greg asked

Use Clover's token for own API?

My software consists of a Clover Android app and a web application. The Android app has to upload user-provided data to the web application with a POST request. Since I need to secure the API on the Django side to only allow POST requests from Clover terminals, I need some authentication process. I thought about Clover's tokens:

The Clover Android app can generate a token with the SDK. The web app also generates tokens with the OAuth process. However, I compared the tokens and I see they are not the same for the same merchant.

So I thought, is there a possibility that I generate a Clover auth token on the Android app, send the POST request with the token and data to the web application (Django), and check using Django whether the provided token is a token that is also accepted by Clover? If yes, the data is written to the database.

Since merchants are authenticated with their terminals anyway, it seems the best option for me to re-use Clover's authentication system to realize this. If that does not work, I am happy to hear other suggestions.




API TokenAuth

Jeffrey Blattman answered

App tokens are meant to be used from the device. However, some developers do send app tokens to their server, then use those tokens to make calls into Clover on behalf of the merchant. I think this is mainly when there's a server backend without a web frontend to which the merchant has OAuthed.

There's no "is valid token" call, so if you only wanted to use them for authorization you'd have to make an arbitrary REST call with the app token to see if it's valid. I can't immediately think of what's wrong with that, but it rubs me the wrong way because it's using an endpoint not for its intended purpose. For example, if you decided to call "get orders", you are making the server do the work to get orders for no reason.

I think the proper way to do this is TLS mutual authentication... so your app is pinned to your server AND your server validates that only your app is talking to it.

https://en.wikipedia.org/wiki/Mutual_authentication

greg commented

I think your idea to make an arbitrary request is quite practical, thanks for that. The Android app could send the merchant id and the generated auth token to the web API, and then Django can make a lightweight request, like getting a single merchant, to check if this combination of values is fine. It's not super-secure, but at least bots that attack every POST API are locked out. If Clover comes up with something more secure, it would certainly be a benefit for the whole Clover app ecosystem.

Jacob Abrams answered

This appears to be a gap in the Clover app market functionality: Clover does not appear to offer a secure solution to verifiably prove that a client is a valid installed Clover app. Here are two ideas you could implement. Of course you should be using regular TLS (not mutual) for either of these solutions. Maybe some day Clover will offer a more seamless and high-security solution for this problem.

Option 1 medium security:

Have your app send the Clover merchant id to your server (the Clover merchant id can be obtained on the device with MerchantConnector#getMerchant().getId()).

From your server, use your app id and the merchant id while calling this Clover REST endpoint: v3/apps/aId/merchants/mId/billing_info

If the Clover server returns a valid object indicating the merchant purchased your app, send the merchant a unique one-time-use code via email or some other secure communication channel.

In your Clover device app, prompt for the one-time-use code and send it to your server; your server can validate the code and respond with a token that your device app uses going forward.

Option 2 low security:

Hardcode a token in your Clover device app and send that plus the merchant id to your server. Validate the hardcoded token and optionally the Clover merchant id.


greg commented

Jacob, thanks for your input. You are certainly right that this is somehow a gap. Your first option seems a bit too much effort for requests that will happen quite frequently. The 2nd option I already tried, and it works for now!

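The server side of Option 1 from Jacob Abrams' answer, as an added example that is not code from the thread or from Clover's SDK. It assumes the billing_info check is wrapped in an injectable `billing_lookup` callable (hypothetical, so the flow runs offline), stores only digests of codes and tokens, and allows a single attempt per one-time code so an eight-digit code cannot be guessed online.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed policy: a one-time code is good for 15 minutes


def _digest(value: str) -> str:
    """Store only hashes of codes and tokens, so a leaked store is not directly usable."""
    return hashlib.sha256(value.encode()).hexdigest()


class DeviceEnrollment:
    def __init__(self, billing_lookup):
        # billing_lookup(app_id, merchant_id) -> bool stands in for the
        # v3/apps/aId/merchants/mId/billing_info call (hypothetical, injected for offline use).
        self._billing_lookup = billing_lookup
        self._pending = {}  # merchant_id -> (code digest, expiry timestamp)
        self._tokens = {}   # token digest -> merchant_id

    def start_enrollment(self, app_id, merchant_id):
        """Confirm the merchant really installed the app, then mint a one-time code.
        The code goes to the merchant out of band (e-mail), never back to the device."""
        if not self._billing_lookup(app_id, merchant_id):
            return None
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[merchant_id] = (_digest(code), time.time() + CODE_TTL_SECONDS)
        return code

    def redeem_code(self, merchant_id, code):
        """Device submits the code; a wrong or expired code burns it (one attempt only)."""
        entry = self._pending.pop(merchant_id, None)
        if entry is None:
            return None
        code_digest, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(code_digest, _digest(code)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = merchant_id
        return token

    def merchant_for_request(self, headers):
        """Per upload: map 'Authorization: Bearer <token>' to a merchant id, or None to reject."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        return self._tokens.get(_digest(token))
```

A Django view would call `merchant_for_request(request.headers)` and reject the POST with 401 when it returns None; the returned merchant id is what the upload is then attributed to.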
