Which Braintree business object IDs could be made available to end users


Braintree API returns various internal IDs to business objects including IDs of Subscription, Plan, PaymentMethod, and such. Are there any security issues in sharing these IDs with end-users' applications (the front-end code running on users' devices)? (The end-user would not see these IDs, but they would be transmitted through the wire.)

Detailed example:

The user adds a payment method to the App. The App server forwards the request to Braintree, for example:

val result = gateway.paymentMethod.create(
  new PaymentMethodRequest()
    .customerId(user.billing.get.braintree.customerID)
    .paymentMethodNonce(nonce)
    .billingAddressId(user.billing.get.braintree.addressID.get)
    .options()
    .makeDefault(true)
    .verifyCard(true)
    .failOnDuplicatePaymentMethod(false)
    .done()
)

Then the result is handled as follows:

Option(result.getTarget)
  .map {
    case card: CreditCard =>
      braintreePaymentMethod(
        card.getClass.getCanonicalName,
        card.getToken,
        card.getImageUrl,
        card.isDefault,
        "ending " + card.getLast4
      )
  }
  .getOrElse(throw Payments.Exception.Braintree(result.getMessage))

The card.getToken returns the payment method's token, as in the interface:


public interface PaymentMethod {

    String getToken();
    boolean isDefault();
    String getImageUrl();
    String getCustomerId();
    List<Subscription> getSubscriptions();
}

The above token acquired by getToken is then used to check the existence of the payment method and, moreover, to remove, list and update the method.

Internally, in the App, this token could also be used to identify the payment method.

Recap: Are there any security issues in sharing this token with the user?

3

There are 3 answers

1
sarveshseri On

I don't see any point in sharing the Braintree identifiers with users.

If you want to provide some functionality over those payments or addresses, then these should go through your API.

Ideally, you should not expose the Braintree domain model directly to the users (this is standard practice for almost every third-party domain model). You can create your own domain model on top of the Braintree domain model. All of your APIs will revolve around your domain model, which will proxy for the Braintree domain model.
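
One way to realise the "own domain model" approach described in the answer above, as an added example that is not part of the answer, the question's code or Braintree's SDK. The names PaymentMethodDirectory, PaymentMethodView, StoredMethod and the in-memory store are hypothetical, and the sample token and user IDs are constructed.

```scala
import java.util.UUID
import scala.collection.concurrent.TrieMap

// What the front end receives: no Braintree token and no customer ID.
final case class PaymentMethodView(id: String, label: String, isDefault: Boolean)

// Server-side record; braintreeToken never leaves the server.
final case class StoredMethod(ownerId: String, braintreeToken: String,
                              label: String, isDefault: Boolean)

// Hypothetical in-memory store; a real app would back this with its database.
class PaymentMethodDirectory {
  private val byAppId = TrieMap.empty[String, StoredMethod]

  // Store the value returned by card.getToken and return the client-safe view.
  def register(ownerId: String, braintreeToken: String,
               last4: String, isDefault: Boolean): PaymentMethodView = {
    val appId = UUID.randomUUID().toString // random, not derived from the token
    val label = "ending " + last4
    byAppId.put(appId, StoredMethod(ownerId, braintreeToken, label, isDefault))
    PaymentMethodView(appId, label, isDefault)
  }

  // Map an app ID back to the Braintree token only for its authenticated owner.
  // An unknown ID and another user's ID both yield None.
  def resolve(authenticatedUserId: String, appId: String): Option[String] =
    byAppId.get(appId)
      .filter(_.ownerId == authenticatedUserId)
      .map(_.braintreeToken)

  // List only the caller's own methods, again without Braintree identifiers.
  def list(authenticatedUserId: String): Seq[PaymentMethodView] =
    byAppId.collect {
      case (id, m) if m.ownerId == authenticatedUserId =>
        PaymentMethodView(id, m.label, m.isDefault)
    }.toSeq
}

object Demo extends App {
  val directory = new PaymentMethodDirectory
  // Constructed sample values, not real Braintree tokens or users.
  val view = directory.register("alice", "sample-token-1", "1111", isDefault = true)
  assert(directory.resolve("alice", view.id).contains("sample-token-1"))
  assert(directory.resolve("mallory", view.id).isEmpty)    // not the owner
  assert(directory.resolve("alice", "no-such-id").isEmpty) // unknown ID
  assert(directory.list("mallory").isEmpty)
  println(s"client sees: $view")
}
```

The remove, list and update calls mentioned in the question would call resolve with the session's user ID first and pass only its result to the gateway, so an ID supplied by the client is never used as a Braintree token directly.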

4
Preston PHX On

Braintree identifiers and tokens aren't interesting or relevant to users. There is no reason to share them. The last 4 of the card is all you need to show for their later reference purposes.

0
Johnny On

If you have to use it, that's fine. Middleware can be used to ensure security here.