带有标头的基本身份验证 - Javascript XMLHttpRequest

2022-01-15 00:00:00 cors xmlhttprequest javascript basic-authentication adyen

我正在尝试访问需要基本身份验证凭据的 Adyen 测试 API.

但我在尝试使用 XMLHttpRequest POST 请求访问 API 时收到 401 Unauthorized 响应.

Javascript 代码

var url = "https://pal-test.adyen.com/pal/servlet/Payment/v25/authorise";var username = "ws@Company.CompanyName";var 密码 = "J}5fJ6+?e6&lh/Zb0>r5y2W5t";var base64Credentials = btoa(用户名+":"+密码);var xhttp = new XMLHttpRequest();xhttp.open("POST", url, true);xhttp.setRequestHeader("内容类型", "应用程序/json");xhttp.setRequestHeader("授权", "基本" + base64Credentials);var requestParams = XXXXXXXX;xhttp.send(requestParams);


结果

解决方案

PAL 是一个支付授权 API.您从不想从浏览器调用它.您只想公开您的用户名和密码,以便在您的后端代码中发送付款.

在客户端加密中,加密是在浏览器中完成的.然后,您将加密数据发送到您自己的服务器.然后在您的服务器上创建一个支付授权请求(其中加密数据是元素之一,以及支付金额等).

如果您能够设法从浏览器运行此操作,您的最终解决方案将允许您的购物者从 JavaScript 层更改金额、货币、支付元数据等.绝不应该是这种情况.

因此,授权是文档服务器端"集成部分的一部分:https://docs.adyen.com/developers/ecommerce-integration?ecommerce=ecommerce-integration#serverside

根据您的服务器端环境,您最喜欢的语言的 CURL 实现会有所不同,但大多数时候很容易找到.

亲切的问候,

阿诺德

I am trying to access Adyen test API that requires basic authentication credentials. https://docs.adyen.com/developers/ecommerce-integration

My credentials work when accessing the API page through browser.

But I get an 401 Unauthorized response when trying to access the API with XMLHttpRequest POST request.

Javascript Code

var url = "https://pal-test.adyen.com/pal/servlet/Payment/v25/authorise";

var username = "ws@Company.CompanyName";
var password = "J}5fJ6+?e6&lh/Zb0>r5y2W5t";
var base64Credentials = btoa(username+":"+password);

var xhttp = new XMLHttpRequest();
xhttp.open("POST", url, true);
xhttp.setRequestHeader("content-type", "application/json");
xhttp.setRequestHeader("Authorization", "Basic " + base64Credentials);

var requestParams = XXXXXXXX;
xhttp.send(requestParams);


Result

解决方案

The PAL is a Payment Authorisation API. You never want to call it from a browser. You only want to expose your username and password to send in payments in your backend code.

In Client-side encryption, the encryption is done in the browser. You then send the encrypted data to your own server. On your server you then create a payment authorization request (of which the encrypted data is one of the elements, along side payment amount, etc).

If you would be able to manage to make this run from your browser, your end solution will allow your shoppers to change amounts, currency's, payment meta data etc from the JavaScript layer. This should never be the case.

The authorization is for that reason part of the "Server side" integration part of documentation: https://docs.adyen.com/developers/ecommerce-integration?ecommerce=ecommerce-integration#serverside

Depending on your server side landscape the CURL implementation in your favorite language differs, but most of the time are easy to find.

Kind regards,

Arnoud

相关文章