update
37
readme.hints.md
Normal file
@@ -0,0 +1,37 @@
# bunq API Client Implementation Hints
## Response Signature Verification
The bunq API uses response signature verification for security. Based on testing:
1. **Request Signing**: Only the request body is signed (not headers or URL)
2. **Response Signing**: Only the response body is signed
3. **Current Issue**: Response signature verification fails because:
- smartrequest automatically parses JSON responses
- When we JSON.stringify the parsed object, it may have different formatting than the original
- The server signed the original JSON string, not our re-stringified version
### Temporary Solution
Response signature verification is currently only enforced for payment-related endpoints:
- `/v1/payment`
- `/v1/payment-batch`
- `/v1/draft-payment`
### Proper Fix
To properly fix this, we would need to:
1. Access the raw response body before JSON parsing
2. Verify the signature against the raw body
3. Then parse the JSON
## Sandbox API Keys
Sandbox users can be created without authentication by posting to:
```
POST https://public-api.sandbox.bunq.com/v1/sandbox-user-person
```
This returns a fully functional API key for testing.
## IP Whitelisting
When no permitted IPs are specified, use `['*']` to allow all IPs for sandbox testing.
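Review bot: The "Temporary Solution" section documents a security regression without saying what the client does for every non-payment endpoint: if verification is skipped there, say so explicitly ("responses from other endpoints are currently NOT signature-verified") and add a tracking reference so the partial enforcement does not silently become permanent. The "Proper Fix" list is the right design (verify the raw body bytes, then parse); it is worth stating in the hints that re-serialising a parsed object can never be trusted for verification, since key order and whitespace are not preserved, so any interim fix that tries to canonicalise the stringified JSON should be rejected. In the "IP Whitelisting" section, qualify the `['*']` advice as sandbox-only and note that the client should not default to a wildcard in production configuration, because a permitted-IP wildcard removes the one network-layer restriction an API key would otherwise carry.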