T12:00:00+0300'
+        user_name = 'Example User'
+        user_id = '123456-12345'
+        country = 'LV'
+        other = ''
+        token_val = '7'
+        rid = ''
+
+        sig_str = [
+          '3013', '009', datetime, 'SWEDBANK_LV', 'MY_REC_ID',
+          nonce, user_name, user_id, country, other, token_val, rid
+        ].map{|v| '%03d' % v.to_s.length + v.to_s.dup.force_encoding('ascii')}.join
+
+        private_key = OpenSSL::PKey::RSA.new(PRIVATE_KEY)
+        mac = Base64.encode64(private_key.sign(OpenSSL::Digest::SHA512.new, sig_str))
+
+        {
+          'VK_SERVICE' =>    '3013',
+          'VK_VERSION' =>    '009',
+          'VK_DATETIME' =>   datetime,
+          'VK_SND_ID' =>     'SWEDBANK_LV',
+          'VK_REC_ID' =>     'MY_REC_ID',
+          'VK_NONCE' =>      nonce,
+          'VK_USER_NAME' =>  user_name,
+          'VK_USER_ID' =>    user_id,
+          'VK_COUNTRY' =>    country,
+          'VK_OTHER' =>      other,
+          'VK_TOKEN' =>      token_val,
+          'VK_RID' =>        rid,
+          'VK_MAC' =>        mac,
+          'VK_LANG' =>       'LAT',
+          'VK_ENCODING' =>   'UTF-8'
+        }
+      end
+
+      context 'with valid response' do
+        before do
+          post '/auth/swedbank/callback', v009_response_params
+        end
+
+        it 'sets the correct uid value in the auth hash' do
+          expect(auth_hash.uid).to eq('123456-12345')
+        end
+
+        it 'sets the correct info.full_name value in the auth hash' do
+          expect(auth_hash.info.full_name).to eq('Example User')
+        end
+
+        it 'sets the correct info.country value in the auth hash' do
+          expect(auth_hash.info.country).to eq('LV')
+        end
+
+        it 'includes all v009 params in extra.raw_info' do
+          expect(auth_hash.extra.raw_info).to include(
+            'VK_SERVICE' => '3013',
+            'VK_VERSION' => '009',
+            'VK_SND_ID' => 'SWEDBANK_LV',
+            'VK_USER_NAME' => 'Example User',
+            'VK_USER_ID' => '123456-12345',
+            'VK_COUNTRY' => 'LV',
+            'VK_TOKEN' => '7',
+            'VK_RID' => ''
+          )
+        end
+
+        it 'does not include VK_INFO in extra.raw_info' do
+          expect(auth_hash.extra.raw_info).not_to have_key('VK_INFO')
+        end
+      end
+
+      context 'with invalid response' do
+        it 'detects invalid signature' do
+          params = v009_response_params.merge('VK_MAC' => 'invalid signature')
+          post '/auth/swedbank/callback', params
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=invalid_response_signature_err&strategy=swedbank')
+        end
+
+        it 'detects unsupported VK_SERVICE values' do
+          params = v009_response_params.merge('VK_SERVICE' => '3003')
+          post '/auth/swedbank/callback', params
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_service_err&strategy=swedbank')
+        end
+
+        it 'detects unsupported VK_VERSION values' do
+          params = v009_response_params.merge('VK_VERSION' => '008')
+          post '/auth/swedbank/callback', params
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_version_err&strategy=swedbank')
+        end
+
+        it 'detects unsupported VK_ENCODING values' do
+          params = v009_response_params.merge('VK_ENCODING' => 'ASCII')
+          post '/auth/swedbank/callback', params
+
+          expect(last_response.status).to eq(302)
+          expect(last_response.headers['Location']).to eq('/auth/failure?message=unsupported_response_encoding_err&strategy=swedbank')
+        end
       end
     end
   end

metadata

@@ -1,16 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-swedbank
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Mitigate
 - Jānis Kiršteins
 - Kristaps Ērglis
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-27 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -139,6 +138,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- docs/migration_008_to_009.md
 - lib/omniauth-swedbank.rb
 - lib/omniauth/locales/omniauth.en.yml
 - lib/omniauth/locales/omniauth.lv.yml
@@ -148,13 +148,13 @@ files:
 - omniauth-swedbank.gemspec
 - spec/certs/request.private.pem
 - spec/certs/response.public.pem
+- spec/certs/response.v009.public.pem
 - spec/omniauth/strategies/swedbank_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/mitigate-dev/omniauth-swedbank
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -162,19 +162,19 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: OmniAuth strategy for Swedbank Banklink
 test_files:
 - spec/certs/request.private.pem
 - spec/certs/response.public.pem
+- spec/certs/response.v009.public.pem
 - spec/omniauth/strategies/swedbank_spec.rb
 - spec/spec_helper.rb