academe / omnipay-authorizenetapi

Omnipay 3.x implementation of Authorize.Net API
MIT License

Accept JS, how are you generating the correct public client key #17

Closed turbo124 closed 4 years ago

turbo124 commented 4 years ago

Reading the Authorize.net docs, it says we need to generate a public client key, when using Accept.js.

I don't see this method in any of the omnipay authorize.net libraries.

I note in reading some of the issues, people are exposing their apiLoginId and transactionKey client side, this makes me somewhat nervous exposing these details.

Is there something I am missing? Should we consider adding a helper method into the driver to generate a public client key?

judgej commented 4 years ago

The public API key was always generated manually in the admin pages, so was a long-lifetime key used over and over. I haven't looked at this in a while, but is it now a short-lifetime or single-use token? If so, then yes, this package needs extending.

turbo124 commented 4 years ago

It is essentially a short lifetime token that can be used instead of exposing the apiLoginId and transactionKey in the client.

The only way to generate this is to pull in the authorize.net sdk and use something like this:

```php
<?php
require 'vendor/autoload.php'; // Authorize.Net PHP SDK (authorizenet/authorizenet)

use net\authorize\api\contract\v1 as AnetAPI;
use net\authorize\api\controller\GetMerchantDetailsController;

// Server-side only: these credentials must never reach the browser.
$merchantAuthentication = new AnetAPI\MerchantAuthenticationType();
$merchantAuthentication->setName('apiLoginId');
$merchantAuthentication->setTransactionKey('transactionKey');

$request = new AnetAPI\GetMerchantDetailsRequest();
$request->setMerchantAuthentication($merchantAuthentication);

$controller = new GetMerchantDetailsController($request);

// Use ANetEnvironment::PRODUCTION for a live account.
$response = $controller->executeWithApiResponse(\net\authorize\api\constants\ANetEnvironment::SANDBOX);

if ($response === null || $response->getMessages()->getResultCode() !== 'Ok') {
    throw new RuntimeException('Unable to fetch merchant details from Authorize.Net');
}

// Short-lived key that is safe to embed in the Accept.js client.
$publicClientKey = $response->getPublicClientKey();
```

This can then safely be used client side. Hopefully this helps someone.
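The same lookup without pulling in the SDK, as an added example that is not part of omnipay-authorizenetapi or the Authorize.Net SDK: it posts a `getMerchantDetailsRequest` to the Authorize.Net JSON endpoint from the server, checks the result code, and returns only the `publicClientKey` for the browser. The credentials are placeholders; the endpoint URLs are the public sandbox and production request URLs.

```php
<?php
// Added example: fetch the Accept.js public client key server-side via the
// plain JSON API so the apiLoginId and transactionKey never leave the server.

function fetchPublicClientKey(string $apiLoginId, string $transactionKey, bool $sandbox = true): string
{
    $endpoint = $sandbox
        ? 'https://apitest.authorize.net/xml/v1/request.api'
        : 'https://api.authorize.net/xml/v1/request.api';

    // Same request the SDK's GetMerchantDetailsController builds, as JSON.
    $payload = json_encode([
        'getMerchantDetailsRequest' => [
            'merchantAuthentication' => [
                'name' => $apiLoginId,
                'transactionKey' => $transactionKey,
            ],
        ],
    ]);

    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $payload,
        CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT => 15,
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        throw new RuntimeException('Authorize.Net request failed: ' . curl_error($ch));
    }
    curl_close($ch);

    // The gateway prefixes its JSON body with a UTF-8 BOM; strip it before decoding.
    $data = json_decode(ltrim($raw, "\xEF\xBB\xBF"), true, 512, JSON_THROW_ON_ERROR);

    if (($data['messages']['resultCode'] ?? '') !== 'Ok' || empty($data['publicClientKey'])) {
        throw new RuntimeException('getMerchantDetails did not return a public client key');
    }

    // Only this value is handed to the browser for Accept.js.
    return $data['publicClientKey'];
}

// Placeholder credentials; load the real ones from server-side configuration.
echo fetchPublicClientKey('YOUR_API_LOGIN_ID', 'YOUR_TRANSACTION_KEY'), PHP_EOL;
```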

judgej commented 4 years ago

Okay thanks, that's new to me. I understand that there are some details which should never be exposed, and this package is careful not to expose those credentials. I did raise the long-time key with Authorize.Net some years ago (pointing to Sage Pay Pi that generates a one-time key each time) and they said it was okay, since the key was of use to no-one else without the back-end credentials. But I guess things have moved on.

Do you have a PR or fork that could be merged? If not, do you need anything to help put one together?

turbo124 commented 4 years ago

@judgej I think we'll use the authorize.net sdk directly for this project. I'm happy to share anything else that may be needed to get this working in this package.