How to get Braintree v.zero to show existing payment methods? - javascript

Setting up a payment form with the Braintree v.zero SDK:
braintree.setup(response.value, 'dropin', {
container : 'xyz',
onPaymentMethodReceived : function(payment) {
pay(payment.nonce);
},
});
After entering payment information, the form shows:
...but only until the page is reloaded. Is there a way to initialize the dropin payment form to list a customer's existing payment methods?

Full disclosure: I work at Braintree. If you have any further questions, feel free to contact support.
The key would seem to lie with your response.value (i.e. your client token). I would guess that your server code used to generate it isn't specifying a customerId for that user.
​
From the Braintree documentation on generating client tokens:
Your server is responsible for generating a client token, which contains all authorization and configuration information your client needs to initialize the client SDK to communicate with Braintree. Including a customerId when generating the client token lets returning customers select from previously used payment method options, improving user experience over multiple checkouts. Set Up Your Client covers the client side of the exchange.
Bottom-line: Drop-in will display multiple cards if you generate your Client Token using the customer_id that matches your customer.
client_token = braintree.ClientToken.generate({
"customer_id": a_customer_id
})

Related

Stripe - Refund Checkout Session

I’m trying to implement a method for my connected account owners to be able to refund charges collected via a Stripe Checkout Session.
In order to do so, I want to use the following code:
const refund = await stripe.refunds.create({
payment_intent: pi_id,
});
In order to obtain the payment_intent_id, I am listening to the checkout.session.completed webhook, and accessing data.object.payment_intent.
When I attempt to create a refund using this payment intent id, I get the No such paymentintent error from Stripe. I noticed in my Stripe test account that there is a charge ID associated with the payment, so maybe I should be using that - but I’m not sure how to retrieve that programmatically from the checkout session.
You're making the API call correctly.
“No such...” errors with Stripe are usually caused by either a mismatch in API keys (e.g. using a mixture of your test plus live keys) or by trying to access objects that exist on a different account (e.g. trying to perform an operation from your platform account on an object that was created on a connected account).

PayPal Checkout: Is it safe to receive a payment with only client-side code?

I'm using the PayPal API to put payment options to my website. In the tutorial they have, they are rendering the button and setting up the transaction entirely at the client side with JavaScript. Here is the sample code:
<script>
paypal.Buttons({
createOrder: function(data, actions) {
// This function sets up the details of the transaction, including the amount and line item details.
return actions.order.create({
purchase_units: [{
amount: {
value: '0.01'
}
}]
});
},
onApprove: function(data, actions) {
// This function captures the funds from the transaction.
return actions.order.capture().then(function(details) {
// This function shows a transaction success message to your buyer.
alert('Transaction completed by ' + details.payer.name.given_name);
});
}
}).render('#paypal-button-container');
//This function displays Smart Payment Buttons on your web page.
</script>
Is this secure?
The user can just change the payment amount in the code on his side and pay less. Even if I set up client-side code to send transaction-id once the transaction is successful (ie. make a POST request at onApprove), so that I can have a server-side code check if the amount sent is correct, the client can still change the code on his side to send a fake transaction-id.
I basically need a mechanism to check if I definitely received the right amount, before delivering the product. I obviously need to make this check at the server-side but I can't figure out a secure way to do it because I need to get some info from the client-side which might be fake. How do I prevent the user from pretending to have paid for example by sending a past transaction-id?
You are correct that the user can always change the amount in client-side code, and send a payment for a lower amount. That's how client side payments work.
Any logic to keep track of which payments are real and for the correct amount must be on your server.
For PayPal Checkout, here's the front-end UI you should use: https://developer.paypal.com/demo/checkout/#/pattern/server
You'll need two corresponding routes on your server, one for 'Create Order' and one for 'Capture Order'. You can use one of the Checkout-lanuagename-SDK's (edit:though these have been deprecated now) for the routes' API calls to PayPal, or your own HTTPS implementation of first getting an access token and then doing the call (there is a full-stack example in node.js at the main PayPal Checkout guide, but it can be done with any backend server language).
Both of the two routes should return only JSON data (no HTML or text). Inside the 2nd route, when the capture API is successful you should verify the amount was correct and store its resulting payment details in your database (particularly purchase_units[0].payments.captures[0].id, which is the PayPal transaction ID) and perform any necessary business logic (such as sending confirmation emails or reserving product) immediately before forwarding your return JSON to the frontend caller. In the event of an error forward the JSON details of it as well, since the frontend must handle such cases.
I'm sorry but this still all seems to be very insecure to me. Once you have given your client-ID in the paypal javascript tag, then any good hacker can use devtools in Google or Firefox, etc. and replace your paypal.buttons code with their own paypal.buttons code and happily send the transaction along to paypal without using your client-side code or server code.
I did some test of this theory and in five minutes or less I was able to redo the code in the client javascript and pay whatever I wanted for the product I was buying (this in a test environment).
What am I missing here that doesn't render the client side code totally insecure.

How to find user is logged in or not from cloud function side using Firebase?

To provide dynamic content delivery, I am using rewrites in fire base hosting. Whenever open website with index.html then the browser request the firebase cloud function main.
"rewrites": [ {
"source": "/index.html",
"function":"main"
}]
Now I am facing a problem to provide dynamic content based on user login status. I also checked about client side authendication using JS.
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
// User is signed in.
} else {
// No user is signed in.
}
});
I don't know about web development. Here I have few questions,
How can I find authentication status of user by more flexible way? Does cookies used for this? I am asking because I don't know to pass firebase-token to the cloud function main.
Please address me an idea. Thank you all.
Short answer: End users don't have a sign-in status that's visible on a backend. That's just not how Firebase Authentication works.
Auth clients provide credentials to get a token that's used to identify themself when they invoke backend services. This tokens has a lifetime of 1 hour, and the client must refresh it in order to keep using it. Your backend doesn't know or care if the client has an auth token, if they use it, or if they refresh it. The client just needs to provide that token from whatever device they have signed in so the backend can validate it. There is no way your backend can know if the client obtained a token - you just have to accept the one it is given. This means you're going to have to actually figure out how to pass that token and validate it with the Firebase Admin SDK, or use a callable type function using the Firebase Client SDK to send that token automatically.

Braintree: can users update their vaulted customer information?

I'm using the Braintree v3 javascript client implementation. After my server returns to me the vaulted information on the customer : payment method, billing address, etc so I can pre-populate some fields on the UI, is there a way on the client side to update the information, such as billing address, if they want to change it?
Disclaimer: I work at Braintree. If you need more assistance, please reach out to Braintree Support.
You can make a server side API call that updates the customer's information based on what they enter into your client-side form. Here is an example of making this call using the Node.js sdk:
gateway.customer.update("theCustomerId", {
firstName: "New First Name",
lastName: "New Last Name"
}, function (err, result) {
});
A link with more details is located in Braintree's Support Documentation.

Login and pay with Amazon integration issue

So, I'm trying to integrate the Login and Pay with Amazon widget, and I'm encountering some problems.
So, I have my seller account all set up on
https://sellercentral.amazon.de/gp/
I have access to my API credentials, and I need to get a LWA client.
So, I have registered on
https://sellercentral.amazon.com/gp/homepage.htm
in order to create an application. I have set up the application, on web settings I have completed the required URL's, and got my client ID.
In the js for the Login and Pay with Amazon widget, I have replaced all the info needed: Client Id, merchant Id etc.
But when I try to make a test login, I receive the following error :
400 Bad Request Unknown client_id
The Pay With Amazon documentation is not very clear, and I can't seem to find anywhere a list with the error codes.
If anybody has an idea, let me know.
Thanks!
you should create your Login with Amazon application using https://sellercentral.amazon.de instead of the .com site. They are separate accounts.
It sounds like you're missing this piece of code:
window.onAmazonLoginReady = function() { amazon.Login.setClientId('CLIENT_ID'); }

Categories