
I am currently using the braintree server package (Node.js) and am working towards implementing subscriptions.

As an intermediate step, I'm managing a list of payment methods for each customer, which is found inside a customer object: customer.paymentMethods.

I want to be sure that passing this list directly to the client is an ok thing to do. Essentially, I'd like to list all of the current payment methods, and also create a way to add new ones / remove existing ones. When a payment method is selected, I can pass the payment_method_token to the server to perform a particular action with this payment method.

As I'm only passing payment tokens to the user when they have the proper session, it seems safe to be passing tokens around in this way, but I want to be positive that I'm doing this correctly.

Can somebody verify whether or not this approach is ok?

wheresmycookie
  • So basically, if I am a "bad user", can I add payment methods client side? Is there any check server side that the data has not been toyed with? Don't feel like I know enough about your situation to answer. Never trust the user. Continue being paranoid. Refresh by reading up some on the OWASP site. – ficuscr Jan 10 '18 at 22:30
  • @ficuscr Thanks for the response. I'm mainly trying to relay the user's existing payment information to the client side, so that one can be chosen to create a subscription. All that I need to create a subscription is that payment_token, so it seems questionable as to whether or not it's ok to have that residing on the client. – wheresmycookie Jan 10 '18 at 22:48
  • If a bad user sends back a `fake token` to the server, it will fail since your web server will pass the token to the Braintree server. In addition, we can always check if the token is valid on the server side. OP's approach is correct. – wdetac May 11 '18 at 07:04

1 Answer


Seems to me that 1) this is a lot of unneeded work and 2) not really what you should be doing...

You should be passing the payment nonce around - the SDKs do all the other work for you - https://developers.braintreepayments.com/start/overview

Specifically, for the subscription flow, see https://developers.braintreepayments.com/guides/recurring-billing/create/node - you need the paymentMethodToken, which comes from the nonce (either from the client or one stored on your server) and a planID that is set up in the Control Panel. The paymentMethodToken is not passed around, it is created (and can/should be stored) server side.

Apps-n-Add-Ons
  • But the payment nonce is a one-time thing though, right? So I can't really store that in my database or retrieve that in the future. – wheresmycookie Jan 10 '18 at 22:34
  • If I do a `gateway.customer.find(userId)` and then `customer.payment_methods`, then I have `payment_tokens` right there, and braintree is doing all of that for me. I guess what I mean to ask is, what is the proper way to relay that information to the client so the client can select which payment method to use? – wheresmycookie Jan 10 '18 at 22:36
  • Again, I will refer you to the braintreepayments docs - it depends a lot on what client you are using and what server (you said node.js - those docs are there, too) - the client stuff is at https://developers.braintreepayments.com/start/hello-client/android/v2#get-a-client-token (select the client you use at the top of the page). Following all the docs, I can find nowhere that it ever says you should pass around the payment_tokens - only the client token and nonce (even if you can get to it through the object...). Follow the flow they show - it has worked for me, every time. – Apps-n-Add-Ons Jan 11 '18 at 00:20
  • I actually just emailed support, who confirmed that the payment_token is not secure data, so you actually can pass that to the client. – wheresmycookie Jan 11 '18 at 02:28
  • You should not use `Payment Method Nonce` in this situation. `Payment Method Nonce` is only for the 3D Secure guide. Also, the documentation suggests that you use `Payment Method Token`. – wdetac May 11 '18 at 07:06