I'm currently working on a REST based SagePay Integration using a combination of Django on the backend and Vue / Nuxt on the front.
The current process is as follows:
Client makes a request to my backend server for a merchantSessionKey via a GraphQL resolver.
The backend graphene resolver uses the secret merchant integration key and password (stored in environment variables) to make a post request for the merchantSessionKey and returns it to the Vue frontend.
A user fills in the credit card form (using SagePay's Own Form integration)
I use the card data to generate a cardIdentifier that I will store in my vuex state and will use later to further the rest of the transaction.
Is this all safe to do? Obviously it will be secured via https and I will setup CORS properly when everything goes into production, but I am technically storing the merchantSessionKey and cardIdentifier on the end users machine.
Both expire after 400sec and must be send together within Payment Registration POST authenticated with your vendor/account IntegrationKey and IntegrationPassword from your server which IP is whitelisted by Sage Pay. MSK is required to authenticate card tokenization call from customer's browser to Sage Pay endpoint. As a result you receive cardIdentifier/Token. This method keeps your server free of cardholder details but all (MSK,Token, PAN and CV2) are allowed to exist in customer browser.
IntegrationKey and IntegrationPassword can't be stored in the customer browser.
If you decide to use your own payment pages instead of drop-in checkout, you can't reference files from 3rd-party non-PCI DSS server to archive PCI DSS SAQ A-EP attestation.
I've reviewed it with QSA
Related
I am a bit confused on how does Authorize.net work and how to integrate it, in my project I am using Angular as frontend and node.js as backend and I have installed Authorize.net via npm install authorizenet also cloned the Node.js sample code and I would like to set Authorize.net like so.
Let's say I have a form on my website where the customer needs to enter their details including the credit card details, my question is when submitting (using HTTP Request Method: POST) does my website need to redirect to Authorize or is there a widget that Authorize uses that I can implement in my website or are the details send directly to Authorize and handled there.
On submitting the details from the website do I simply call let's say the function from the sample codes (modified for my site) charge-credit-card.js ?
After that where do I receive the response, do I need to somehow capture it ?
Do I simply use the Production API Endpoint: https://api.authorize.net/xml/v1/request.apiand use my Api login and transaction key to use Authorize, at least that's the way in the documentation from my understanding - After building the XML object for an API request, submit it to the Authorize.net payment gateway as a standard HTTPS POST to an Authorize.net API endpoint. The exact process for doing this will depend upon the development language that you use.
Thank you in advance.
Your server will never know the customer's credit card details.
when user first time registers in your site then you will create one customer for authorize.net using this code and you will save the customer id returned to your db for future reference.
To Update customer's credit card details:
create one API controller from your node server which will return authenticating token from authorize.net to your frontend. Get token code
Your front end will make call to above created controller's API and get the authorize.net token.
Now, your front end will use this token to get the update details form from authorize.
Then you will use authorize webhook facility to know if user has updated theit payment details or not.
Webhooks to be tracked:
net.authorize.customer.paymentProfile.updated
net.authorize.customer.paymentProfile.created
On receiving below notifications, your node server will perform the whatever task required.
Refer this doc for more details.
I have my web application. Now i want to integrate salesforce into my web app so that i can push data from my app to any salesforce org after the authentication(OAuth).
I found 2 ways:
1. Connected Apps
2. via wsdl generation file and use
I created a connected app from my developer account and i authenticated using consumer key, cusumer secret key(from my connected app) and username of user and secret token of the user account.
I tried with another free trail account, It's validating and fetching the details and post data also working.
My question is, shall i deploy my connected app into app exchange, then only i caan use REST APIs ?
generating wsdl and coding around is the better option than the above ?
Is there a option, only one time authentication enough for any number of sessions and use the REST APIs?
Please suggest me a best way to proceed.
You're mixing up a couple of independent issues here.
If you're going to authenticate via OAuth, you must have a Connected App.
A SOAP API login() call requires you to store a username and password, which is undesirable.
There is no way to "permanently" authenticate, i.e., to get a session id that never expires. Your app must always be ready to get a new access token via the OAuth refresh token it obtains and stores (via, for example, the Web Server OAuth flow), or to reauthenticate via JWT flow.
Connected Apps are global metadata in most cases. You don't need to deploy a Connected App into a target org in order to authenticate using its Client Id and Secret into that org. The only exception I'm aware of is if you want to use the JWT flow with a certificate and preauthorized Profiles and Permission Sets.
Based on what you've shared, I don't see any reason for the AppExchange to be involved.
I'm setting up a Django-React application, with authentication through third party CAS. The process of CAS authentication looks like following:
The web application redirects the user's browser to CAS's login URL with a "service" parameter, for instance https://cas.com/login?service=http://myapp.com.
Once the user has been authenticated by CAS, CAS redirects the authenticated user back to the application, and it will append a parameter named "ticket" to the redirected URL. Its ticket value is the one-time identification of a "service ticket". For instance, http://myapp.com/?ticket=abcdefg.
The application can then connect to the CAS "serviceValidate" endpoint to validate the one-time service ticket. For instance, https://cas.com/serviceValidate?service=http://myapp.com&ticket=abcdefg.
In response, CAS shall return an XML containing the authenticated user id, for instance,
<cas:serviceResponse>
<cas:authenticationSuccess>
<cas:user>johnd</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
I've done some research and found it could be implemented in mainly two ways:
Serve react as part of Django's static content.
Standalone react single page application(SPA) through JWT.
I've tried the first approach and it works, but the problem is that every time I want to test the authentication with React, I need to build the static file first and put them in Django, which is kind of slow. So I would like to try the second approach.
My question is that is there any best practice I could implement for the standalone approach? If I were to implement JWT, is it safe to store the access token in localStorage or cookie?
Many Thanks!
I have a logic app which triggers my HTTP endpoint every 15 minutes. Then the endpoint connects to SharePoint using Rest API and gets the data from specific list which is then added to my db.
But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself? or is there any to pass access token from my logic app while triggering my endpoint ?
As first answer. Yes, implement logic to get access token in HTTP Endpoint using SharePoint Online REST API.
Through such guides may be 1, 2, 3, 4. I think not exists any ways to pass access token from Azure logic app to your endpoint.
As second answer I can suggest to use SharePoint CSOM object model. To using it just install SharePoint Online Client Components SDK on computer where is your HTTP endpoint located and add Microsoft.SharePoint.Client.dll Microsoft.SharePoint.Client.Runtime.dll libraries as references. There exists good SharepointOnlineCredentials class to give credentials to requests.
Or other ways - you can re-architecture your solution:
Azure Logic Apps if I understood correctly must ask you to set connection to SharePoint by out-of-box features. See this article. I think you can get list items from SharePoint by actions in Azure Logic App and pass data to your HTTP endpoint without any additional access token requests just as method arguments.
If you have access to HTTP Endpoint from SharePoint then you can send data from SharePoint to your endpoint directly, not from Azure logic apps. You can do it from list items form pages, from site workflows or may be some Flow templates.
If you don't have access to HTTP Endpoint from SharePoint then you can create Azure hosted web service and call its methods from SharePoint by any ways. This web service will pass data to your HTTP endpoint as method arguments without any additional authentication. Web service call will be done from JavaScript on list item form save, from SharePoint workflow. May be here to get access token to this Azure web service will be easier then from your HTTP Endpoint to SP.
Are you using Azure SQL Database ? If yes then create connection between SharePoint Online and Azure SQL Database through Business Connectivity Services BCS. Like here or here or here. This allow user get, create, update items in your database inline in SharePoint list by out-of-box features.
Create periodically running code (Console App, PowerShell script, Windows Service). Schedule it on some server in your company. That code will use CSOM SharePoint object model and connect to SharePoint more easier through SharepointOnlineCredentials class, get data and connect to your HTTP Endpoint directly or to your database.
If your database is MS SQL Server located on-premise then you can use this guide to create Business Connectivity Services content types between SharePoint Online and on-premise SQL Server.
You can go some extravagant ways: =)
SharePoint by some ways can send emails with data from list items to some inbox and your HTTP endpoint can get these emails, parse data and perform following steps.
May be you can create Sql Server Integration Service (SSIS) package on some company local MS SQL Server that will send data from SharePoint on periodically basis to your database directly or to your HTTP endpoint directly.
Other ways...
"But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself?"
Correct, you do need a bearer access token. Where are you hosting the code for your HTTP endpoint? If you can put it in Azure as a Function or web API, then you can implement app-only permissions which will give you the necessary access token.
There are 2 options for doing so:
Granting access via Azure AD App-Only
Granting access using SharePoint App-Only
The first one is a bit more involved, because it requires a client secret AND a self-signed security certificate, but it will allow you permissions to any O365 API. The 2nd one is simpler and will only require the app/client ID and secret, but only allows permissions to the SharePoint Rest API.
The MSDN documentation linked above uses a PowerShell script to generate the security cert, but I prefer Bob German's instructions for manually creating/exporting one. He also includes instructions for registering an Azure AD application for your Azure function in his tutorial.
I'm struggling to understand how flask_login or django knows when a user logs in that they retain access?
If I were to use ReactJs or Angular with flask-restful or django/tastypie, what is being added to the header/body of future json requests to ensure that my user stays logged in?
This is done via sessions, which is based on cookies. From the Flask documentation:
In addition to the request object there is also a second object called session which allows you to store information specific to a user from one request to the next. This is implemented on top of cookies for you and signs the cookies cryptographically.
and the Django docs:
Django provides full support for anonymous sessions. The session framework lets you store and retrieve arbitrary data on a per-site-visitor basis. It stores data on the server side and abstracts the sending and receiving of cookies. Cookies contain a session ID – not the data itself (unless you’re using the cookie based backend).
So, the requests to the server automatically include a cookie that indicates some ID that the server then uses to figure out what the session data should be for the given user. In general, when Ajax requests are made from client-side applications to the server, this cookie is included and so ensures that the user is considered to be logged in for those requests.
In some cases, you can also (optionally) manually add a special header to HTTP requests to indicate which user is logged in.
See also Securing RESTapi in flask for some more information.
If you use REST service then you should take a look at oAuth. In other words it uses token which you attach to every request from client to server and the last can determine which user sent this request by this token.
On the other hand, you can use cookie or session to determine a user status. And in this case you don't need to add any headers to your request.
Also I recommend you this package for Django - Django Rest Framework (there you can read more about token and auth via REST) and this extension for Flask.