英文:
Which Braintree business object IDs could be made available to end users
问题
Braintree API会返回各种内部ID,包括Subscription、Plan、PaymentMethod等业务对象的ID。将这些ID与最终用户应用程序(在用户设备上运行的前端代码)共享是否存在安全问题?(最终用户不会看到这些ID,但它们将通过网络传输。)
详细示例:
用户向应用添加付款方式。然后,应用服务器将请求转发给Braintree,例如:
val result = gateway.paymentMethod.create(
new PaymentMethodRequest()
.customerId(user.billing.get.braintree.customerID)
.paymentMethodNonce(nonce)
.billingAddressId(user.billing.get.braintree.addressID.get)
.options()
.makeDefault(true)
.verifyCard(true)
.failOnDuplicatePaymentMethod(false)
.done()
)
然后对结果进行如下处理:
Option(result.getTarget)
.map {
case card: CreditCard =>
braintreePaymentMethod(
card.getClass.getCanonicalName,
card.getToken,
card.getImageUrl,
card.isDefault,
"ending " + card.getLast4
)
}
.getOrElse(throw Payments.Exception.Braintree(result.getMessage))
card.getToken会返回支付方式的令牌,如接口所示:
public interface PaymentMethod {
String getToken();
boolean isDefault();
String getImageUrl();
String getCustomerId();
List<Subscription> getSubscriptions();
}
通过getToken获取的上述令牌随后用于检查支付方式的存在,此外,还用于删除、列出和更新该方法。
在应用内部,此令牌还可以用于识别支付方式。
总结:与用户共享此令牌是否存在安全问题?
英文:
Braintree API returns various internal IDs to business objects including IDs of Subscription, Plan, PaymentMethod, and such. Are there any security issues in sharing these IDs with end-users' applications (the front-end code running on users' devices)? (The end-user would not see these IDs, but they would be transmitted through the wire.)
Detailed example:
The user adds a payment method to the App. The App server forwards the request to Braintree, for example:
val result = gateway.paymentMethod.create(
new PaymentMethodRequest()
.customerId(user.billing.get.braintree.customerID)
.paymentMethodNonce(nonce)
.billingAddressId(user.billing.get.braintree.addressID.get)
.options()
.makeDefault(true)
.verifyCard(true)
.failOnDuplicatePaymentMethod(false)
.done()
)
Then the result is handled as follows:
Option(result.getTarget)
.map {
case card: CreditCard =>
braintreePaymentMethod(
card.getClass.getCanonicalName,
card.getToken,
card.getImageUrl,
card.isDefault,
"ending " + card.getLast4
)
}
.getOrElse(throw Payments.Exception.Braintree(result.getMessage))
The card.getToken returns the payment method's token as in interface:
public interface PaymentMethod {
String getToken();
boolean isDefault();
String getImageUrl();
String getCustomerId();
List<Subscription> getSubscriptions();
}
The above token acquired by getToken is then used to check the existence of the payment method, moreover, used to remove, list and update the method.
Internally, in the App, this token could also be used to identify the payment method.
Recap: Are there any security issues to share this token with the user?
答案1
得分: 1
Braintree的标识符和令牌对用户来说不是有趣或相关的。没有理由分享它们。卡的最后4位数字是您日后参考的全部内容。
英文:
Braintree identifiers and tokens aren't interesting or relevant to users. There is no reason to share them. The last 4 of the card is all you need to show for their later reference purposes.
答案2
得分: 1
我不认为与用户分享Braintree标识有任何意义。
如果您想要在这些付款或地址上提供一些功能,那么这些功能应该通过您的API进行。
理想情况下,您不应直接向用户公开Braintree领域模型(这是几乎每个第三方领域模型的标准做法)。您可以在Braintree领域模型之上创建自己的领域模型。您的所有API都将围绕您的领域模型展开,该模型将作为Braintree领域模型的代理。
英文:
I don't see any point in sharing the braintree identifiers with users.
If you want to provide some functionality over those payments or address then these should go through your api.
Ideally, you should not expose the braintree domain model directly to the users (this is standard pactice for almost every third party domain model). You can create your own domain model on top of braintree domain model. All of your api's will revolve around your domain model which will proxy for braintree domain model.
答案3
得分: 1
如果您必须使用它,那是可以的。中间件可用于确保这里的安全性。
英文:
If you have to use it, that's fine.Middleware can be used to ensure security here.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论