Accept.js allows you to translate credit card numbers into coded payment tokens. Then you can charge those payment tokens just as they were credit cards.
Source: https://developer.authorize.net/api/reference/features/acceptjs.html
The documented API is for the visitor to load (insecure and no SRI/CORS) javascript and send payment details directly to Authorize.net.
Instead I'd like to have the visitor send payment details to my server (I am already PCI compliant). Then I'd like to exchange the card details using the accept.js API (not documented) for a token. Then I'd like to store that token on our server.
Is this (ab)use of the accept.js API allowed? Is it documented or do I have to reverse engineer accept.js javascript code? Do the generated payment tokens expire or can I use them in this way for future payments?
Accept.js tokens can be used only once and expire after 15 minutes. Instead, you can create token that does not expire using Customer Profiles.
Also, if your site is already PCI compliant and you don't need an SAQ A-EP compliant solution like Accept.js, you can create the customer profile using the Authorize.Net API. The API also supports creating a customer profile using an Accept.js token as well.
Related
I am a bit confused on how does Authorize.net work and how to integrate it, in my project I am using Angular as frontend and node.js as backend and I have installed Authorize.net via npm install authorizenet also cloned the Node.js sample code and I would like to set Authorize.net like so.
Let's say I have a form on my website where the customer needs to enter their details including the credit card details, my question is when submitting (using HTTP Request Method: POST) does my website need to redirect to Authorize or is there a widget that Authorize uses that I can implement in my website or are the details send directly to Authorize and handled there.
On submitting the details from the website do I simply call let's say the function from the sample codes (modified for my site) charge-credit-card.js ?
After that where do I receive the response, do I need to somehow capture it ?
Do I simply use the Production API Endpoint: https://api.authorize.net/xml/v1/request.apiand use my Api login and transaction key to use Authorize, at least that's the way in the documentation from my understanding - After building the XML object for an API request, submit it to the Authorize.net payment gateway as a standard HTTPS POST to an Authorize.net API endpoint. The exact process for doing this will depend upon the development language that you use.
Thank you in advance.
Your server will never know the customer's credit card details.
when user first time registers in your site then you will create one customer for authorize.net using this code and you will save the customer id returned to your db for future reference.
To Update customer's credit card details:
create one API controller from your node server which will return authenticating token from authorize.net to your frontend. Get token code
Your front end will make call to above created controller's API and get the authorize.net token.
Now, your front end will use this token to get the update details form from authorize.
Then you will use authorize webhook facility to know if user has updated theit payment details or not.
Webhooks to be tracked:
net.authorize.customer.paymentProfile.updated
net.authorize.customer.paymentProfile.created
On receiving below notifications, your node server will perform the whatever task required.
Refer this doc for more details.
I am developing a REST API. In my mobile application we have multiple user roles, they all use the same API. Think the roles are like customer, supplier, and admin. The API is using tokens, making sure everyone need to be logged in and should send the token to the API.
However, if someone has the token somehow, he can easily any information belong to any user. For an example, using the token of customer A, we can view the information of customer B, C` and so on.
Not only that, we can also access the API calls dedicated for the admins using the above mentioned token.
this is what I thought of doing.
Send the user ID with every request. Also embed the user ID into the token. In the server, before any method is accessed, check whether the user id in request and token are the same.
FYI I am using Firebase authentication and tokens, then use AWS API Gateway to authenticate the access to the API. The user Id I was referring to is in database.
How do you think I can overcome this issue and secure the API?
As long as you make sure to pass the tokens only over secured connections, interception of that token is not very likely. If you then use short-lived tokens (such as Firebase's ID tokens), even when a token does get intercepted it can only be used for a short amount of time.
If a token does get intercepted, you can revoke the token, as shown in the Firebase documentation on managing user sessions.
And finally, you can consider implementing App Check for an additional layer of protection, and check that token too in your own backend.
I have created the sign up Api in Django Rest FrameWork without authentication or any permissions and i want to use is it in mobile app.
my question is this api secure???
any person or Robots that access to the SignUp Api Url can create Account nonstop.is there any antibot or something???
If you implement the api without any type of security. Depending on what you let the user do with the api, which endpoints they can hit.
Is there any server side security?
You can implement Jason Web Token: simple JWT
You can check also django throttling : Throttling
You can also research on how to limit api calls from a device.
You can implement a check which will allow only one sign up from a IP address for a specific time so that your API doesn't get brute forced.
And Implement ReCaptcha as well
I have an application, that runs on server. On that server is background task, that will post status update on few social networks (Facebook, Twitter, G+). It must be completely server-side.
In Twitter API I'm able to use OAuth header to authorize API request. OAuth HTTP header uses consumer key, consumer secret, access token and access token secret to create the header. With this I'm able to post/update/delete tweets with no user interaction.
How can I do this for Facebook? I found a solution to obtain a long-lived access_token (2 months), but we don't want to regenerate access_token every 60 days. We want to use it for manage our Facebook page - post status updates, but completely server-side.
Am I able to do this for Facebook? Thanks for answers.
PS: I searched stackoverflow hundred-times but with no solution for my problem.
Thanks.
It is not possible for User Access Tokens (they can only be extended to 60 days and need to be refreshed by the user after that), but for posting to a Page you should use a Page Token anyway. An Extended Page Token is valid forever.
Here are some Links to help you get that Extended Page Token:
https://developers.facebook.com/docs/facebook-login/access-tokens/
http://www.devils-heaven.com/facebook-access-tokens/
http://www.devils-heaven.com/extended-page-access-tokens-curl/
A Page Token will post "as Page" btw, but that´s probably what you want. And auto-posting on user profiles is not really allowed anyway, every message has to be 100% user generated and every posting should get authorized by the user.
Pay attention to Access Tokens Expiration & Extentions.
The Page Access Token could be a good solution to only server side calls for testing and data analysis purposes.
Take your User Access Token from Graph API Tool
Extend your User Access Token
Call https://graph.facebook.com/v2.11/me/accounts with your user access token extended
*all calls are GET and this procedure does not use APP Access Token.
I have an API that I want to provide public access to, but I want to be able to limit access.
I've been thinking about Twitter's model:
Twitter allows developers to access the data using an api key (I think).
Twitter must also access the data from their website to allow you to tweet / search.
So Twitter must be able to stop developers from impersonating twitter and basically using their api key.
How do they do it? And is there a better way?
Twitter doesn't use their REST API to power their website, they query their database directly. Therefore, there is no API key to steal. You can read about the difference between Twitter's API and Website database queries (circa 2009) here.
The basic techniques Twitter uses to rate-limit their API will probably be the ones you would want to consider, too:
Unauthenticated calls are permitted [fewer] requests per hour.
Unauthenticated calls are measured against the public facing IP of the
server or device making the request.
OAuth calls are permitted [more]
requests per hour and are measured against the oauth_token used in the
request.
The mechanisms to implement that depend on your server platform (you should update your original post with that), but you can learn about OAuth (the second technique above) on their website.