Which Braintree business object IDs could be made available to end users

116 views Asked by At

Braintree API returns various internal IDs to business objects including IDs of Subscription, Plan, PaymentMethod, and such. Are there any security issues in sharing these IDs with end-users' applications (the front-end code running on users' devices)? (The end-user would not see these IDs, but they would be transmitted through the wire.)

Detailed example:

The user adds a payment method to the App. The App server forwards the request to Braintree, for example:

val result = gateway.paymentMethod.create(
            new PaymentMethodRequest()
              .customerId(user.billing.get.braintree.customerID)
              .paymentMethodNonce(nonce)
              .billingAddressId(user.billing.get.braintree.addressID.get)
              .options()
              .makeDefault(true)
              .verifyCard(true)
              .failOnDuplicatePaymentMethod(false)
              .done()
          )

Then the result is handled as follows:

Option(result.getTarget)
            .map {
              case card: CreditCard =>
                braintreePaymentMethod(
                  card.getClass.getCanonicalName,
                  card.getToken,
                  card.getImageUrl,
                  card.isDefault,
                  "ending " + card.getLast4
                )
            }
            .getOrElse(throw Payments.Exception.Braintree(result.getMessage))

The card.getToken returns the payment method's token as in interface:


public interface PaymentMethod {

    String getToken();
    boolean isDefault();
    String getImageUrl();
    String getCustomerId();
    List<Subscription> getSubscriptions();
}

The above token acquired by getToken is then used to check the existence of the payment method, moreover, used to remove, list and update the method.

Internally, in the App, this token could also be used to identify the payment method.

Recap: Are there any security issues to share this token with the user?

3

There are 3 answers

1
sarveshseri On

I don't see any point in sharing the braintree identifiers with users.

If you want to provide some functionality over those payments or address then these should go through your api.

Ideally, you should not expose the braintree domain model directly to the users (this is standard pactice for almost every third party domain model). You can create your own domain model on top of braintree domain model. All of your api's will revolve around your domain model which will proxy for braintree domain model.

4
Preston PHX On

Braintree identifiers and tokens aren't interesting or relevant to users. There is no reason to share them. The last 4 of the card is all you need to show for their later reference purposes.

0
Johnny On

If you have to use it, that's fine.Middleware can be used to ensure security here.