Description
Internally, we discovered that this package calls this URL (https://api.paystack.co/checkout/request_inline), and that's fine. However, certain details like the `public_key` are exposed when you inspect the browser Network tab, and even the reference for that transaction is exposed.
I have attached a sample request body that this package sends to the URL I mentioned earlier.
```json
{
  "id": "paystackvlYSU",
  "key": "pk_live_xxxx_xxx76xxx_xxxxf",
  "ref": "ed343dcbc48fa4712f500dbe1fd9fd52d1e2214da230c37d135_xxxx_xxx",
  "email": "stephenilori458@gmail.com",
  "amount": 50000,
  "currency": "NGN",
  "firstname": "Stephen",
  "lastname": "Ilori",
  "split": {},
  "bearer": "account",
  "metadata": "{\"firstName\":\"Stephen\",\"lastName\":\"Ilori\",\"emailAddress\":\"stephenilori458@gmail.com\",\"customer_timezone\":\"Africa/Lagos\",\"custom_fields\":[{\"display_name\":\"firstName\",\"variable_name\":\"firstName\",\"value\":\"Stephen\"},{\"display_name\":\"lastName\",\"variable_name\":\"lastName\",\"value\":\"Ilori\"},{\"display_name\":\"emailAddress\",\"variable_name\":\"emailAddress\",\"value\":\"stephenilori458@gmail.com\"}],\"referrer\":\"replaced_with_actual_url\"}",
  "mode": "popup",
  "hasTLSFallback": true,
  "device": "30140c9bf009f77cc5c305e84c7e5ace"
}
```

I believe that this request body should be encrypted at the point a call is made to your URL from this package. Even though you need to put a webhook in place or call a re-verify endpoint at the end of the day, I think we should make the frontend a little more secure by ensuring that this request is encrypted with the public key before it's sent out; otherwise the public key is just serving as an identifier for this request.