SANDBOX/PRODUCTION API key to context mprovements #73
Comments
|
That quick fix you are referring tho is not recommended due to security issues. That quick fix should only be used for sandbox testing/while you’ve got time to update curl. It should not be used on production however. Also point a is not the fault of the sdk however a fault of the users environment.
Point B, if I’m not mistaken, doc mentions that you can get sandbox api key by using one of the tinker projects 🤔
… Op 15 okt. 2018 om 12:21 heeft Deddo Wiersma ***@***.***> het volgende geschreven:
See also: https://together.bunq.com/d/4883-api-production-and-sandbox-context-creation-issues
Two small suggestions for improvements for new API users (rookie level):
a) To prevent failing PRODUCTION context creation issues make the quickfix of removing line 315 (CURLOPT_PINNEDPUBLICKEY) in ApiClient.php a definite one. If this balances out the problems which the current SDK causes (spend a lot of time trying to figure out the problem and upgrading cUrl on CentOS/PHP7.0 is not that easy) versus the benefits (which I don't have knowledge about).
b) Update in https://doc.bunq.com/, introduction, 4th bullet point to explain the difference between the production API key obtained through the App and the sandbox API key obtained through (link to article, current link https://doc.bunq.com/#/android-emulator goes to the same page, tipo in link?). Someting like: 'The sandbox API key is different from the production API key. Instructions to get it are found in <page with at least the curl option, maybe more options?>
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
ok for a) didn't know the impact, b) is not very clear in the docs, it is hidden under a section in the middle with a link to the page tag which isn't working and if first sight related to Android (and not everybody uses the Bunq API for native Android Apps). Also the curl tip to get a valid Sandbox API would be a good addition. I can understand that documentation is not the highest priority but spending 5 minutes updating the documentation saves n*rookie users as myself several hours trying to figure out how it works. |
|
@DeddoWiersma Please rest assured that the issue with steep learning curve for users not using tinker is known, including points that you mention. Your both points are valid and even if old curl is not recommended for security reasons, that could be communicated more clearly than it is now. Similarly, it's not clear enough that keys for production and sandbox are not the same. We'll be looking into ways to improve that in the future, and I'll leave this issue open and update once that's done. |
|
@kojoru Thanx, leave it than with you as I assume you can update the documentation. I learned from this discussion that I also have to solve the cUrl issue on the server for safe operational transactions, I will bend my learning curve in that direction now ;-) |
|
@kojoru i don’t have access to my MacBook atm, while your add it please fix |
|
@DeddoWiersma just to be clear, |
Feel free to create a PR @DeddoWiersma with the changes you please to make it more clear ! 😊 if me or @kojoru didn’t had a chance to do so yet. |
|
We won't be removing certificate pinning for reasons outlined above. The documentation should be sufficiently all right after #85. @DeddoWiersma let me know if there's anything else we can do or if the changes look insufficient for any reason. |
See also: https://together.bunq.com/d/4883-api-production-and-sandbox-context-creation-issues
Two small suggestions for improvements for new API users (rookie level):
a) To prevent failing PRODUCTION context creation issues make the quickfix of removing line 315 (CURLOPT_PINNEDPUBLICKEY) in ApiClient.php a definite one. If this balances out the problems which the current SDK causes (spend a lot of time trying to figure out the problem and upgrading cUrl on CentOS/PHP7.0 is not that easy) versus the benefits (which I don't have knowledge about).
b) Update in https://doc.bunq.com/, introduction, 4th bullet point to explain the difference between the production API key obtained through the App and the sandbox API key obtained through (link to article, current link https://doc.bunq.com/#/android-emulator goes to the same page, tipo in link?). Someting like: 'The sandbox API key is different from the production API key. Instructions to get it are found in <page with at least the curl option, maybe more options?>
The text was updated successfully, but these errors were encountered: