cancel
Showing results for 
Search instead for 
Did you mean: 

Generic/Test Nonce for testing

Hi,

 

Wondering if there is a list of accepted test Nonce/OTS strings that can be used while developing? I'm testing out an API call (to the createCustomerPaymentProfileRequest method), but rather than using the <creditCard> XML node, I'm trying with the <opaqueData> XML node. It would really help to have a list of accepted Nonces, much like acceptable dummy credit card numbers, for testing. Right now, I'm getting error E00114 "Invalid OTS Token" as the response, and I'm pretty sure that's because the Nonce isn't being recognized as valide data.

jima
Regular Contributor
10 REPLIES 10

The nonce (number used once or number once) wouldn't be such, if it was used more than said number of times. Just get one dynamically with Accept.js using sandbox credentials.

Powered by NexWebSites.com -
Certified Authorize.net developers
NexusSoftware
Trusted Contributor

We are doing integration testing and being that this is performed on the server, we need a way to generate a nonce from the server, not client side. Stripe offers this functionality server side,

https://stripe.com/docs/api#create_card_token

 

I realize the beauty of Accept.js is for improved PCI compliance and keeping all CC data off the server, but we are needing to mock our solution with our integration tests -- and cannot create a nonce value from the server.

 

As suggested above, having a test nonce or a way to generate a nonce from the server would be of tremendous value. 


As of right now, I'm trying to determine how i can create a web request from the server to genereate a nonce. Using Fiddler and such, I'm not having much luck right now....

 

What is the best practice approach to test our integrations without using a client side javascript library and using nonces?

 

@NexusSoftware, Not really the point here. Yes, it's a single-use number, that didn't need pointed out, but if there was a whitelist of pre-defined pseudo-nonce values, for use in testing, there would be great value in that. Based on other's responses to my question, it's safe to say I'm not alone in thinking so either. Thanks for your input, but again, I'm not looking for a definition, but a means to conveniently develop and test SERVER (not client) API calls.

jima
Regular Contributor

@jima I was able to successfully complete this on the server. I had to create a HttpWebRequest and build my own Json payload. It's working beautifuly for me, still hope Auth.net can build this into their API so that we don't need a 'hacky' solution like this.

 

https://www.dropbox.com/s/4f2708lt6edf3wx/Screenshot%202017-08-14%2017.44.17.png?dl=0

Thanks for this @raisedonors... I was planning on doing similar, and will have a look at your hack in a bit. Honestly though, I see no reason why A.net can't offer a whitelist approach for development, so we (like you said) don't have to build a hack sub-tool just to develop with their API. :D

jima
Regular Contributor

It is the point, exactly. Any way you cut it, whether you use Accept.js or call the API directly with the something like the following, it is going to be an actual nonce. Anything else would eliminate the value of it.

<securePaymentContainerRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
    <merchantAuthentication>
        <name>{{loginId}}</name>
        <clientKey>{{clientKey}}</clientKey>
    </merchantAuthentication>
    <refId>12345</refId>
    <data>
    	<type>TOKEN</type>
    	<id>{{$guid}}</id>
    	<token>
    		<cardNumber>4111111111111111</cardNumber>
    		<expirationDate>122025</expirationDate>
    		<cardCode>900</cardCode>
    		<fullName>Mary Jones</fullName>
    	</token>
    </data>
</securePaymentContainerRequest>
Powered by NexWebSites.com -
Certified Authorize.net developers
NexusSoftware
Trusted Contributor

@NexusSoftware, I'm quite certain I know what the point of my question here is. I appreciate your efforts, but do not appreciate your argumentative tone when I point out that your offerings aren't on point to the question/request. Your point may be "...the point, exactly", for your purposes and/or proposed solution to your misperceptions to what I'm needing, but they couldn't be further from my point, or the point that I am trying to address in this thread. Still, thanks all the same.

jima
Regular Contributor

Stripe and Braintree both provide nonces for testing, saying it's pointless @NexusSoftware is stupid. It's test data, i.e. no real transactions take place. How is someone supposed to write unit tests, or test their backend implementation. I had to create a small one-page app just to get nonces to test with using Accept.js. What a waste of time. @jima is 100% correct saying this is essential. Is it bad to have test credit cards? No? Then why not have test nonces so we can properly test our implementations. Utterly ridiculous. Yeah, I understand that an nonce is single-use, at the end of the day it's just a string the developer is passing through to Authorize.Net, the fact that it's single-use and different every time has no bearing on our implementation, it's a security detail. Braintree offers fake-valid-nonce as a test nonce. They do it, stripe does it, why again can't Authorize.Net? 

 

And if you need to test a bunch of cases, make different nonces that respond to different events. Fake-valid-nonce, fake-invalid-nonce, fake-expired-nonce, fake-duplicate-nonce, etc.

shaneprrlt
Member

@shaneprrlt, apparently Authorize.net has higher standards and a better system than Stripe or Braintree.

 

Getting a nonce, server side, without using Accept.js is extremely easy. The fact that you wasted your time creating a one page app to get a nonce, when within minutes a function can be created to get a nonce, is on you. I hope you are not charging by the hour. 

Powered by NexWebSites.com -
Certified Authorize.net developers