Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
@cybersource/flex-sdk-node
Advanced tools
Easily create keys for use in a Flex API integration and verifying Flex token contents
Readme
This Node SDK helps with server side aspects of a Flex integration:
Using npm:
npm install @cybersource/flex-sdk-node --save
Then in node scripts require the sdk:
var FlexSDKNode = require('@cybersource/flex-sdk-node');
To request a transaction specific key, you must supply:
proxy
var flex = FlexSDKNode({
// auth credentials
mid: '__YOUR_MERCHANT_ID__',
keyId: '__YOUR_KEY_ID__',
sharedSecret: '__YOUR_SHARED_SECRET__',
// live environment
production: true
});
var flex = FlexSDKNode({
// auth credentials
apiKey: '__YOUR_API_KEY__',
sharedSecret: '__YOUR_SHARED_SECRET__',
// test environment
production: false
});
// CGK test environment with proxy
// Proxy with credentials can be supplied as
// 'http://username:password@localproxy.com'
var flex = FlexSDKNode({
mid: '__YOUR_MERCHANT_ID__',
keyId: '__YOUR_KEY_ID__',
sharedSecret: '__YOUR_SHARED_SECRET__',
production: false,
proxy: 'http://localproxy.com'
});
Debug logging is used for the keys request and response. See docs for usage
Flex encrypts the card number in transit, for additional protection against MitM attacks where the cardholder's network connection is compromised.
The following encryption methods are supported:
RsaOaep256
RsaOaep
(Recommended for widest browser compatibility)None
(No encryption of the card number)var options = {
encryptionType: flex.constants.encryptionType.RsaOaep
};
flex.createKey(options, function(err, resp, key) {
if (err) {
// handle error
console.error(err);
return;
}
// you can now pass this key to your front end client for token creation. Ensure to persist
// this somewhere so you can verify the signatures on any created tokens later on!
mySavedKey = key;
});
If you are requesting a key for use with Flex Microform then you must also supply the origin of the website in which Flex Microform will be embedded:
var options = {
encryptionType: flex.constants.encryptionType.RsaOaep,
targetOrigin: 'https://shop.merchant.com'
};
Additional optional settings may also be supplied:
var options = {
encryptionType: flex.constants.encryptionType.RsaOaep,
settings: {
currency: 'USD', // Currency to be used with the token
enableAutoAuth: true, // Whether an automatic authorization should be performed prior to generating a token
enableBillingAddress: true, // Whether dummy address data should be supplied for the token
unmaskedLeft: 6, // The number of unmasked digits to be shown at the beginning of the card number (BIN)
unmaskedRight: 4 // The number of unmasked digits to be shown at the end of the card number
}
};
There is a possibility that the token response can be tampered with as it passes through the client. Therefore you should always verify the integrity of the response using the SDK.
if (!flex.verifyToken(publicKey, token)) {
// Reject token
}
publicKey
can be:
jwk
js objecttoken
as a js objectCode and documentation copyright 2018 CyberSource. Released under the CyberSource SDK License Agreement as detailed in ./LICENSE.md
.
FAQs
Easily create keys for use in a Flex API integration and verifying Flex token contents
The npm package @cybersource/flex-sdk-node receives a total of 89 weekly downloads. As such, @cybersource/flex-sdk-node popularity was classified as not popular.
We found that @cybersource/flex-sdk-node demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.