Braintree Dropin UI does not work with Ionic Framework unless force refreshed


Problem description

I encounter a very strange behavior with the Braintree Dropin UI inside the Ionic framework.

So I use the solution from "Can't create Braintree client token with customer ID" (http://stackoverflow.com/questions/26986158/cant-create-braintree-client-token-with-customer-id) to create the logic for the first-time and the returning customer.

// Angular client: ask the Node server for a client token, passing the stored customerId (if any)
$http({
  method: 'POST',
  url: 'http://localhost:3000/api/v1/token',
  data: {
    customerId: braintreeReturnCustomerId
  }
}).then(function (res) {
  // res.data.client_token is then used to initialize the Dropin UI
});

As I pass in the customerId from my client view. In my Node.js server, I have logic to check whether customerId is undefined. If it is undefined, it is a first-time customer. If customerId has a value, it is a returning customer. Very straightforward, like so:

// Node/Express route: the client chooses the customerId (see the answer below for why this is unsafe)
app.post('/api/v1/token', jsonParser, function (request, response) {
  var customerId = request.body.customerId;

  if (customerId == undefined) {
    // first-time customer: generate a token that is not bound to any customer
    gateway.clientToken.generate({}, function (err, res) {
      if (err) throw err;
      response.json({
        "client_token": res.clientToken
      });
    });
  } else {
    // returning customer: bind the token to the customerId supplied by the client
    console.log("using existing customer!");
    gateway.clientToken.generate({
      customerId: customerId
    }, function (err, res) {
      if (err) throw err;
      response.json({
        "client_token": res.clientToken
      });
    });
  }
});

My client is in an Ionic view. So when I pay the first time, it knows it is a first-time user, then generates a customerId for me and I store it in my database. All good. Then WITHOUT refreshing (as Ionic apps do not refresh on state change), I go to a different state and go back to the payment state, and it does not show the stored credit card. Even though my server logs the customerId and I know FOR SURE the server code is running the "else" part with gateway.clientToken.generate({customerId: customerId} ...

If I force a refresh in the view, like using

$window.location.reload(true);

right after the first payment succeeds, or if I just manually refresh the page in my Chrome browser (as I am in Ionic Serve), the payment Dropin UI page will show the stored credit card from the first payment.

I tried disabling view caching with "cache: false", but it does not help. I have to force a refresh to make the Dropin UI work the second time. I think it is the JavaScript code in the Dropin UI causing this issue, but I do not know how to fix it...

Recommended answer

Disclosure: I work at Braintree. If you have any questions, feel free to contact support.

The approach you've posted is extremely unsafe, as it is vulnerable to Insecure Direct Object Reference (OWASP Top 10) and can easily result in cross-user charging by a nefarious user. You've essentially allowed any user to use your server to generate client tokens for any customer.

Instead, you should only generate tokens on the server, to avoid user agents choosing the id of another user. Then serve up customer ids based on a user's credentialed login and do not allow them to pass in parameters to be used during clientToken generation. There are many guides online on how to build authentication. But once you have the user created on the server you can:

if (userSession == undefined) {
    // or force login if you want them to sign up for your site before buying things
    gateway.clientToken.generate({}, function (err, res) {
        if (err) throw err;
        response.json({
            "client_token": res.clientToken
        });
    });
} else {
    console.log("using existing customer!");
    // the customerId comes from the server-side session, never from the request body
    gateway.clientToken.generate({
        customerId: userSession.user.BraintreeId
    }, function (err, res) {
        if (err) throw err;
        response.json({
            "client_token": res.clientToken
        });
    });
}

Whatever you do, do not use this code as-is in production. I would not suggest debugging the front end until you rebuild the approach to fix this vulnerability, since it will be very different. But if you do come back to this question again, it looks like there may be an open related issue about this behavior.
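To make the difference between the two handlers concrete without a network call, here is an added example (not code from the question or the answer): a constructed stub stands in for gateway.clientToken.generate, the requests are constructed, and the session field name BraintreeId is taken from the answer's snippet.

```javascript
// Constructed stub for the Braintree gateway. The real gateway.clientToken.generate()
// calls Braintree asynchronously; this stub answers synchronously and encodes which
// customer the token was bound to, so the two handlers can be compared offline.
const gateway = {
  clientToken: {
    generate(opts, cb) {
      cb(null, { clientToken: 'token:' + (opts.customerId || 'anonymous') });
    },
  },
};

// Vulnerable handler (as in the question): whoever sends the request names the customerId,
// so the token can be bound to a customer record the caller does not own (IDOR).
function vulnerableTokenHandler(request) {
  let token;
  const customerId = request.body.customerId;
  const opts = customerId === undefined ? {} : { customerId: customerId };
  gateway.clientToken.generate(opts, (err, res) => { if (err) throw err; token = res.clientToken; });
  return token;
}

// Hardened handler (as in the answer): the request body is ignored; the customerId is read
// only from the server-side session that the login middleware populated after authentication.
function hardenedTokenHandler(request) {
  let token;
  const session = request.session;
  const braintreeId = session && session.user && session.user.BraintreeId;
  const opts = braintreeId ? { customerId: braintreeId } : {};
  gateway.clientToken.generate(opts, (err, res) => { if (err) throw err; token = res.clientToken; });
  return token;
}

// Constructed requests: a logged-in session for customer cust-alice whose body names cust-bob,
// and an unauthenticated request carrying the same body.
const mismatchedRequest = {
  body: { customerId: 'cust-bob' },
  session: { user: { BraintreeId: 'cust-alice' } },
};
const anonymousRequest = { body: { customerId: 'cust-bob' }, session: undefined };

function demo() {
  return {
    vulnerable: vulnerableTokenHandler(mismatchedRequest),        // token:cust-bob (cross-user)
    hardened: hardenedTokenHandler(mismatchedRequest),            // token:cust-alice
    hardenedAnonymous: hardenedTokenHandler(anonymousRequest),    // token:anonymous
  };
}
```

The hardened handler also answers the Ionic question's "first time vs returning" case: a session without a BraintreeId yields a customer-less token, exactly as the answer's `userSession == undefined` branch does.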
