I am implementing Stripe Payments in my iOS app and i obviously cant store credit card information over the iOS app so i have to create tokens and send that to the server to be charged etc.
My question is how can i communicate iOS => server and vice versa
My web app is in Rails by the way.
I read in some places that i might need to create a API on my server? then call it from my iOS side?
if anyone has an idea on how to do such a thing please let me know, i would appreciate it a lot.
Yes, you must create (or update) your Rails application to expose an HTTP API, which usually communicates using JSON. Your API will need to respond to POST/GET/whatever requests the iOS app make and behave correctly based on what you expect to do (do something with some tokens from my understanding).
Please notice though that handling payments and not having already the knowledge on how to do such a thing might be dangerous for the end user.
To give you a general overview of the process:
Create Rails routes, controllers, models required to manage the logic of perform a payment from a token, this is entirely your job unless the Rails app you are working with, already support this
Update your iOS app to send, probably with a POST request, the token you talked about, you'll probably need to define some sort of authentication protocol, look into JWT or something similar, you won't have cookies at your disposal in the iOS app
It's a long but interesting task
Related
I don't know if there's a lot of people people in here who are familiar with Stripe, but I hope someone can help me out. I'm setting up iDEAL payment in my app using Sources, and I'm using the guide on the Stripe website to help me out. Everything was explained very clear about how to set up the source, but the problem I'm running into is that the guide is very unclear about how I should continue after the source has been created and the user has authenticated the payment. It only describes how to continue when you're a web developer, but it's very unclear how to continue when you're an iOS developer. Basically what I want to do, is to get notified on whether the source object became chargeable (successful authentication) or failed. It only says you can get notified about the authentication status through client-side polling, but it's poorly described how to set up client-side polling in iOS. Can someone give me some directions on how I should continue after the authentication has been completed and the user returns back to the app? How can I get access to the new status of the source object after I return to the app?
It's not possible to charge a given source or create a customer in your iOS application as those calls require your Secret API key. You should never have the Secret API key in your iOS application otherwise an attacker could get his hands on it and then create charges, refunds or transfers on your behalf.
Once the source is created client-side, you need to send its id src_XXXX to your server. There, you will be able to call the Create Charge API to charge your source with your Secret API key.
Since you plan to use iDeal, the source is not chargeable immediately. Instead, you need to either poll the source client-side until it's ready to be charged or you need to listen for the source.chargeable webhook event indicating that the source is ready to be charged.
Once it is ready, you will be able to charge the source on your server.
I am using rails 4 and developing my first API. The API will be used solely for our android and ios apps to communicate with the rails app / database.
I am struggling to see the difference between API authentication and user authentication when it comes to an API. It seems people use these terms interchangeably.
I want my api to be secure, meaning only the apps can submit http requests, but I also want users to be able to log in. And when I say users, I mean app users... not outside clients who are accessing our api (we don't want this at all).
Would love if someone could clear this up for me. I may just not be thinking about it in the right way, therefore confusing myself.
So to break it down, these are the two things I need to be able to do:
secure the api of course... making it so only the mobile apps can access it
users are able to log in and access their profile, resources that belongs_to to them, etc. When users aren't logged in, they still need to be able to see the index and other pages that don't require a logged in user.
thx!
Have you heard of JWT? It's a good option to hadle users with the app and rails api separated.
Gem for jwt in rails: https://github.com/nsarno/knock
Hello me and friends are planning on taking on a big project. My two friends are going to be building iOS and Android apps and I will be making the server back end. I recently started developing with RoR and have fallen in love with Ruby. Now here are my questions:
Little more background:
I only want a private API for the android and iPhone app. I do NOT want a full fledged OAuth authentication process. Doing some research I think I will go with basic HTTP authentication.
1. My App uses cookie based authentication meaning a cookie has to be passed with each subsequent request. So will my friends need to have to store a cookie and on each subsequent request to the server send the cookie along with it?
2. How do I go about making the API private? I know in OAuth there are consumer secret and consumer key. I know if anyone could simply figure out the URL schema they will be able to have access to the API. How do I protect my back end from request from unknown users? (Hard coding strings in the Apps themselves?, Checking headers for device type?)
3. Should I only build the API now and worry about a web app later? Or would it be too horrific of an experience to go back and build a web app (Although I really do actually want the web app to be more significant than the mobile app
Here is a great article explaining exactly what you're looking for : securing an API without setting up a full OAUTH provider :
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
Works great (even if the solution is finally not so far from oauth ;)
I have to call payment gateway API from iOS code. Problem is it needs merchant credentials and I feel insecure embedding the merchant credentials in code. If someone somehow reverse engineer the code and get the credentials then the client is dead. Any advice?
I found this post Does Apple modify iOS application executables on apps submitted to the App Store? which says that app binaries are encrypted by Apple be default. Does it mean I can safely embed the credentials in code?
NO! Instead of adding the credentials to iOS app you should think about setting up a server which handles the interaction with the API, you are talking about, and let the app only interact with your server. So you can store the API key on your server and can limit whats possible by the user on server side (which will be much harder to abuse).
I'm trying to work out the best architecture for a couple of apps I'm developing.
In both apps I want to utilise google/twitter/LinkedIn/etc to provide authentication of a users identity. The app is composed of an iOS app which has an option to send data to a server which I'm writing in node.js.
I want to utilise either OAuth or OpenId to handle identifying a user against the above servers so that I don't have to put in an authentication system of my own. In other words, allowing users to re-use their ids when choosing to upload data.
I should also note that apart from identifying a user, obtaining a name and email address, I have not intention of using any of their APIs at this time.
I think I have two options:
Place the Authorisation code in the iOS client and transmit some sort of key to the server with the data which it can then verify.
Keep the iOS client fairly dumb, and handle authorisation from the node server.
I'd probably prefer the second option because it means I could centralise authentication and be able to support a web site as well. That's my current theory.
Can anyone who has done something like this give me some pointers as to the pros and cons, OAuth or OpenId, or links to some examples?
In our previous app we opted for a combination of the two approaches. We wanted to centralize our user data on our server in the event we needed to make future API calls on those services. We also wanted the native oAuth experience for the user on the client. Ie: on Android and iOS, the developer can have single sign-on / authorization run through the native Facebook app (if available), vs. popping-up a webview that serves the 'Approve' dialog. It's a better user experience in my opinion. Also for Twitter, the oAuth process may require a PIN code to be entered in the callback which should probably be handled on the client side.
You can pass the access token retrieved by the client to the server for storage and later use if you intend on making additional API calls on these services, provided you expect the token to be long-lived (ie: offline-access permission on FB).
In any case this is mostly a user experience decision.