@cybersource/flex-sdk-node
This Node SDK helps with server side aspects of a Flex integration:
- Requesting a transaction specific key
- Verifying the token response
Installation
Using npm:
npm install @cybersource/flex-sdk-node --save
Then in node scripts require the sdk:
var FlexSDKNode = require('@cybersource/flex-sdk-node');
Initializing the SDK
To request a transaction specific key, you must supply:
- authentication credentials
- production or test environment
- Optional params passed directly to underlying request object. See docs for usage
proxy
CyberSource Business Center:
Using credentials obtained throughvar flex = FlexSDKNode({
// auth credentials
mid: '__YOUR_MERCHANT_ID__',
keyId: '__YOUR_KEY_ID__',
sharedSecret: '__YOUR_SHARED_SECRET__',
// live environment
production: true
});
Visa Developer Center:
Using credentials obtained throughvar flex = FlexSDKNode({
// auth credentials
apiKey: '__YOUR_API_KEY__',
sharedSecret: '__YOUR_SHARED_SECRET__',
// test environment
production: false
});
Addtional Options
// CGK test environment with proxy
// Proxy with credentials can be supplied as
// 'http://username:password@localproxy.com'
var flex = FlexSDKNode({
mid: '__YOUR_MERCHANT_ID__',
keyId: '__YOUR_KEY_ID__',
sharedSecret: '__YOUR_SHARED_SECRET__',
production: false,
proxy: 'http://localproxy.com'
});
Debug Settings
Debug logging is used for the keys request and response. See docs for usage
Request a key
Flex encrypts the card number in transit, for additional protection against MitM attacks where the cardholder's network connection is compromised.
The following encryption methods are supported:
RsaOaep256
-
RsaOaep
(Recommended for widest browser compatibility) -
None
(No encryption of the card number)
var options = {
encryptionType: flex.constants.encryptionType.RsaOaep
};
flex.createKey(options, function(err, resp, key) {
if (err) {
// handle error
console.error(err);
return;
}
// you can now pass this key to your front end client for token creation. Ensure to persist
// this somewhere so you can verify the signatures on any created tokens later on!
mySavedKey = key;
});
If you are requesting a key for use with Flex Microform then you must also supply the origin of the website in which Flex Microform will be embedded:
var options = {
encryptionType: flex.constants.encryptionType.RsaOaep,
targetOrigin: 'https://shop.merchant.com'
};
Additional optional settings may also be supplied:
var options = {
encryptionType: flex.constants.encryptionType.RsaOaep,
settings: {
currency: 'USD', // Currency to be used with the token
enableAutoAuth: true, // Whether an automatic authorization should be performed prior to generating a token
enableBillingAddress: true, // Whether dummy address data should be supplied for the token
unmaskedLeft: 6, // The number of unmasked digits to be shown at the beginning of the card number (BIN)
unmaskedRight: 4 // The number of unmasked digits to be shown at the end of the card number
}
};
Verify a token response
There is a possibility that the token response can be tampered with as it passes through the client. Therefore you should always verify the integrity of the response using the SDK.
if (!flex.verifyToken(publicKey, token)) {
// Reject token
}
-
publicKey
can be:- a
jwk
js object - a pem formatted string
- the base64 encoded pem contents (sans header & footer)
- a
-
token
as a js object
Copyright and license
Code and documentation copyright 2018 CyberSource. Released under the CyberSource SDK License Agreement as detailed in ./LICENSE.md
.