Generating Braintree client token in advance - braintree

I'm looking to reduce the response time for a payment page using the Braintree Drop-In UI (JS v3 SDK).
When a user visits the payment page, I'm generating the client token in PHP as per the docs here:
https://developers.braintreepayments.com/reference/request/client-token/generate/php
This request seems to be slowing things down with the token sometimes taking a while to generate.
I was wondering if there are any issues with generating tokens in advance and storing them on my server to speed things up?
I'm aware that tokens can not be re-used from this question here:
Braintree client token expiration
Is anyone aware of any issues as long as the token is discarded from the server once used. I can't seem to find any details of expiration of client tokens in the Braintree docs.
Thanks.

Include Braintree class and write below code to generate client token.This code will generate client token only if you will set merchant details and secret key details .
Braintree_ClientToken::generate();

Related

Coinbase Oauth2 authorization without pop-up dialog

I am working with Spring 5 and Java 8 and creating a RESTful client that will login to CoinBase and make trades for me at given times. I know there is an unsupported Java SDK for Coinbase out there, and I am looking into that code as well for clues.
I am using the CoinBase Oauth2 client in my Spring app, and it has been very successful so far. I make the authorization call with a callback URL. This opens up a dialog box and if I am logged in, asks me to authorize My Coinbase Acct with MyApp and I get an email indicating that this is done. If I am not logged into Coinbase already, then I get asked for my Coinbase username/password and then it is authorized, again I get an email that this is ok.
The next step I see is that my redirect URL is called with a code that is passed back with it. That code, as you all know, then allows me to request an access token. Which I can do, and yes, I get my access token. I can now make calls to Coinbase API with that Access token. However, this access token is only good for 7200 (seconds?), so for two hours? I want to be able to get an access token and have this automatically login to coinbase for me. I don't want to have to re-authorize every time I want to make a trade ... or do I have to?
It seems to me that the "code" that comes back from authorizing is very short lived, and I can use it immediately to get that access token.
So, for me the big question is ... for Coinbase API, how can I keep myself authorized indefinitely? I want to be able to be authorized already, and then get an access token on a regular basis so I can make trades for myself????? Is this even possible with coinbase API?
Do I have to use Coinbase Pro for that ability, which I am fine with using? Is it even possible with Coinbase Pro?
I am a newbie with Coinbase as it's yet another third-party API that I have learn the nuances of. I am not a newbie when it comes to writing Java code to access third-party RESTful api's.
So, any help would be much appreciated. Thanks!
I guess you are missing 'refresh token' in your application.
What is the purpose of a "Refresh Token"?
It is hard to say how to implement it without code snippets but here some steps that should help:
Take a look at coinbase article about refresh tokens they provide
https://developers.coinbase.com/docs/wallet/coinbase-connect/access-and-refresh-tokens
Obtain and save refresh_token as well as token after authorization
Create function that will be using your refresh token to obtain new pair (token, refresh_token). You can find curl example in step (1)
a. Make ExceptionHandler that will call (3) if gets 401 (i guess it is 401 - if token expired)
b. Save 'expires_in' from step 2 and check it before each request. Call (3) if needed

Authorize PHP application permanently to make requests to JWT auth protected API

Maybe I searched with the wrong keywords but I never found anything about the following scenario:
I have both an API with JWT auth (Laravel + tymon/jwt-auth) and a PHP application that should query that API protected by a JWT token.
How can I make sure that the app always is authentificated? After reading a lot of tutorials and article about JWT auth I'm left with this ideas:
using a never expiring token which is stored permanently in the consuming application. If I understand it right this could be a security concern because someone who has access to that token has access to the api as long as he want? But I don't understand why this token shouldn't be invalidated if the token has been stolen?
refresh the token on every request and invalidate the old one. This implies that the consuming application have to update the token after each request in it's storage (database would make the most sense, I guess). In my opinion this produces a lot of overhead and it doesn't prevent for jwt-auth's refresh_ttl setting.
using an additional API request (perhabs cron based?) to a refresh route to prevent the token from expiring. Again there is the jwt-auth's refresh_ttl problem I think.
I wonder why there seems to be no discussions/articles about that scenario.
Any help on that subject I would very much welcome!
You don't want your user logging in every time but you also don't want them to be logged forever.
Here are my thoughts
I have worked with 1 year tokens for comercial applications, I was using it for low level third party developers, the api concept was already overwhelming for them so I went easy on the auth thingy. Once every year their application broke and they had to reach out to get the new token, bad design but it worked.
Refreshing your token on every request will kill your performance and let attackers have a consistent way to break/predict your key, no good.
In my opinion, this is your most elegant suggestion. You could use some PWA features to accomplish that.
I would suggest increasing the refresh_ttl to 30 days and keep the ttl on one hour.
If you're using SPA or heavy js apps:
On your javascript you could do an ajax setup (or prototype or whatever your javascript framework uses for oop) and have a call to refresh whenever you get a .
If you're using just common page refresh for your apps, store you JWT on a cookie, then your application can refresh it whenever it needs and there will be no special js to make. HTTPS will take care of security.

How to protect REST API when using AJAX?

There are SNS application with 2 servers. Web backend server and REST API server.
The web server allows user login/logout with username/password, and show user information
The REST API server provides APIs like /topics, /comments, it should be stateless without session
The REST API will serve other web applications
There are some potential solutions, but neither is security.
Base Auth, the browser hold the username/password
Token with expiry timestamp, the problem is user could stay on the page until token expires
So, is there a way to protect the REST API when calling it from AJAX?
If I have understood your problem correctly I may suggest you use the Token solution. In order to maintain security you may generate new token on every request (& send it to client in response), which should be used to make next request, and disable token if it is once used or has expired.
Sorry, I meant to mention it as a comment, but I don't have enough reputation.

Braintree client token expiration

In Braintree, When I generate a client token with a $customerId, how reliable is it to save that client token to database and re-use it later on?
I always have a user corresponding to a $customerId and it would greatly reduce the number of calls to Braintree if I could re-use the token.
Does the token ever expire? There is no mention of that in the official docs.
Thanks a lot!
Full disclosure: I work as a developer for Braintree
The client token is not intended to be reused and will be revoked if a single client token is used multiple times in a short time span. You can read more about the client token in this part of the Braintree documentation.
​
This was a thing before 2019.
In 2019 they changed the client token behavior so now it is granted for 24 hours and can be reused unless it was granted for specific CustomerId
https://www.braintreepayments.com/blog/changes-to-client-tokens-are-coming/
The client token is a JWT. You'll need to base64 decode, to view the authorizationFingerprint. Then, split the authorizationFingerprint using ".", as the delimiter, and base64 decode the [1] position of the resulting array, and you'll see the "exp" param.

Angular CSRF token + ruby api

I'm currently running into a lot of issues with the CSRF token.
Our current setup is a Ruby API and an Angular front-end, both live on a different domain.
The Ruby back-end solely serves as an API for the front-end.
I've spend a lot of time researching this problem, but I can't find a proper solution.
So far the solutions I've found are:
Generate the token and insert it into the DOM (Different domains, so can't do that)
Let the API return the CSRF token on a GET request (Doesn't seem to work, and it's not a good solution since I don't want to make an extra request just to get the token)
So I'm rather stuck here and not sure how to continue.
Is the current implementation just not working? How do other people create an API with oauth without running into this issue?
Not sure if this will help but here is a sample of a simple todo api in ruby with angular as frontend, and i am using token for authentication generated after the user fills username and password.
https://github.com/sirfilip/todoapi/blob/master/app.rb (the api written in sinatra and sequel)
https://github.com/sirfilip/todoapiclient/blob/master/public/js/angular-todoapi-plugin.js (angular client api service that is used for communication with the api)
TL;DR: Secure your rails API with the doorkeeper gem.
This SO post seems to be the accepted answer when your api and client exist on the same domain.
In the post they outline the angularJS docs http://docs.angularjs.org/api/ng.$http :
Since only JavaScript that runs on your domain could read the cookie,
your server can be assured that the XHR came from JavaScript running
on your domain.
To take advantage of this (CSRF Protection), your server needs to set
a token in a JavaScript readable session cookie called XSRF-TOKEN on
first HTTP GET request. On subsequent non-GET requests the server can
verify that the cookie matches X-XSRF-TOKEN HTTP header
It seems that the security of storing and transferring the XSRF-TOKEN session cookie in this way hinges on having your api and your front-end be in the same domain. Since this is not the case, you may have to implement another form of authorization for any given client session, like OAUTH. I'd recommend taking a look at the doorkeeper gem. The gem will give you the ability to interact with your api as if you were any other client.

Resources