topic Re: Generic/Test Nonce for testing in Integration and Testing

Generic/Test Nonce for testing

jima — Mon, 14 Aug 2017 20:28:53 GMT

Hi,

Wondering if there is a list of accepted test Nonce/OTS strings that can be used while developing? I'm testing out an API call (to the createCustomerPaymentProfileRequest method), but rather than using the <creditCard> XML node, I'm trying with the <opaqueData> XML node. It would really help to have a list of accepted Nonces, much like acceptable dummy credit card numbers, for testing. Right now, I'm getting error E00114 "Invalid OTS Token" as the response, and I'm pretty sure that's because the Nonce isn't being recognized as valide data.

Re: Generic/Test Nonce for testing

NexusSoftware — Mon, 14 Aug 2017 21:35:46 GMT

The nonce (number used once or number once) wouldn't be such, if it was used more than said number of times. Just get one dynamically with Accept.js using sandbox credentials.

Re: Generic/Test Nonce for testing

raisedonors — Mon, 14 Aug 2017 21:39:52 GMT

We are doing integration testing and being that this is performed on the server, we need a way to generate a nonce from the server, not client side. Stripe offers this functionality server side,

https://stripe.com/docs/api#create_card_token

I realize the beauty of Accept.js is for improved PCI compliance and keeping all CC data off the server, but we are needing to mock our solution with our integration tests -- and cannot create a nonce value from the server.

As suggested above, having a test nonce or a way to generate a nonce from the server would be of tremendous value.

As of right now, I'm trying to determine how i can create a web request from the server to genereate a nonce. Using Fiddler and such, I'm not having much luck right now....

What is the best practice approach to test our integrations without using a client side javascript library and using nonces?

Re: Generic/Test Nonce for testing

jima — Mon, 14 Aug 2017 22:01:31 GMT

@NexusSoftware, Not really the point here. Yes, it's a single-use number, that didn't need pointed out, but if there was a whitelist of pre-defined pseudo-nonce values, for use in testing, there would be great value in that. Based on other's responses to my question, it's safe to say I'm not alone in thinking so either. Thanks for your input, but again, I'm not looking for a definition, but a means to conveniently develop and test SERVER (not client) API calls.

Re: Generic/Test Nonce for testing

raisedonors — Mon, 14 Aug 2017 22:45:37 GMT

@jima I was able to successfully complete this on the server. I had to create a HttpWebRequest and build my own Json payload. It's working beautifuly for me, still hope Auth.net can build this into their API so that we don't need a 'hacky' solution like this.

https://www.dropbox.com/s/4f2708lt6edf3wx/Screenshot%202017-08-14%2017.44.17.png?dl=0

Re: Generic/Test Nonce for testing

jima — Mon, 14 Aug 2017 22:54:29 GMT

Thanks for this @raisedonors... I was planning on doing similar, and will have a look at your hack in a bit. Honestly though, I see no reason why A.net can't offer a whitelist approach for development, so we (like you said) don't have to build a hack sub-tool just to develop with their API. :D

Re: Generic/Test Nonce for testing

NexusSoftware — Mon, 14 Aug 2017 23:34:18 GMT

It is the point, exactly. Any way you cut it, whether you use Accept.js or call the API directly with the something like the following, it is going to be an actual nonce. Anything else would eliminate the value of it.

<securePaymentContainerRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
    <merchantAuthentication>
        <name>{{loginId}}</name>
        <clientKey>{{clientKey}}</clientKey>
    </merchantAuthentication>
    <refId>12345</refId>
    <data>
    	<type>TOKEN</type>
    	<id>{{$guid}}</id>
    	<token>
    		<cardNumber>4111111111111111</cardNumber>
    		<expirationDate>122025</expirationDate>
    		<cardCode>900</cardCode>
    		<fullName>Mary Jones</fullName>
    	</token>
    </data>
</securePaymentContainerRequest>

Re: Generic/Test Nonce for testing

jima — Tue, 15 Aug 2017 04:01:08 GMT

@NexusSoftware, I'm quite certain I know what the point of my question here is. I appreciate your efforts, but do not appreciate your argumentative tone when I point out that your offerings aren't on point to the question/request. Your point may be "...the point, exactly", for your purposes and/or proposed solution to your misperceptions to what I'm needing, but they couldn't be further from my point, or the point that I am trying to address in this thread. Still, thanks all the same.

Re: Generic/Test Nonce for testing

shaneprrlt — Tue, 19 Sep 2017 21:44:27 GMT

Stripe and Braintree both provide nonces for testing, saying it's pointless @NexusSoftware is stupid. It's test data, i.e. no real transactions take place. How is someone supposed to write unit tests, or test their backend implementation. I had to create a small one-page app just to get nonces to test with using Accept.js. What a waste of time. @jima is 100% correct saying this is essential. Is it bad to have test credit cards? No? Then why not have test nonces so we can properly test our implementations. Utterly ridiculous. Yeah, I understand that an nonce is single-use, at the end of the day it's just a string the developer is passing through to Authorize.Net, the fact that it's single-use and different every time has no bearing on our implementation, it's a security detail. Braintree offers fake-valid-nonce as a test nonce. They do it, stripe does it, why again can't Authorize.Net?

And if you need to test a bunch of cases, make different nonces that respond to different events. Fake-valid-nonce, fake-invalid-nonce, fake-expired-nonce, fake-duplicate-nonce, etc.

Re: Generic/Test Nonce for testing

NexusSoftware — Tue, 19 Sep 2017 22:40:45 GMT

@shaneprrlt, apparently Authorize.net has higher standards and a better system than Stripe or Braintree.

Getting a nonce, server side, without using Accept.js is extremely easy. The fact that you wasted your time creating a one page app to get a nonce, when within minutes a function can be created to get a nonce, is on you. I hope you are not charging by the hour.

Re: Generic/Test Nonce for testing

RichardH — Wed, 20 Sep 2017 19:38:39 GMT

We appreciate the feedback from everyone regarding the lack of a test payment nonce for testing. If you would like to see this added, please go to the product ideas forum and vote for the suggestion. We do review these regularly and use your votes for priority.

Richard